Cybersecurity firm FireEye has been hacked by a state-sponsored APT Group

December 11, 2020

FireEye, one of the leading cybersecurity companies, has released a statement that it was hacked by a government-backed threat actor.

According to the published statement, the attackers were able to get their hands on the Red Team assessment tools that FireEye uses to assess and test its clients' security systems. These tools were designed to mimic the tooling that several threat actors use to discover open vulnerabilities and penetrate their targets' defenses.

FireEye is not the only security firm to have had its data compromised by an information-stealing attack: Trend Micro announced a breach in May 2019, Avast and Symantec were breached in 2019, Kaspersky back in 2015 and RSA Security as far back as 2011. Google has also been breached by an APT group linked to the Chinese government.

According to security researchers, the APT hacking group behind the attack is the Russian state-backed group APT29, also known as Cozy Bear.

The group is linked to cyber-attacks on government and commercial organizations in South Korea, Uzbekistan, Germany and USA, including the attack on The Pentagon, Democratic National Committee and the White House back in 2014.

CEO and Board Director Kevin Mandia stated in a filing with the Securities and Exchange Commission:



The joint investigation into the breach by the cybersecurity firm, the Federal Bureau of Investigation and other security partners such as Microsoft is still ongoing, but they have already concluded that FireEye was the victim of highly sophisticated state-sponsored attackers.


The government-backed APT group stole FireEye's Red Team tools

FireEye stated that the stolen Red Team tools range from basic scripts used to automate reconnaissance to entire frameworks that are similar to publicly available software such as Metasploit and Cobalt Strike.

Many of the tools were already publicly available and had been distributed to the security community as part of the CommandoVM open-source virtual machine.

Based on the data collected since the incident, the stolen Red Team tools have not been used in any attacks, and FireEye has taken measures to defend against possible attacks that might use them. These countermeasures include detections that identify or block the use of the stolen tools, as well as security updates. The countermeasures have also been shared with the cybersecurity community and are publicly available on GitHub.


FireEye was founded in 2004 and is headquartered in Milpitas, California. It currently serves more than 8,500 customers in 103 countries and has more than 3,200 employees.
