250 comments

[ 2.1 ms ] story [ 255 ms ] thread
This demonstrates two major points that many people not familiar with security may not understand:

The first is that anyone -- really, anyone -- can get hacked. I often joke with our CIO that security would be a lot easier if he just powered down our production infrastructure. Security is a game played in layers (often called "defense in depth"), but at the end of the day, it's almost impossible to prevent a breach with any high degree of certainty.

The second is that bad actors (of wildly varying skill) are very active on the Internet. The threat of hackers used to be curious teenagers trying to learn more about computer systems; it didn't take long for that to devolve into criminal activity and "hacktivism." Now, the intelligence services of major nations regularly attack public and private organizations across the Internet.

It's the job of contemporary security teams to defend against any and all threats -- but many (if not all) private organizations are ill equipped to defend against a well-organized intelligence agency in an attack such as this.

I didn't see any what the attack vector used against FireEye might have been, but those same attackers are now very well "armed" with FireEye's red team arsenal. It's going to be an interesting future for security teams as we learn what and whom these adversaries will attack next.

You missed the third major point that most people do not know which is that these attacks are not just possible, they are easy. Every single one of these articles always mentions "nation-state actors" to imply that only a nation-state with billions of dollars and thousands of people can pull off such a "sophisticated" "novel" attack. That is unequivocal garbage. I have never had a CISO (or any other high-level security executive) of a multi-billion dollar company ever answer the question: "How much would it cost to critically compromise your systems and do an unrecoverable amount of damage?" with a number higher than $1,000,000. $1,000,000 is a rounding error to these companies. $1,000,000 is a rounding error in a rounding error to a sizable nation-state. These systems are not just insecure against nation-state attackers, they are insecure against organizations with the staggering weight of 3-10 people. Or, to use a quote from the recent Project Zero blogpost on the iOS exploit said: "one person, working alone in their bedroom, was able to build a capability which would allow them to seriously compromise iPhone users they'd come into close contact with." That is a far cry from being secure against credible threats to a multi-billion dollar business by any stretch of the imagination.

Are systems more secure now than they were in the past? Maybe. A targeted attack against an arbitrary target would generally take a few 10 to 100s of thousands of dollars. This is probably orders of magnitude more than the past of teenagers hacking for giggles. But, there are like 6-8 orders of magnitude between teenagers hacking for giggles and a "nation-state actor" and about 3 orders of magnitude between a random company/organization and a nation-state. The best systems deployed systems are about as close to adequate as a house is to a skyscraper.

>Every single one of these articles always mentions "nation-state actors" to imply that only a nation-state with billions of dollars and thousands of people can pull off such a "sophisticated" "novel" attack.

While this is true for e.g., Equifax (see https://ciexinc.com/blog/quick-assessment-of-a-companys-secu...), if FireEye (aka Mandiant) says it, I tend to believe it to be quite true.

I would expect that hacking them would be far from easy.

One of the big questions I'd have is exactly how these tools were leaked. Red team tools are by nature more exposed since they're using them with their clients, presumably on a large scale, and I would hope that there's a very large difference in the number of people who have access to those tools and the number of people who have access to their production infrastructure, code-signing, or software update mechanism.
First, FireEye was one of the companies who worked to secure Equifax prior to the breach as mentioned by the CSO of Equifax on page 4 of this FireEye white paper from 2012 [1] that FireEye has since retracted [2][3].

Second, that is kind of a non-sequitur. I did not say that a nation-state did not pull off the attack, my gripe is that they are implying, like every other company that gets breached, that only a nation-state has the resources to pull off such an attack with their wording. These attacks are extremely cheap and easy, that is why we see governments running literally hundreds to thousands of such attacks/programs in parallel as evidenced by the CIA Vault 7 leaks. A single branch of the US government was literally developing hundreds of independent tools/programs that could successfully compromise anything they cared to target.

Third, define "easy". I define easy as ~$1,000,000-$10,000,000 since almost any moderately-sized corporation, of which there are millions, could fund such an operation. To put it in perspective, $10,000,000 is only ~1% of FireEye's revenue. I define "only a nation-state" at 1,000x more at ~$1,000,000,000-~$10,000,000,000 since although it is still technically doable for a large multinational or organized crime, it is unlikely to be profitable outside of theoretical large-scale extortion attacks.

Do you think a penetration test of 3 engineers working fulltime for a year would fail to materially breach FireEye's corporate systems? Almost every penetration test by a competent company takes a fraction of that effort even against well-funded security teams. And 3 engineers for one year is only 3 engineer-years which at $300k/engineer-year is ~$1,000,000, the bottom end of "easy" and 1,000x less than "only nation-states can pull it off". If engineer-years is too abstract, the Google ProjectZero case I mentioned earlier was a zero-click iOS RCE from zero starting understanding in 0.5 engineer-years. So, doing some sloppy extrapolation, is it easier to find 6 zero-click iOS RCEs or breach FireEye's corporate systems?

