How was Top Cybersecurity Firm FireEye Hacked!
- By Dawna M. Roberts
- Published: Dec 10, 2020
- Last Updated: Mar 18, 2022
Let this be a lesson: no one is immune to hacking. Top cybersecurity firm FireEye was hacked by a nation-state actor it called a “highly sophisticated threat actor,” and the thieves stole Red Team penetration-testing tools, the tests and resources FireEye uses to assess the security of its clients’ assets.
What Happened?
The Washington Post and the New York Times both reported the hack. They noted that although there was no clear confirmation of where the threat came from, the case was handed to the FBI’s Russia specialists. The FBI suspects it is the work of Cozy Bear (aka APT29), a state-sponsored hacking group backed by Russia’s SVR Foreign Intelligence Service.
The hackers also accessed internal system data, looking for information about government clients. FireEye does not believe any of that data was exfiltrated for use. Kevin Mandia, CEO of FireEye, commented in a blog post that “This attack is different from the tens of thousands of incidents we have responded to throughout the years.” He went on: “The attackers tailored their world-class capabilities specifically to target and attack FireEye. They are highly trained in operational security and executed with discipline and focus. They operated clandestinely, using methods that counter security tools and forensic examination. They used a novel combination of techniques not witnessed by us or our partners in the past.”
The attack was sophisticated and well planned. The criminals set up thousands of IP addresses throughout the U.S. to use in carrying out the intrusion. Google and Microsoft were asked to consult, and they, too, had never seen anything like this particular scheme.
What are Red Team Pen Tools?
Security researchers and defense companies use Red Team pen tools to replicate attacks seen in the wild. By mimicking real attacks, they learn how to defend against them and how to respond.
In the hands of hackers, these tools are a dangerous proposition: cybercriminals could use them to circumvent security measures and evade detection. FireEye confirmed that the stolen assets did not include any zero-day exploits.
The stolen tools did include scripts, entire frameworks, and modified publicly available resources. According to The Hacker News, “To minimize the potential impact of the theft of these tools, the company has also released 300 countermeasures, including a list of 16 previously disclosed critical flaws that should be addressed to limit the effectiveness of the Red Team tools.”
What is Being Done?
FireEye is working closely with the Federal Bureau of Investigation (FBI) and Microsoft, along with other partners, to discover how the data breach occurred and how to mitigate any future risk.
Unfortunately, this is the latest in a string of attacks on cybersecurity firms, following Avast, Bit9, Kaspersky Lab, and RSA Security. FireEye is a well-known security provider for government agencies and large corporations such as Sony and Equifax, which is why it was a prime target.
This breach is the largest since the 2016 compromise of the National Security Agency by the Shadow Brokers. The threat actors there stole a whole host of security tools, which were later used to attack and infiltrate hospitals, government agencies, and corporations.
The good news is that FireEye’s Red Team pen tools were mostly snippets of malware that already exists in the wild, together with tools to mitigate it.
The New York Times quoted Patrick Wardle, a former NSA hacker and now a security expert, as saying: “Hackers could leverage FireEye’s tools to hack risky, high-profile targets with plausible deniability.” He went on to say, “In risky environments, you don’t want to burn your best tools, so this gives advanced adversaries a way to use someone else’s tools without burning their best capabilities.”
How Can the Layman Stay Safe?
If big, well-resourced cybersecurity firms are not immune to threat actors, how can the general public expect to keep their systems safe? Although it’s impossible to guarantee 100% safety, there are things you can do to secure your network and keep your data as safe as possible.
- Keep all your devices updated with the latest security patches.
- Install good, strong antivirus/anti-malware software and run deep scans often.
- Never provide personal information to anyone you don’t know.
- Do NOT click links in an email.
- Watch out for phishing email scams.
- Turn on two-factor authentication whenever it is offered.
- Create very long, strong passwords.
- Never reuse passwords on multiple websites.
- Monitor your network diligently by reviewing access logs.
- Use a firewall to limit outside access by IP or other means.
- Don’t share logins with anyone.
- Keep your banking “offline” to protect your financial assets.
The bottom line: anything you do not want accessed, keep offline. If it’s on a computer, disconnect that computer from the internet so there is no way for a threat actor to reach it. These days it’s critical to take a defensive stance against cybercrime and do more than you think is necessary to keep yourself and your data safe.