Who is FireEye?
What was taken in the hack?
FireEye has stated that their own offensive tooling was taken by the threat actor. This tooling was typically based on existing malware that FireEye has responded to in the wild and as such contains no zero-days. However, the tooling does allow an attacker to exploit several aspects of enterprise IT. FireEye has released hundreds of detection mechanisms that can be used in uncovering the tools if they are used.
Who was responsible?
FireEye stated that it was a nation-state using highly sophisticated techniques never seen before. Speculation is rife that it was Russia’s SVR Foreign Intelligence Service (APT29), as reported by the Washington Post but not yet confirmed. APT29 is a nation-state “advanced persistent threat” group that has been linked with various cyberattacks around the world. The FireEye attack would be similar to the Shadow Brokers attack on Equation Group (the U.S. NSA), which stole US offensive tooling that was subsequently used by a range of Russian threat actors, among others.
What don’t we know yet?
A lot. Anything beyond this point is pure speculation. We don’t know the techniques used, or who did it. We also don’t know why they did it, or the full range of what was stolen. It seems strange for a sophisticated adversary to use never-before-seen techniques purely to steal FireEye attack tooling: that tooling is not ‘new’, so the attacker burned something of high value for something that is probably of lower value. So there may be more to this:
- Did the threat actor steal government and customer data?
- Did they steal FireEye product data to craft exploits against it?
- Was this purely a geopolitical statement and a response by Russia in light of recent US Gov disclosures of Russian malware capabilities?
What it means for the industry
This could go two ways:
- People think that if FireEye, one of the most defended firms on the planet, can get hacked, then what’s the point in even trying?
- People see the fallout and impact of this, and realise that nation-state cyber war is real. They know they need to do more to defend themselves.
We're all in this together
At this stage it is important to remember that most of what is being written in the media is speculation. We should also be clear that FireEye has set a good example by being open about what happened. They have worked hard to release the detection mechanisms. As fellow members of the blue team, we at HolistiCyber wish everyone well in the continued fight against an escalating cyber threat.