Let's say we moved up an order of magnitude to 1% of FireEye's revenue at $10,000,000 which is the high end of "easy" and is 2 orders of magnitude less than the bottom end of "only nation-states can pull it off". That would be enough to fund 30 engineers working fulltime for a year or 10 engineers working fulltime for 3 years. Do you think FireEye could prevent a material breach? I have literally never heard of a single person in enterprise security who has ever dared to make such a remark on the record that was not instantly taken down for a fraction of that. I know of no competent engineers in that space who would support making such a statement to anybody who could and would test it. Just think if FireEye announced a $10,000,000 prize at DefCon to breach their systems by the end of the year, do you think they would even last the month?

[1] http://www.cnmeonline.com/myresources/fireeye/fireeye-cso-le...

[2] https://web.archive.org/web/20120610031926/https://www.firee...

[3] https://www.fireeye.com/CSO_WP_LP.html

>my gripe is that they are implying, like every other company that gets breached, that only a nation-state has the resources to pull off such an attack with their wording.

I feel that with respect to FireEye, that it isn't just an implication; more that they would claim this with strong evidence. They are about attribution.

I think this argument is making some false equivalence. Just because every other company that was breached (e.g. Equifax) claims "Wow State Actor Sophisticate Beyond Anything Before Seen By Man" for something as simple as failure to update your software leaves a yawning hole has tarnished the dialog for those who know what they are doing.

While CSO at Relativity, and now for my clients, I strongly suggest that you don't use the phrase "Security is Very Important to us" since that is the first thing out of the mouth of companies who didn't until they got hacked.

>Do you think a penetration test of 3 engineers working fulltime for a year would fail to materially breach FireEye's corporate systems?

Bluntly, yes. I expect that their defenses are much better than most companies, including security companies.

>I have literally never heard of a single person in enterprise security who has ever dared to make such a remark on the record

Enterprise security is in a different category altogether. Few non-security enterprises will withstand much of an attack. FireEye is in a different category altogether.

If you are interested in the topic, a useful book to read is https://www.amazon.com/Incident-Response-Computer-Forensics-.... I think this is more informative than these BOEC cost calculations.

FireEye literally did the incident response for the Equifax hack, so I do not see how you can claim: "FireEye does accurate and honest attribution." but then also claim "Equifax likely made stuff up." unless you are claiming that FireEye was involved in incident response, but was somehow not involved in attribution, or that they made a true discovery-able report, but knowingly lied.

It is hardly a false equivalence. If everybody constantly fails with little to no evidence of any success by anyone ever despite continuous assurances of success by everyone, there is exactly zero evidence that a layperson should trust any statement on that topic without good, solid, objective evidence to the contrary. Given the track record in the industry, there is no reason to give the benefit of the doubt to any company. The burden of proof is on them to demonstrate their claims in a relatively objective, quantitative manner. If they have no means of proving a quantitative claim in a relatively objective manner, there is no reason to believe their claims given their track record. To provide an analogy, if somebody you trust to not be malicious asks you to follow them, but they can not justify why, then the smart thing to do is judge them based on their track record as that provides some part of an objective statistical basis for evaluating their prevailing success rate.

If you really must have evidence of a trend of insecurity amongst security companies. Then we can look no further than McAfee, Symantec, and Trend Micro all being breached between 2017-2019 that was attributed to "fxmsp" [1][2], a private Russian hacking group that was selling the contents of the breaches for a few $100k which demonstrates how easy it must have been for it to be profitable at that price point (to be fair they could sell it multiple times, but I doubt they sold it hundreds of times). So, what justification do you have for why FireEye's security should be any different than other companies or even other security companies?

Also, you only provided an answer to the low end of "easy" rather than the high end at 30 engineers for a year or 10 engineers for 3 years which would be needed to pull them out of the "easy" category by my standards. If you do claim they can survive that, can you provide either some reasonably quantitative evidence or public statements to that effect or the same for literally any other company in the world you think can do so as I have not once ever heard of a single company ever justifying such a claim in any verifiable manner. Thank you.

[1] https://gdpr.report/news/2019/05/15/mcafeesymantec-trend-mic...

[2] https://www.zdnet.com/article/fxmsp-hacker-indicted-by-feds-...

