fireeye security infosec breach

FireEye Breach: What to Know

Who is FireEye?

FireEye provides cybersecurity products (endpoint and network) to detect and prevent against advanced threats. A few years ago FireEye bought Mandiant, one of the world’s premier cybersecurity consultancies, particularly in Incident Response. Together, the product and consulting business has had success worldwide and has several government contracts including in the US.

What was taken in the hack?

FireEye has stated that their own offensive tooling was taken by the threat actor. This tooling was typically based on existing malware that FireEye has responded to in the wild and as such contains no zero-days. However, the tooling does allow an attacker to exploit several aspects of enterprise IT. FireEye has released hundreds of detection mechanisms that can be used in uncovering the tools if they are used.

Who was responsible?

FireEye stated that it was a nation-state using highly sophisticated techniques never seen before. Speculation is rife that it was Russia’s SVR Foreign Intelligence Service (APT29) – reported by the Washington Post but not yet confirmed. APT29 is a nation-state “advanced persistent threat” group that has been linked with various cyberattacks around the world. The FireEye Attack would be similar to the Shadowbrokers attack on Equation Group (the U.S. NSA) – which stole US offensive tooling subsequently used by a range of Russian threat actors among others.

What don’t we know yet

A lot. Anything beyond this point is pure speculation. We don’t know the techniques used, or who did it. We also don’t know why they did it, and the full range of what was stolen. It seems strange for a sophisticated adversary to use never seen before techniques purely to steal FireEye attack tooling. It is not ‘new’, as it burns something high value for something that is probably less value. So there may be more to this:

  • Did the threat actor steal government and customer data?
  • Did they steal FireEye product data to craft exploits against it?
  • Was this purely a geopolitical statement and a response by Russia in light of recent US Gov disclosures of Russian malware capabilities?

What it means for the industry

This could go two ways:

  1. People think that if FireEye, one of the most defended firms on the planet can get hacked – then what’s the point in even trying?
  2. People see the fallout from this, the impact, they see that nation-state cyber war is real. They know they need to do more to defend themselves.

We're all in this together

At this stage it is important to remember that most of what is being written in the media is speculation. We should also be clear that FireEye has set a good example by being open about what happened. They have worked hard to release the detection mechanisms. As a fellow member of the blue team – we at HolistiCyber wish everyone well in the continued fight against an escalating cyber threat.

Learn more about some of the big cyberattacks and what we can learn from them: 

HolistiCyber

HolistiCyber enables organizations in their cyber defense challenge, providing them with state-of-the art consultancy, services & solutions to help them proactively and holistically defend themselves in a new era of constantly evolving cyber threats, many of which lead to nation state grade attacks. 

Learn more…

Share:

We use cookies to provide the services and features offered on our website, and to improve our user experience.