FireEye, you are in so much trouble!


On 8 December 2020, FireEye disclosed that they had been hacked, that the attackers had made off with their red team tools, and that they had no idea who was behind the attack.

When all efforts to identify the probable attacker fail, it easily becomes an act perpetrated by "state-backed hackers."

In his blog post, FireEye CEO Kevin Mandia says: "Based on my 25 years in cybersecurity and responding to incidents, I’ve concluded we are witnessing an attack by a nation with top-tier offensive capabilities. This attack is different from the tens of thousands of incidents we have responded to throughout the years. The attackers tailored their world-class capabilities specifically to target and attack FireEye. They are highly trained in operational security and executed with discipline and focus. They operated clandestinely, using methods that counter security tools and forensic examination. They used a novel combination of techniques not witnessed by us or our partners in the past."

Today, 9 December 2020, it was revealed that the APT behind this attack was Cozy Bear, which is sponsored by the Russian state; it is unclear whether it is the SVR or the FSB.

One thing that surprises me: if the perpetrators were so "advanced," why did they need substandard or obscure FireEye tools? I guess there is more to this than what has been shared with us to date.

What to do now?

FireEye has released [[Yara]], [[SNORT]], [[ClamAV]], and [[HXIOC]] rules that can be imported into various SIEM tools to proactively monitor for activity. They have also released the CVEs their red team tools were designed to exploit.

But what about…

FireEye has been great with disclosure so far; however, I have not seen a timeline of the events. That timeline would tell organizations how far back they need to go when applying the shared SIEM rules to their logs to check for compromise.
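As an added illustration of that lookback problem (example code written here, not FireEye's or the post's own; the log lines are constructed and the sha256 values are placeholders, not published indicators), a retrospective hunt that applies a hash indicator set to endpoint logs only within a chosen window:

```python
from datetime import datetime, timezone

# Constructed endpoint process-creation log lines (not real telemetry).
# The sha256 values are placeholders, not FireEye-published indicators.
SAMPLE_LOGS = """\
2020-09-30T22:15:03Z ws-017 process_create sha256=placeholder_hash_a image=tool.exe
2020-11-20T09:41:27Z srv-db1 process_create sha256=placeholder_hash_b image=svchost.exe
2020-12-05T14:03:55Z ws-042 process_create sha256=placeholder_hash_a image=update.exe
2020-12-08T17:12:09Z ws-042 process_create sha256=placeholder_hash_c image=app.exe
"""

# Placeholder indicator set standing in for a released hash-based rule set.
INDICATORS = {"placeholder_hash_a"}

def _utc(iso):
    """Parse a 'YYYY-MM-DDTHH:MM:SSZ' timestamp as an aware UTC datetime."""
    return datetime.strptime(iso, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse_line(line):
    """Split one log line into (timestamp, host, event, {field: value})."""
    ts, host, event, *fields = line.split()
    return _utc(ts), host, event, dict(f.split("=", 1) for f in fields)

def hunt(log_text, indicators, lookback_start):
    """Return (timestamp, host, image) for every event at or after
    lookback_start whose sha256 is in the indicator set."""
    start = _utc(lookback_start)
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, _event, kv = parse_line(line)
        if ts < start:
            continue  # outside the window: never examined, so never detected
        if kv.get("sha256") in indicators:
            hits.append((ts.strftime("%Y-%m-%dT%H:%M:%SZ"), host, kv.get("image")))
    return hits

def earliest_hit(hits):
    """Earliest matching timestamp, i.e. how far back the exposure actually starts."""
    return min(h[0] for h in hits) if hits else None

if __name__ == "__main__":
    # Hunting only from the disclosure date finds the December hit on ws-042...
    print(hunt(SAMPLE_LOGS, INDICATORS, "2020-12-01T00:00:00Z"))
    # ...while a longer lookback also surfaces the September event on ws-017.
    print(hunt(SAMPLE_LOGS, INDICATORS, "2020-09-01T00:00:00Z"))
```

Without a published timeline, the window start is a guess, and any event before it is simply never checked.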

My soapbox

I will harp on it again: staying on top of your patching is the key to reducing your cyber risk significantly. However, if your vendor has been compromised, as was the case with SolarWinds Orion and Sunburst, you are pretty much out of luck!

What should the industry do?

Consumers will do what they have to in order to protect their environments. It is now up to the security vendors to include the FireEye tool signatures in their platforms; some of the vendors that come to mind are:

  • Microsoft
  • Palo Alto Networks
  • CheckPoint
  • Cisco
  • Securonix
  • Alienvault
  • Fortinet
  • Juniper Networks
  • others.

What is going to happen to FireEye?

FireEye’s brand and reputation are damaged now, as is evident from their stock taking a 14% hit. New business will be difficult to close because trust in their capability is tarnished. Existing customers might be thinking about not renewing or getting out of contracts. We don’t even know ‘what else’ was stolen.