1M is a rounding error to almost any nation state regardless of size that would want to hack into systems. The internet has democratized everything, even hacking and disinformation. For a couple hundred million, an industrious nation state can sow discord in its largest and most powerful competitors while at the same time stealing all their IP. It's the Innovators Dilemma at the nation state level.
This part of the story is intriguing:

> In the FireEye attack, the hackers went to extraordinary lengths to avoid being seen. They created several thousand internet protocol addresses — many inside the United States — that had never before been used in attacks. By using those addresses to stage their attack, it allowed the hackers to better conceal their whereabouts.

What does it mean to "create an internet protocol address," in this context? Did they use VPNs? VMs on cloud services? Residential proxies, luminati-style? Something else?

Also how do you validate an address has never been used in an attack?
You only need to validate it to the depth that your target can validate it, which likely means via (among other sources) paid-for IP Reputation services.
I would guess that is a little bit of journalistic summarization, and what the author means is that the IPs used in the attack had a reasonable reputation. That's what made me wonder whether they were talking about residential proxies.
Probably just a journalist's summary of "not on existing IOC lists".
The reporter meant 'used'. I have never heard the use of 'created' and if there is a meaning to that that I don't know about it's not widely used and should not have been used by the writer.

The 'many inside the US' is kind of laughable. I mean what would you do to pull this off use IP addresses in China or Russia just to draw attention?

I mean if you want to pull off a burglary in a residential neighborhood you don't drive in with an auto that draws attention you go with an auto that looks like many others that have been seen before and isn't noticed.

Like using a Zil or a Lada or a Trabant as a getaway car in the USA, perhaps. Or a Citroën 2CV.
The problem with these articles is the cloak and dagger nature of these stories and the lack of healthy skepticism.

While not necessarily the case here, every big tech company puts blame on an APT aka a nation state actor.

In fact, the very same FireEye attributed the Sony Pictures hack to North Korea on extremely flimsy grounds. By those same measures one could have implicated East Palo Alto High School.

You never regain your credibility for attribution and provenance once you have committed such a public blunder.

https://en.wikipedia.org/wiki/Sony_Pictures_hack#Doubts_abou...

It is the same as Crowdstrike going back on their wild claims while their CEO testified under oath.

https://www.realclearinvestigations.com/articles/2020/05/13/...

Is sworn testimony the only way we will get them to tell the truth?

Maybe you should try to gain a basic understanding of what you're talking about before posting this /pol/ conspiracy theory stuff?

There exists very little doubt that NK was behind the Sony hack, there's even a federal indictment.

>It is the same as Crowdstrike going back on their wild claims while their CEO testified under oath.

This is a complete fabrication by you, utterly unsupported by the link you shared which only contains meaningless bickering regarding forensic traces of data exfiltration.

Here is the congressional sworn testimony of Shawn Henry, the CEO of Crowdstrike, specifically saying that there is no concrete evidence of Russian hacking of the DNC.

https://intelligence.house.gov/uploadedfiles/sh21.pdf

You can peruse the whole pdf or jump straight to the money quote on page 32.

As for federal indictment on North Korea, that means nothing on the merits or dubiousness of the North Koreans hacking Sony. In fact, there was a smoking gun to a disgruntled ex employee. On a side note Sony and Sony entities were publicly hacked over 18 times prior to this as “revenge” for the PS lawsuit against the hacker who exposed encryption keys of the Playstation.

https://www.wired.com/2014/12/evidence-of-north-korea-hack-i...

https://en.wikipedia.org/wiki/Sony_Pictures_hack#Doubts_abou...

https://www.wired.com/2014/12/evidence-of-north-korea-hack-i...

>Here is the congressional sworn testimony of Shawn Henry, the CEO of Crowdstrike, specifically saying that there is no concrete evidence of Russian hacking of the DNC.

It feels like you're being deliberately dishonest. Your "money quote" is about whether there were was concrete evidence of the hackers exfiltrating data from the DNC, not about "Russian hacking of the DNC" .

What Shawn Henry is saying there is that they have evidence of the hackers preparing data for exfiltration, but no concrete evidence of the data being transferred out. Unless the malware used by the hackers stores detailed logs, this is to be expected. It would be unreasonable to doubt that the exfiltration happened on this basis.

>In fact, there was a smoking gun to a disgruntled ex employee

There wasn't. None of your links substantiate this claim.

The wikipedia section consists of uninformed clowns like Sabu and hilarious quotes like "State-sponsored attackers don't create cool names for themselves like 'Guardians of Peace' and promote their activity to the public.". There's no genuine attempt at convincing criticism of the NK attribution to be found here.

>As for federal indictment on North Korea, that means nothing on the merits or dubiousness of the North Koreans hacking Sony

The federal government has a pretty good track record of getting these things right. The DOJ certainly believes that NK did the Sony hack.

