FireEye hacked, Red Team tools stolen

It is an outright disaster for the partly CIA-financed security company FireEye. Suspected state-sponsored hackers have penetrated its internal networks to search for customer data, and have also stolen its Red Team tools.


FireEye Inc. is a publicly traded company based in Milpitas, California, USA, which provides network security software and services. In 2016 the company had 3,200 employees. Its main product, called the FireEye Malware Protection System, is attack detection software. It works on the basis of traffic analysis using signatures and heuristic methods to identify suspicious behavior and then attempts to reconstruct a compromise by replaying it against a sandbox. The software is marketed as a revolutionary solution against advanced malware such as advanced persistent threats and zero-day exploits. Initially, the venture capitalists of the company, founded in 2004 by a Sun engineer, included In-Q-Tel, the investment team of the US foreign intelligence agency CIA.

(Source: Pexels, Markus Spiske, CC0 License)

FireEye: Sorry, we are hacked

In a statement titled "Unauthorized Access of FireEye Red Team Tools", FireEye admitted on December 8, 2020 that it had been hacked. The message reads:

A sophisticated, state-sponsored adversary stole FireEye Red Team tools. Since we believe that an opponent possesses these tools, and we don't know if the attacker intends to use the stolen tools himself or to make them public, FireEye is publishing hundreds of countermeasures in this blog post to enable the broader security community to protect themselves against these tools.

In a nutshell, the unknown hackers have stolen the Red Team's tools. The Red Team is an independent group whose job is to find security vulnerabilities before an external third party can exploit them. Whoever holds these tools can use them to find as-yet-unknown vulnerabilities.

The stolen tools range from simple scripts that automate the detection of an attack to entire frameworks resembling publicly available technologies such as Cobalt Strike and Metasploit. While many of the FireEye Red Team tools have already been released to the general public and are distributed in the open source CommandoVM virtual machine, a number of other tools have not yet been made public.


FireEye writes that the Red Team tools stolen by the attacker did not contain or use any zero-day exploits. The tools rely on known and documented methods that are used by other Red Teams worldwide. Nevertheless, the theft of the tools is of course a disaster for security officers.

FireEye's damage limitation

FireEye claims to have already integrated countermeasures into its FireEye products. Furthermore, these countermeasures were shared with partners and government agencies to significantly limit the adversary's ability to make use of the Red Team tools. A list of these countermeasures can be found in the FireEye GitHub repository. In other words, FireEye is currently attempting to limit the damage after the horse has already bolted. The colleagues at heise have published a list of CVEs here that can be exploited in attacks. Administrators should therefore patch these vulnerabilities in their systems quickly.

Hackers searched for customer lists

The attackers were probably primarily after the customer lists containing the names of government agencies, as the company admitted. Experts suspect that the customer lists could be, or were meant to be, used in future attacks on a variety of U.S. and Western national security agencies and companies. However, FireEye says there is no evidence to date that customer data stored on FireEye's primary systems has been exfiltrated.

"I have come to the conclusion that we are witnessing an attack by a nation with top-level offensive capabilities," Kevin Mandia, FireEye CEO and former Air Force officer, admitted in a blog post. "The attackers have tailored their world-class capabilities specifically to the FireEye target and attack". The attack was different from what FireEye had seen in the wild for years. However, the company is holding back on naming the state hacker group.

A person familiar with the matter is quoted by the Wall Street Journal (WSJ) as saying that Russia is currently considered the most likely perpetrator by investigators, including U.S. intelligence agencies. However, the source stressed that the investigation is continuing. Moscow's foreign intelligence service, known as the SVR and one of the two Russian groups that hacked the Democratic National Committee before the 2016 presidential elections, is considered responsible, the person said.

FireEye is in bad company with other hacked security companies. The colleagues at Bleeping Computer have compiled a list of previous hacks of companies such as Avast, Kaspersky, Trend Micro and Google. And yet the consultants are still chasing the myth that an Advanced Threat Protection solution can keep attackers out of your IT networks or the cloud.
