Suspected Russian Attackers Steal FireEye Red Team Tools

    Security giant FireEye has been on the receiving end of a sophisticated, novel attack by nation-state actors seeking information on its government customers, the company has revealed.

    CEO Kevin Mandia explained in a blog post yesterday that the attackers were able to access some internal systems, but that there is no evidence so far that they managed to exfiltrate customer data or the metadata collected by the firm's threat intelligence systems.

    However, they did manage to steal some of FireEye's red team tools, which the company uses to test its customers' security.

    “We are not sure if the attacker intends to use our red team tools or to publicly disclose them. Nevertheless, out of an abundance of caution, we have developed more than 300 countermeasures for our customers, and the community at large, to use in order to minimize the potential impact of the theft of these tools,” Mandia explained.

    “We have seen no evidence to date that any attacker has used the stolen red team tools. We, as well as others in the security community, will continue to monitor for any such activity.”

    According to a separate blog post from the company, these tools range from simple scripts used to automate reconnaissance to entire frameworks similar to publicly available offerings such as Cobalt Strike and Metasploit.

    Although Mandia released few details of how the attackers gained a foothold in the network of one of the world's highest-profile cybersecurity companies, he did say that the adversary was most likely a nation state with “top-tier offensive capabilities.”

    “This attack is different from the tens of thousands of incidents we have responded to throughout the years. The attackers tailored their world-class capabilities specifically to target and attack FireEye,” he said.

    “They are highly trained in operational security and executed with discipline and focus. They operated clandestinely, using methods that counter security tools and forensic examination. They used a novel combination of techniques not witnessed by us or our partners in the past.”

    Reports have suggested with near certainty that the attackers were backed by the Russian state. If that is the case, it would call to mind the Shadow Brokers leaks of 2016, which exposed some powerful NSA hacking tools.

    Rick Holland, CISO at Digital Shadows, argued that the stolen red team tools, which are designed to mimic the behavior of real threat actors, will give the attackers a further means of compromising government targets.

    “They can reserve their top-tier tools for ‘hard targets’ like the Department of Defense and possibly leverage these new tools against ‘soft targets’ like civilian government agencies,” he added.

    “The unknown intruders could use the stolen tools to imitate other countries’ tactics, adding a new layer to protect their true identities and intentions. Stealing these tools also lowers operational costs, as the nation-state actors don't have to develop new software exploits and management tools for their intrusions.”