I have respect for Kim Zetter, but in a hard-core discussion about who hacked Sony, I'm going to tend more to believe FireEye.

> ... FireEye attributed the Sony Pictures hack to North Korea on extremely flimsy grounds.

What grounds are flimsy that they used? Do you have details about what FireEye actually saw?

> The U.S. Department of Justice issued formal charges related to the Sony hack on North Korean citizen Park Jin-hyok on September 6, 2018. ... The Department of Justice had previously identified Park and had been monitoring him for some time, but could not indict him immediately as much of the information around him was classified.
(comment deleted)
I found an XSS on FireEye's website when I was a pentester. Good times.. It took all night, too. Was worried it'd be the first gig I wasn't able to get a medium severity on.

I'm not sure anything can protect against a targeted attack from a nation-state. It's tempting to think that you can. But the warfare is asymmetric; they have all the time in the world to become certain that they can breach your outer defenses. One slip up, one old server version, is all it takes. I've seen it.

In this case, it's a security company, so I'm sure the irony seems a bit thick. But it's helpful to recall that security companies are companies. And no one is immune to security threats.

>I'm not sure anything can protect against a targeted attack from a nation-state.

hardware airgap can go a long way

Airgaps protect against low to medium level attackers. Nation state tools for bypassing airgaps are a dime a dozen.

One of the most common is interdiction of computers in shipping and installation of hardware implants.

Airgaps are certainly intended to protect against every skill level hacker. The ideal strategy is the multi-layered, Swiss cheese approach. A slice for RBAC (LDAP, AD, MFA, etc.); a slice for email phishing filters and user awareness training; another for network segmentation and isolation (Firewalls, proxies); another for network filters (ping DDOS attacks, etc.); and on and on. The APT attack strategy uses every tool in the arsenal and hunts for a path through the cheese layers, hopefully never finding one to the real prize behind.
Honestly, system user education/awareness goes even further. Iran nuclear facilities used an airgap but it was social engineering that was the weakest attack vector for Stuxnet to exploit. Same with the South Korean Winter Olympics; a phishing email with a macro embedded Word doc got them in there.

A great book on Russian, state-backed hacking group was by a senior Wired writer, Andy Greenberg, called "Sandworm" [0]

[0] https://www.amazon.com/Sandworm-Cyberwar-Kremlins-Dangerous-...

(comment deleted)
How do you get updates to your airgapped hardware? That's your attack vector.
Like, their Wordpress-esque page managed by their marketing team?
Will there be any public proof or evidence this is a state actor? The blog post has no details and the overuse of adjectives to describe the attacker as extremely competent sounds more like an excuse for their own weaknesses.
Assuming it was a state actor, what type of proof could they release? Presumably the FBI wouldn't want to disclose how it came to this conclusion
Seems like they are seeking attention more than anything.
They are seeking attention by saying they got hacked, when their entire reason for existence is to defend networks?
It reads like a brochure written by a marketing department, "top-tier offensive capabilities... world-class... operated clandestinely... They used a novel combination of techniques not witnessed by us or our partners in the past... nation-state cyber-espionage".

It's way over-the-top.

I mean, it's only over the top of it isn't true. Those are all words people have used to describe intrusions in the past, like Stuxnet or Sandworm.
Of course it was written by a marketing department. They're a $3B public company with 3,400 employees. And you're proposing they faked a security breach and lied to the FBI so they could get media attention? Please be joking.
(comment deleted)
I mean, FireEye has a pretty good reputation for attribution and investigation of nation state intrusions. This doesn't seem like the type of thing they would just make up. Bot saying we should take them 100% at their word, but investigating intrusions is their entire reason for existence
They have a reputation for making up salacious stories based on totally inconclusive, inadequate "evidence". No wonder they turned it up to 11 when it was themselves getting breached.
Can you describe what you'd consider adequate and conclusive evidence necessary for attribution of a cyberattack?
Documentation verifiably obtained from the attacker about the intent to attack, the methods used, the results and people involved. Preferrably with means to tie everything to a plausible timeline.

Attribution is hard to impossible. What passes for attribution these days is laughable.

Would you require this level of certainty when prosecuting crimes domestically? Why or why not?

Short of a full written confession, is there any way whatsoever to gain an understanding of who perpetrated an attack? Or are you saying it’s impossible to even begin to build evidence?

That is pretty much the level of certainty required for prosecuting crimes domestically, yes, or very close to it. Time-frame, proof of intent, and motive.

There is of course a way of doing so, as long as the attacker made a mistake. If they didn't, then it very well might be completely impossible to know who did it, and that's just how it is.

