Cybersecurity Firm FireEye Suffers Theft of Red Team Assessment Tools
Cybersecurity firm FireEye has been hit with what their CEO Kevin Mandia described as a “highly targeted cyberattack.” The threat actor was able to target and access certain Red Team assessment tools that the company uses to test the security of its customers’ networks.
Mandia also claims that due to the techniques and level of sophistication of the attack, he believes that state-sponsored actors were behind the attack. According to FireEye, the attackers were primarily hunting for data related to certain government customers of the cybersecurity firm. It’s important to note that according to the firm, the attack used “a novel combination of techniques not witnessed by us or our partners in the past.”
Basing their observation on years of practical experience, FireEye believes that the attack was specifically crafted to target FireEye. “The attackers tailored their world-class capabilities specifically to target and attack FireEye. They are highly trained in operational security and executed with discipline and focus. They operated clandestinely, using methods that counter security tools and forensic examination,” Mandia wrote in a recent post.
The targeted tools provide diagnostic security services to FireEye’s customers by mimicking the behavior of threat actors. The stolen tools range from simple scripts used for automating reconnaissance to entire frameworks that are like other publicly available frameworks and technologies such as Metasploit and CobaltStrike.
Mandia stressed in his post that none of the information stolen contained zero-day exploits and that FireEye has seen no evidence yet to suggest that threat actors are currently using the stolen Red Team tools in attacks. It’s important to note that the attackers may plan to use these stolen tools as a “cover” of sorts for their attacks. They can use these tools in lieu of their own tools, saving their signature tactics for more high-valued targets.
However, such use of the tools could allow attackers to take over systems, a Tuesday Cybersecurity & Infrastructure Security Agency (CISA) advisory warned: “Although [CISA] has not received reporting of these tools being maliciously used to date, unauthorized third-party users could abuse these tools to take control of targeted systems,” according to the advisory.
FireEye said it will continue to monitor for any activity around the hacked Red Team tools and is currently investigating the attack in coordination with the Federal Bureau of Investigation (FBI) and other partners such as Microsoft.
Sources: