Cybersecurity giant FireEye says it was hacked by govt-backed spies who stole its crown-jewels hacking tools Cybersecurity corp FireEye has confessed its most secure servers have been compromised, almost certainly by state-backed hackers who then made away with its proprietary hacking tools. “Recently, we were attacked by a highly sophisticated threat actor, one whose discipline, operational security, and techniques lead us to …
This post has been deleted by its author
No nation state was named by FireEye though Russian involvement is suspected by the usual anonymous sources. ....... Kieren McCarthy in San Francisco
Given the amount of shit that home governments are trying to bury as key players fleece treasuries and load the usual useful minions with decades of deficit spending and centuries of insurmountable debt which can never ever be paid back, other sources would more reasonably suspect Five Eyes allied nationals, terrified for their safety and lives.
What say you? After all, you can only find millions of billions from nowhere and down the back of sofas to pay for unexpected disruptive global and pandemic events for just so long before everyone starts to realise the fake magic and sheer utter madness of mass deception and everything starts to suddenly collapse and key players also start suddenly trying to disappear away from the scene of their crimes, or are suddenly disappeared away. It is only natural ..... and fully to be expected.
It is though, not as if y'all haven't been formerly earlier well warned, so what does that tell you of yourself and the intelligence you are using to fill your brain and mind with what you are seeing and experiencing ..... apart from it being distinctly serially sub-prime and almightily primitive and easily led to wherever a fool would have you as a tool to toil.
It is well enough that people of the nation do not understand our banking and monetary system, for if they did, I believe there would be a revolution before tomorrow morning. .... Henry FordLet me issue and control a nation's money and I care not who writes the laws. ...... Mayer Amschel Rothschild
I see in the near future a crisis approaching that unnerves me and causes me to tremble for the safety of my country... corporations have been enthroned and an era of corruption in high places will follow, and the money power of the country will endeavor to prolong its reign by working upon the prejudices of the people until all wealth is aggregated in a few hands and the Republic is destroyed. ......Abraham Lincoln
And do you know the crazy thing? Despite all the evidence of the above which now surrounds and effectively drowns you, you would probably deny the existence of all of that and in so doing thus further prove the point about mass human intelligence .... being distinctly serially sub-prime and almightily primitive and easily led to wherever a fool would have you as a tool to toil .... as being perfectly valid and honestly true.
However, using different intelligence renders abiding novel solutions to such a sticky ancient problem, and is something now freely widely available by virtue of these new fangled postmodern entangling internets internetworking.
In one hand, it isn't that great for a cybersecurity company to be hacked.
In the other hand, there are two types of companies, the ones which were hacked and the ones which didn't know they were hacked.
Having more details on the attack and having tips on how to counter it would be useful. Being open and transparent is IMNSHO the best way to go in that case.
I've often said that the value of a partner is not in how well they can manage day to day installs/maintenance, but in how well they respond when the shit hits the fan.
It seems they've responded honestly and are working at breakneck speed to a) create new tools, b) analyse the attack to learn from it and complete A.
A lesser company would go very quiet and attempt a cover up.
"
This isnt a normal company though. You pay this company to shore up your cyber defences.
"
Which is why the only way they can save their reputation is by claiming that the attack was extremely sophisticated and required state resources to carry out. The inference being that not even a security company can be expected to defend against such an overwhelming attack by such powerful agents.
So even if the attack in fact came from a lone teenager using a laptop from their suburban bedroom, the company would pretty much have to *claim* that it was a state actor that was responsible in order to survive.
So even if the attack in fact came from a lone teenager using a laptop from their suburban bedroom, the company would pretty much have to *claim* that it was a state actor that was responsible in order to survive. .....Cynic_999
:-) Would you be assured or terrified to know for a fact, Cynic_999, that there are stranger state actors than that on the payroll and highly active and interactive in and on the virtual fields of Great Games Play ‽ .
My own experience is that individuals, not state actors, are by far the most competent. Bunnie Huang (REd SD cards), Chris Domas (RE'd intel's rings and got to negative rings and undocumented instructions...). Search youtube for either. My own guys REing Microchip's internal debugger (which violated a BS intel patent so their own tools hid how it worked). And on and on. The thing state actors have is time and a guaranteed paycheck. Which might not be that helpful, since if they slip up and are detected before they succeed...they might lose the chance.
