Wednesday, 09 December 2020 09:53

Crown jewels gone: FireEye Red Team tools stolen by unknown actor


Cyber security vendor FireEye has a considerable amount of egg on its face after the tools used by its Red Team — an attack unit — were stolen by a group that it claims is a "highly sophisticated state-sponsored adversary".

The company offered no evidence for its claim in a statement published on Tuesday. It said it was offering counter-measures in a GitHub repository.

"We do not know whether the attacker intends to use the stolen tools themselves or publicly disclose them," the company said.

"[Because of this] FireEye is releasing hundreds of counter-measures... to enable the broader security community to protect themselves against these tools."

Unknown attackers stole a trove of exploits from the NSA and exposed them on the Web in 2016. To date, despite an investigation that had been running for 15 months as of November 2017, the NSA has no idea who stole its wares.

One of those exploits, known as EternalBlue, turned up in a number of malware attacks after the theft, including WannaCry, the ransomware that spread globally in May 2017.

FireEye, which is valued at about US$3.5 billion (A$4.72 billion), lost about 7% of its value on the stock market in trading after hours.

FireEye chief executive Kevin Mandia said: "We have incorporated the countermeasures in our FireEye products — and shared these countermeasures with partners, government agencies — to significantly limit the ability of the bad actor to exploit the Red Team tools."

Mandia, who owned Mandiant, an incident response firm that was acquired by FireEye in 2014, and who is one of those in the security industry never backward in attributing attacks to different countries, did not make any attribution this time.

The statement said: "We have been performing Red Team assessments for customers around the world for over 15 years. In that time, we have built up a set of scripts, tools, scanners, and techniques to help improve our clients’ security postures. Unfortunately, these tools were stolen by a highly sophisticated attacker.

"The stolen tools range from simple scripts used for automating reconnaissance to entire frameworks that are similar to publicly available technologies such as CobaltStrike and Metasploit.

"Many of the Red Team tools have already been released to the community and are already distributed in our open-source virtual machine, CommandoVM.

"Some of the tools are publicly available tools modified to evade basic security detection mechanisms. Other tools and frameworks were developed in-house for our Red Team."

FireEye attempted to play down the theft by saying the stolen tools did not contain zero-day exploits.

"The tools apply well-known and documented methods that are used by other red teams around the world. Although we do not believe that this theft will greatly advance the attacker’s overall capabilities, FireEye is doing everything it can to prevent such a scenario.

"It’s important to note that FireEye has not seen these tools disseminated or used by any adversaries, and we will continue to monitor for any such activity along with our security partners."


Sam Varghese

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.
