FireEye Hacked

FireEye was hacked by — they believe — “a nation with top-tier offensive capabilities”:

During our investigation to date, we have found that the attacker targeted and accessed certain Red Team assessment tools that we use to test our customers’ security. These tools mimic the behavior of many cyber threat actors and enable FireEye to provide essential diagnostic security services to our customers. None of the tools contain zero-day exploits. Consistent with our goal to protect the community, we are proactively releasing methods and means to detect the use of our stolen Red Team tools.

We are not sure if the attacker intends to use our Red Team tools or to publicly disclose them. Nevertheless, out of an abundance of caution, we have developed more than 300 countermeasures for our customers, and the community at large, to use in order to minimize the potential impact of the theft of these tools.

We have seen no evidence to date that any attacker has used the stolen Red Team tools. We, as well as others in the security community, will continue to monitor for any such activity. At this time, we want to ensure that the entire security community is both aware and protected against the attempted use of these Red Team tools. Specifically, here is what we are doing:

  • We have prepared countermeasures that can detect or block the use of our stolen Red Team tools.
  • We have implemented countermeasures into our security products.
  • We are sharing these countermeasures with our colleagues in the security community so that they can update their security tools.
  • We are making the countermeasures publicly available on our GitHub.
  • We will continue to share and refine any additional mitigations for the Red Team tools as they become available, both publicly and directly with our security partners.

Consistent with a nation-state cyber-espionage effort, the attacker primarily sought information related to certain government customers. While the attacker was able to access some of our internal systems, at this point in our investigation, we have seen no evidence that the attacker exfiltrated data from our primary systems that store customer information from our incident response or consulting engagements, or the metadata collected by our products in our dynamic threat intelligence systems. If we discover that customer information was taken, we will contact them directly.

From the New York Times:

The hack was the biggest known theft of cybersecurity tools since those of the National Security Agency were purloined in 2016 by a still-unidentified group that calls itself the ShadowBrokers. That group dumped the N.S.A.’s hacking tools online over several months, handing nation-states and hackers the “keys to the digital kingdom,” as one former N.S.A. operator put it. North Korea and Russia ultimately used the N.S.A.’s stolen weaponry in destructive attacks on government agencies, hospitals and the world’s biggest conglomerates - at a cost of more than $10 billion.

The N.S.A.’s tools were most likely more useful than FireEye’s since the U.S. government builds purpose-made digital weapons. FireEye’s Red Team tools are essentially built from malware that the company has seen used in a wide range of attacks.

Russia is presumed to be the attacker.

Reuters article. Boing Boing post. Slashdot thread. Wired article.

Posted on December 9, 2020 at 6:36 AM • 26 Comments


Who? December 9, 2020 9:48 AM

FireEye was hacked by — they believe — “a nation with top-tier offensive capabilities”

Or a script kittie that got access to a vulnerable computer hosting an arsenal of tools proudly hoarded by a nation with top-tier offensive capabilities. How can we know for sure?

Anders December 9, 2020 11:37 AM


That Reuters article has one interesting and important part:

“Beyond the tool theft, the hackers also appeared to be interested in a subset of FireEye customers: government agencies.”

Clive Robinson December 9, 2020 11:43 AM

@ Who?

Or a script kittie that got access to a vulnerable computer

Yes or a contractor, the Never Say Anything agency is keeping very quiet on the subject. However we know that at least two contractors easily walked out with thousands or hundreds of thousands of pages of “secret and above” information.

One gave their trove to news agencies to blow the lid on excesses and probable illegal behaviour by the agency. The other apparently studying for a PhD was “collecting reference material” then went down a bit of a rabbit hole much like the agency and went into a fairly useless “Collect it all” mode of thinking and was just stacking it up wherever he had a space, to the point the stuff was just bulging out of the place…

There was a third who apparently had hacking tools on their computer that due to them not knowing about the Anti-Virus software sent the whole lot off to a Russian AV producer. The AV producer claimed they deleted it immediately which may or may not be true. But it’s a reasonably good bet the Russian SigInt and other agencies were watching the network much as the US agency does, and hoovered the tools up.

If the supposed most well funded SigInt agency in the world haemorrhages secret and above data / information like this what are we supposed to think?

WmG December 9, 2020 12:08 PM

@Clive Robinson wrote: most well funded SigInt agency in the world haemorrhages…

Was there a time when the agency was not suffering from leaks and breaches?

James Bamford’s books were rather revealing in suggesting that the answer would be No.