Here in the US it turns out that one of our agencies has a program called UMBRAGE to get people to mis-identify their attacks as coming from some _other_ state actor. And it's not even a secret.
Recent news here seems to show that those who've been shouting "Russia" the loudest were actually on the CCP payroll...including some in congress...
As Bruce Schneier (and others) have said, attribution is _hard_. And there are a lot of reasons to attributed things incorrectly to support other agendas. Look, a squirrel!
Many grains of salt are required in this business.
"This isnt a normal company though. You pay this company to shore up your cyber defences."
So, the real lesson to be learned here is not just that you need to keep on top of security at all times, but you most certainly don't get complacent even if you have just had your defences shored up by one of the leading players.
If I'm commissioning a penetration test, I don't want to be assured that the Red Team can win simply because they've got a whole bunch of lock-picks that nobody else has. I want to be assured that my defen[cs]es are sufficient to deter, repulse, or even just detect, the likely threats and attacks. There won't ever be an assurance that they'll be sufficient to repulse every attack, and the FireEye intrusion just demonstrates that truth. Most businesses don't need to worry about nation-state threat actors, while governments and IT manufacturers and cybernetic security operators clearly do.
I think what I'm trying to say is "Why are super-secret penetration tools the Crown Jewels?" They would just enable FireEye to be a better burglar, not a better locksmith. And, yet again, I have to ask why the Crown Jewels are housed on an Internet-connected server? Clearly they have to be deployed on the Internet when they're being used, but in storage they should be in a locked box. I think I'm missing something about how security assurance works in the real world these days.
What you're missing is that states and big corporates with lawyers must be seen to be doing the right thing.
So they all agree with the lawyers what that means in security terms: hire one of their own to do security- a big corporate with a bunch of lawyers. And that's it. That's all that matters.
All the reactions we observe following an incident are dictated by legal. We never find out what actually happened in technical terms. We just get bullsh't. And the cover-all is: 'A completely secure system is impossible', they say.
But if some poor guy in his bedroom discovers a z day which actually matters and which fixing could actually save someone's skin, and makes the mistake of blabbing about it, he gets locked up or must go on the run.
So in other words, nothing changes. Great system.
(Nothing against lawyers........ phew.... think I got away with it...)
Actually we do occasionally, as in the case of Equifax, and it's usually down to poor governance and mismanagement as much as to technical issues.
It's quite rare for the day to day IT of even a security related business to match up to the standards the customer facing technical folks subscribe to. Famously, the DigiNotar certificate servers were on the same flat network as the office machines from which staff browsed the web, but they did thoroughly TEMPEST protect the server room. They were breached, obviously, via the network.
It's also quite depressing to see the facts about every "sophisticated attack" since Noah - they've mostly turned out to be complete technical push-overs.
"... Most businesses don't need to worry about nation-state threat actors ..."
I beg to differ. Nation-state threat actors (in China) are hacking everybody they can, on the off-chance that they'll find something useful. Personal experience, at relatively insignificant clients in engineering industry.
Nation state actors are not one skill level. I typically divide them into three teams (A, B, C) based on my experiences observing such. The C team was nothing more than script kiddies running straight from well traceable IPs. The B team was moderate sophistication, but still detectable, nothing a high end defensive tool couldn't detect and deal with as long as my team (I was on the security team that saw the alerts an tuned the tools) was on its game.
Even targeting was distinct between them. C team was pure targets of opportunity, acting often like your normal Internet vandals in targets, distinguished by source IP and a couple other details. The B team engaged in moderate targeting, picking an choosing.
Yes, this is a simplification, but a useful one.
Nation state actors are not one skill level. I typically divide them into three teams (A, B, C) based on my experiences observing such. The C team was nothing more than script kiddies running straight from well traceable IPs. The B team was moderate sophistication, but still detectable, nothing a high end defensive tool couldn't detect and deal with as long as my team (I was on the security team that saw the alerts an tuned the tools) was on its game....... mmccul
And the very best in those AAA teams, mmccul? Can one do any better than pay them their worthy Danegeld to ensure and be assured that you be insured against their taking any irrevocable, directly unattributable, catastrophically destructive and extremely disruptive, Remote Stealthy ACTion/Advanced Cyber Threat activity against oneself and those wider interests which feed and maintain one's lifestyle and which also generate, sustain and retain one's interests? Or does such a friend/foe not actually exist?
