The FireEye Hack
On December 1st, FireEye CEO Kevin Mandia announced that the company was hacked by what they believe was a sophisticated threat actor, one whose discipline, operational security and techniques lead them to believe it was a state-sponsored adversary.
What Was Stolen?
Consistent with nation-state cyberespionage, the attacker sought information related to government customers. While the attacker was able to access some internal systems, at the time of the announcement there was no evidence that the attackers had exfiltrated confidential or sensitive data. FireEye did confirm that the attacker accessed and stole their red team assessment tools.
The stolen tools range from simple scripts used for automating reconnaissance to entire frameworks that are similar to publicly available technologies such as CobaltStrike and Metasploit. Many of the red team tools have already been released to the community and are distributed in FireEye's open source virtual machine, CommandoVM.
The red team tools stolen by the attacker did not include zero-day exploits. The tools apply known and documented methods that are used by other red teams around the globe. Some of the tools are publicly available tools modified to evade basic security detection mechanisms. Other tools and frameworks were developed in-house by the FireEye red team. FireEye has published a collection of rules that provide countermeasures against the weaponized vulnerabilities used in their red team tools.
What Is A Red Team?
A cybersecurity red team is a group that helps organizations improve their protection by acting as an adversarial hacking group. Red teams perform vulnerability assessments and penetration testing operations, and they develop in-house tooling or improve on publicly available tools to automate their work and improve efficiency.
Many organizations that work with sensitive information and are high-value targets, such as Facebook, Netflix, Google, Amazon, etc., have their own red teams who continuously test and try to infiltrate their own organization. Organizations that do not have a resident red team can buy red team services from security organizations such as FireEye. Many security vendors and consultancy organizations provide red team services.
If There Is A Red Team, There Is A Blue Team
The blue team is on the defensive side. Their job is to detect attacks as early as possible, assess the damage if an attack was successful, improve protection to prevent future attacks, ensure adequate mitigation procedures, and improve incident response plans.
What Is The Impact Of FireEye Red Team Tools Being Stolen?
Based on the information disclosed in the announcement, the FireEye tools leverage only known vulnerabilities and tactics. It was explicitly mentioned that no zero-day exploits were leaked through these tools. In consequence, Radware does not expect a global impact like we witnessed from the Shadow Brokers leaks, the leaks that contained the EternalBlue exploit that was leveraged by WannaCry and NotPetya back in 2017.
That said, the theft of 300 red team tools that weaponize more than a dozen of the most popular vulnerabilities is concerning, and the successful hack of a respected security organization such as FireEye demonstrates the difficulty of stopping determined and sophisticated attackers.
Whoever stole the tools has increased their offensive capability, but Radware does not expect a large fallout from this. While red teams are paid professionals, so are nation-state sponsored attackers, and their capabilities are expected to be on par with those of red teams. However, tooling is typically one of the indicators that can lead to attribution, and when stolen tools are leveraged, attribution of the attack becomes much harder.