Cybersecurity firm FireEye announced Tuesday that a sophisticated group of hackers, likely state-sponsored, broke into its network and stole tools the company’s experts developed to simulate real attackers and test the security of its customers. While this is a worrying development, it’s unlikely that this will result in a significant risk increase to organizations, as some offensive tool leaks did in the past.
FireEye is one of the world’s top cybersecurity firms with major government and enterprise customers around the world. The company is known for its top-notch research on state-sponsored threat actors and its incident response capabilities. Over the years it was called to investigate some of the most high-profile breaches in governments and organizations.
Who breached FireEye?
“Recently, we were attacked by a highly sophisticated threat actor, one whose discipline, operational security, and techniques lead us to believe it was a state-sponsored attack,” FireEye CEO Kevin Mandia said in a public announcement. “This attack is different from the tens of thousands of incidents we have responded to throughout the years. The attackers tailored their world-class capabilities specifically to target and attack FireEye. They are highly trained in operational security and executed with discipline and focus. They operated clandestinely, using methods that counter security tools and forensic examination. They used a novel combination of techniques not witnessed by us or our partners in the past.”
What did the FireEye attackers want?
The attackers, which the Washington Post reported are the hacking arm of Russia’s SVR foreign intelligence service, known in the security industry as APT29 or Cozy Bear, sought information related to FireEye’s government customers. The company said that at this time it hasn’t seen any evidence that customer information related to incident response and consulting engagements was stolen, but the attackers did get some of the company’s internal red team tools.
Red team is the industry term for penetration testers contracted to simulate real attacks so that defenders — the blue team — can assess the strength of the organization’s security measures, their ability to respond and the impact of potential breaches. According to FireEye, the tools that were stolen range from simple scripts for network reconnaissance to more advanced attack frameworks that are similar to other publicly available penetration testing toolkits like Metasploit or CobaltStrike, but which were developed specifically for its red team. Some of the tools are already public as part of the company’s open-source virtual machine CommandoVM or are modifications of existing open-source scripts and packages.
“The red team tools stolen by the attacker did not contain zero-day exploits,” FireEye said in a blog post. “The tools apply well-known and documented methods that are used by other red teams around the world. Although we do not believe that this theft will greatly advance the attacker’s overall capabilities, FireEye is doing everything it can to prevent such a scenario.”
The company has published indicators of compromise (IOCs) and detection rules and signatures for a variety of popular open-source detection technologies including OpenIOC, Yara, Snort and ClamAV. A list with the CVE identifiers of all vulnerabilities exploited by the tools has also been published on the company’s GitHub account.
How the FireEye breach compares to past cyberattack tool thefts
Public leaks of cyberattack tools in the past, like the 2017 dump of NSA tools and exploits by a group dubbed the Shadow Brokers or the 2015 leak of tools from surveillance software company Hacking Team, resulted in adoption of those offensive capabilities by many attacker groups.
“The first thing I thought of when I heard about the FireEye breach was the Shadowbrokers dump, and how that led to WannaCry,” said Tod Beardsley, director of research at vulnerability and compliance management firm Rapid7, which also oversees the Metasploit Project. “However, there are some important differences between that theft and this one. Namely, the FireEye tools, according to FireEye’s own statements, appear to be mostly incremental improvements to public, already known techniques and tooling.”
The Shadow Brokers dump contained EternalBlue and EternalRomance, two weaponized and reliable exploits for vulnerabilities in the Windows SMB protocol that Microsoft had patched one month before the leak after being alerted by the NSA. At the time they were stolen, however, the exploits had zero-day status. EternalBlue ended up powering the major WannaCry and NotPetya ransomware worms of 2017 that disrupted hundreds of thousands of systems across enterprise networks around the world and caused billions in losses.
What is the risk from the FireEye breach?
“I don’t think that we should be expecting some kind of cyber-apocalypse from this [the FireEye leak], even if the tools ultimately get leaked or released publicly,” Beardsley tells CSO. “Don’t get me wrong, FireEye red teaming is really good — world class, even — but the high level they operate at is much more about how they conduct offensive operations end-to-end, and not reliant on secret super-tooling. All this is to say that IT and IT security organizations should keep doing what they’re doing — managing patch rollouts in a reasonable amount of time, have decent alerting infrastructure for their IDS/IPS/firewalls, and managing their assets in a sensible way to reduce risk to their enterprises.”
Mike Wiacek, CEO and founder of cybersecurity startup Stairwell, feels the same. “The lack of any zero days, in this case, is a blessing, because it means the attackers are no better or worse off for gaining a beachhead in an organization than they were beforehand,” he tells CSO. “That means that the important stalwarts of cybersecurity hygiene are as important as ever: Stay updated, defense in depth, and teaching users to report suspicious events. Much like public health measures in the ongoing pandemic, these basics provide the bulk of our protection.”
For now, FireEye said that it hasn’t seen any evidence that the tools were disseminated or used by any adversaries in the wild. The reality, though, is that this hacker group doesn’t really need those tools giving their existing capabilities. By FireEye’s own description, the attackers developed a never-before-seen combination of techniques to break into the company in the first place, so they’re likely more than capable of creating similar tools to what FireEye had.
Wiacek, who previously founded Google’s Threat Analysis Group and served as CSO of Alphabet’s Chronicle security startup, thinks that the attackers were likely after something else and might have just grabbed the tools because it was convenient. It could also be that they just took them to analyze later without knowing in advance whether they would prove valuable.