What are we supposed to think? is a good question.

Assumed December 9, 2020 12:21 PM

I’ve always assumed that FireEye was an “agency” corporation. At one point, they were helping decrypt hard drives that were infected with Ransomware for free. What kind of resources does that take? And who is capable? For free. Sounds like a govt cover to me.

Humdee December 9, 2020 12:29 PM

Aren’t we supposed to think whatever our masters want us to think?

Anyway, this seems to be the about as newsworthy as dog bites man. FE has an overinflated sense of its own value.

Clive Robinson December 9, 2020 1:06 PM

@ Assumed,

I’ve always assumed that FireEye was an “agency” corporation.

I don’t know about “before taking over Mandiant” but they certainly were afterwards.

Their “Red Team” has apparently done numerous “pentests” of Government agencies including very detailed enumeration of the “customer network and equipment”.

Which as @Anders points out the reports of which are probably more valuable than the 300 odd tools that allegedly only use “known attack vectors” that in theory any one could write exploits for.

@ ALL,

But not really mentioned is apparently APT28/29 used a totally new attack vector that neither FireEye nor those they had talked to had seen used before…

If it was a new zeroday then in effect it’s been burned, so what did it in effect cost for what was gained?

However as @SpaceLifeForm pointed out over on the Friday Squid, it could be a below CPU ISA level in the stack hardware attack on the CPU microcode or UEFI or below. In which case the attack may not realistically be “patchable”…

Anders December 9, 2020 4:21 PM

@Clive @SpaceLifeForm @ALL


Ehud Gavron December 9, 2020 4:23 PM

This is definitely a relevant story, but the takeaway isn’t “Oh hey look, another company got hacked” or even “A state sponsored hacking group did it.”

The real takeaway is “STOP BEING COMPLACENT!!!” You can be the elite of the elite of the anti-hacking pro-security NSA-backed groups but IF YOU CAN’T SECURE YOUR OWN SH1T you have no business pretending to secure others.

Hubris. Laurel crown butt pillows. In an arms RACE you don’t sit down and fold your hands and say “We did it!”.


Argo December 9, 2020 5:35 PM

Ehud, you are right but isn’t cybersecurity business with its firms, industry and academic researchers and their counterparts within certain government agencies part of the same massive confidence game? It’s been known forever that offense is pretty easy compared to effective defense. A lot of people’s livelihoods and reputations are wrapped up in the success of the cybersecurity con. But, who dares say it?

Clive Robinson December 9, 2020 7:22 PM

@ Argo,

But, who dares say it?

Well… Depending on how long you’ve been around you might have noticed I say it from time to time… But how you chose to say it, is what makes the big difference.

That is identifying a solution to a problem as you describe the problem especially if the solution is not product specific is a more gentle way of saying the truth, and keep the shirt on your back.

Sadly there is a lot of things out there I can not give you a solution for. In the past I used to just be truthful but blunt. But there are two reasons why I don’t mention many of the solutionless failings I know,

1, The right people do not want to know (those who can fix it).

2, The wrong people do want to know (those who can exploit it).

Because of the first the second tends to get free rein if you give too much detail on failings. Some claim this makes you “An Accomplice” or even “A Provocateur” especially if they are the first group, and think legal sanctions are better than fixing problems… Especially if the person baying for your blood is the “Head of Government” in the country in which you live…

ResearcherZero December 9, 2020 9:35 PM

“In risky environments, you don’t want to burn your best tools, so this gives advanced adversaries a way to use someone else’s tools without burning their best capabilities.”

In the probing of the utility sector in the United States, the Russians were placing “implants,” or malware that could be activated at a later date.

lurker December 9, 2020 10:43 PM


1, The right people do not want to know (those who can fix it).

2, The wrong people do want to know (those who can exploit it).

So in spite of @SpaceLF conjectures about microcode or UEFI, we’re back to a basic people problem. No need for Red Team tools, just ole fashioned gum-shoes, and to finish the job maybe a shrink and/or a hangman.

SpaceLifeForm December 9, 2020 11:15 PM

FireEye has their web infrastructure behind CloudFlare.

A few interesting subdomains: securefiles, mil-cloud, and docs.

Clive Robinson December 10, 2020 3:00 AM

@ lurker,

So in spite of @SpaceLF conjectures about microcode or UEFI, we’re back to a basic people problem.

Don’t confuse “Methods and Sources” the tools and attack vectors are usually technical “methods”, however the “actors” on both sides might be “sources”, non technical “methods”, or both.

