Has Cozy Bear been at it again?
“Recently, we were attacked by a highly sophisticated threat actor, one whose discipline, operational security, and techniques lead us to believe it was a state-sponsored attack,” Kevin Mandia, FireEye’s CEO, wrote in a press release. “They used a novel combination of techniques not witnessed by us or our partners in the past.”
FireEye said that the hackers primarily sought information related to certain government customers, though it’s unclear how successful they were. There is no evidence that the attackers stole customer information from the company’s incident response or consulting businesses or any data from its threat intelligence systems.
The attackers did, however, access Red Team assessment tools used to test customers’ network defenses. While FireEye says none of the tools contain zero-day exploits, it’s concerning to know that an already skilled group of hackers now has access to these stolen Red Team tools.
“We are not sure if the attacker intends to use our Red Team tools or to publicly disclose them. Nevertheless, out of an abundance of caution, we have developed more than 300 countermeasures for our customers, and the community at large, to use in order to minimize the potential impact of the theft of these tools,” added Mandia.
FireEye limits its description of the attackers to being sponsored by a nation-state, but the New York Times writes that the FBI has handed the investigation over to its Russian specialists, while the Washington Post said the incident was the work of the Russian SVR intelligence service. That would make the hackers part of the same Cozy Bear group that infiltrated the Democratic National Committee in 2016 and has been trying to steal coronavirus vaccine research from the US and UK.
Main image credit: Michael Vi