FireEye Red Team Tools Stolen

FireEye, one of the premier global threat intelligence and cybersecurity companies, has had its offensive security tools stolen by hackers, the company announced.

In a blog post published Tuesday, December 8, 2020, CEO Kevin Mandia said the company had recently been attacked “by a highly sophisticated threat actor” whose techniques, discipline and operational security match those of the nation-state hacking groups FireEye tracks for its customers. The company notified the Securities and Exchange Commission in a filing the same day.

“I’ve concluded we are witnessing an attack by a nation with top-tier offensive capabilities,” Mandia wrote. “This attack is different from the tens of thousands of incidents we have responded to throughout the years. The attackers tailored their world-class capabilities specifically to target and attack FireEye. They are highly trained in operational security and executed with discipline and focus. They operated clandestinely, using methods that counter security tools and forensic examination. They used a novel combination of techniques not witnessed by us or our partners in the past.”

What the attackers took was the company’s coveted red team toolkit: a set of offensive security tools FireEye uses to mimic real threat actors when testing the security of its clients’ networks. None of the tools relied on zero-day exploits, that is, vulnerabilities unknown to the software vendor and for which no patch exists. Mandia said the company has built countermeasures into its products and publicly released detection rules that defenders can use to spot the tools in the wild.

Mandia believes the motive for the attack was espionage, specifically information about FireEye’s government customers. So far there is no indication that customer data or information from the company’s incident response engagements was taken, though firms like FireEye are usually the first to warn that this is hard to establish with certainty in the immediate aftermath of an intrusion.

Threat intelligence firms often say a company’s threat model, meaning who in the cybercriminal or APT ecosystem has the means and the motive to target it, matters as much as the strength of its defenses. By that logic a company like FireEye, which responds to a large number of intrusions across its customer base every year, holds information that many foreign governments would value.

The countermeasures are published as detection signatures (Snort, Yara, ClamAV and HXIOC rules) in FireEye’s GitHub repository, https://github.com/fireeye/red_team_tool_countermeasures, which also lists the already-patched CVEs the tools rely on, so patching those is the complementary step to deploying the rules. The rule names below, with the sample hash listed against each, are taken from that repository.

Rule name | Hash
APT_Backdoor_MacOS_GORAT_1 | 68acf11f5e456744262ff31beae58526
APT_Backdoor_Win_DShell_1 | 152fc2320790aa16ef9b6126f47c3cca
APT_Backdoor_Win_DShell_2 | e0683f8ee787313cfd2c61cd0995a830
APT_Backdoor_Win_DShell_3 | cf752e9cd2eccbda5b8e4c29ab5554b6
APT_Backdoor_Win_GORAT_1 | 66cdaa156e4d372cfa3dea0137850d20
APT_Backdoor_Win_GORAT_2 | f59095f0ab15f26a1ead7eed8cdb4902
APT_Backdoor_Win_GORAT_3 | 995120b35db9d2f36d7d0ae0bfc9c10d
APT_Backdoor_Win_GORAT_4 | f59095f0ab15f26a1ead7eed8cdb4902
APT_Backdoor_Win_GORAT_5 | cdf58a48757010d9891c62940c439adb, a107850eb20a4bb3cc59dbd6861eaf0f
APT_Backdoor_Win_GoRat_Memory | 3b926b5762e13ceec7ac3a61e85c93bb
APT_Builder_PY_MATRYOSHKA_1 | 25a97f6dba87ef9906a62c1a305ee1dd
APT_Builder_PY_REDFLARE_1 | d0a830403e56ebaa4bfbe87dbfdee44f
APT_Builder_PY_REDFLARE_2 | 4410e95de247d7f1ab649aa640ee86fb
APT_Builder_Win64_MATRYOSHKA_1 | 8d949c34def898f0f32544e43117c057
APT_Controller_Linux_REDFLARE_1 | 79259451ff47b864d71fb3f94b1774f3, 82773afa0860d668d7fe40e3f22b0f3e
APT_Downloader_Win32_REDFLARE_1 | 05b99d438dac63a5a993cea37c036673
APT_Downloader_Win64_REDFLARE_1 | 9529c4c9773392893a8a0ab8ce8f8ce1
APT_Dropper_Win_MATRYOSHKA_1 | edcd58ba5b1b87705e95089002312281
APT_Dropper_Win64_MATRYOSHKA_1 | edcd58ba5b1b87705e95089002312281
APT_HackTool_MSIL_ADPassHunt_1 | 6efb58cf54d1bb45c057efcfbbd68a93
APT_HackTool_MSIL_ADPassHunt_2 | 6efb58cf54d1bb45c057efcfbbd68a93
APT_HackTool_MSIL_DNSOVERHTTPS_C2_1 | dd8805d0e470e59b829d98397507d8
APT_HackTool_MSIL_DTRIM_1 | dd8805d0e470e59b829d98397507d8
APT_HackTool_MSIL_FLUFFY_1 | 11b5aceb428c3e8c61ed24a8ca50553e
APT_HackTool_MSIL_FLUFFY_2 | 11b5aceb428c3e8c61ed24a8ca50553e
APT_HackTool_MSIL_GPOHUNT_1 | dd8805d0e470e59b829d98397507d8
APT_HackTool_MSIL_JUSTASK_1 | dd8805d0e470e59b829d98397507d8
APT_HackTool_MSIL_LUALOADER_1 | dd8805d0e470e59b829d98397507d8
APT_HackTool_MSIL_MODIFIEDSHARPVIEW_1 | db0eaad52465d5a2b86fdd6a6aa869a5
APT_HackTool_MSIL_NOAMCI_1 | dd8805d0e470e59b829d98397507d8c2
APT_HackTool_MSIL_PRAT_1 | dd8805d0e470e59b829d98397507d8c2
APT_HackTool_MSIL_REDTEAMMATERIALS_1 | dd8805d0e470e59b829d98397507d8c2
APT_HackTool_MSIL_REVOLVER_1 | dd8805d0e470e59b829d98397507d8c2
APT_HackTool_MSIL_SHARPDACL_1 | dd8805d0e470e59b829d98397507d8c2
APT_HackTool_MSIL_SHARPDNS_1 | dd8805d0e470e59b829d98397507d8c2
APT_HackTool_MSIL_SHARPGOPHER_1 | dd8805d0e470e59b829d98397507d8c2
APT_HackTool_MSIL_SHARPNATIVEZIPPER_1 | dd8805d0e470e59b829d98397507d8c2
APT_HackTool_MSIL_SHARPNFS_1 | dd8805d0e470e59b829d98397507d8c2
APT_HackTool_MSIL_SHARPPATCHCHECK_1 | dd8805d0e470e59b829d98397507d8c2
APT_HackTool_MSIL_SHARPSACK_1 | dd8805d0e470e59b829d98397507d8c2
APT_HackTool_MSIL_SHARPSQLCLIENT_1 | dd8805d0e470e59b829d98397507d8c2
APT_HackTool_MSIL_SHARPSTOMP_1 | 83ed748cd94576700268d35666bf3e01
APT_HackTool_MSIL_SHARPSTOMP_2 | 83ed748cd94576700268d35666bf3e01
APT_HackTool_MSIL_SHARPTEMPLATE_1 | dd8805d0e470e59b829d98397507d8c2
APT_HackTool_MSIL_SHARPWEBCRAWLER_1 | dd8805d0e470e59b829d98397507d8c2
APT_HackTool_MSIL_SHARPZIPLIBZIPPER_1 | dd8805d0e470e59b829d98397507d8c2
APT_HackTool_MSIL_TITOSPECIAL_1 | 4bf96a7040a683bd34c618431e571e26
APT_HackTool_MSIL_WMISPY_2 | 3651f252d53d2f46040652788499d65a
APT_HackTool_Win64_EXCAVATOR_1 | 6a9a114928554c26675884eeb40cc01b
APT_HackTool_Win64_EXCAVATOR_2 | 4fd62068e591cbd6f413e1c2b8f75442
APT_Keylogger_Win32_REDFLARE_1 | d7cfb9fbcf19ce881180f757aeec77dd
APT_Keylogger_Win64_REDFLARE_1 | fbefb4074f1672a3c29c1a47595ea261
APT_Loader_MSIL_PGF_1 | a495c6d11ff3f525915345fb762f8047
APT_Loader_MSIL_PGF_2 | 7c2a06ceb29cdb25f24c06f2a8892fba
APT_Loader_MSIL_TRIMBISHOP_1 | e91670423930cbbd3dbf5eac1f1a7cb6
APT_Loader_MSIL_TRIMBISHOP_2 | c0598321d4ad4cf1219cc4f84bad4094
APT_Loader_MSIL_WILDCHILD_1 | 6f04a93753ae3ae043203437832363c4
APT_Loader_Raw32_REDFLARE_1 | 4022baddfda3858a57c9cbb0d49f6f86
APT_Loader_Raw64_REDFLARE_1 | 5e14f77f85fd9a5be46e7f04b8a144f5
APT_Loader_Win_MATRYOSHKA_1 | 44887551a47ae272d7873a354d24042d
APT_Loader_Win_PGF_1 | 013c7708f1343d684e3571453261b586
APT_Loader_Win_PGF_2 | 226b1ac427eb5a4dc2a00cc72c163214
APT_Loader_Win32_DShell_1 | 12c3566761495b8353f67298f15b882c
APT_Loader_Win32_DShell_2 | 590d98bb74879b52b97d8a158af912af
APT_Loader_Win32_DShell_3 | 12c3566761495b8353f67298f15b882c
APT_Loader_Win32_PGF_1 | 383161e4deaf7eb2ebeda2c5e9c3204c
APT_Loader_Win32_PGF_2 | 04eb45f8546e052fe348fda2425b058c
APT_Loader_Win32_PGF_3 | 4414953fa397a41156f6fa4f9462d207
APT_Loader_Win32_PGF_4 | 4414953fa397a41156f6fa4f9462d207
APT_Loader_Win32_PGF_5 | 8c91a27bbdbe9fb0877daccd28bd7bb5
APT_Loader_Win32_REDFLARE_1 | 01d68343ac46db6065f888a094edfe4f
APT_Loader_Win32_REDFLARE_2 | 4e7e90c7147ee8aa01275894734f4492
APT_Loader_Win64_MATRYOSHKA_1 | 44887551a47ae272d7873a354d24042d
APT_Loader_Win64_MATRYOSHKA_2 | 7f8102b789303b7861a03290c79feba0
APT_Loader_Win64_PGF_1 | 2b686a8b83f8e1d8b455976ae70dab6e
APT_Loader_Win64_PGF_2 | 4326a7e863928ffbb5f6bdf63bb9126e
APT_Loader_Win64_PGF_3 | 3bb34ebd93b8ab5799f4843e8cc829fa
APT_Loader_Win64_PGF_4 | 3bb34ebd93b8ab5799f4843e8cc829fa
APT_Loader_Win64_PGF_5 | 150224a0ccabce79f963795bf29ec75b
APT_Loader_Win64_REDFLARE_1 | f20824fa6e5c81e3804419f108445368
APT_Loader_Win64_REDFLARE_2 | 100d73b35f23b2fe84bf7cd37140bf4d
APT_Trojan_Linux_REDFLARE_1 | 79259451ff47b864d71fb3f94b1774f3, 82773afa0860d668d7fe40e3f22b0f3e
APT_Trojan_Win_REDFLARE_1 | 100d73b35f23b2fe84bf7cd37140bf4d, 4e7e90c7147ee8aa01275894734f4492
APT_Trojan_Win_REDFLARE_2 | 9529c4c9773392893a8a0ab8ce8f8ce1, 05b99d438dac63a5a993cea37c036673
APT_Trojan_Win_REDFLARE_3 | 9ccda4d7511009d5572ef2f8597fba4e, ece07daca53dd0a7c23dacabf50f56f1
APT_Trojan_Win_REDFLARE_4 | a8b5dcfea5e87bf0e95176daa243943d, 9dcb6424662941d746576e62712220aa
APT_Trojan_Win_REDFLARE_5 | dfbb1b988c239ade4c23856e42d4127b, 3322fba40c4de7e3de0fda1123b0bf5d
APT_Trojan_Win_REDFLARE_6 | 294b1e229c3b1efce29b162e7b3be0ab, 6902862bd81da402e7ac70856afbe6a2
APT_Trojan_Win_REDFLARE_7 | e7beece34bdf67cbb8297833c5953669, 8025bcbe3cc81fc19021ad0fbc11cf9b
APT_Trojan_Win_REDFLARE_8 | 9c8eb908b8c1cda46e844c24f65d9370, 9e85713d615bda23785faf660c1b872c
Builder_MSIL_G2JS_1 | fa255fdc88ab656ad9bc383f9b322a76
Builder_MSIL_SharpGenerator_1 | dd8805d0e470e59b829d98397507d8c2
Builder_MSIL_SinfulOffice_1 | dd8805d0e470e59b829d98397507d8c2
CredTheft_MSIL_ADPassHunt_1 | 6efb58cf54d1bb45c057efcfbbd68a93
CredTheft_MSIL_ADPassHunt_2 | 6efb58cf54d1bb45c057efcfbbd68a93
CredTheft_MSIL_CredSnatcher_1 | dd8805d0e470e59b829d98397507d8c2
CredTheft_MSIL_TitoSpecial_1 | 4bf96a7040a683bd34c618431e571e26
CredTheft_MSIL_TitoSpecial_2 | 4bf96a7040a683bd34c618431e571e26
CredTheft_MSIL_WCMDump_1 | dd8805d0e470e59b829d98397507d8c2
CredTheft_Win_EXCAVATOR_1 | f7d9961463b5110a3d70ee2e97842ed3
CredTheft_Win_EXCAVATOR_2 | 6a9a114928554c26675884eeb40cc01b
Dropper_HTA_WildChild_1 | 3e61ca5057633459e96897f79970a46d
Dropper_LNK_LNKSmasher_1 | 0a86d64c3b25aa45428e94b6e0be3e08
HackTool_MSIL_CoreHound_1 | dd8805d0e470e59b829d98397507d8c2
HackTool_MSIL_GETDOMAINPASSWORDPOLICY_1 | dd8805d0e470e59b829d98397507d8c2
HackTool_MSIL_HOLSTER_1 | a91bf61cc18705be2288a0f6f125068f
HackTool_MSIL_INVEIGHZERO_1 | dd8805d0e470e59b829d98397507d8c2
HackTool_MSIL_KeeFarce_1 | dd8805d0e470e59b829d98397507d8c2
HackTool_MSIL_KeePersist_1 | dd8805d0e470e59b829d98397507d8c2
HackTool_MSIL_PrepShellcode_1 | dd8805d0e470e59b829d98397507d8c2
HackTool_MSIL_PuppyHound_1 | eeedc09570324767a3de8205f66a5295
HackTool_MSIL_PXELOOT_1 | 82e33011ac34adfcced6cddc8ea56a81
HackTool_MSIL_PXELOOT_2 | d93100fe60c342e9e3b13150fd91c7d8
HackTool_MSIL_Rubeus_1 | 66e0681a500c726ed52e5ea9423d2654
HackTool_MSIL_SAFETYKATZ_4 | 45736deb14f3a68e88b038183c23e597
HackTool_MSIL_SEATBELT_1 | 848837b83865f3854801be1f25cb9f4d
HackTool_MSIL_SEATBELT_2 | 9f401176a9dd18fa2b5b90b4a2aa1356
HackTool_MSIL_SharPersist_1 | 98ecf58d48a3eae43899b45cec0fc6b7
HackTool_MSIL_SharPersist_2 | 98ecf58d48a3eae43899b45cec0fc6b7
HackTool_MSIL_SharpHound_3 | eeedc09570324767a3de8205f66a5295
HackTool_MSIL_SharPivot_1 | e4efa759d425e2f26fbc29943a30f5bd
HackTool_MSIL_SharPivot_2 | e4efa759d425e2f26fbc29943a30f5bd
HackTool_MSIL_SharPivot_3 | e4efa759d425e2f26fbc29943a30f5bd
HackTool_MSIL_SharPivot_4 | e4efa759d425e2f26fbc29943a30f5bd
HackTool_MSIL_SharpSchtask_1 | dd8805d0e470e59b829d98397507d8c2
HackTool_MSIL_SharpStomp_1 | 83ed748cd94576700268d35666bf3e01
HackTool_MSIL_SHARPZEROLOGON_1 | dd8805d0e470e59b829d98397507d8c2
HackTool_MSIL_WMISharp_1 | dd8805d0e470e59b829d98397507d8c2
HackTool_MSIL_WMIspy_1 | dd8805d0e470e59b829d98397507d8c2
HackTool_PY_ImpacketObfuscation_1 | 0b1e512afe24c31531d6db6b47bac8ee
HackTool_PY_ImpacketObfuscation_2 | f3dd8aa567a01098a8a610529d892485
HackTool_Win32_AndrewSpecial_1 | e89efa88e3fda86be48c0cc8f2ef7230
HackTool_Win64_AndrewSpecial_1 | 4456e52f6f8543c3ba76cb25ea3e9bd2
Hunting_GadgetToJScript_1 | 7af24305a409a2b8f83ece27bb0f7900
Loader_MSIL_AllTheThings_1 | dd8805d0e470e59b829d98397507d8c2
Loader_MSIL_CSharpSectionInjection_1 | dd8805d0e470e59b829d98397507d8c2
Loader_MSIL_Generic_1 | b8415b4056c10c15da5bba4826a44ffd
Loader_MSIL_InMemoryCompilation_1 | dd8805d0e470e59b829d98397507d8c2
Loader_MSIL_NETAssemblyInject_1 | dd8805d0e470e59b829d98397507d8c2
Loader_MSIL_NetshShellCodeRunner_1 | dd8805d0e470e59b829d98397507d8c2
Loader_MSIL_RURALBISHOP_1 | e91670423930cbbd3dbf5eac1f1a7cb6
Loader_MSIL_RuralBishop_1 | 09bdbad8358b04994e2c04bb26a160ef
Loader_MSIL_RURALBISHOP_2 | e91670423930cbbd3dbf5eac1f1a7cb6
Loader_MSIL_SharPy_1 | dd8805d0e470e59b829d98397507d8c2
Loader_MSIL_TrimBishop_1 | 09bdbad8358b04994e2c04bb26a160ef
Loader_MSIL_WildChild_1 | 7e6bc0ed11c2532b2ae7060327457812
Loader_MSIL_WMIRunner_1 | dd8805d0e470e59b829d98397507d8c2
Loader_Win_Generic_17 | 562ecbba043552d59a0f23f61cea0983
Loader_Win_Generic_18 | c74ebb6c238bbfaefd5b32d2bf7c7fcc
Loader_Win_Generic_19 | 3fb9341fb11eca439b50121c6f7c59c7
Loader_Win_Generic_20 | 5125979110847d35a338caac6bff2aa8
Methodology_OLE_CHARENCODING_2 | 41b70737fa8dda75d5e95c82699c2e9b
MSIL_Launcher_DUEDLLIGENCE_1 | a91bf61cc18705be2288a0f6f125068f
Tool_MSIL_CSharpUtils_1 | dd8805d0e470e59b829d98397507d8c2
Tool_MSIL_SharpGrep_1 | dd8805d0e470e59b829d98397507d8c2
Trojan_Macro_RESUMEPLEASE_1 | d5d3d23c8573d999f1c48d3e211b1066
Trojan_MSIL_GORAT_Module_PowerShell_1 | dd8805d0e470e59b829d98397507d8c2
Trojan_MSIL_GORAT_Plugin_DOTNET_1 | dd8805d0e470e59b829d98397507d8c2
Trojan_Raw_Generic_4 | f41074be5b423afb02a74bc74222e35d
Trojan_Win_Generic_101 | 2e67c62bd0307c04af469ee8dcb220f2
Trojan_Win64_Generic_22 | f7d9961463b5110a3d70ee2e97842ed3
Trojan_Win64_Generic_23 | b66347ef110e60b064474ae746701d4a
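As a worked example of putting the published list to use, the following Python script (added here; it is not code from the article, from FireEye, or from the countermeasures repository) parses rule-name/hash pairs written as "name | hash", refuses to index any entry whose hash is not a full 32-character MD5 digest, and then hashes every file under a directory against the resulting index. The embedded table is a constructed excerpt of entries from this page (the DTRIM entry carries the 30-character value exactly as the page shows it, to exercise the truncation check); the rule name Example_Hypothetical_Rule_1 and the sample files are invented for the demonstration.

```python
"""Hash-match files against the red-team-tool countermeasure list (added example)."""
import hashlib
import os
import re
import tempfile

# Constructed excerpt of rule-name / hash pairs from the list on this page,
# in "name | hash[, hash]" form. The DTRIM entry deliberately carries the
# 30-character value the page shows, to exercise the truncation check.
RULE_TABLE = """\
APT_Backdoor_MacOS_GORAT_1 | 68acf11f5e456744262ff31beae58526
APT_Backdoor_Win_GORAT_5 | cdf58a48757010d9891c62940c439adb, a107850eb20a4bb3cc59dbd6861eaf0f
APT_Trojan_Linux_REDFLARE_1 | 79259451ff47b864d71fb3f94b1774f3, 82773afa0860d668d7fe40e3f22b0f3e
APT_HackTool_MSIL_DTRIM_1 | dd8805d0e470e59b829d98397507d8
HackTool_MSIL_Rubeus_1 | 66e0681a500c726ed52e5ea9423d2654
"""

MD5_RE = re.compile(r"[0-9a-f]{32}")


def parse_rule_table(text):
    """Build {md5: [rule names]} from the table.

    Anything that is not exactly 32 hex characters is reported in the
    second return value and never indexed: matching on a truncated prefix
    would be wrong, and silently dropping it would hide a data problem.
    """
    index, rejected = {}, []
    for line in text.splitlines():
        if "|" not in line:
            continue
        name, hashes = (part.strip() for part in line.split("|", 1))
        for digest in (h.strip().lower() for h in hashes.split(",")):
            if not MD5_RE.fullmatch(digest):
                rejected.append((name, digest))
                continue
            index.setdefault(digest, []).append(name)
    return index, rejected


def md5_file(path, chunk_size=1 << 20):
    """MD5 of a file, streamed so large binaries are not read into memory.
    MD5 is used only because the published list is keyed by MD5."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def scan_directory(root, index):
    """Hash every regular file under root; return [(path, md5, rules)] hits."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if not os.path.isfile(path):
                continue
            digest = md5_file(path)
            if digest in index:
                hits.append((path, digest, index[digest]))
    return hits


def demo():
    """Constructed end-to-end run: two files, one registered under a
    hypothetical rule name, so the scanner has something to report."""
    index, _rejected = parse_rule_table(RULE_TABLE)
    with tempfile.TemporaryDirectory() as tmp:
        sample = os.path.join(tmp, "sample.bin")
        with open(sample, "wb") as f:
            f.write(b"constructed bytes standing in for a known sample\n")
        # Hypothetical rule name; real hits come from the published hashes.
        index[md5_file(sample)] = ["Example_Hypothetical_Rule_1"]
        with open(os.path.join(tmp, "clean.txt"), "wb") as f:
            f.write(b"unrelated content\n")
        hits = scan_directory(tmp, index)
    return [(os.path.basename(path), rules) for path, _digest, rules in hits]


if __name__ == "__main__":
    idx, bad = parse_rule_table(RULE_TABLE)
    print(f"{len(idx)} hashes indexed, {len(bad)} rejected: {bad}")
    print(demo())
```

Hash matching only catches the exact binaries FireEye hashed; a recompiled or repacked copy has a different digest, which is what the Yara rules in the repository are for. Point scan_directory at a file share or quarantine folder and treat a hit as a prompt to pull the file for analysis rather than a conviction, since several tools on the list (Rubeus, SharpHound, Seatbelt, SafetyKatz) are publicly available utilities that legitimate red teams also run.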