The security world was shaken up this week when FireEye announced it had been breached by a highly sophisticated foreign nation-state attack that compromised its Red Team tools. A person familiar with the matter said Russia is the leading suspect.
The attack used infrastructure not previously seen in attacks elsewhere and appeared very deliberately targeted at FireEye. "This was a sniper shot that got through," a source involved in the response said.
Cyber experts weighed in on the incident:
Rick Holland, Chief Information Security Officer, Vice President Strategy at Digital Shadows, a San Francisco-based provider of digital risk protection solutions:
“If a nation-state, with all of its resources, targets an organization, the chances are very high that the adversary will be successful. Intelligence agencies can accomplish their missions, so defenders ultimately have to fall back to detection and response. Any organization can be compromised; it is how you respond to an intrusion that determines its severity.
The stolen tools give the attackers another method to compromise government targets. They can reserve their top-tier tools for "hard targets", like the Department of Defense, and potentially leverage these new tools against "soft targets" like civilian government agencies.
Hopefully, these tools don't make their way into the public's hands. We have seen the damaging impact of the Hacking Team and NSA EternalBlue tool leaks/disclosures. If these tools become widely available, this will be another example of the attackers' barrier to entry getting lower and lower. The bottom line here: these tools making their way into the wrong hands will make defenders' lives more challenging.”
Brandon Hoffman, Chief Information Security Officer at Netenrich, a San Jose, Calif.-based provider of IT, cloud, and cybersecurity operations and services:
“At this point, if information relevant to a specific customer, or that customer's data, could be leveraged in a significant way, then they have a responsibility to disclose that immediately. Maybe they have and we just don't get to know. I don't think that access to tooling used by customers would be a surprise to the adversary gaining this information. I suspect most of the techniques in those tools were created by studying adversary toolkits. The interesting thing here is that this kit likely has a wider variety of tools by combining financially motivated adversary techniques with nation-state adversary techniques. It's also important to note that if whoever obtained this kit releases it to the rest of the threat actor community, there will be a significant rise in activity. This will lead to low-level capability actors having access to better tools than ever before. The reason they would do that is to help cover their tracks when they use it for their own purposes, misdirection in a sense.
I do think it is critical, at this point, that FireEye release a broad swath of information about their toolkit so the world at large can protect itself. This includes descriptions of tools, metadata, tool and technique fingerprints, and the underlying data that drives it. This is likely what comprises the countermeasures CISA is referring to.”