Russia's SVR suspected in FireEye breach.
Security firm FireEye disclosed on Tuesday that a "highly sophisticated state-sponsored adversary" had stolen the company's proprietary red-teaming tools:
"The stolen tools range from simple scripts used for automating reconnaissance to entire frameworks that are similar to publicly available technologies such as CobaltStrike and Metasploit. Many of the Red Team tools have already been released to the community and are already distributed in our open-source virtual machine, CommandoVM. Some of the tools are publicly available tools modified to evade basic security detection mechanisms. Other tools and frameworks were developed in-house for our Red Team.
"The Red Team tools stolen by the attacker did not contain zero-day exploits. The tools apply well-known and documented methods that are used by other red teams around the world. Although we do not believe that this theft will greatly advance the attacker’s overall capabilities, FireEye is doing everything it can to prevent such a scenario."
The actor also attempted to steal information on some of the company's public-sector customers, although it's unclear if these efforts were successful. FireEye's CEO Kevin Mandia said in a blog post, "Consistent with a nation-state cyber-espionage effort, the attacker primarily sought information related to certain government customers. While the attacker was able to access some of our internal systems, at this point in our investigation, we have seen no evidence that the attacker exfiltrated data from our primary systems that store customer information from our incident response or consulting engagements, or the metadata collected by our products in our dynamic threat intelligence systems. If we discover that customer information was taken, we will contact them directly."
The Wall Street Journal cites a source close to the matter as saying Russia's Foreign Intelligence Service, the SVR, is viewed as the top suspect. Cozy Bear (APT29) is the best-known SVR threat actor, although FireEye hasn't publicly named any particular group. While FireEye's arsenal might prove useful for various reasons, WIRED sees the theft of hacking tools as more of a statement, noting that the threat actor presumably has equivalent or better tools at its disposal.
FireEye hasn't released many technical details of the hack, but observers say that's consistent with what one would expect at this stage of an investigation. Despite the breathless quality of some reporting on the incident, FireEye has received more praise than criticism for its quick disclosure and transparent handling of the incident.
Cisco Talos has summarized the vulnerabilities most likely to be exploited by the stolen red-team tools, and Data Breach Today has published them alongside the products they affect: CVE-2019-11510 (Pulse Secure), CVE-2020-1472 (Windows Netlogon), CVE-2018-13379 (Fortinet FortiGuard FortiOS), CVE-2018-15961 (Adobe ColdFusion), CVE-2019-0604 (Microsoft SharePoint), CVE-2019-0708 (Microsoft Remote Desktop Services), CVE-2019-11580 (Atlassian Crowd and Crowd Data Center), CVE-2019-19781 (Citrix Application Discovery Controller and Citrix Gateway), CVE-2020-10189 (Zoho ManageEngine Desktop Central), CVE-2014-1812 (Group Policy implementation in Microsoft Windows), CVE-2019-3398 (Confluence Server and Data Center), CVE-2020-0688 (Microsoft Exchange), CVE-2016-0167 (Microsoft Windows), CVE-2017-11774 (Microsoft Outlook), CVE-2018-8581 (Microsoft Exchange Server), and CVE-2019-8394 (Zoho ManageEngine ServiceDesk Plus). Organizations that want to protect themselves against potential abuse of FireEye's tools can start with that list when they assess their patch management.