Thoughts on the FireEye Hack

By Thomas Whang | December 11, 2020 (updated December 13, 2020) | News, Thoughts
light in mammoth cave

There is a full-court press underway — a Google search for “fireeye hacked” already returns 5,000,000 results — to understand the implications of the announcement published on Tuesday by Kevin Mandia, CEO of FireEye, acknowledging the company was the victim of a breach.

State-Sponsored Attack

Details of the breach were not disclosed in the announcement. However, The Washington Post has reported that it believes the perpetrators were hackers from Russia's SVR intelligence service, a group known as APT29 or Cozy Bear, which notably hacked the State Department and the White House during the Obama administration.

It’s not unusual for cybersecurity companies to be attacked. What is unusual about this instance is the level of sophistication. Knowing FireEye, it maintains a very high level of security in its environment. For data to have been exfiltrated, the attack must have been highly targeted and very elaborate.

“This attack is different from the tens of thousands of incidents we have responded to throughout the years,” wrote Mandia in his post. “The attackers tailored their world-class capabilities specifically to target and attack FireEye. They are highly trained in operational security and executed with discipline and focus. They operated clandestinely, using methods that counter security tools and forensic examination. They used a novel combination of techniques not witnessed by us or our partners in the past.”

How: Advanced Techniques

As a state-sponsored threat actor group, Cozy Bear has all the skills and resources to pull off a breach like the one at FireEye. That raises the question: how is this possible? Let’s evaluate a couple of their advanced techniques …

PolyglotDuke Malware

The first example is its PolyglotDuke malware, appropriately named by ESET because it can decode command-and-control server domains encoded in Japanese katakana, Cherokee, and Chinese Kangxi radicals.

Instead of these domains being posted on a website, as is normally the case, PolyglotDuke fetches this information from social media sites like Twitter, Reddit, and Imgur, just to name a few. Take a look at the tweet below: the command-and-control server domains are encoded in Cherokee script!

photo tweet with cherokee script

Digital Steganography

Another advanced technique used by these threat actors is steganography — a word of Greek origin meaning “covered writing.” Digital steganography takes photo files like JPGs and makes tiny changes to the color values of the pixels to encode a secret message, without visibly changing the color of the pixels. So an unassuming photo of fireworks can contain a malicious script, hiding in plain sight.

The threat actors will post these image files on Dropbox and use them to control the malware. Would you be able to tell that the images below contain encoded messages that could be a Windows executable file, a Windows DLL, or a PowerShell script?

photo images with digital steganography
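One defender-side check for the kind of pixel-value steganography described above, added here as an example that is not part of the original post: the Westfeld-Pfitzmann chi-square test, which flags an image whose pixel-value pairs (2i, 2i+1) have been flattened by embedded random-looking data such as an encrypted payload. Both the cover image and the simulated embedding are constructed inside the script (no image library needed), so the numbers illustrate the test rather than any real sample.

```python
import math
import random

WIDTH, HEIGHT = 64, 64

def constructed_cover():
    """Constructed 8-bit grayscale cover image (stand-in for a real photo).
    Untouched images split each value pair (2i, 2i+1) unevenly, so that bias
    is built in on purpose: roughly three pixels in ten get an odd value."""
    pixels = []
    for y in range(HEIGHT):
        for x in range(WIDTH):
            base = int(60 + 50 * math.sin(x / 9) * math.cos(y / 11))
            pixels.append(2 * base + (1 if (x * y) % 7 == 0 else 0))
    return pixels

def simulate_lsb_embedding(pixels, seed=1):
    """Model LSB embedding of an encrypted or compressed payload: every
    pixel's lowest bit becomes a coin flip, flattening each value pair."""
    rng = random.Random(seed)
    return [(p & 0xFE) | rng.getrandbits(1) for p in pixels]

def chi_square_lsb(pixels):
    """Westfeld-Pfitzmann chi-square test on value pairs (2i, 2i+1).
    Returns (statistic, dof, p): p near 1.0 means the pairs are as flat as
    LSB embedding leaves them, p near 0.0 means an untouched cover."""
    hist = [0] * 256
    for p in pixels:
        hist[p] += 1
    stat, pairs = 0.0, 0
    for i in range(128):
        expected = (hist[2 * i] + hist[2 * i + 1]) / 2
        if expected > 0:
            stat += (hist[2 * i] - expected) ** 2 / expected
            pairs += 1
    dof = pairs - 1
    if dof < 1:
        return stat, dof, float("nan")
    # Wilson-Hilferty normal approximation of the chi-square(dof) CDF
    mean, sd = 1 - 2 / (9 * dof), math.sqrt(2 / (9 * dof))
    z = ((stat / dof) ** (1 / 3) - mean) / sd
    return stat, dof, 1 - 0.5 * (1 + math.erf(z / math.sqrt(2)))

if __name__ == "__main__":
    cover = constructed_cover()
    for name, img in (("cover", cover), ("stego", simulate_lsb_embedding(cover))):
        print(name, "p(embedded)=%.4f" % chi_square_lsb(img)[2])
```

On a real file, feed the decoded 8-bit pixel values of one channel to `chi_square_lsb`; a p close to 1.0 across the image is the signal worth a closer look.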

Although we don’t know if these were some of the techniques that were used to exfiltrate the data from FireEye, this does give insight into the capabilities of Cozy Bear and other state-sponsored groups like it.

What You Can Do

So, can we protect against these advanced threats?

Although nothing can be completely secure, there are actions every organization can take to minimize exposure and reduce risk. It all starts with the concept of defense in depth. There is no silver bullet that will solve all these cybersecurity problems. You must take a multilayered approach.

Defense in Depth

First, make sure your organization is getting the foundational things done, namely IT hygiene: enabling MFA, deploying patches, and vulnerability management, to name a few. This fundamental strategy will greatly reduce your initial risk.

Then, you overlay solutions to help mitigate areas that are regularly targeted by threat actors:

  • Protect endpoints with a cloud-based platform featuring next-gen AV, threat intelligence, threat hunting, and EDR
  • Elevate identity and access management with PAM
  • Evolve data security from device-centric to data-centric with DASB (Data Access Security Broker) for Zero Trust data security

When done properly, your company’s risk will be dramatically reduced, and the impact of a breach can be greatly minimized.

Stay safe and healthy, physically and digitally.

Featured photo credit: Don Sniegowski via Flickr


Author Thomas Whang

CTO at Impelix
