2020-12-09

When US authorities or companies fall victim to a cyber attack, they often turn to the US security company FireEye. The US foreign intelligence service, the CIA, is involved. Now FireEye itself has been attacked.

FireEye chief Kevin Mandia wrote in a blog post on Tuesday (local time) that the identity of the attackers had not yet been established, but that their approach pointed to a state-organized attack. The hackers were after information about government customers and the company's diagnostic applications. According to the company, its "Red Team" tools were stolen: the tools the company itself uses to mimic the behavior of attackers in order to find vulnerabilities in customers' systems.

In the past, FireEye has uncovered a number of North Korean hacker attacks on banks and exposed targeted disinformation campaigns from Russia and Iran. The company's shares fell significantly after the report. Johannes Krupp of the CISPA Helmholtz Center for Information Security explains how the attack should be classified.

Mr. Krupp, does anything suggest a state actor in this attack? And if so, which ones?

It can be safely assumed that an IT security company such as FireEye protects its own systems particularly well, and that the attack was only possible in a targeted manner and with great effort. FireEye itself suspects a "state actor with first-class offensive abilities." Without further information, everything beyond that remains mere conjecture.

What options do the captured tools offer?

During the attack, so-called red team tools were stolen. These are primarily tools that can detect and exploit known vulnerabilities. Such tools are used, for example, to simulate a cyber attack on a company as part of a security assessment and then to fix the vulnerabilities found. However, according to FireEye, the tools can only exploit known vulnerabilities for which the manufacturers already provide security patches.

How does a company like FireEye even come by such offensive tools?

On the one hand, there are a large number of freely available open source tools, such as the well-known Metasploit, which can be extended and adapted as needed. On the other hand, the "countermeasures" published by FireEye suggest that many tools were also developed in-house, for example to simulate the behavior of observed malware.

What do companies need to consider now?

Companies should primarily install all available security patches and keep their systems up to date. For example, a list published by FireEye shows that the captured tools mainly target Microsoft Active Directory and Exchange, as well as some VPN solutions. However, it must also be said that the threat situation has not changed as a result of the attack: all relevant security patches have been available for a long time and could have been installed. One thing, though: the tools to exploit these gaps can now also be found in other hands.

What are the dangers for private users, such as protecting their Amazon or GMX accounts?

The captured tools do not pose a threat to private users. However, the same applies in the private sphere: install security updates immediately and use a separate password for each service, or better still, a password manager. No state actor is needed if you secure your Amazon account with nothing more than your last name and year of birth.