Cozy Bear threat actors suspected in ‘top-tier offensive’

Russian hacking group APT29 is rumored to be behind a nation-state hack on threat detection firm FireEye

Russian cybercrime group APT29 is rumored to be behind a “nation-state” hack on threat detection firm FireEye that resulted in the theft of red team tools.

FireEye, based in California, US, said it fell victim to foreign government-backed hackers with “top-tier capabilities” who infiltrated networks and stole detection and prevention tools.

So far, no group has claimed responsibility for the cyber-attack, though reports have pointed to Russian intelligence.

The Washington Post reported that APT29 – AKA Russian hacking group Cozy Bear – is the main suspect behind the incident, though this has not yet been validated by FireEye.

FireEye has not confirmed when the hack took place but said it has reset user passwords in the past fortnight.

The firm has also yet to confirm how the attackers gained access, though FireEye bosses noted it was via a “novel combination of techniques” that the company had not witnessed previously.

FireEye chief executive Kevin Mandia said in a statement: “I’ve concluded we are witnessing an attack by a nation with top-tier offensive capabilities.

“This attack is different from the tens of thousands of incidents we have responded to throughout the years.”

Mandia did note that the perpetrators “primarily sought information related to certain government customers”. FireEye’s client base includes US federal government agencies, alongside a number of high-profile businesses and organizations.

Nation-state threats

Cybersecurity researcher Martijn Grooten wrote on Twitter that it was “quite rare” for security companies to explicitly attribute an attack to state-sponsored adversaries.

He commented: “It’s quite rare for security companies to attribute threats to nation states (FireEye is a known exception), even rarer to make it the main takeaway of an analysis.”

Researcher Sean Wright wrote: “‘No one is going to hack us’ or ‘no one can hack us’, the FireEye incident is a real world example of how this is not true. And not a dig at them, it simply shows ANYONE can have this happen to them.”

Incident response

The stolen tools include publicly available programs as well as custom red teaming tools that were built in-house.

They range from “simple scripts used for automating reconnaissance to entire frameworks that are similar to publicly available technologies such as CobaltStrike and Metasploit”, FireEye wrote in a second blog post.

None of the tools contained zero-day exploits, FireEye said.

Countermeasures for the stolen programs can be found on GitHub.

FireEye is also working in conjunction with the FBI and other “key partners”, including Microsoft, to investigate the incident.

The Daily Swig has reached out to FireEye for further clarification on the incident and will update this article accordingly.
