Wednesday, 09 December 2020 09:53

Crown jewels gone: FireEye Red Team tools stolen by unknown actor

Image by Hans Braxmeier from Pixabay

Cyber security vendor FireEye has a considerable amount of egg on its face after the tools used by its Red Team — an attack unit — were stolen by a group that it claims is a "highly sophisticated state-sponsored adversary".

The company offered no evidence for its claim in a statement published on Tuesday. It said it was offering counter-measures in a GitHub repository.

"We do not know whether the attacker intends to use the stolen tools themselves or publicly disclose them," the company said.

"[Because of this] FireEye is releasing hundreds of counter-measures... to enable the broader security community to protect themselves against these tools."

Unknown attackers stole a trove of exploits from the NSA and exposed them on the Web in 2016. To date, despite an investigation that had been running for 15 months as of November 2017, the NSA has no idea who stole its wares.

One of those exploits, known as EternalBlue, turned up in a number of malware attacks after the theft, including WannaCry, the ransomware that spread globally in May 2017.

FireEye, which is valued at about US$3.5 billion (A$4.72 billion), lost about 7% of its value on the stock market in trading after hours.

FireEye chief executive Kevin Mandia said: "We have incorporated the countermeasures in our FireEye products — and shared these countermeasures with partners, government agencies — to significantly limit the ability of the bad actor to exploit the Red Team tools."

Mandia, who owned Mandiant, an incident response firm acquired by FireEye in 2014, and who is one of those in the security industry never backward in attributing attacks to different countries, made no attribution this time.

The statement said: "We have been performing Red Team assessments for customers around the world for over 15 years. In that time, we have built up a set of scripts, tools, scanners, and techniques to help improve our clients’ security postures. Unfortunately, these tools were stolen by a highly sophisticated attacker.

"The stolen tools range from simple scripts used for automating reconnaissance to entire frameworks that are similar to publicly available technologies such as CobaltStrike and Metasploit.

"Many of the Red Team tools have already been released to the community and are already distributed in our open-source virtual machine, CommandoVM.

"Some of the tools are publicly available tools modified to evade basic security detection mechanisms. Other tools and frameworks were developed in-house for our Red Team."

FireEye attempted to play down the theft by saying the stolen tools did not contain zero-day exploits.

"The tools apply well-known and documented methods that are used by other red teams around the world. Although we do not believe that this theft will greatly advance the attacker’s overall capabilities, FireEye is doing everything it can to prevent such a scenario.

"It’s important to note that FireEye has not seen these tools disseminated or used by any adversaries, and we will continue to monitor for any such activity along with our security partners."



Sam Varghese

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.
