Flash Alert: FireEye Breach

On December 8, 2020, the security vendor FireEye disclosed that unidentified and highly sophisticated state-sponsored threat actors had breached its networks and stolen the Red Team tools it uses for penetration testing of its clients. FireEye accordingly released countermeasures, in OpenIOC, Yara, Snort, and ClamAV formats, to defend against the potential malicious use of these tools. The scope and the applications of the compromised tools vary, from complete frameworks to automated reconnaissance scripts, but they do not include any zero-day exploits. FireEye developed the tools in-house to emulate both attacks that it observed in the wild and publicly available penetration testing tools.

FireEye did not provide further details on the identity or the affiliations of the state-sponsored intruders but noted their special interest in its government clients. Mainstream media reporting has nonetheless suggested an attribution of the incident to APT29, also known as CozyBear. APT29 is attributable to the SVR, Russia's foreign intelligence service. Previous targets of APT29 have included the White House, the U.S. State Department, and COVID-19 vaccine research. The FBI, which is investigating the incident, reportedly assigned the case to its Russia specialists.

This incident serves as a reminder that even the most security-conscious and security-centric organizations, such as a well-known security vendor and a thought leader in the field of advanced threat detection, can become victims. State-sponsored threat actors in particular often pursue more difficult targets at length and invest considerable resources in such attacks if they believe that the compromise of those specific targets is essential to their intelligence mission. State-sponsored threat actors seek to fulfill specific intelligence requirements and often cannot simply shift to another target in order to fulfill them, as many criminals would do when they encounter a prohibitively difficult target.

The capabilities and accesses of security vendors can make them extremely desirable targets. It emerged in 2015 that the Russian anti-virus software vendor Kaspersky Lab suffered a breach at the hands of the highly sophisticated Israeli cyber espionage operation “Duqu 2.0.” In that case, the Israeli attackers may have wanted to learn about Kaspersky's malware detection capabilities in order to improve their ability to evade them. The FireEye breach has also prompted comparisons to the 2016 Shadow Brokers' disclosure of NSA tools, raising the prospect that the potential disclosure of these FireEye tools would enhance the capabilities of both criminals and state-sponsored actors worldwide. It nonetheless remains unclear what the perpetrators of the FireEye breach intend to do with these tools. IntSights notes the possibility that the intruders believe it to be in their interest to keep these tools private for their own use, rather than distributing them, which might dilute their malicious value.

IntSights continues to monitor this incident and its implications and has created a threat library item for it: “FireEye breach – December 2020.” This item includes IOCs from running the above Yara rules against the VirusTotal database.
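One way a defender consumes a file-hash IOC list such as the one in the threat library item is a sweep of hosts or file shares for files whose SHA-256 matches an entry. The following is an added example, not IntSights' or FireEye's code: the IOC set, the directory layout, and the file contents are all constructed inside the block so it runs offline; a real sweep would load the hashes from the published IOC feed and point `scan_directory` at the paths of interest.

```python
"""Sweep a directory tree for files whose SHA-256 matches a set of IOC hashes.

Added example, not IntSights' or FireEye's code. The IOC set below is
constructed from sample bytes embedded here; in practice the hashes would
come from the threat library item or FireEye's published countermeasures.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Constructed sample content standing in for a file flagged by the countermeasures.
SAMPLE_FLAGGED_CONTENT = b"constructed sample: stand-in for a flagged red-team tool binary\n"
SAMPLE_BENIGN_CONTENT = b"constructed sample: ordinary file\n"

# Constructed IOC set: the SHA-256 of the flagged sample above (assumption, not a
# real indicator). A real sweep would load this set from the IOC feed instead.
IOC_SHA256 = {hashlib.sha256(SAMPLE_FLAGGED_CONTENT).hexdigest()}


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_directory(root, iocs):
    """Return [(path, sha256)] for every regular file under root whose hash is in iocs.

    Symlinks are skipped so the sweep cannot be steered outside the tree, and
    unreadable files are skipped rather than aborting the whole sweep.
    """
    matches = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if path.is_symlink() or not path.is_file():
                continue
            try:
                digest = sha256_file(path)
            except OSError:
                continue
            if digest in iocs:
                matches.append((str(path), digest))
    return matches


def demo():
    """Build a constructed tree with one flagged and one benign file, then sweep it.

    Returns [(file name, sha256)] of the matches so the result is checkable.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "tools").mkdir()
        (root / "tools" / "flagged.bin").write_bytes(SAMPLE_FLAGGED_CONTENT)
        (root / "readme.txt").write_bytes(SAMPLE_BENIGN_CONTENT)
        hits = scan_directory(root, IOC_SHA256)
        return [(Path(p).name, d) for p, d in hits]


if __name__ == "__main__":
    for name, digest in demo():
        print(f"IOC match: {name} sha256={digest}")
```

Hash matching only catches unmodified copies of the flagged files; the Yara, Snort, and ClamAV countermeasures cover cases where the tools have been rebuilt or repacked, so a hash sweep complements rather than replaces them.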

Mitigation Tools:

FireEye countermeasures released on GitHub

Learn more about how Russian threat actors attack global organizations, military operations, and government departments in our research report, The Dark Side of Russia.
