FireEye is not the only firm to have suffered a data breach: in 2015 Kaspersky suffered a similar incident, and many other cyber security companies have been targeted by attackers in the past. Cyber security companies have always been viewed as attractive targets, either for the intellectual property and data they hold about their clients, or because they are in some senses the ‘ultimate prize’ for attackers looking to send a message or gain kudos among peers.
The commonality between this latest attack and that against Kaspersky is the alignment between the company and its country of origin. This alignment means that the cyber security company takes on some of the risks associated with its host nation. FireEye is a big provider of services to the US Government, and its privileged knowledge of and access to its Government clients’ networks has made it an inviting target.
Like all businesses, cyber security companies need to balance cyber security risk against other business priorities. FireEye cannot be blamed for being the target of an attack, and it is likely that they were not at fault.
News outlets have published unconfirmed reports that the attackers are state sponsored with ties to the Russian Government, claiming that it was the work of the APT-29 or “Cozy Bear” group, made famous for their attacks on the Democratic National Committee in 2016 prior to the US election and more recently attacks which targeted COVID-19 vaccines and treatments. FireEye in the past have reported extensively on Russian state-sponsored attackers, leading some to speculate an element of retaliation. The firm has engaged with the US Federal Bureau of Investigation (FBI) to help investigate the attack, probably in part a response to the sensitivity of some of the government clients and projects that the business works on.
The response from FireEye has been characteristically thorough, revealing an impressive level of preparation and response. The business has published several blogs on the issue and released several hundred detection tools to protect their clients and the wider cybersecurity community.
The attack
Although the exact nature of the attack was not disclosed by FireEye, it was described by the company as a novel combination of techniques tailored specifically to the company from attackers with a "top-tier capability". The attackers were said to have acted with stealth, “discipline” and “focus” and used methods to counter security tools and analysis.
The attackers targeted FireEye's "red team" assessment tools. Red teams are teams that help businesses mimic real attacks. None of the tools stolen were said to use "zero day" exploits, meaning that they used known weaknesses in software and hardware. In response, FireEye officially released signatures that detect use of the tools, which businesses can deploy to protect against or minimise the impacts of attacks which have used the stolen assets. The stolen tools include both basic scripts for automating research into targets and fully functional attack frameworks that aid the FireEye red teams in simulating multi-stage attacks. FireEye has said some of the tools are publicly available but changed to evade security detection, while others were developed in-house.
Analysis of the countermeasures released by FireEye shows the toolset included malware, and scripts for gaining external access to Windows networks by exploiting vulnerabilities which allow remote code execution and for elevating privileges on compromised systems. The malware gathered passwords, created backdoors and remotely controlled compromised machines, among other functions. Among the malware names were known variants such as "GoRAT", "Rubeus" and "Excavator".
US cybersecurity agency CISA released an advisory stating that it had not received reports of these tools being maliciously used, although it was feasible that they could be.
Impact and mitigation
The impact of the theft of the tools is not assessed to be severe, as they used well-known techniques employed by red teams around the world, meaning the attackers’ access to them will not greatly enhance their capabilities, particularly if they are a well-resourced nation state. A greater threat may be if the tools are leaked publicly, as per the release of stolen US National Security Agency (NSA) tools in 2017 by an online group calling themselves “The Shadowbrokers”. One of these tools, EternalBlue, was eventually used as part of the WannaCry attack, which led to significant losses and damage across the world. There is, however, no suggestion that the leak of these tools would lead to an attack as severe as this one.
Although risks to businesses are not considered to be elevated at this point, they are advised to deploy the detection countermeasures where practical and perform ongoing monitoring and detection of the stolen tools. Businesses should be aware that FireEye has not concluded their investigation and therefore the risks from this attack may escalate in future, as more details are revealed. With that in mind, businesses are advised to monitor the development of this incident.