9 December 2020

FireEye says nation-state hackers stole its Red Team tools

The U.S. cybersecurity firm FireEye acknowledged it was targeted by “a highly sophisticated threat actor” who hacked into the company’s network and stole its Red Team tools. FireEye CEO Kevin Mandia shared details of the cyber attack in a blog post and said that the company is working with the FBI and Microsoft, as well as with other key partners, in an investigation of the hack.

“Based on my 25 years in cyber security and responding to incidents, I’ve concluded we are witnessing an attack by a nation with top-tier offensive capabilities. This attack is different from the tens of thousands of incidents we have responded to throughout the years. The attackers tailored their world-class capabilities specifically to target and attack FireEye. They are highly trained in operational security and executed with discipline and focus. They operated clandestinely, using methods that counter security tools and forensic examination. They used a novel combination of techniques not witnessed by us or our partners in the past,” Mandia said.

According to FireEye’s CEO, the hackers gained access to a set of scripts, tools, scanners, and techniques that mimic the behavior of many cyber threat actors. None of them contain zero-day exploits, Mandia said.

“The stolen tools range from simple scripts used for automating reconnaissance to entire frameworks that are similar to publicly available technologies such as CobaltStrike and Metasploit. Many of the Red Team tools have already been released to the community […] Some of the tools are publicly available tools modified to evade basic security detection mechanisms. Other tools and frameworks were developed in-house for our Red Team,” the cybersecurity firm said.

While the company has no evidence that the hackers have used the stolen tools in cyber attacks, out of an abundance of caution FireEye developed countermeasures to detect and block the tools and also built those countermeasures into its own security products. The list of countermeasures is available on the FireEye GitHub repository.