One is wise to take note, as has been alluded to by at least two commentards on this string, and as is also shared by Conrad Prince and James Sullivan in the Royal United Services Institute for Defence and Security Studies Briefing Paper, The UK Cyber Strategy/Challenges for the Next Phase ......
The capabilities of some state actors are likely to be beyond the scope of normal private sector security protections to address.
........ and that itself is best recognised as a monumental understatement of titanic proportion.
And failures in positive engagement and extensive and expensive endowment to such Stealthy AAA State ACTivity are a real and present danger and abiding existential threat to the pleasant contiguous workings of current fiat capital and intellectual property flow markets, and as such are something to be fully prepared for if one is guilty of such a crime and failing.
And although that all might sound quite draconian, it does not necessarily have to be, for you have been left a great choice.
So their Crown Jewels were not air gapped.
I mean, their business is new security threats and how to mitigate them. They know everyone is vulnerable, including them.
If they have created 300 countermeasures, then how long have they known of the "hack".
Boeing's planes crashed, Challenger burnt, Intel can't make the next generation of chips, because as the man said "For a successful technology, reality must take precedence over public relations, for Nature cannot be fooled."
Well, we have plenty of public relations from FireEye going on now. Will we ever discover the hacking method? Cat5 cable poked through a mouse hole into their citadel, someone picked up a USB stick in the car park & had a look, a lucky guess of "user, password".
"We were so valuable that we got hacked."
"We now have a better understanding of our customer's perspectives."
"We weren't the first (Cf Kaspersky) and we won't be the last."
"Life is like a box of chocolates. You never know what you're going to get."
"We take security seriously."
Can't see them getting any new customers for a while and I expect some of there existing customers will be leaving as soon as is practically possible. All of which is perfectly understandable. Would you want to be protected by a company who had their "most secure servers" hacked?
It matters not how much they protest that the attack was sophisticated and unusual you can't go round claiming to be the best in your field and then get pwned and not pay the consequences.
All things considered I think their share price is doing very well indeed.
Yes, you'd expect a more detailed response from a company like this. Clearly they have decided to hide that information, why? Is it embarrassing?
I am highly suspicious of claims of state sponsored actors being the culprits. It's the ideal excuse. Only the best of the best could beat us we are so great...
Where's your evidence that it was a state sponsored actor? Hmm you've decided not to provide that information, why?
My spidey sense is tingling.
Bringing in the latest trendy cyber sec firm is no substitute for knowing things about your own asset inventory and network. But, no, must concentrate on developing core capabilities and outsourcing other stuff... Goddammit, Infosec in an information driven business IS a core activity.
One day they'll learn. AC because reasons.
"They used a novel combination of techniques not witnessed by us or our partners in the past."
You're telling me that - in a world where stuxnet is just the tip of the tail of the hidden cat - you have never seen anything like this before?
Did someone implanted a satellite sting that uses custom protocols on inaccessible frequencies, burnt a bunch of 0 days for access/escalation, used thermal/seismic/wind techniques to bridge air gapped networks and finally extracted everything using a custom morse code with an invisible laser?
And all of that to steal red team tools and customer contracts and metadata from an infosec vendor that is no different than many others?
I'm sure they did. Might as well convince me it was aliens.
OK, so FireEye got compromised.
The open disclosure and public release of countermeasures speaks to a mature, planned response. They knew the Red Team tools they had developed were a high value asset and could be targeted. That they have come forwards reasonably quickly and released the countermeasures to their toolset as open source speaks well to their approach and preparedness.
Digital security is a process, not a bounded task. They seem to have clearly assumed breach and had a response ready for the eventuality. This should be a call to us all to put our houses in similar order. I imagine the learnings internally will be considerable and valuable for them. Not suggesting for a moment that this isn't a significant hit but it literally can and does happen to anyone.
To those taking to the schadenfreude pulpit and seeking only to mock, I ask: What would you have done differently?
(PS I have no skin in this particular game...)
> The open disclosure and public release of countermeasures speaks to a mature, planned response.
not wrong - but I think it's funny and a little bit dishonest that the blog post follows the shit sandwich structure
"
FireEye is on the front lines defending companies and critical infrastructure globally from cyber threats.
[higly embarrassing stuff]
We’re confident in the efficacy of our products and the processes we use to refine them.
"
Smells like a PR exercise for future clandestine use of its tools.
