Attackers working on behalf of an undisclosed nation-state actor, likely Russia, have compromised the systems of cyber security firm FireEye and stolen a number of the hacking tools it uses to conduct red team assessments of its customers’ security.
These tools are designed to test security by mimicking the behaviour of cyber threat actors, enabling FireEye’s consultants to provide diagnostic security services and advice to user organisations. Although none of them contained active zero-day exploits, their theft is a source of great concern: depending on whose hands they fall into, they could now be used offensively by malicious actors rather than by ethical hackers.
In response, FireEye said it was proactively releasing methods and means to detect the use of its stolen tools. It already has an arsenal of over 300 countermeasures to hand for its customers and the wider security community, intended to minimise the potential impact of the breach. These can be found in its GitHub repository.
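The countermeasures FireEye released are detection signatures, not the tools themselves (the published pack was distributed as YARA, Snort, ClamAV and HXIOC rules). The following is an added example, not code from the article or from FireEye, of how a defender applies string and byte-pattern indicators of that kind to files on disk for triage. The rule format is a deliberately simplified stand-in for those signature languages, and every rule name, indicator and sample file below is a constructed placeholder rather than a real signature from the repository.

```python
"""
Added example (not FireEye's code, not from the article): a minimal,
dependency-free scanner that applies text/hex indicators to files and
reports which rules fired, the way a defender consumes a released
countermeasure pack. The rule format is a simplified stand-in.
"""
import os
import tempfile
from dataclasses import dataclass, field


@dataclass
class Rule:
    name: str                                          # hypothetical rule id
    text_strings: list = field(default_factory=list)   # ASCII/UTF-8 substrings
    hex_strings: list = field(default_factory=list)    # byte patterns, e.g. "4D 5A 90 00"
    require_all: bool = False                          # True: all indicators; False: any


def _hex_to_bytes(pattern):
    return bytes.fromhex(pattern.replace(" ", ""))


def match_rule(rule, data):
    """Return the indicators from `rule` found in `data` (bytes), or an empty
    list when the rule's condition (any / all) is not satisfied."""
    hits = []
    for text in rule.text_strings:
        if text.encode() in data:
            hits.append(("text", text))
    for pattern in rule.hex_strings:
        if _hex_to_bytes(pattern) in data:
            hits.append(("hex", pattern))
    total = len(rule.text_strings) + len(rule.hex_strings)
    if rule.require_all and len(hits) != total:
        return []
    return hits


def scan_path(root, rules):
    """Walk `root` and return {relative_path: {rule_name: [hits]}} for every
    file that satisfies at least one rule. Files are read whole here; a
    production scanner would stream large files and cap memory use."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                data = fh.read()
            per_file = {}
            for rule in rules:
                hits = match_rule(rule, data)
                if hits:
                    per_file[rule.name] = hits
            if per_file:
                findings[os.path.relpath(full, root)] = per_file
    return findings


# Constructed rules: names and indicators are hypothetical placeholders,
# NOT signatures from the FireEye countermeasure repository.
SAMPLE_RULES = [
    Rule(name="EXAMPLE_Tool_Marker_Strings",
         text_strings=["example-redteam-tool", "--beacon-interval"],
         require_all=True),
    Rule(name="EXAMPLE_Loader_Header",
         hex_strings=["4D 5A 90 00 03 00 00 00"],  # constructed byte prefix
         text_strings=["example-loader-stub"],
         require_all=False),
]


def build_sample_corpus():
    """Create a temp directory of constructed files: one benign, one carrying
    both indicators of the first rule, one carrying only one of them (must
    NOT fire the require_all rule), and one matching the hex rule."""
    root = tempfile.mkdtemp(prefix="cm_demo_")
    with open(os.path.join(root, "notes.txt"), "wb") as fh:
        fh.write(b"quarterly planning notes, nothing to see here\n")
    with open(os.path.join(root, "suspect.bin"), "wb") as fh:
        fh.write(b"\x00" * 16 + b"example-redteam-tool\x00--beacon-interval=30\x00")
    with open(os.path.join(root, "partial.bin"), "wb") as fh:
        fh.write(b"log: example-redteam-tool started\n")
    with open(os.path.join(root, "stub.exe"), "wb") as fh:
        fh.write(bytes.fromhex("4D5A90000300000004000000FFFF0000") + b"padding")
    return root


def demo():
    """Build the constructed corpus and scan it with the sample rules."""
    return scan_path(build_sample_corpus(), SAMPLE_RULES)


if __name__ == "__main__":
    for path, fired in sorted(demo().items()):
        for rule_name, indicators in fired.items():
            print(f"{path}: {rule_name} -> {indicators}")
```

The `require_all` flag is the part worth noticing: a single marker string is a weak signal that turns up in logs and benign files, so the first rule only fires when both indicators are present, which is how signature authors trade recall for precision.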
Kevin Mandia, FireEye CEO, said there were a number of factors that had led him to conclude the incident was a state-backed attack, and although he did not directly point the finger at Russian actors, it was clear the attacker was backed by a nation with top-tier capabilities. He added that by being open about the incident from the outset, the security community will be better equipped to fight what may now be coming.
“This attack is different from the tens of thousands of incidents we have responded to throughout the years,” said Mandia. “The attackers tailored their world-class capabilities specifically to target and attack FireEye. They are highly trained in operational security and executed with discipline and focus. They operated clandestinely, using methods that counter security tools and forensic examination. They used a novel combination of techniques not witnessed by us or our partners in the past.
“We are actively investigating in coordination with the Federal Bureau of Investigation (FBI) and other key partners, including Microsoft. Their initial analysis supports our conclusion that this was the work of a highly sophisticated state-sponsored attacker utilising novel techniques,” he said.
“We have seen no evidence to date that any attacker has used the stolen Red Team tools. We, as well as others in the security community, will continue to monitor for any such activity. At this time, we want to ensure that the entire security community is both aware and protected against the attempted use of these Red Team tools.”
Mandia noted that, consistent with nation-state cyber espionage efforts, FireEye’s attackers seemed to be mainly seeking information on its government customers. He went on to state that while they did access some of the firm’s internal systems, there was as yet no evidence that any customer data or information from its incident response or consulting practice, or metadata from its threat intelligence systems, had been compromised. If this changes, relevant customers will be informed.
“Every day, we innovate and adapt to protect our customers from threat actors who play outside the legal and ethical bounds of society,” said Mandia. “This event is no different. We’re confident in the efficacy of our products and the processes we use to refine them. We have learned and continue to learn more about our adversaries as a result of this attack, and the greater security community will emerge from this incident better protected. We will never be deterred from doing what is right.”
The attack on FireEye is a highly significant incident reminiscent of the Shadow Brokers attacks on the US National Security Agency (NSA), which ultimately resulted in the theft of the exploits used in the devastating WannaCry attacks of May 2017.
The group went on to establish a subscription service for the purloined zero-day exploits, and there has been widespread speculation already that the FireEye incident may result in a similar outcome.
The attack also serves as a near-perfect demonstration that even with optimal security controls and watertight policies in place, organisations have no control over whether or not they fall victim to a cyber attack, and that there is no shame in being open and transparent when they do.