9 December 2020

FireEye says nation-state hackers stole its Red Team tools
The U.S. cybersecurity firm FireEye acknowledged it was targeted by “a highly sophisticated threat actor” who hacked into the company’s network and stole its Red Team tools. FireEye CEO Kevin Mandia shared details of the cyber attack in a blog post and said that the company is working with the FBI and Microsoft, as well as with other key partners, in an investigation of the hack.

“Based on my 25 years in cyber security and responding to incidents, I’ve concluded we are witnessing an attack by a nation with top-tier offensive capabilities. This attack is different from the tens of thousands of incidents we have responded to throughout the years. The attackers tailored their world-class capabilities specifically to target and attack FireEye. They are highly trained in operational security and executed with discipline and focus. They operated clandestinely, using methods that counter security tools and forensic examination. They used a novel combination of techniques not witnessed by us or our partners in the past,” Mandia said.

According to FireEye’s CEO, the hackers gained access to a set of scripts, tools, scanners, and techniques that mimic the behavior of many cyber threat actors. None of them contain zero-day exploits, Mandia said.

“The stolen tools range from simple scripts used for automating reconnaissance to entire frameworks that are similar to publicly available technologies such as CobaltStrike and Metasploit. Many of the Red Team tools have already been released to the community […] Some of the tools are publicly available tools modified to evade basic security detection mechanisms. Other tools and frameworks were developed in-house for our Red Team,” the cybersecurity firm said.

While the company has no evidence that the hackers have used the stolen tools in cyber attacks, out of an abundance of caution FireEye developed countermeasures to detect and block the tools and has also built those countermeasures into its own security products. The list of countermeasures is available on the FireEye GitHub repository.