Timeframe, proof of intent, and motive are not what the commenter I replied to said, and they most certainly have those three pieces of information when attribution takes place generally speaking.
That's how I understood their comment, and in general, no, concordance of time frame and proof of intent are not proven. I think you underestimate the "proof" part of proof of intent. You not only have to prove conclusively that they did it, but back it up by proving that they intended to do so.
That's not a bar that's reached in the vast majority of criminal cases tried in the United States, or anywhere else for that matter, so it seems odd (approaching disingenuous) to try and establish that level of certainty here.
If the American justice system doesn't attempt to prove that the person actually conclusively commited the crime and has mens rea as well as a motive and a congruent time-frame to commit it, then something is terribly wrong.
> Documentation verifiably obtained from the attacker about the intent to attack, the methods used, the results and people involved.

Just to remind you where we started, as a contrast to the new goalposts you've established.

Well they could pretty easily demonstrate that only a state actor could pull off an attack like this in an objective manner. If it takes state-level resources to breach their systems, then they can just announce and put out an open prize for anybody who can breach their systems that pays out less than state-level resources. If it actually takes state-level resources to breach their systems, but pays out less than that, then it would be unprofitable for people to claim their prize and provide pretty good evidence for their security. However, if somebody does claim the prize, then we can reasonably assume that their security level is less than the prize as it is profitable for somebody to claim the prize despite the unknown level of risk involved in a blind uncontracted penetration test.

So, what do we all think would be a level of resources that only a state could support? I think we can just start somewhere pretty low like $1,000,000,000. Fortune 500 companies and many criminal organizations could reasonably afford that, but the total number of organizations is still pretty limited, so it is probably a good lower bound. I do not think we can go much lower because if we drop down to $100,000,000 then even FireEye, which is not a Fortune 500 company, could theoretically fund such a venture with its revenue of $890,000,000.

Okay, so starting with "only a state" resource level of $1,000,000,000, we should probably divide it by 10 to make it highly unlikely people will do it just to prove they can even if it is unprofitable to get the prize. That leaves us with a simple open prize of $100,000,000 for the first person to demonstrate that they can breach their systems. If nobody claims the prize, then it is highly likely that this attack would take a state-level actor. If somebody does claim the prize, then it is probably doable by somebody who is not a state-level actor. This would provide an unbiased answer about the truth of their implications. If they think such a prize is too high, then they can just set it to a lower X that will give us an unbiased answer to the question: "Does it take more than X resources to breach their systems?"

This is a very peculiar thought experiment.
Indeed. It would, however, provide very strong evidence for most such claims. The primary problem with actually implementing it in general is the risk of getting unlucky if you have a very large payout. Say you claim $100,000,000,000. Even if it is an accurate assessment, somebody could randomly luck into a vulnerability that would normally actually take $100,000,000,000 to find and suddenly you are dead since it is highly unlikely you are one of the few companies that can actually survive such a payout. You could alleviate that to some degree with insurance in the middle range, but it is highly unlikely that would work at the very high payouts. Luckily, in this case, a payout of $100,000,000 is actually within FireEye's reach given their revenue and market cap. In fact, they lost more in market cap on this breach news than such a payout. So, if their claims are actually true, this is an entirely feasible and useful demonstration to run.

Personally, I think if they actually announced a $100,000,000 prize they would be breached within a week on the outside. At $100,000,000 people can burn dozens to hundreds of zero-days to be the first to get the payout and still come out ahead. Even at $10,000,000 I doubt they would last more than 1 month. At $10,000,000 the prize would be the most attractive bounty in the entire industry by a factor of 3-10x and people could still burn some zero-days and still come out ahead.

> It would, however, provide very strong evidence

No it wouldn't, because--

> the risk of getting unlucky

-- oh, you do understand. Why are you proposing this again?

Because you can use statistics to analyze random events. A claim that your system requires resources on the order of $100,000,000 to breach can be converted, assuming a rate of $300,000/engineer-year to a statement like: "Your system will require on average 300 engineer-years to breach." If the first person who tries is able to breach your system after 1 engineer-year that is an indication that maybe your calculations are incorrect. If it happens again after 1 engineer-year then you have almost absolutely incorrectly determined your true failure rate. If it repeatedly happens over and over again then you are wrong and, conveniently, you will promptly go out of business as people arbitrage your lies. If, however, your analysis is correct, then the probability of getting unlucky multiple times relative to your true failure rate is highly unlikely and the outcomes will stabilize in the long run. Assuming you did not set the payout so high as to be instant death, which I did suggest in FireEye's case as FireEye can, in fact, support a $100,000,000 payout, it provides a relatively sound, objective, statistical basis for inferring the actual cost.
Ah. The premise of "let people hack you, and pay out a bounty, not just once but dozens of times so you get decent statistics" was not explicit in your proposal, but definitely makes it even less attractive.
I'd counter with the following argument.