That is, it is “the directing mind” be it a human, committee or these days even an AI system, that makes the initial origin of information. The information then travels out, where it is copied and diverted to an opponent is technically the “source”, even though the copying and diverting may be both a “method” and a “source”.

Thus the initial point of origin of information is the “directing mind” or principal that gives a direction or order which has an intended destination. At some point along that chain the information is copied and diverted to the opponent, this is where the actual source is (usually). Though anything back from that point to and including the principal can be referred to as a source.

The copy and divert process can be both passive and distant such as radio intercept and decoding or active and close in such as an informant/agent meeting their controller just around the corner from the office of the principal that gave the order. In the former case the source and technical methods are easy to distinguish but the latter case? An informant/agent whilst being a source may be willing, unwilling, or unknowing. How they became a source is also a method though not usually a technical one, even though it might be blackmail, faux romance or just listening in on their bedroom and hearing what they say to their spouse. Be it by a human agent, or a technical device etc the actual method is eavesdropping.

Thus at times knowing which is which can be just a point of perspective, but as in the latter case of a human eavesdropping at the bedroom key hole, if it’s a servant on the make they are technically the source, but if they are a placed agent then they are the method. Confused? Yup it gets that way especially when third parties such as “contractors” or other organisations such as a telephone company are involved.

Clive Robinson December 10, 2020 4:34 AM

@ ALL,

Even though FireEye did mention in one of their public statements that their tools were for finding known vulnerabilities, and not really any different from those used by the pentest industry in general, the press has done an “OMG” type presentation.

Well because FireEye has released ways to detect the “Red Team Tools” in use, this actually tells you quite a bit about the tools.

Including the fact that many are “open Source” and freely available.

Well somebody has done a nice little analysis,

Make your own mind up as to how much of a “Tempest in a teapot or not” the reporting on the tool theft is.

It certainly makes the point that the unknown to FireEye and those they have spoken to attack method and attack was very probably for some other reason. What that might be is not yet known and may never be but we can make some deductions.

Firstly is the FancyBear / CosyBear attribution anything other than an assumption?

The attack method is claimed to be new so attribution by reference to earlier attacks of this sort would not be possible. So attribution by the “components” becomes awkward as those components have been used before and are we can surmise in the hands of a lot of people. Which raises the possibility this attack is not by Russia but some one who wishes Russia to be blamed. This would not be the first time public misattribution had happened. Russia attacked the Olympics because their athletes had been banned due to doping. At the time certain US investigating organisations claimed it was North Korea… Who were at the time the US “Cyber-exponential-threat” of choice. So the fact that Russia is the current US “Cyber-exponential-threat” might have a lot more to do with the attribution than people think.

Remember in a very Orwellian way, the US can only have one “Cyber-exponential-threat” at a time from their “list of Four” which would make the job of anyone running a False Flag attack much much easier. Especially as a US Government Agency lost a whole bunch of tools especially designed to run “Cyber-False-Flag” campaigns.

Secondly how credible is the “They done it for revenge” motive some are putting out? Think about it for the moment, whilst Russia can be that petty (olympics) why would they waste a new advanced and thus nearly undetectable attack method. Put simply if you want revenge you want the recipient to know it, not for it to go so covertly that it’s not even noticed…

Thus whilst not revenge they might be “Sending a Message” in that they are saying not only can they p155 higher up the wall than the US can they are not afraid to do so. Effectively the same as walking into a bar and challenging the person who thinks they are “The best man in the house.” by turning your glass upside down on the bar.

But again why waste a new covert attack method? You can do the same thing any number of ways. Which brings on the question of “Why FireEye?” if the target for revenge / message is the US Gov why go after a non-governmental organisation?

I have a feeling that the answer may be in this area, that is,

“What is special about FireEye that a still unknown Nation State Level attacker would go after them in particular?”

Because it certainly was not for a bunch of mainly open source pentest tools, even though journalists or their editors might say so because it has a “Chicken Little” style effect on the populace that brings in the cash.

Oh one last thing to think about, it appears to be taking the spotlight off of the Trump Court cases etc… That might not be coincidental, and could go in a couple of directions. One being used to start further court cases because there is now evidence of this big new scary attack that must have been used to “steal the election”. Or if nothing else being used to say it proves Trump was never in league with Russia. Or some other crazy crazy to keep the faithful sending in the cash to Trump’s grifting fund…

The whole thing is a big cartoon bomb with a fizzing fuse that’s going to get passed around like a hot potato the two questions are, “In whose face will it go bang?” and “Will we ever find out the reason behind it unless someone talks?”.