If it's an above-board target, then its law enforcement using a full licenced copy.
If it's an inappropriate target - oh its not us we're lovely, it must be those criminals that stole our software, did we mention the baddies got our software, here's the FBI press release.
“We have learned and continue to learn more about our adversaries as a result of this attack, and the greater security community will emerge from this incident better protected. We will never be deterred from doing what is right.” ...... Kevin Mandia, CEO FireEye
The greater security community better protected maybe, but a significantly greater customer base more widely compromised and definitely vulnerable to use and misuse and abuse of the tools discovered and pilfered, surely?
Their only route to credibility is to have someone on the outside vouch for the detailed public postmortem. The FBI agreeing that this was a state actor helps. The lack of a commitment to producing a postmortem certainly does not.
To those who say that this looks like they have a prepared response for this (unavoidable) eventuality, I say this, "Yes, it looks like they had their press releases prepared." What I want is the postmortem.
Only naive fools assume that a "secret" master key, global "friend", deliberately introduced vulnerability, or other such technical measure for LE use remains in the hands of the "good guys". Once you make the assumption that any such backdoors will be discovered by an adversary, the only conclusion is good security without exceptions.
"The attackers tailored their world-class capabilities specifically to target and attack FireEye. They are highly trained in operational security and executed with discipline and focus. They operated clandestinely, using methods that counter security tools and forensic examination. They used a novel combination of techniques not witnessed by us or our partners in the past.”
============================
To: Kevin.Mandia@FireEye.com
From: UPS_Delivery@yandex.ru
Your package was not deliverable. Please check the attached tracking document.
*UPS-Tracking.docx*
(P.S. You may need to enable macros to view)
It is clearly every security practitioner's nightmare to get hacked, yet since humans are involved it is bound to happen. A few observations which do not make a lot of sense or are just BS:
1. Every reported compromise I have ever seen has stated "These guys were the best!".. Once the specific details are reported it is something as simple as, "Joe used a default password for everything, including a super secret generic account, and clicked on the wrong e-mail". Joe was also are #1 admin.
2. They stole our L33T toolset.. "Using methods we have never seen before and cannot fathom". Well, assuming you were eating your own dog food and red teaming yourself (guessing you were not); the toolset may not have been all that great OR these guys have WAY better tools.. Perhaps you could help us out and describe those tools in greater detail?
3. Fire-eye projects confidence nothing else was compromised, despite the use of tools which counter security tools and defy forensic examination. Does not seem to add up..
In the past, Mandiant (Fire-Eye) has always provided excellent reporting post-breach with details on what happened and recommendations for preventing breaches in the future. Anything less than a full accounting without spin would likely confirm someone made a mistake and this was not as hard as it is being made out to be.
In the past, Mandiant (Fire-Eye) has always provided excellent reporting post-breach with details on what happened and recommendations for preventing breaches in the future. Anything less than a full accounting without spin would likely confirm someone made a mistake and this was not as hard as it is being made out to be. ..... Not_Important
Not_Important,
Invariably, for reasons which are pretty bleeding obvious, there is as yet, insufficient data for a meaningful answer is always the answer to deflect attention away from a major breach vector which has no known available, or even possible future solution.
After you've played the security incident game for a while what you quickly come to realise is that the methods used are broadly the same, the only thing that makes the defence job hard is to spot the unique IOC for that particular time.
The tools judging by the names of the detections in the published Yara rules are just more of the same old same old.
It is also unlikely that Mandiant themselves have written these with static hashes, because that wouldn't be how the real heavy hitters roll. A decent attack toolset is configurable to create different hashes, different hooks, different C2 mechanisms etc.
If not, then Mandiant's tooling is not as good as Cobalt Strike.
PS I expect Mandiant to now offer to come and look for their tools on your network. For a fee of course. Wouldn't be the first dirty sales campaign from them.
Has nobody considered that FireEye may have planted the mother of all Trojan Horses/Honeypots? .... Ken Moorhouse
Would that make them liable for all losses and damages caused by the misuse and abuse of information/intelligence exfiltrated by others? With further liability added when shared with others who similarly abuse and misuse the intelligence and information?
Can you get insurance that removes that risk and protects against unwarranted unauthorised misuse and proprietary intellectual property abuse?
It's a hell of a risk and extensive expansive expense to not have covered and hedged and transferred to others.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