I believe not a single cyber offensive op performed by a nation state had a budget of $1B. I'd say $1M is an upper bound here. Cyber warfare is used because it's cheap.

Spezialized custom work is expensive.

I doubt Stuxnet cost only $1M.

Licensing costs for law enforcement "remote access tools" (state trojans) can be millions (distributed among dozens of uses, but IMHO easy to see spending as much on a high-value single use).

From the wiki article about the iPhone-encryption debate: "On April 7, 2016, FBI Director James Comey said that the tool used can only unlock an iPhone 5C like that used by the San Bernardino shooter, as well as older iPhone models lacking the Touch ID sensor. Comey also confirmed that the tool was purchased from a third party but would not reveal the source,[59] later indicating the tool cost more than $1.3 million and that they did not purchase the rights to technical details about how the tool functions"

Yes, Stuxnet probably cost more. But Stuxnet was a higher level op, the target was also a nation state.

In this case they went after the tools to avoid detection and/or attribution in future ops. They could instead contract a company like their victim to develop such tools from scratch for about $10M.

Also, we're talking about nation states other than US.

My comment is not arguing whether a state actor breached FireEye, but whether only a state actor could breach FireEye as they are implying as nobody else could fund or develop such a "sophisticated" or "advanced" attack. If it is at most $1M as you say, then you are actually agreeing with me as that would hardly constitute something that only a "state actor" could do given that literally any mid-sized business, of which there are millions, could support such an expense. To actually demonstrate that it is so difficult to develop that "only a state actor" has the resources to develop/deploy such an attack should require demonstrating that it is out of reach for all but a state actor for which a $1B budget is likely a good bottom-end as only a very small number of non-state entities can actually support such an effort. I hope that clarifies my point.
> The blog post has no details and the overuse of adjectives to describe the attacker as extremely competent sounds more like an excuse for their own weaknesses

This was precisely my read of it as well. Exaggerated usage of superlatives coupled with no actual explanation suggests trumping up an adversary's capabilities to excuse one's own security lapses. Like claiming a highly sophisticated burglar broke into your home, while neglecting to mention you left a window open.

More likely the FBI telling them not to speak publicly as to not impede an investigation.
Interesting that they don't even name the adversary.
According to Reuters, a Western security official claims similar companies have been affected in a similar way to FireEye [1].

It will be interesting to see how this plays out, and if true, this may be the first of many compromises to be revealed.

[1] https://twitter.com/Bing_Chris/status/1336431664478687239

I salivate at the potential of seeing the industry turned on it's head and these tools being leaked. I know there are great firms out there, but a lot are snake oil nonsense.
I wonder if the attackers could use what they stole to impersonate FireEye. As in, some org thinks they're contracted/working with FireEye, but they're actually working with this nation state doing intelligence against the org.
Why impersonate Fireeye even? Just start a legitimate company, gain customers and then use that as a basis to gather what you need. The employees wouldn't know this they'd think they are working for a legitimate company. The bad actors who set it up would just have access to whatever they needed to do what they needed to do. This would take years of work to pull off but could be done.
what does "None of the tools contain zero-day exploits" exactly mean? Does the tools contain knows zero-days but not non public zero days?
Or no exploits at all, ie. post exploitation frameworks, control channels etc. only.

EDIT: Nevermind they added something to the countermeasures repo that goes against that.

I would have thought it would mean that any exploits which are used have widely available patches.
Doesn't being known preclude them from being zero days by definition?
In the 'zero-day' and related terminology the days start counting from the time when a fix is available. It refers to how much time a defender has had to fix their systems, a zero-day implying that even the most prudent defender could not have prevented the attack; and a day-1 (or day-x) attack implying that the defender might have closed the vulnerability if they had been sufficiently fast in monitoring for the existence of the problem and fixing their systems.

So there certainly could be zero-day exploits for vulnerabilities that are known but not yet fixable, perhaps because the vulnerability did not seem easily exploitable and thus not urgent to the vendor.

It just means all the exploits are for vulnerabilities that have been published already.
Huge target on their back no matter what. Like those movies where the tough guy is tested when he gets to prison.

This is where it does not pay to be a public company. If they weren't a public company they wouldn't have to disclose this or acknowledge it and there most likely would not be a credibility damaging story which is easy to find. Sure the story could have gotten out but it would not be easy findable and would not be broadcast widely. An event like this makes major papers and nightly news.

Read that again. There is nothing that says you need to air your dirty laundry. That's not a business or legal principal (other than whatever the public company requirements might be and I am not even 100% certain this was needed but I don't know).

