By Bhabesh Raj Rai, Associate Security Analytics Engineer

On Tuesday, December 8, FireEye disclosed that they were compromised by a highly sophisticated nation-state group, most likely Russian, that used novel techniques to exfiltrate their red team tools. The FireEye hack is now considered the biggest known theft of cybersecurity tools since the NSA was hacked by ShadowBrokers.

The FBI confirmed that the intrusion was the work of a nation-state but declined to comment further. FireEye has not disclosed the extent of the intrusion, so for now experts can only speculate about the damage. Many people in the infosec community have stated their opinions on the hack and floated various theories, such as that the hackers did not steal red team tools or customer data but rather confidential intelligence data on high-profile threat groups.

Offensive cyber tools in the hands of threat groups have serious implications. The use of stolen offensive cyber tools disrupts the attribution game and enables nation-state sponsored groups to cover their origins.

However, FireEye clarified that the stolen red team tools did not contain zero-day exploits and only contained well-known and documented methods used by red teams all around the globe. Even though FireEye said they do not believe the theft will greatly advance the attacker’s overall offensive capabilities, they have worked to build countermeasures to protect their customers and the broader infosec community. To empower organizations to detect the use of the stolen tools, FireEye has published countermeasures consisting of hundreds of signatures for readily available technologies like OpenIOC, YARA, Snort, and ClamAV.

LogPoint customers can use the released Snort rules to detect if the offensive tools are used against them.

(norm_id=Snort OR norm_id=SuricataIDS) message IN FEYE_RED_TOOLS_SIGS

Security researcher Florian Roth has released the list of samples matching FireEye’s YARA rules. LogPoint customers can use their hashes as IoCs and look them up in Sysmon’s process creation events.

norm_id=WindowsSysmon label="Process" label=Create hash IN FEYE_RED_TOOLS_HASHES

Apart from endpoints, LogPoint can correlate the IoC hashes with other sources, including firewalls and antivirus.

If Sysmon is not deployed in the environment, customers can use the process names instead, but this yields many false positives and is not recommended.

norm_id=WinServer label="Process" label=Create "process" IN FEYE_RED_TOOLS_NAMES

In effect, customers can use three lists: FEYE_RED_TOOLS_SIGS, which contains the names of the Snort rules; FEYE_RED_TOOLS_HASHES, which contains the file hashes; and FEYE_RED_TOOLS_NAMES, which contains the process names.
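The following script is an added illustration, not part of LogPoint's post or product, of what the hash and process-name lookups above do when run over Sysmon process creation events. It parses Sysmon's Hashes field, checks the SHA256 against a hash list and the image name against a name list, and separates high-confidence hash hits from name-only hits. The hashes, process names and events are constructed sample data (the real lists come from FireEye's and Florian Roth's releases), and the example shows why name matching is the weaker signal: a renamed binary still matches by hash but not by name, while an unrelated file with a matching name produces a false positive.

```python
"""Match Sysmon process-creation events against IoC lists, mirroring the
FEYE_RED_TOOLS_HASHES and FEYE_RED_TOOLS_NAMES lookups described in the text.
All hashes, names and events below are constructed sample data."""
from dataclasses import dataclass

# Constructed placeholder SHA256 values standing in for the published IoC hashes.
FEYE_RED_TOOLS_HASHES = {
    "aa" * 32,  # constructed: stands in for red team tool A
    "bb" * 32,  # constructed: stands in for red team tool B
}

# Constructed process names; kept lower-case because Windows paths are case-insensitive.
FEYE_RED_TOOLS_NAMES = {"tool-a.exe", "tool-b.exe"}


@dataclass
class Match:
    event: dict
    by_hash: bool
    by_name: bool


def parse_hashes(field: str) -> dict:
    """Parse Sysmon's Hashes field ('SHA256=...,MD5=...') into {ALGO: lowercase hex}."""
    parsed = {}
    for part in field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            parsed[algo.strip().upper()] = value.strip().lower()
    return parsed


def process_name(image: str) -> str:
    """Reduce a full Image path to its lower-cased file name."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(event: dict) -> Match:
    """Evaluate one Sysmon Event ID 1 record against both IoC lists."""
    hashes = parse_hashes(event.get("Hashes", ""))
    by_hash = hashes.get("SHA256") in FEYE_RED_TOOLS_HASHES
    by_name = process_name(event.get("Image", "")) in FEYE_RED_TOOLS_NAMES
    return Match(event, by_hash, by_name)


def triage(events):
    """Split events into high-confidence (hash) hits and name-only hits.

    Name-only hits are the false-positive-prone set the text warns about: a
    benign file can share a name with a tool, and a renamed tool evades name
    matching while still matching by hash."""
    high_confidence, name_only = [], []
    for event in events:
        match = check_event(event)
        if match.by_hash:
            high_confidence.append(match)
        elif match.by_name:
            name_only.append(match)
    return high_confidence, name_only


# Constructed Sysmon Event ID 1 records.
SAMPLE_EVENTS = [
    # Tool A under its original name: matches by hash (and by name).
    {"EventID": 1, "Image": r"C:\Users\alice\Downloads\tool-a.exe",
     "Hashes": "SHA256=" + "aa" * 32 + ",MD5=" + "cc" * 16},
    # Tool B renamed: still matches by hash, name matching would miss it.
    {"EventID": 1, "Image": r"C:\Temp\renamed.exe",
     "Hashes": "SHA256=" + "bb" * 32},
    # Unrelated vendor binary that happens to share a name: name-only false positive.
    {"EventID": 1, "Image": r"C:\Program Files\Vendor\tool-b.exe",
     "Hashes": "SHA256=" + "dd" * 32},
    # Ordinary benign process: no match.
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "Hashes": "SHA256=" + "ee" * 32},
]

if __name__ == "__main__":
    high, weak = triage(SAMPLE_EVENTS)
    for m in high:
        print("HASH HIT  ", m.event["Image"])
    for m in weak:
        print("NAME ONLY ", m.event["Image"], "(review: likely false positive)")
```

Two of the four constructed events are hash hits, including the renamed binary, and one is a name-only hit that the hash list does not corroborate; that is the case the text recommends against relying on.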

A high-profile hack on a cybersecurity company has further solidified the notion that no company is safe from nation-state threat actors and that it is only a question of when a company is compromised. The unlimited resources and time available to nation-state groups can thwart the defenses of even well-defended enterprises.

The infosec community is now awaiting a detailed writeup on the incident, and once it is released, enterprise defenders must be ready to add detections for any new TTPs used by the nation-state group.