SpaceLifeForm December 11, 2020 3:10 PM

The IOC data shows the hackers are based in Kraken, New Nevada, and/or Kraken, New California.

SpaceLifeForm December 11, 2020 4:29 PM

Apparently, the hackers have a datacenter in Louisiana.

On information and belief, the ISP involved is named Architeuthis dux, LLC.

Parent company headquarters is in San Francisco.

It’s a conspiracy I tell you!

Random Internet User December 12, 2020 1:43 PM

Thinking of the unusual or not seen method that they fell foul of, it must fall within a few categories. Infection method/the way it hid and avoided triggering alarms/how they pivoted around the network or how data was exfiltrated.

With a company like FireEye, I suspect the issue for hackers is not gaining a foothold in the network but moving around it and exfiltration of any data without triggering any alarms or hitting any traps setup.

If I had to have some far out extreme guesses, I would love to hear something along the line of a core switch being owned and port mirroring used to send data passively along a vlan avoiding half their protections.

Or my favourite dream of an automated CD/DVD making plant/company where the hackers use the system to burn/press the internal data and their systems send it out physically to a P.O Box or empty house.

Very slim chance a normal company you would find a blank or multi-session disk in a drive of a machine on the network, but if you did and could email someone asking them to get it and send it. Bingo! Lots needs to fall in place but that would be great to see. Username logged in to the PC with the disk is JoeBloggs@companydomain….so email to someone in same department (thanks LinkedIn) asking them to mail you the disk in Joe’s pc as you need it urgently.

Now where is this thing called sleep I hear some people get on a regular basis….

CyberNull December 13, 2020 7:27 PM

Well, the current claim is that the attack vector was a vulnerability in Solarwinds.

“The apparent conduit for the Treasury and Commerce Department hacks — and the FireEye compromise — is a hugely popular piece of server software called SolarWinds. It is used by hundreds of thousands of organizations globally, including most Fortune 500 companies and multiple U.S. government agencies who will now be scrambling to patch up their networks, said Alperovitch, the former chief technical officer of the cybersecurity firm CrowdStrike.”

Cranky Observer December 14, 2020 6:34 AM

Every time one of my systems or applications auto-updates – particularly but not only security applications – I think to myself that compromising the central update servers would be the best possible use of a cracker’s time and resources.

Clive Robinson December 14, 2020 7:16 AM

@ Cranky Observer,

I think to myself that compromising the central update servers would be the best possible use of a cracker’s time and resources.

That or at the router just one step up stream of it.

The simple fact used to be that all your traffic went through that router in plaintext, and as you could not see any other port on the router an attack there was just about invisible to you. Which is why the NSA and other SigInt agencies “love routers”.

However one of the upsides of HTTPS is they don’t get to see plain text directly any more, so they have an increased workload. The problem is that unless they are putting a very great deal into cracking RSA or AES one way or another[1] they have to switch from “passive to active” attacks, therefore the SigInt agencies can get outed.

At the worst they actually have to “come to your door and go in” via a “black bag job” or “rogue employee / insider”.

Thus changing public keys and token seeds regularly –say once a week– is going to be a big headache for them.

@ ALL,

Although nobody has said directly this attack on FireEye looks like it’s going to be based on either,

1, Stolen KeyMat.
2, Insider Attack.

On a company in the US, which is a little bold for most Russian Crims/Crackers, who if caught might be looking at 50+ years as the US has unresolved issues with Russian hackers that will demand “show trial” type sentencing.

Whilst not past a Government agency, the Russians have been “caught in the act” before, and a couple of times in the fairly recent past their “diplomats” have been caught with a car full of hacking kit… Thus they might be reluctant to be doing it again (though how far back in time they might have acquired the KeyMat is unknown).

But it might not even been the Russian Crim/Crackers, but others working on their own or for another national government.

I guess time will tell how, whoever it was, managed to use / obtain the code signing key…

[1] One option is to steal people’s authentication be it the seed and algorithm in a token device, or the private key for the remote services you use. But this involves getting close to the target to compromise their “KeyMat” which gives them problems…

Den December 14, 2020 8:21 AM


It looks like supply chain attack.

Random Internet User December 14, 2020 2:27 PM

A supply chain attack isn’t a novel technique on its own these days but using a trusted top tier monitor app’s own protocol to talk to a C2 and possibly exfiltrate data is.
