State-Supported Actors Attacked American Infosec Expert ‘FireEye’

Published on December 9, 2020
Written by:
Bill Toulas
Bill Toulas
Infosec Writer

The California-based cybersecurity firm ‘FireEye’ has announced a security incident involving a highly sophisticated state-sponsored team of hackers accessing its network and stealing “Red Team” tools. Now, the hackers may either use these tools for malicious purposes or disclose them publicly. In response, FireEye has released a large number of countermeasures to help secure the community.

The firm clarifies that its toolset isn’t exploiting zero-day flaws, but instead, it relies on well-known and documented vulnerabilities. Thus, keeping your software up to date would be a sure way to protect against that particular kit. The infosec firm also believes that this incident won’t strengthen the actor significantly, as sophisticated hackers develop and use their own toolset anyway. It is, however, an important event that encloses symbolism and opens up additional assault channels.

FireEye will actively monitor the web for attacks that appear to derive from the abuse of its tools, hopefully learning more about the adversaries and managing to stop them. In the meantime, everyone is urged to check the firm’s GitHub repository, where hundreds of countermeasures for OpenIOC, Yara, Snort, and ClamAV have been released. A full list of CVEs to plug was also posted there, so system admins are advised to take a closer look.

Although FireEye chose not to speculate on the origin of the attacks, a report from The Wall Street Journal, which invokes internal sources, points to Russian actors. It is important to clarify that the investigations are currently underway, and the cybersecurity firm will almost certainly share more details once they are in a position to speak with certainty.

We have also received commentary from experts in the field, who were asked to estimate the actual impact of this incident on the U.S. national security and the community in general. Rick Holland (CSO and VP at Digital Shadows) comments that the stolen tools will most likely be used against “soft targets” like civilian government agencies, with the hackers reserving their custom top-tier toolset for “hard targets” like the Department of Defense. The more carefully these top-tier tools are used, the less exposure to analysts they have.

Brandon Hoffman, CSO at Netenrich, believes that the scenario of publishing the stolen tools would benefit the actors in the sense that they would create misdirection, helping them cover their tracks. Releasing the kit to the entire threat actor community would lead to a significant rise in activity, as there are many low-level actors out there who would love to use FireEye’s toolset.



For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: