By Bruce Sussman
Tue | Dec 8, 2020 | 3:46 PM PST

Alerts, warnings, and details on countermeasures appeared in rapid succession on Tuesday as the cyber world heard something shocking: attackers stole FireEye's Red Team tools.

These are the tools FireEye is invited to use on organizations around the world to poke, prod, and find holes in cyber defenses so they can be shored up.

Now, someone has these tools and can potentially use them to find cybersecurity vulnerabilities and attack them.

This is a developing situation, and here is what we know so far.

FireEye cyber attack details

It was already dinner time on the east coast when the U.S. Cybersecurity and Infrastructure Security Agency (CISA) sent a U.S. CERT Alert titled Theft of FireEye Red Team Tools.

At the same time, FireEye CEO Kevin Mandia published a blog post addressing the information security community with details on the attack and explaining his belief that nation-state attackers stole the firm's Red Team tools:

"Based on my 25 years in cyber security and responding to incidents, I've concluded we are witnessing an attack by a nation with top-tier offensive capabilities. This attack is different from the tens of thousands of incidents we have responded to throughout the years. The attackers tailored their world-class capabilities specifically to target and attack FireEye. They are highly trained in operational security and executed with discipline and focus. They operated clandestinely, using methods that counter security tools and forensic examination. They used a novel combination of techniques not witnessed by us or our partners in the past."

Like most tech firms, FireEye deals with regular attempts to breach its corporate defenses. This attack, Mandia says, was different, and he believes he has identified a target for use of the stolen tools:

"Consistent with a nation-state cyber-espionage effort, the attacker primarily sought information related to certain government customers."

And he goes on to explain what threat actors stole and what they did not get in the attack:

"During our investigation to date, we have found that the attacker targeted and accessed certain Red Team assessment tools that we use to test our customers' security. None of the tools contain zero-day exploits."

FireEye data breach: what will happen to hacked Red Team tools?

What will happen with the Red Team tools hackers stole from FireEye?

"Hopefully, these tools don't make their way into the public's hands. We have seen the damaging impact of Hacking Team and the NSA's EternalBlue tool leaks/disclosures," says Rick Holland, CISO and VP of Strategy at Digital Shadows.

"If these tools become widely available, this will be another example of the attackers' barrier to entry getting lower and lower. The bottom line here: these tools making it into the wrong hands will make defenders' lives more challenging."

And Brandon Hoffman, CISO at Netenrich, has another idea on a possible use:

"Very interesting that they stole the red team toolkit from FireEye. Most likely they plan to use this commodity type tooling to cover up their tracks so as to not expose their own custom tools and save those for special attacks or second stage attacks."

FireEye posts Red Team tool countermeasures

Will these tools be used against your organization or entity tonight, next week, or next year?

FireEye has released more than 300 countermeasures that it says will help defend your organization from these tools and help you detect their usage. Access the FireEye Red Team Tool Defense on GitHub.
