FireEye hacked, by whom?

(To Alessandro Rugolo)
14/12/20

The US company FireEye, cyber security giant, recently denounced having been the victim of hackers, probably supported by a state.

We remember that FireEye is the company that supports federal government agencies and states, including the FBI and NSA, not to mention American industry.

It was FireEye to inform their customers of the incident through a post on the company's blog in which the hackers are described as highly professional and it is said that the attack was carried out using techniques and procedures never used before and studied specifically for the occasion, what which suggests that there is a well-established state behind the sector with the intention of carrying out espionage activities.

FireEye is working with the FBI and Microsoft to carry out all necessary investigations. 

During the investigation FireEye has found that hackers have stolen some of the tools used by their own Red Teams to perform activities of pentesting. Tools that if used by malicious people could be very dangerous. The company said that, as a precaution, it has developed more than 300 tools to minimize the impact of any use of such tools against its customers (or of releasing such tools to the public).

In another post the company explains which tools have been stolen and indicates a list of countermeasures already released.

What more can I say? It seems that everything is going well ...

But it comes naturally to me to express some of my thoughts aloud.

Firstly everyone knows the tools to do penetration testing are generally public (but not the private ones of the companies that developed them for their own business), what makes the difference are the skills of the organizations that employ them, the ability of an organization to sustain an operation for a long time, the experience of hacker ...

The tools of penetration testing in practice they are weapons, more or less powerful, which are used (by good people) to test friendly systems and indicate how it is possible to better protect them. If you agree up to here, you will agree that since these are customized "weapons", they were certainly well guarded and to think that one of the main companies in the sector has had "weapons" taken from another state, when it is known that the United States are the strongest in the industry, well, let's say that some doubts come. If this is the case, it is easier to think of a theft from within than an attack from the outside. Also it appears that this time the FireEye did not indicate which state could be behind the attack, which is strange given that one of its activities is precisely to identify the provenance of the APTs. 

The company stated that there are none of the stolen tools Zero-Day exploits nor unknown techniques. But he also claimed to have released more than 300 countermeasures ... even in these sentences it seems to me that there are contradictions. What use are specific countermeasures if there is nothing new? If it were true that nothing new has been stolen from him, I don't think it would have been necessary to release hundreds of countermeasure tools ... but so be it!

Finally, and unfortunately this is the most sensitive issue, are we sure that nothing else has been subtracted? Often, in order to carry out work of pentesting, it is necessary to collect information on the systems that we want to make safer, information that in the hands of capable people shows the weak points of the systems.

We know that the FireEye it works with American national agencies for which it is conceivable that among the data in its possession there are also data regarding the critical infrastructures on which they are working or have worked. If this data has gone into the hands of thieves, mere criminals or enemy states, things could get complicated for everyone ... 

To learn more:

FireEye Shares Details of Recent Cyber ​​Attack, Actions to Protect Community | FireEye Inc

FireEye, a top US cybersecurity company, says it was hacked (nbcnews.com)

Unauthorized Access of FireEye Red Team Tools | FireEye Inc

FireEye hacké! Ses outils Red Team ont été dérobés! (programmez.com)

GitHub - fireeye / red_team_tool_countermeasures

FireEye piraté: le géant de la cybersécurité y voit la main d'un Etat - CNET France

FireEye, a Top Cybersecurity Firm, Says It Was Hacked by a Nation-State - The New York Times (nytimes.com)