Also as others have pointed out indicating that it was a state sponsored actor is to me (for lack of an elegant way to put it) is 'chicken shit'. Why say that? Why not just say you were attacked and going to try and determine why and make any changes. All it does it sound like an excuse and further to say 'well others are not attacked like this and we can protect against them fine' doesn't fly.

> Why say that? Why not just say you were attacked and going to try and determine why and make any changes

Because they would be out of business tomorrow if they say they think it was a 13 year old from Ohio just fooling around on a Sunday.

This is FireEye marketing itself for the F500 by selling fear of an invisible adversary with unlimited resources that already deliver innovative black hat capabilities.

> if they say they think it was a 13 year old from Ohio

How could you read my comment and think that is what I thought they should say?? I said not to say anything. And why use hyperbole ie 'they would be out of business tomorrow'.

And no it's not marketing anymore than if a Karate expert airs that he was beat up in an alley and then says 'but the person was 9 feet tall that's why!'. (But sure to your point if they said 'by a 13 year old' that would not be better but once again I didn't say that.)

But your oneliner leaves that much range open for interpretation and if a company is not this specific journalist are going to speculate because even the FBI has had 13 year olds harvesting chaos in their ecosystem.
"They used a novel combination of techniques not witnessed by us or our partners in the past."

This is the scary part. FireEye and the others have been studying and watching APTXX nation-state teams for many years. They should have some idea by now. It is entirely possible that a new team is out there.

They are probably trying to make it look like they got hit by a clever attack, rather than SQLi or a XSS.
Yeah, details please. This is PR talk.

If it's something novel indeed, the entire industry would like to know please.

Since FireEye worked for Equifax before it was breached one could hope they have learned a thing or two, yes.
> During our investigation to date, we have found that the attacker targeted and accessed

did their best to bury the lede. they say they were targeted multiple times, but dont say they were breached until the fourth paragraph, something like 40% of the way through - even then the admission is intentionally mentioned vice announced. i understand fireeye is a security company, but pussyfooting is pussyfooting and weasel words are weasel words.

idk, politics is part of the game at the highest level. maybe im not destined for the c-suite.

As someone who has done some work in the PR sector, it was established that it's crucial to ensure the correct narrative is delivered.

There can be times when the "factually accurate" narrative conflicts with the correct one, there's a reason why most corporations have dedicated resources for engaging with the public.

What one normally consider to be "weasel words" are often carefully chosen to polish the truth while alleviating harm to key stakeholders.

Everyone knows they are being targeted. They would have no reason to even put a press release together if they weren't breached. The first three paragraphs are basically "we are under attack" then "it's an advance attack" then "we're investigating the attack." No one implies that how successful the attack was until the first sentence. This doesn't seem like they are minimizing or attempting to cover up the damage.
Glorius. One of the government's biggest contractors got pwned. And a security firm, no less.
Is anyone getting the sense that there are a lot of weird comments in this thread? Why are there so many comments doubting the idea that FireEye could have been hacked by a nation state actor? It's just really weird that so many people are saying similar things without directly contributing. Not to be paranoid, bit it's the type of behaviour I would expect from a nation state trying to place doubt in the narrative that they were hacking commercial companies...
Most of the comments seem to be doubting that the attack was as advanced as FireEye claim. IE not that they got hacked, but rather that it wouldn't necessarily have taken a nation-state to do it. And therefore that just about any nation-state who did want to could have.
Not sure if you work in the security industry or not, but often times people that work in the industry learn to understand it’s just not that hard to pop a majority of enterprise systems. Not sure if this due to knowing where all the bodies are buried or what.
It does seem paranoid to think that someone viewing something like this with scepticism makes them a state actor. I think there have been too many incidents of companies crying wolf for people to think otherwise. This is a forum for discussion and to accuse people with alternative views of being state actors probably just adds fuel to the fire.
But all of these comments are fundamentally not helpful either. They all basically boil down to calling FireEye unreliable, which is fine if you actually back it up with discussion. But that's not what they are doing. They just assert that FireEye can't be believed without any reasoning or evidence.
I think one reason is that easily-breached enterprises have used such language in many forms over the years to try to excuse themselves from being weak on security. So when one credibly gets hacked by an actual state actor, the words conjure up the false claims.
I'm not tied in any way to a nation state hacking group, and through my albeit limited experience in cybersecurity it's clear to me that most attacks attributed to nation state actors could probably have been done by private ventures.

And there is, of course, very strong incentive to make such claims.

I'd imagine my experience isn't unique, and that many people came to the same conclusion.

I'd say that your conclusion isn't warranted.

