2020 FireEye Breach


On 8 December 2020, the prominent US-based cybersecurity company FireEye announced on its blog that it had been the victim of a cyber-attack. The nature of the attack has led experts to theorise that it was carried out by a state-sponsored hacking group, currently believed to be Cozy Bear (also known as APT29).

California-headquartered FireEye, founded in 2004, has previously been involved in the detection and disruption of major cyber-attacks (including the takedown of the Mega-D botnet). The company offers a wide range of services, hardware and software for investigating and protecting against cyber-attacks.

Notably, FireEye provides a whole suite of so-called ‘red team’ services. The purpose of a ‘red team’ is to carry out simulated cyber-attacks on an organisation using the tools and techniques that a real attacker would use. Once an objective has been agreed between the two parties, the work carried out by the ‘red team’ shows the organisation being tested where the weaknesses in its cybersecurity lie.

A ‘red team’ is usually hired externally by an organisation and has little or no inside knowledge of the security controls in place. This keeps the exercise as realistic as possible, with the ‘red team’ using the same techniques that would be used in a real attack.

According to FireEye CEO Kevin Mandia, the highly sophisticated attack used tools specifically designed to evade FireEye's security controls. The intrusion began with the SUNBURST backdoor trojan. This was delivered through updates to the SolarWinds Orion software platform: the updates had been tampered with at the vendor to include the malware, so they reached customers through the normal update channel carrying a valid SolarWinds digital signature (what is known as a supply-chain attack). Using this backdoor, the attackers were able to reach FireEye's internal systems and extract data, including the ‘red team’ tools used by FireEye.

The nature of the attack has caused a high level of alert around the globe, as many companies and institutions (including 425 of America's Fortune 500 companies, as well as the Pentagon and the White House) may have found themselves exposed to the SUNBURST trojan. Whilst FireEye was the first organisation to disclose that it had been breached, the fact remains that for around three months, between March and June 2020, multiple updates to the Orion platform carried the SUNBURST trojan, and any organisation that installed one of them should assume the attackers had a way in.

While FireEye has not disclosed the nature of the data extracted, it is reported that in the two weeks prior to the announcement on 8 December the company had been changing user access credentials. What has been disclosed is the suite of ‘red team’ tools that was stolen. FireEye has published a large set of countermeasures for these tools (detection signatures in Snort, Yara, ClamAV and HXIOC formats) in a GitHub repository.
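The two paragraphs above describe the mechanism (a trojanized update arriving through the vendor's own signed channel) and the response (published detection signatures, many of which are simple file hashes). The following is an added example, not FireEye's or SolarWinds' code, of the two checks a consumer of such an update can run before installing it: comparing every file against a hash manifest obtained independently of the vendor's build pipeline, and comparing every file against a list of known-bad hashes of the kind shipped in published countermeasures. It goes slightly beyond the text by also reporting files the manifest lists that the package is missing. All file names, file contents, manifest hashes and "known-bad" hashes are constructed for this example; none are real Orion files or SUNBURST indicators.

```python
"""Pre-install verification of an update package (constructed example).

A trojanized update that is signed and distributed through the vendor's
normal channel passes the vendor's own signature check, so the consumer
needs a reference the vendor's pipeline cannot alter.  Two checks:

  1. each file's SHA-256 against a manifest obtained through a second
     channel (published out of band, or from an independent reproducible
     build);
  2. each file's SHA-256 against a known-bad list, as published
     countermeasures provide.

Everything below (file names, contents, hashes) is constructed; none of
it is a real SolarWinds artefact or a real SUNBURST indicator.
"""
import hashlib
from typing import Dict, List, Set


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a file's bytes."""
    return hashlib.sha256(data).hexdigest()


# Constructed clean update package: file name -> bytes (stand-ins for DLLs).
CLEAN_PACKAGE: Dict[str, bytes] = {
    "Orion.Core.dll": b"legitimate core library v1",
    "Orion.Web.dll": b"legitimate web library v1",
}

# Constructed trojanized variant: same file names as the clean package,
# one file altered to carry extra code and one unexpected file added.
TROJANIZED_PACKAGE: Dict[str, bytes] = dict(CLEAN_PACKAGE)
TROJANIZED_PACKAGE["Orion.Core.dll"] = CLEAN_PACKAGE["Orion.Core.dll"] + b"\x90BACKDOOR"
TROJANIZED_PACKAGE["Orion.Telemetry.dll"] = b"unexpected extra component"

# Independent manifest: hashes of the clean build.  In practice this comes
# from a channel the vendor's build pipeline cannot write to; here it is
# simply computed from the constructed clean package.
INDEPENDENT_MANIFEST: Dict[str, str] = {
    name: sha256_hex(data) for name, data in CLEAN_PACKAGE.items()
}

# Known-bad hashes as a countermeasure feed would list them.  Constructed
# here from the trojanized sample so the example is self-contained.
KNOWN_BAD_HASHES: Set[str] = {sha256_hex(TROJANIZED_PACKAGE["Orion.Core.dll"])}


def verify_package(package: Dict[str, bytes],
                   manifest: Dict[str, str],
                   known_bad: Set[str]) -> List[str]:
    """Return a list of findings; an empty list means the package passed.

    A file can produce more than one finding (e.g. both a known-bad match
    and a manifest mismatch), which is deliberate: each check is useful on
    its own when the other reference is unavailable or stale.
    """
    findings: List[str] = []
    for name, data in package.items():
        digest = sha256_hex(data)
        if digest in known_bad:
            findings.append(f"{name}: matches known-bad hash {digest[:12]}...")
        expected = manifest.get(name)
        if expected is None:
            findings.append(f"{name}: not in independent manifest")
        elif digest != expected:
            findings.append(f"{name}: hash mismatch against independent manifest")
    for name in manifest:
        if name not in package:
            findings.append(f"{name}: listed in manifest but missing from package")
    return findings


if __name__ == "__main__":
    for label, pkg in (("clean", CLEAN_PACKAGE), ("trojanized", TROJANIZED_PACKAGE)):
        result = verify_package(pkg, INDEPENDENT_MANIFEST, KNOWN_BAD_HASHES)
        print(f"{label}: {'PASS' if not result else 'FAIL'}")
        for line in result:
            print("  " + line)
```

Two caveats apply. The manifest check is only as good as the independence of the manifest: a hash list published by the same compromised build system would match the trojanized file, which is exactly why the vendor's own signature offered no protection here. And the known-bad check is brittle, since an attacker who recompiles changes the hash, so it should be treated as a way to find already-published samples rather than as proof of a clean package.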

The fact that these tools were taken implies that the attackers may intend to use them in further operations. As Cozy Bear, the suspected perpetrator of the attack, was recently linked to organised efforts to steal research relating to the development of a Covid-19 vaccine, it should be assumed that further attacks of this nature will follow.

Whilst FireEye's release of countermeasures will have reduced the risk of these tools being used maliciously, it remains of the utmost importance that affected bodies take action immediately: apply the published detection rules, and establish whether any of their systems installed one of the affected Orion updates. Furthermore, it is deeply troubling that a cybersecurity organisation of FireEye's standing can still be affected by a hack such as this.