“A sophisticated adversary developed new techniques to compromise FireEye only to steal code that mimicked known attackers. Nothing there makes sense,” he said. “It’s like Jeff Bezos or Elon Musk robbing a bank at gunpoint — it’s almost comical to imagine it happening. This is pure opinion/speculation on my part, but it seems like a waste of capability to develop novel techniques and steal tools that imitate known attackers. Part of [me] wonders if they went for something else, but it’s impossible to say and odds are, FireEye doesn’t even know yet. Similar to a museum heist — where someone breaks in to steal the Mona Lisa but they maybe grab something from the gift shop on the way out — the first thing you’ll notice missing is from the gift shop, right when you walk in.”
The value for the attackers in having those tools could be that they provide some insight into what attacker techniques FireEye uses against its customers and then teaches those customers to detect. The risk of the tools being made public at some point is that organizations who are not FireEye customers might not have detection for them in place since they were intended to be undetectable for red team engagements. That’s why FireEye decided to develop and release hundreds of IOCs and detection signatures, a move that many security experts applauded, as well as the company’s openness and overall response so far.
“There is absolutely an increased risk to companies because of the theft of these tools,” says Roger Hale, CSO of data privacy firm BigID and an industry veteran who has served in CISO and CSO positions at other large enterprises and cybersecurity firms. “The tools were specifically designed to be undetected. While the good news is that FireEye publicly released the IOCs and counter-measures, companies still need to update their security stacks to protect themselves. The risk isn’t mitigated until the countermeasures are deployed and then only until the tools are modified.”
While Hale thinks attackers might be able to advance their own technology by analyzing and modifying the FireEye tools and techniques, he agrees that the risk is lower than what it was with the Shadow Brokers leak.
There is some risk, but it’s the difference between the multibillion-dollar risk of weaponized vulnerabilities like we saw with WannaCry versus an already sophisticated actor having another tool to use, Robert Lee, the CEO and founder of industrial cybersecurity firm Dragos, tells CSO. “So, I’m not saying there’s no risk. It’s just very much apples and oranges at this point.”
FireEye breach presents an opportunity for defenders
Lee thinks the value of the countermeasures released by FireEye goes beyond organizations and security vendors just deploying detection for the leaked tools into their products and networks, though that should absolutely happen.
“It’s actually an opportunity for defenders to look at those YARA rules and try to think about the tactics, techniques and behaviors being exposed, more than just detecting the tools, because it’s giving defenders an opportunity to learn from the style of targeting that FireEye was able to do. So, there could even be some positive things that come out of this for organizations that do it correctly. If you widen the aperture a little bit, and think beyond just the FireEye toolset, you should be able to find good detection ideas for broader adversary groups.”
It wouldn’t be hard for attackers to modify the leaked tools to evade the detection signatures if they wanted to, so detecting the techniques being used instead could prove more useful. That said, not all companies have big security teams with the necessary bandwidth to make such a deep analysis and turn this into an internal project to strengthen defenses and that’s probably fine, because there are likely more urgent holes that need to be closed.
“If you’re a smaller company or a company doesn’t have a very sophisticated security team, I don’t know that this rises to the top of the list,” Lee says. “There have been a lot of pretty bad Microsoft vulnerabilities that have been disclosed lately, as an example, so maybe those end up being more important to you before you get into the winter holiday shut down or similar. So, do I think this is the number one thing to focus on? No. Do I think it is a good opportunity to focus on this if you’ve got the bandwidth? Absolutely. Otherwise, every major security vendor is going to be adding these detections to their product.”
“It’s virtually certain an adversary of this nature — again based on FireEye’s and FBI’s statements — would be able to trivially evade published indicators,” Wiacek says. “However, no one is perfect and opportunities to detect malicious activity shouldn’t be ignored because of hypotheticals.”
Biggest lesson from the FireEye breach: Anyone can be hacked
Cybersecurity firms being breached by sophisticated actors is not something that’s unheard of — some past examples include attacks against Kaspersky Lab, Bit9 and Avast — and it can be discouraging for defenders across other organizations to see that even those who are at the top of the security game get hacked. After all, if this happens to the best, what chance do they have?
It’s worth remembering there’s no such thing as impenetrable defenses when dealing with complex environments like enterprise networks. A sufficiently motivated and well-resourced attacker will eventually find a way. The goal of modern security programs is to minimize and manage risk, not eliminate it, and it’s common to hear security experts say that it’s a question of when, not if, you get hacked. The important thing is to be prepared to handle such incidents as efficiently as possible and with a reasonably low impact to the organization.
“I feel bad for the FireEye folks, but if anything, this is kind of a good story on one hand, because it shows that even a private sector company can detect and respond to state-level adversaries in near real time,” Lee says. “It’s actually a very nice thing that they weren’t breached and found out about it a year later. They got breached, they almost immediately detected it and were able to respond correctly, which minimized the impact significantly. That’s actually exactly what infosec professionals try to advocate companies do: Not only prevention, but also detection and response because it increases your overall resilience. I would hope that anybody looking at this case, as shocking as it might be at the first pass, can take that and feel pretty emboldened about what they can do with a security program.”
Copyright © 2020 IDG Communications, Inc.