The U.S. cybersecurity firm FireEye acknowledged that it was targeted by “a highly sophisticated threat actor” who broke into the company’s network and stole its Red Team tools. FireEye CEO Kevin Mandia shared details of the attack in a blog post and said the company is working with the FBI and Microsoft, as well as other key partners, on the investigation.
“Based on my 25 years in cyber security and responding to incidents, I’ve concluded we are witnessing an attack by a nation with top-tier offensive capabilities. This attack is different from the tens of thousands of incidents we have responded to throughout the years. The attackers tailored their world-class capabilities specifically to target and attack FireEye. They are highly trained in operational security and executed with discipline and focus. They operated clandestinely, using methods that counter security tools and forensic examination. They used a novel combination of techniques not witnessed by us or our partners in the past,” Mandia said.
According to FireEye’s CEO, the attackers gained access to a set of scripts, tools, scanners, and techniques that the Red Team uses to mimic the behavior of many real-world threat actors. None of them contain zero-day exploits, Mandia said.
“The stolen tools range from simple scripts used for automating reconnaissance to entire frameworks that are similar to publicly available technologies such as CobaltStrike and Metasploit. Many of the Red Team tools have already been released to the community […] Some of the tools are publicly available tools modified to evade basic security detection mechanisms. Other tools and frameworks were developed in-house for our Red Team,” the cybersecurity firm said.
While the company has no evidence that the stolen tools have been used in any attack, out of an abundance of caution FireEye has developed countermeasures to detect and block them and has built those countermeasures into its own security products. The countermeasures are published in a FireEye GitHub repository so that other organizations can deploy them as well.