There have been comments stating with high detail why exactly it's probably not a nation state actor, but ultimately it's a case of the burden of proof being on the party that makes the claim, and generally those parties just can't substantiate it.

Fire sale on Fire Eye.
Why build hacking tools when you can steal them?

Or at least get an idea of what tools your target company was red teamed with.

Why spy on your own citizens when that makes them blackmail-able by foreign nation states?

Seriously, the quickest, cheapest, easiest way to spy on someone (edit= everyone) in the US (or any 5 eyes) is through our own "security" agencies, but I'm going to go with stupidity rather than malice on the NSA's part.

> Seriously, the quickest, cheapest, easiest way to spy on someone in the US (or any 5 eyes) is through our own "security" agencies, but I'm going to go with stupidity rather than malice on the NSA's part.

No. The quickest and easiest way is probably to send them a phishing message, the next easiest is probably figuring some of their password recovery answers using dossiers compiled by data brokers, maybe after that it's tapping into their phone line using SS7. Probably the hardest way is to first hack a security agency, which I'd imagine have some of the better intrusion detection out there.

Intercepting an sms message for 2FA is also easy nowadays via sim cloning.
Had a customer with an ex who did this.

Not fun.

You can get a database of everyone's metadata communications by sending them a phishing message? Certainly, I don't keep even all my information on my computer, or even a single phone, and I think phishing _everyone_ is harder than you're making out. On the other hand it's all sitting right there at the NSA et al. Your other attacks are similarly focused on individuals, although the credit and health agencies are prime surfaces for data mining, you're not going to get the metadata/connectivity needed.

I'm interested to know what you're proposing, but I suspect you simply misunderstood what I meant, and perhaps what your (and everyone else's) file at the TLAs looks like. It's a mighty plump target, and not comparably secure.

>>> Why spy on your own citizens when that makes them blackmail-able by foreign nation states?

>>> Seriously, the quickest, cheapest, easiest way to spy on someone in the US (or any 5 eyes) is through our own "security" agencies

> You can get a database of everyone's metadata communications by sending them a phishing message? Certainly, I don't keep even all my information on my computer, or even a single phone, and I think phishing _everyone_ is harder than you're making out.

You're moving the goalposts: before your ninja edit, you were only talking about the easiest way to spy on someone, not everyone.

If you phish someone, you can get the content. Why settle for just metadata? And what good is metadata for your blackmail use-case? The difference between metadata and content is the difference between knowing you communicate with your coworker and knowing you're cheating on your wife with her. Only one of those things is useful to a blackmailer.

Also, what exactly is a foreign power's use case for targeting everyone in the US, or being really interested mainly in metadata, when their goals mean they're mainly really interested in specific people and organizations and the content or systems they have access to?

Phishing provides a great avenue for escalation type attacks (both lateral and vertical). Might not give you what you’re looking for right then but it gives you a foot in the door.
The cheapest, easiest way to spy on everyone is through always-on, always sensing, always transmitting devices they'll crawl over their own grandmothers to own, social networking services self-supporting via $bilion$ in advertising, and a payments system with item-level detail captured to the penny dating back decades.
Does a story like this negativity impact FireEye's security credibility?
Probably. But it depends greatly on what happened and how they handle it.
I've been out of the security game for years now, but I would say no. A security company is still a company. And companies are vulnerable to security threats from nation states.

It probably depends whether (and how) they confirm it was a nation state, though.

How they handle it will impact their credibility more than anything. Honestly a company that gets popped and responds with urgency, gravity, transparency and integrity might even come out ahead.
It depends on how it happened, too. If it was a nation state deal and no more details come forth, I vote no. If this is a finphisher type hack and they get humiliated and db/source dumped, then yes.
Not necessarily. Realistically, you can't stop a nation state attack if they want to get in. If it turns out that the breach was caused by default credentials being used on a public server, then it's a different story.
FireEye worked for Equifax before Equifax was breached. I'm not sure their reputation can be harmed much when they are still here after that shitshow.
If FireEye, ostensibly full of competent people, can be hacked, what hope does the government have for protecting access to legally mandated backdoors in encryption? The silver lining of these events is it shows how ridiculous mandating backdoors would be. It’s begging other nations to attack us.
>...what hope does the government have for protecting access to legally mandated backdoors in encryption?

None. Both the CIA and NSA have been hacked too. The only entity that should hold private keys should be the person or organization using those keys.

I genuinely hope your point is not lost on the decision makers. The steady push towards the 'ease' of accessing w/e you want as long as it is by 'good guys' ignores this argument and quickly pivots to cp, aml, and terrorism ( basically whatever currently works ). It is genuinely maddening.