
This week the cybersecurity community was struck by the news that one of the top security firms was compromised by an unnamed sophisticated APT group. The adversaries were interested in the Red Team tools FireEye uses to test its customers' security and looked for information related to government customers. An investigation is ongoing and the F.B.I. Cyber Division is involved. Although no official information about the suspected hackers has been reported, according to The New York Times the F.B.I. agents involved specialize in investigating Russia-related matters, so there is little question who the main suspect is.
It will be very interesting to learn the details and results of this investigation, since hackers rarely manage to compromise such well-protected organizations. Florian Roth posted on his Twitter account: “The FireEye breach isn’t really about red team tools or customer data. It’s about possibly stolen confidential data on high profile threat groups. I mean, they know more about some actors than most states’ intelligence apparatus.” And it really may be so. Having obtained intelligence on other threat groups, the hackers would be able not only to disguise their own actions or make effective use of “other people’s” tools, but even to “hijack” someone else’s infrastructure and use it for their own campaigns.
FireEye expects the stolen tools to be used in cyberattacks, so it shared countermeasures and IOCs on its GitHub account. Snort, Yara, ClamAV, and HXIOC rules were published, and our content team converted those HXIOC rules that lend themselves to conversion into Sigma format, so that they can be translated into rules for multiple security platforms. Community rules to detect possible abuse of the FireEye Red Team tools are available at Threat Detection Marketplace.
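To make concrete why a Sigma conversion is useful, the following added example (written for this post; it is not SOC Prime's converter nor any FireEye rule) takes one Sigma-style process_creation rule, evaluates it directly against a few constructed process-creation events, and translates the same rule into two backend query dialects. The rule body is a hypothetical placeholder that only borrows the colorcpl.exe file name from the rule titles below; the field names (Image, ParentImage) follow the Sigma process_creation convention, and the event records, the parent path and the Splunk/Lucene query shapes are all assumptions for illustration.

```python
"""Minimal Sigma-style rule: direct evaluation plus translation to two backends.

Added example, not SOC Prime or FireEye code. The detection logic is a
hypothetical placeholder, not the published FireEye rule for colorcpl.exe.
"""
import fnmatch
import re

# Hypothetical rule in Sigma's structure (selection / filter / condition).
RULE = {
    "title": "Suspicious Execution of colorcpl.exe (hypothetical example)",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {"Image|endswith": "\\colorcpl.exe"},
        # Assumed benign case: the applet started from the Windows shell.
        "filter": {"ParentImage|endswith": "\\explorer.exe"},
        "condition": "selection and not filter",
    },
}

# Constructed process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\colorcpl.exe",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    {"Image": "C:\\Windows\\System32\\colorcpl.exe",
     "ParentImage": "C:\\Users\\alice\\AppData\\Local\\Temp\\stage.exe"},
    {"Image": "C:\\Windows\\System32\\notepad.exe",
     "ParentImage": "C:\\Users\\alice\\AppData\\Local\\Temp\\stage.exe"},
]


def _field_pattern(field_spec, value):
    """Turn 'Field|modifier' + value into (field, glob pattern)."""
    field, _, modifier = field_spec.partition("|")
    if modifier == "endswith":
        return field, "*" + value
    if modifier == "startswith":
        return field, value + "*"
    if modifier == "contains":
        return field, "*" + value + "*"
    if modifier == "":
        return field, value
    raise ValueError(f"unsupported Sigma modifier: {modifier}")


def _parse_condition(condition):
    """Support the two shapes used here: 'X' and 'X and not Y'."""
    m = re.fullmatch(r"(\w+)(?:\s+and\s+not\s+(\w+))?", condition.strip())
    if not m:
        raise ValueError(f"unsupported condition: {condition!r}")
    return m.group(1), m.group(2)


def _selection_hits(selection, event):
    """All fields of a selection map must match (AND), case-insensitively like Sigma."""
    for spec, value in selection.items():
        field, pattern = _field_pattern(spec, value)
        if not fnmatch.fnmatchcase(str(event.get(field, "")).lower(), pattern.lower()):
            return False
    return True


def matches(rule, event):
    """Evaluate the rule directly against one event dict."""
    det = rule["detection"]
    positive, negative = _parse_condition(det["condition"])
    if not _selection_hits(det[positive], event):
        return False
    if negative and _selection_hits(det[negative], event):
        return False
    return True


def alerts(rule, events):
    """Indices of the events the rule fires on."""
    return [i for i, ev in enumerate(events) if matches(rule, ev)]


def _clauses(selection, fmt, escape):
    return " ".join(fmt(f, escape(p)) for f, p in
                    (_field_pattern(s, v) for s, v in selection.items()))


def to_splunk(rule):
    """Splunk-style search: literal backslashes must be doubled inside quotes."""
    det = rule["detection"]
    positive, negative = _parse_condition(det["condition"])
    esc = lambda p: p.replace("\\", "\\\\")
    fmt = lambda f, p: f'{f}="{p}"'
    query = _clauses(det[positive], fmt, esc)
    if negative:
        query += " NOT (" + _clauses(det[negative], fmt, esc) + ")"
    return query


def to_lucene(rule):
    """Lucene-style query string for an Elasticsearch-type backend."""
    det = rule["detection"]
    positive, negative = _parse_condition(det["condition"])
    esc = lambda p: p.replace("\\", "\\\\")
    fmt = lambda f, p: f"{f}:{p}"
    query = _clauses(det[positive], fmt, esc)
    if negative:
        query += " AND NOT (" + _clauses(det[negative], fmt, esc) + ")"
    return query


if __name__ == "__main__":
    print("fires on events:", alerts(RULE, SAMPLE_EVENTS))
    print("splunk:", to_splunk(RULE))
    print("lucene:", to_lucene(RULE))
```

The same rule object drives both the in-process evaluator and the two query translations, which is the whole point of an interchange format: the detection logic is written once and reviewed once, and only the backend-specific syntax (here, quoting and backslash escaping) differs per platform. A real Sigma converter handles the full condition grammar, more modifiers and field-name mappings per log source; this example deliberately covers only what the rule above needs.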
Thanks to Sittikorn Sangrattanapitak, Emir Erdogan, and Osman Demir, active participants in the Threat Bounty Program, who published their rules for detecting leaked Red Team tools.
TitoSpecial Memory Dump (Credential Stealer) (via file_event)
FireEye Red Team Tool – MSBUILDME Suspicious Execution of userinit.exe
FireEye Red Team Tool – RUNDLL32 Suspicious Execution (via cmdline)
FireEye Red Team Tool – G2JS Suspicious Execution of colorcpl.exe