FireEye Breach: What does it all mean?

No longer breaking news, as I'm sure every cyber security professional is aware: FireEye announced on Dec 8, 2020 that they were the victims of a data breach from what they are calling a "state sponsored attack". Now that things have settled down a little and more details have been officially released, let's dig into the breach to summarize what we know and analyze what sort of impact this could have on the cyber industry and on businesses across the world.

But first, who is FireEye?
FireEye was founded in 2004 specializing in sandboxing technology, but really took the shape of the FireEye we recognize today when it acquired Mandiant in December 2013 for roughly $1 billion. With this acquisition they expanded their portfolio and became a world leader in incident response services. Today FireEye Mandiant offers the following: network security and forensics, endpoint security, email security, and of course consulting, incident response and training. As of December 2019 their employee base was around 3,400, and today their market capitalization is estimated at about $3.12 billion.

In FireEye's initial write-up on the attack they stated that the uniquely constructed attack was executed "by a nation with top-tier offensive capabilities." "They are highly trained in operational security and executed with discipline and focus." Who better to lead a breach investigation than Mandiant themselves? They are nevertheless doing their full due diligence and pulling in the FBI and Microsoft, among others, to assist in the investigation. Major news agencies are reporting that the main culprit in this attack looks like Russia's elite hacking group known as Cozy Bear or APT29.

During the investigation it was discovered that the attackers' main target was FireEye's treasure trove of custom Red Team assessment tools. While we can assume these tools by themselves are quite dangerous in the hands of an adversary, there do not appear to be any zero-day exploits included in what was taken. In FireEye's words:
"The stolen tools range from simple scripts used for automating reconnaissance to entire frameworks that are similar to publicly available technologies such as CobaltStrike and Metasploit."

FireEye took the cautionary route of releasing more than 300 countermeasures to the public to detect the tools and minimize potential impact. Yara, Snort, ClamAV and OpenIOC detections have been released, so we can expect AV and IPS vendors to be hard at work updating rule sets before anything is seen in the wild.
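The YARA, Snort and ClamAV signatures need their own engines, but a hash list is something even a small shop can act on in an afternoon. As an added example (this is not FireEye's code and not taken from the countermeasures repository), the Python below walks a directory tree and flags any file whose SHA-256 appears in a list of tool hashes. The "sha256,name" CSV format, the sample tool bytes and the benign file are all constructed for the example; the real list would be substituted for the embedded stand-in.

```python
"""Hash-based IOC sweep, written as an illustration of acting on a
published hash list. Not FireEye tooling; the CSV layout and the
sample files are assumptions for this example."""
import csv
import hashlib
import io
import os
import tempfile
from typing import Dict, List, Tuple

# Constructed stand-ins for "stolen tools". Their digests become the IOC
# list below, so nothing here corresponds to a real tool or real hash.
_SAMPLE_TOOL_BYTES = {
    "recon_script": b"#!/usr/bin/env python\n# constructed recon helper\nprint('enum')\n",
    "beacon_loader": b"MZ\x90\x00constructed-loader-stub\x00",
}


def build_demo_hash_csv() -> str:
    """Build the constructed hash list in the assumed 'sha256,name' CSV format."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["sha256", "name"])
    for name, data in _SAMPLE_TOOL_BYTES.items():
        writer.writerow([hashlib.sha256(data).hexdigest(), name])
    return buf.getvalue()


def load_hash_iocs(csv_text: str) -> Dict[str, str]:
    """Parse the CSV into {sha256: name}, normalising case and dropping
    rows that are not a 64-character hex digest."""
    iocs: Dict[str, str] = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        digest = row["sha256"].strip().lower()
        if len(digest) == 64 and all(c in "0123456789abcdef" for c in digest):
            iocs[digest] = row["name"].strip()
    return iocs


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Hash a file in 1 MiB chunks so large binaries never sit in memory whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root: str, iocs: Dict[str, str]) -> List[Tuple[str, str]]:
    """Walk root and return (path, tool_name) for every file whose digest is
    in the IOC set. Unreadable files are skipped rather than aborting the run."""
    hits: List[Tuple[str, str]] = []
    for dirpath, _dirs, filenames in os.walk(root):
        for filename in filenames:
            path = os.path.join(dirpath, filename)
            try:
                digest = sha256_file(path)
            except OSError:
                continue  # permission denied, vanished file, special file
            if digest in iocs:
                hits.append((path, iocs[digest]))
    return sorted(hits)


def make_sample_tree(root: str) -> None:
    """Write constructed files: two 'stolen tools' plus one benign file."""
    tools_dir = os.path.join(root, "tools")
    os.makedirs(tools_dir, exist_ok=True)
    for name, data in _SAMPLE_TOOL_BYTES.items():
        with open(os.path.join(tools_dir, name + ".bin"), "wb") as f:
            f.write(data)
    with open(os.path.join(root, "notes.txt"), "wb") as f:
        f.write(b"benign file, not in the hash list\n")


def demo() -> List[Tuple[str, str]]:
    """Run the sweep end to end on a temporary tree; returns (relative path, name)."""
    with tempfile.TemporaryDirectory() as root:
        make_sample_tree(root)
        hits = sweep(root, load_hash_iocs(build_demo_hash_csv()))
        return [(os.path.relpath(path, root), name) for path, name in hits]


if __name__ == "__main__":
    for rel_path, tool_name in demo():
        print(f"HIT {rel_path} -> {tool_name}")
```

Hash matching is the weakest of the released detection types, since recompiling a tool changes its digest; it is a quick first pass, and the string-based YARA rules are what catch variants.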

Details can be found here:

The github of countermeasures:

Business News Insider reports that FireEye stock took a 13% hit after the breach was disclosed, which equals around $450 million off the company's market capitalization. Will they bounce back from this attack? In my opinion yes, without a doubt. They handled the breach in a very respectful manner and assisted the industry by being open with releasing IOCs and countermeasures. Let's face it, the fact that they didn't open their first public statement with "we take security seriously" gives them a few extra points. Maybe the drop in stock price just means now is the time to buy.

Some very sophisticated tools are now in the wrong hands, there is no arguing that fact, but this will not be the straw that breaks the cyber professional's back. We have no idea what the attacker will use these tools for, or whether they will even end up being released to the public at all. If one of these tools truly is a framework similar to CobaltStrike, yes, it's good to be aware of its existence, but again, for the average organization this is not an event to prioritize over general Windows patching, for example. If your org has the bandwidth and the tooling required to detect the IOCs released in the countermeasures, by all means take action to protect yourself. If your org has port 3389 open to the public or hasn't deployed MFA, knock those out before even thinking about spending time on protecting yourself from these tools.

The well-known saying "It's not if you will get breached, it's when and how bad" fits this FireEye situation as always. RSA, Kaspersky, the NSA and SANS are just a few of the many high-profile security organizations breached over the past few years. It will happen, but how you react when the pressure is on is how you will be remembered and judged for years to come.

