FireEye Discloses Data Breach and Confirms Theft of Red Team Tools

The U.S. cybersecurity firm FireEye has announced a sophisticated threat actor has successfully hacked into its systems and stole Red Team assessment tools that the company uses to test the security of its customers’ systems. The stolen tools mimic those used by many cyber threat actors to gain access to organizations’ systems.

Cyberattacks on cybersecurity companies are relatively rare, but they do occur, with Trend Micro, Avast, and Symantec all experiencing breaches in 2019. These attacks tend to be conducted by sophisticated, state-sponsored hacking groups. FireEye says the attack was conducted by a highly sophisticated threat actor and had the hallmarks of a nation state group, based on the discipline, operational security, and techniques used to breach its systems.

“Based on my 25 years in cyber security and responding to incidents, I’ve concluded we are witnessing an attack by a nation with top-tier offensive capabilities,” said FireEye Chief Executive Officer and Board Director Kevin Mandia in a filing with the Securities and Exchange Commission (SEC). “This attack is different from the tens of thousands of incidents we have responded to throughout the years. The attackers tailored their world-class capabilities specifically to target and attack FireEye.”

The cyberattack is still being investigated by FireEye, its partners, and the Federal Bureau of Investigation, but those efforts have been hampered as the tactics used in the cyberattack were designed to prevent forensic examination as well as bypass FireEye’s tools for detecting malicious activity.

No zero-day vulnerabilities were exploited in the attack, but the attackers did use novel techniques to gain access to its systems. The Red Team tools stolen were diverse, and included simple scripts for automated reconnaissance to entire frameworks similar to technologies such as Metasploit and CobaltStrike. In addition to stealing the Red Team tools, the attackers were able to gain access to some of FireEye’s internal systems and attempted to collect information on its government customers. So far, the investigation has not uncovered evidence to suggest customer data and other information stored on its primary internal systems was exfiltrated by the attackers, nor the metadata collected by the company’s products in its dynamic threat intelligence systems.

The Red Team tools stolen in the attack could be used for offensive purposes, but FireEye is sharing Snort and Yara Rules that will detect when those tools are used. Countermeasures that can prevent the tools from being used have also been publicly released on GitHub. FireEye said that based on its intelligence, its tools have not yet been used in the wild.

The threat group behind the attack has yet to be confirmed, although the Washington Post has obtained information from sources indicating the Russian state-sponsored hacking group APT29 – aka Cozy Bear – was responsible for the attack.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of