FireEye Cyberattack Compromises Red-Team Security Tools


An attacker stole FireEye’s Red Team assessment tools that the company uses to test its customers’ security.

Cybersecurity firm FireEye has been hit in what CEO Kevin Mandia described as a highly targeted cyberattack. The attacker targeted and was able to access certain Red Team assessment tools that the company uses to test its customers’ security.

Mandia on Tuesday said that, based on the techniques and sophistication of the attack, he believes state-sponsored actors were behind the hack. The attacker was primarily hunting for data related to certain government customers, according to FireEye. The hack “used a novel combination of techniques not witnessed by us or our partners in the past,” he said.

The attack is “different from the tens of thousands of incidents we have responded to throughout the years,” due to its sophistication, said Mandia in a Tuesday post. “The attackers tailored their world-class capabilities specifically to target and attack FireEye. They are highly trained in operational security and executed with discipline and focus. They operated clandestinely, using methods that counter security tools and forensic examination.”


The targeted tools provide diagnostic security services to FireEye’s customers, by mimicking the behavior of threat actors, said Mandia. The stolen tools range from simple scripts used for automating reconnaissance to entire frameworks that are similar to publicly available technologies such as CobaltStrike and Metasploit.

None of these tools contain zero-day exploits, he stressed. FireEye has also seen no evidence to date that an attacker has utilized the stolen Red Team tools.

However, such use of the tools could allow attackers to take over systems, a Tuesday Cybersecurity & Infrastructure Security Agency (CISA) advisory warned: “Although [CISA] has not received reporting of these tools being maliciously used to date, unauthorized third-party users could abuse these tools to take control of targeted systems.”

Meanwhile, Brandon Hoffman, Chief Information Security Officer at Netenrich, said in an email that attackers “most likely… plan to use this commodity type tooling to cover up their tracks so as to not expose their own custom tools and save those for special attacks or second stage attacks.”

FireEye said it will continue to monitor for any activity around the hacked Red Team tools, and is currently investigating the attack in coordination with the Federal Bureau of Investigation (FBI) and other partners such as Microsoft.

“We are not sure if the attacker intends to use our Red Team tools or to publicly disclose them,” said Mandia. “Nevertheless, out of an abundance of caution, we have developed more than 300 countermeasures for our customers, and the community at large, to use in order to minimize the potential impact of the theft of these tools.”

These countermeasures, which can detect or block the use of the stolen Red Team tools, are also publicly available on GitHub.

Customer data appears to be unaffected as of this time, said Mandia: “While the attacker was able to access some of our internal systems, at this point in our investigation, we have seen no evidence that the attacker exfiltrated data from our primary systems that store customer information from our incident response or consulting engagements, or the metadata collected by our products in our dynamic threat intelligence systems,” he said.
