The weak links were apparently in the internal Red Team tools used for assessing customer cybersecurity levels.

The CEO of a US cybersecurity firm has this week announced that his organization was attacked by a highly sophisticated threat actor.

The tactics, techniques and procedures of the attacker have led the firm, FireEye, to believe it was a state-sponsored attack, possibly Russian in nature.

CEO Kevin Mandia noted in his blog post that his firm’s number one priority is working to strengthen the security of customers and the broader community. “We hope that by sharing the details of our investigation, the entire community will be better equipped to fight and defeat cyberattacks.”

Mandia stated that the attack was different from the tens of thousands of incidents his teams have responded to throughout the years. “The attackers tailored their world-class capabilities specifically to target and attack FireEye. They are highly-trained in operational security and executed with discipline and focus. They operated clandestinely, using methods that countered security tools and forensic examination. They used a novel combination of techniques not witnessed by us or our partners in the past.”

Red Team tools used against the firm

In coordination with the Federal Bureau of Investigation and other key partners, including Microsoft, the firm’s latest findings are that the attacker(s) targeted and accessed certain Red Team assessment tools that were used for testing customers’ security. “These tools mimic the behavior of many cyberthreat actors and enable FireEye to provide essential diagnostic security services to our customers. None of the tools contains zero-day exploits. Consistent with our goal to protect the community, we are proactively releasing methods and means to detect the use of our stolen Red Team tools.”

In order to minimize the potential impact of the theft of these tools, the firm has developed more than 300 countermeasures for its customers and the community at large, and also:

  • prepared countermeasures that can detect or block the use of the stolen Red Team tools
  • implemented countermeasures into current security products
  • shared these countermeasures with peers in the security community
  • made the countermeasures publicly available on GitHub
  • continued to share and refine any additional mitigations for the Red Team tools as they become available, both publicly and directly with security partners

Nation-state implications

Consistent with a nation-state cyber-espionage effort, the attacker primarily sought information related to certain government customers. “While the attacker was able to access some of our internal systems, at this point in our investigation, we have seen no evidence that the attacker exfiltrated data from our primary systems that store customer information from our incident response or consulting engagements, or the metadata collected by our products in our dynamic threat intelligence systems. If we discover that customer information was taken, we will contact them directly.”

Mandia noted that his teams have learned and continue to learn more about adversaries as a result of this attack, and the greater security community will emerge from this incident better protected. “We will never be deterred from doing what is right,” he said, alluding to prompt disclosure and execution of exhaustive mitigative countermeasures.