
State-Sponsored Hackers Steal FireEye Red Team Security Testing, Assessment Tools

State-sponsored hackers have attacked FireEye and stolen the cybersecurity company's Red Team penetration testing and assessment tools, FireEye disclosed in an SEC filing on December 8, 2020. FireEye is concerned the hackers will potentially use the stolen Red Team penetration testing tools to attack additional companies. As a precaution, the company is sharing countermeasures to help potential targets mitigate attacks.

The Cybersecurity and Infrastructure Security Agency (CISA), part of the U.S. Department of Homeland Security, issued its own warning about the stolen FireEye tools.

FireEye CEO Kevin Mandia

Among the key FireEye disclosures in the SEC filing:

1. State Sponsored Actor?: The attacker was a "highly sophisticated cyber threat actor" whose "discipline, operational security, and techniques lead us to believe it was a state-sponsored attack." CEO Kevin Mandia believes the attack involves a "nation with top-tier offensive capabilities."

2. FireEye Tools Were the Specific Target: This attack specifically targeted FireEye, and used methods that "counter security tools and forensic examination." The hackers "used a novel combination of techniques not witnessed by us or our partners in the past." The attacker targeted and accessed certain Red Team assessment tools that FireEye uses to test its customers' security.

3. FBI, Microsoft Assist Investigation: FireEye is investigating the attack in coordination with the Federal Bureau of Investigation and other key partners, including Microsoft.

4. Defending Against the Red Team Tools: FireEye is proactively "releasing methods and means to detect the use of our stolen Red Team tools." The company doesn't know if the attacker intends to use the Red Team tools or to publicly disclose them. FireEye has developed more than 300 countermeasures for customers and the community at large to use in order to minimize the potential impact of the theft of these tools.

5. No Additional Attacks So Far: FireEye has seen no evidence to date that any attacker has used the stolen Red Team tools, but continues to monitor for their use.

6. Customer Information Targeted, But Not Stolen: The attacker primarily sought information related to certain government customers. While the attacker was able to access some of FireEye's internal systems, there is no evidence (so far) that the attacker exfiltrated data from the company's customer information, its incident response or consulting engagements, or the metadata collected by its products in the dynamic threat intelligence systems. FireEye plans to contact customers directly if it discovers that any customer information was taken.

7. More Details: If/when more details become available, FireEye will disclose the information via its corporate blog.

About FireEye: Business Focus, Recent PE-Backed XDR Acquisition

FireEye is both a cybersecurity software provider and a consulting firm that investigates attacks for customers. The company, backed by private equity firm Blackstone, recently acquired XDR (extended detection and response) company Respond Software for $186 million.

Joe Panettieri

Joe Panettieri is co-founder & editorial director of MSSP Alert and ChannelE2E, the two leading news & analysis sites for managed service providers in the cybersecurity market.