As a red teamer I want to clear up why we build "hacking tools" and why FireEye did nothing wrong here.
For example, take the tool mimikatz [1], which is publicly available and well known. It can dump stored passwords out of Windows memory. But if you download mimikatz and try to run it, every single antivirus/endpoint protection solution will light up like a Christmas tree. However, the underlying technique isn't being blocked - just the specific implementation. This is why we build our own tools: to demonstrate to defenders that while they are blocking a specific implementation, they have not addressed the underlying vulnerability.
I do want to call out FireEye for doing an amazing job recovering from this situation. They did the responsible thing and released fingerprints [2] that could be used to detect every single one of their tools. They effectively burned their entire catalog and put them into the class of "public" tools that are easily identified. I've browsed over the list of signatures and didn't see anything that popped out as giving a malicious attacker any advantage other than saving them the work of building it themselves (of course I don't have access to look at the actual tools, so YMMV).
Also, everyone gets hacked. No matter how good you are or how many cyber security engineers you have on staff... there is still Matthew in accounting that will open that invoice attachment so he can pay it.
We (as in the IT Sec industry including me) prefer to blame Matthew. Or my 80 year old mother for not installing the latest Adobe patches in real time.
With 30 years of daily experience in this field, I am ashamed about how we fail Matthew & my mother in the sense that they can still not just enjoy the internet and open random emails without one of us blaming them for how stupid they are.
That analogy doesn't work in my opinion, because to even be allowed to drive, an extensive amount of training is required.
I think we need to start very early. There should be more mandatory computer science and information security classes at schools, because we are all confronted with these topics every day.
Most people can work systems such as washing machines, vacuum cleaners and so on; the problems arise when the internet (or other forms of connectivity) comes into the picture. But the reality is that most such systems will probably soon be connected in some way, so the challenge grows.
So I think it is very important that we push for more information/education instead of going into the direction of more locked down, closed off and proprietary systems because these can easily "not respect" the end user.
I blame the way we design our computer systems. For some reason, every program a user runs on a desktop computer has full access to every file saved by every other program. And full network access, and a slew of other permissions. In seconds a single malicious program can make a right mess of things, or exfiltrate sensitive data. A ransomware attack hit a large aged care provider in Australia recently and encrypted the files listing which medication to administer. How? I’d guess that every program on every computer in their network has full write access to their network shares. We made these attacks easy to pull off with our insecure by default designs.
It’s like we’ve given every Tom, Dick and Harry an F1 supercar and then we blame them when they crash the thing. The mistake is ours for not making better security models. Desktop apps should be sandboxed by default, and isolated like we isolate phone apps. For all the justifiable fear people have about Apple’s control over what software can run on their machines, I think the app sandboxing and signing security model they’re working towards is the right one for 95% of computer users.
I'm sad to agree. Having watched my own family, and my older parents, it would absolutely be better for them if everything worked that way.
They don't understand the concept of files as separate from applications. They just don't. They understand the concept of sharing -- that seems to be intuitive enough -- but not of files as objects in themselves.
A system which works this way would, of course, be completely rage-inducing to myself.
I disagree. Anyone with minor observation can get behind a wheel and drive. Will they do it well? No (same with a computer). Is it legal? No, but that's because we all decided that as a group. The danger is different, but I think it's still an interesting analogy.
I think we need to all realize that most people aren't cut out for computer science, per se, but most people are cut out to learn to responsibly use a computer.
Well, put it this way. Let's say that most people are cut out to learn to responsibly use a computer; I don't disagree with this fact.
As a matter of fact though, the same people do _not_ use computers responsibly. What do you do, then? Metaphorically jail them?
There are lots of areas where as humans, it's easy to reach a "sufficient" level, _and_ the dangers of an insufficiency are well known. Punishments or strict measures just don't work.
Everybody knows that they can be sufficiently fit with little effort, and especially that insufficient fitness leads to sickness and earlier death. In this sense, which punishment can be worse? Yet this doesn't work.
You can't compare this. There are far fewer bad actors in road traffic that constantly try to steal your keys, try to suck gas from your gas tank, hide in your trunk or trick you into insurance fraud...
The invoice shouldn’t have to be a PDF and shouldn’t have to be sent via e-mail. Sadly those are still the best tools we have.
It would be really cool to have an invoice format that contains payment and tax information in a machine readable way and a way to send that information around with a verifiable channel.
pdf.js lacks capabilities to extract the XML or verify signatures, so the usual way will be to use Acrobat Reader or the usual bunch of "industry-standard" invoice-processing crap that now suddenly has to deal with malicious input.
The idea to do it differently might be nice in theory, but is lacking a smooth way to change over from the old paper-invoice ways. PDF will be the thing for some decades and we will have to deal with it.
Having implemented rudimentary ZUGFeRD support at $dayjob a few years ago (our main product is sending, receiving and validating invoices for energy companies in Germany), I don't see ZUGFeRD becoming relevant anytime soon. At least for b2b invoices, nothing has changed since the release of ZUGFeRD. They prefer sticking to EDI formats (many with some custom edge cases for their SAP monstrosities, e.g. putting the `-` sign for negative numbers _after_ the number like `10-` for `-10`...)
Quite possible, yes. But the alternatives to ZUGFeRD look quite similar, due to requirements from the relevant laws:
https://de.wikipedia.org/wiki/Elektronische_Rechnung
translated excerpt:
an electronic invoice must be [...]
3. human readable
4. origin of the invoice must be guaranteed (digital signature or internal controls)
5. integrity of the invoice must be guaranteed
[...]
This means that while you might be able to use something other than PDF for the human-readable part, I don't think anything other than PDF will be used. All the other stuff (XML with embedded SVG or PNG, Word, plaintext) will have acceptance problems in one form or the other.
EDI is big business to big business, as evidenced by you mentioning SAP. There, you may be completely right, I don't know.
That totally makes sense. It also suggests that it could kickstart someone's effort to make their own tools which avoid the signature detector which is sad.
A technique we used at Blekko (and hopefully you guys do as well) was logging/tracing statistical traffic flows for normal cluster operations such that we could alert on atypical traffic (which in our case meant something was likely kinda broken but limping along and needed to be fixed/replaced). We also didn't have to deal with APTs before we were acquired, so the stakes were way lower.
Agreed that getting hacked is inevitable if the prize is worth it, always interested in adding new ways to instrument the world to detect sniffing or attacks.
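The baseline-and-alert approach the comment above describes, as an added example (not code from the original thread or from Blekko): learn what "normal" volume looks like for each (src, dst, dport) tuple from historical flow records, then flag a new interval that deviates from that baseline, and flag any tuple that has never been seen before, since on a cluster with a fixed topology a brand-new peer is itself suspicious. All addresses, ports and byte counts below are constructed for illustration; the thresholds are assumptions.

```python
"""Statistical baseline of per-flow traffic volume with z-score alerting.

Added example: all flow records are constructed, not real telemetry.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed history: (src, dst, dport, bytes) per 5-minute interval.
HISTORY = [
    ("10.0.1.10", "10.0.2.20", 5432, b)
    for b in (12_000, 13_500, 11_800, 12_900, 13_100, 12_400)  # app -> database
] + [
    ("10.0.1.10", "10.0.3.30", 443, b)
    for b in (800, 950, 700, 1_100, 900, 850)                  # app -> internal API
]

# Constructed "current interval": one normal flow, one volume spike on a
# known tuple (exfiltration-shaped), one never-before-seen destination.
NEW_FLOWS = [
    ("10.0.1.10", "10.0.2.20", 5432, 13_000),
    ("10.0.1.10", "10.0.3.30", 443, 60_000),
    ("10.0.1.10", "203.0.113.7", 443, 5_000),
]


def build_baseline(records, min_samples=5):
    """Return {(src, dst, dport): (mean, stdev)} for tuples with enough history."""
    samples = defaultdict(list)
    for src, dst, dport, nbytes in records:
        samples[(src, dst, dport)].append(nbytes)
    return {k: (mean(v), pstdev(v)) for k, v in samples.items() if len(v) >= min_samples}


def score_flows(baseline, flows, z_threshold=4.0, rel_floor=0.05):
    """Label each flow 'normal', 'anomalous' (|z| above threshold) or 'unknown'.

    rel_floor stops a tuple whose history is almost constant (tiny stdev) from
    paging on noise: the stdev used is never below rel_floor * mean.
    """
    results = []
    for src, dst, dport, nbytes in flows:
        key = (src, dst, dport)
        if key not in baseline:
            results.append((key, nbytes, "unknown"))
            continue
        mu, sigma = baseline[key]
        sigma = max(sigma, mu * rel_floor)
        z = (nbytes - mu) / sigma
        results.append((key, nbytes, "anomalous" if abs(z) > z_threshold else "normal"))
    return results


def demo():
    """Score the constructed interval against the constructed history."""
    return score_flows(build_baseline(HISTORY), NEW_FLOWS)


if __name__ == "__main__":
    for key, nbytes, verdict in demo():
        print(f"{verdict:9s} {key[0]} -> {key[1]}:{key[2]} {nbytes} bytes")
```

In production the baseline would be keyed by time of day as well, since batch jobs make "normal" a function of the hour, and the unknown-tuple alert is only useful once the inventory of expected peers is complete; until then it is the noisiest signal of the three.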
If I understand your comment correctly - even though the fingerprints are published, the attacker can still reverse eng the implementation from the tools and bypass antivirus systems at least in the near future?
Also fingerprints will only stop the lowest level of attackers. You can easily change binaries in a way the fingerprint is changed but the functionality remains the same. Reorder functions, add some garbage data, etc.
The biggest advantage is that it would allow orgs to audit all applications that have been fingerprinted within their org and see if they might have been attacked as well.
Some of the fingerprints are easily gotten around by fudging the binaries a bit. Others, like snort rules, look at things like network traffic that might not always be so easily disguised.
A nation-state actor likely already knows most of (if not all) the techniques being used by FireEye. If they were really a nation-state actor then they were likely after the insight into sensitive networks rather than the tools imo.
- The CFO doesn't understand why we need separate server infrastructure (and the associated licensing and maintenance costs) for accounting and engineering.
- Software vendors can't answer the most basic questions about how their software communicates to allow network ops to build reasonable access control lists for network segmentation.
- The network gear doesn't have sufficient horsepower to do wire-speed stateful packet filtering because, apparently, that's still an exciting new idea in 2020, and we can't slow everybody's access down.
- Individual departments have end-run IT by using "cloud" offerings that effectively bridge different segments of the network together at layer 7.
- Everybody has to be able to open their email and click random links on any PC.
> The network gear doesn't have sufficient horsepower to do wire-speed stateful packet filtering because, apparently, that's still an exciting new idea in 2020, and we can't slow everybody's access down.
The problem with any defence based on filtering is that first you have to decide what to filter. In an enterprise-scale network, this is not an easy problem, despite the number of shiny and expensive tools available that are selling the hope that it is.
> Individual departments have end-run IT by using "cloud" offerings that effectively bridge different segments of the network together at layer 7.
This might be the most challenging problem for modern IT security, perhaps along with BYOD. The software and equipment accessible by staff might no longer be fully controlled by the organisation. That changes the emphasis for IT security from "just" securing your own software and systems to also somehow securing your data against unauthorised transfer to other systems. And this is a hugely complicated problem with (at least) technical, legal and management dimensions.
Airgaps are certainly intended to protect against hackers of every skill level. The ideal strategy is the multi-layered, Swiss cheese approach. A slice for RBAC (LDAP, AD, MFA, etc.); a slice for email phishing filters and user awareness training; another for network segmentation and isolation (firewalls, proxies); another for network filters (ping DDoS attacks, etc.); and on and on. The APT attack strategy uses every tool in the arsenal and hunts for a path through the cheese layers, hopefully never finding one to the real prize behind.
But only because someone plugged a USB drive into the centrifuge computers.
If the networks were air gapped, it wouldn't be Matthew's fault. Someone who had access to the engineering network would need to screw up. Which is of course perfectly possible—engineers make mistakes too. (Furthermore, if they were hacked by a nation state... for all we know it really could have been done without any user action at all.)
Email seems simple to you, but in fact it's an incredibly complicated protocol, so software treating it is likely to have many (exploitable) bugs. Also, there are attachments. Those are the classical way to hack many places.
Even if you got all of the issues caused by e-mails figured out, somehow you have to transfer them from one network to another. You'll either have to poke holes into your firewall or use USB sticks.
My point is: even in airgapped networks you usually want to exchange some data. The moment you want to exchange data, you have a path where a virus can be smuggled in.
I mean email is a vector too. And remember that 0 day no touch iOS exploit that was discovered by project zero? Surely that could have been vector too. After that use a compromised iOS device to do something similar by exploiting some bluetooth vulnerability.
I'd argue that many/most instances of the "dropped USB stick in parking lot" infiltration technique are also failings of airgapping as a total security measure.
What's your opinion of open source tools and distributions of them (like Kali) in this space, and the tradeoff between open sourcing your red team tools vs reimplementing tools that are already out there?
A vulnerability that is secret is the biggest threat to security. Publishing tools makes them public knowledge that can be defended against.
If you are doing penetration testing and basic security work, there is no value in having private tools. It becomes important in red team work because you are trying to emulate a real attacker that has access to non-public tools.
The point in them re-implementing some of the public tools is so that sites like VirusTotal or a hash-based antivirus do not pick up on what the program is.
If they didn’t have a binary that looked reasonably different to those that already exist, then it would instantly get triggered. It is worth noting that there are tools to obfuscate sourcecode/bins.
> How did the author figure out where in memory the prints are?
Microsoft provided him a nifty protocol for that.
> Mimikatz first became a key hacker asset thanks to its ability to exploit an obscure Windows function called WDigest. That feature is designed to make it more convenient for corporate and government Windows users to prove their identity to different applications on their network or on the web; it holds their authentication credentials in memory and automatically reuses them, so they only have to enter their username and password once. While Windows keeps that copy of the user's password encrypted, it also keeps a copy of the secret key to decrypt it handy in memory, too. "It’s like storing a password-protected secret in an email with the password in the same email," Delpy says.
The Matthew in accounting is why you have to fill out expense reports. Accounting used to not require them until they started getting fake invoices in the mail. This attack predates the internet.
...and a binary should not be downloadable from the internet at all, or pass through an email server. Additionally, the only binary files running on any system should be known binaries. Least-privilege systems with tight change control don’t get hacked.
Senior leadership would take an incredibly dim view when this inevitably shuts down accounting and purchasing after they can't use their PDFs and other executable-code documents anymore.
and that untrusted source could look a lot like his superior's email (boss@c0mpany.com vs boss@company.com)
And depending on the resources of the hacker, the email could be stylised just for him, talking about something important (perhaps something bad) that's happening now, and the notBoss is telling him to check this month's info, and kindly providing him with a PDF that Matthew hastily opens with his latest version of Adobe Acrobat with a zero-day vulnerability that hasn't been discovered yet.
Yeah agreed, combining social engineering with technical exploits and you can get really good results. I almost fell into one trap myself one day: Basically I was having an argument with a service provider, and somehow I received an email talking about the same type of issue (just high level, without the minute details) with a link attached. I had to check it many times to make sure that it was a fraud email...
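The `boss@c0mpany.com` vs `boss@company.com` trick from the comment above, turned into a mail-gateway check, as an added example (not code from the thread): fold a sender domain to a "skeleton" that collapses look-alike characters (`0`/`o`, `1`/`l`, `rn`/`m`, accented and Cyrillic letters), then compare it with the organisation's trusted domains both for equality and for an edit distance of one. The trusted-domain list and the confusable table are assumptions for illustration.

```python
"""Flag sender domains that are visually close to a trusted domain.

Added example; TRUSTED_DOMAINS and CONFUSABLES are illustrative choices.
"""
import unicodedata

TRUSTED_DOMAINS = {"company.com", "company-finance.com"}

# Single-character look-alikes an attacker relies on when registering a domain.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "|": "l"})


def skeleton(domain):
    """Collapse a domain so visually similar spellings compare equal:
    decode punycode, NFKD-normalise, drop accents, fold ASCII look-alikes,
    then the two-character pairs 'rn' -> 'm' and 'vv' -> 'w'."""
    domain = domain.lower()
    if "xn--" in domain:                      # IDN label as it appears on the wire
        domain = domain.encode("ascii").decode("idna")
    d = unicodedata.normalize("NFKD", domain)
    d = "".join(ch for ch in d if not unicodedata.combining(ch))
    d = d.translate(CONFUSABLES)
    return d.replace("rn", "m").replace("vv", "w")


def edit_distance(a, b):
    """Levenshtein distance, enough to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address, trusted=TRUSTED_DOMAINS, max_distance=1):
    """Return 'trusted', 'lookalike' or 'external' for an e-mail address."""
    domain = address.rsplit("@", 1)[-1].lower()
    if domain in trusted:
        return "trusted"
    sk = skeleton(domain)
    for t in trusted:
        tk = skeleton(t)
        if sk == tk or edit_distance(sk, tk) <= max_distance:
            return "lookalike"
    return "external"


if __name__ == "__main__":
    for addr in ("boss@company.com", "boss@c0mpany.com", "boss@cornpany.com",
                 "boss@comp\u0430ny.com", "alice@example.org"):
        print(f"{addr:25s} {classify_sender(addr)}")
```

This only catches domains that resemble yours; a sender that is genuinely `boss@company.com` because the boss's mailbox was compromised, or a spoofed `From:` on an unauthenticated message, is the job of SPF/DKIM/DMARC enforcement, and a `company.com.evil.net` subdomain trick needs a separate suffix check.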
Presumably he opened an Office document containing macros. Macros are able to execute system commands and load malicious PowerShell code.
Executable files are blocked by pretty much all corporate e-mail systems. Zero-days for PDF viewers are rare. After all, most hacking attacks are things like ransomware campaigns, where everyone is a potential victim and phishing mails are sprayed all over the internet. A zero-day would be burnt pretty quickly.
However, many users legitimately need office macros and also need to open office documents to collaborate with contractors or customers. Many times, the phishing mail comes from a legitimate address because the other company has been compromised already.
The solution would be to only allow signed macros, but depending on the size of the organization, that can be costly.
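A gateway-side check for the attachment vector the comment above describes, as an added example (not code from the thread): an Office Open XML document is a zip package, and a document that carries macros has a `vbaProject.bin` part and a matching content-type entry whatever its extension says, so a `.docm` renamed to `.docx` is still caught. The package built below is a constructed minimal skeleton, not a real document; the quarantine policy is an assumption.

```python
"""Detect embedded VBA projects in Office Open XML attachments.

Added example. build_docx() constructs a minimal package for the demo; real
documents carry many more parts but the macro indicators are the same.
"""
import io
import zipfile

MACRO_CONTENT_TYPE = b"application/vnd.ms-office.vbaProject"
MACRO_FREE_EXTENSIONS = {"docx", "xlsx", "pptx"}  # formats that must not carry VBA


def build_docx(with_macro):
    """Construct a minimal OOXML package in memory (constructed test input)."""
    buf = io.BytesIO()
    types = [b'<?xml version="1.0"?>'
             b'<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
             b'<Default Extension="xml" ContentType="application/xml"/>']
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # OLE2 magic followed by padding stands in for the VBA storage.
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 64)
            types.append(b'<Override PartName="/word/vbaProject.bin" '
                         b'ContentType="application/vnd.ms-office.vbaProject"/>')
        types.append(b"</Types>")
        z.writestr("[Content_Types].xml", b"".join(types))
    return buf.getvalue()


def inspect_attachment(filename, data):
    """Describe an attachment: is it OOXML, does it carry VBA, does the
    extension claim to be a macro-free format while it does."""
    report = {"filename": filename, "is_ooxml": False, "has_vba": False, "extension_lies": False}
    if not data.startswith(b"PK"):
        return report
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = set(z.namelist())
            if "[Content_Types].xml" not in names:
                return report
            report["is_ooxml"] = True
            has_vba = (any(n.endswith("vbaProject.bin") for n in names)
                       or MACRO_CONTENT_TYPE in z.read("[Content_Types].xml"))
    except zipfile.BadZipFile:
        return report
    report["has_vba"] = has_vba
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    report["extension_lies"] = has_vba and ext in MACRO_FREE_EXTENSIONS
    return report


def policy(report):
    """Illustrative decision: any VBA is quarantined for review."""
    return "quarantine" if report["has_vba"] else "deliver"


if __name__ == "__main__":
    for name, blob in (("invoice.docx", build_docx(True)), ("invoice.docx", build_docx(False))):
        r = inspect_attachment(name, blob)
        print(name, r, policy(r))
```

Allowing only signed macros, as the comment suggests, means going one step further: open the `vbaProject.bin` OLE2 storage, locate its digital-signature stream and verify the signer against the organisation's trusted certificates, which this example deliberately leaves out.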
Matthew in accounting should be given an iPad Pro instead of a laptop or PC, with a glued-in Lightning cable that can only do power.
^ This is the solution I have been mulling if and when I am responsible for an org where security is kinda important. Sure, iOS is still hackable, but hopefully we put more hindrance steps between the attacker and the org, and move the exposure more to the cloud services (like box). Curious if this is feasible.
Why is that a mark of a shit company exactly? Because we should continue allowing a threat model that continues to plague essential services like hospitals with "ransomware", the fact that such a threat is allowed to continue suggests we need to take a hard look at how much we should take highly customisable computers for granted in work situations.
A magnetic Lightning connector glued in should do fine[0], but if your threat model really takes into account checkm8, you could also just buy the newest iPad which will have a patched SecureROM.
This demonstrates two major points that many people not familiar with security may not understand:
The first is that anyone -- really, anyone -- can get hacked. I often joke with our CIO that security would be a lot easier if he just powered down our production infrastructure. Security is a game played in layers (often called "defense in depth"), but at the end of the day, it's almost impossible to prevent a breach with any high degree of certainty.
The second is that bad actors (of wildly varying skill) are very active on the Internet. The threat of hackers used to be curious teenagers trying to learn more about computer systems; it didn't take long for that to devolve into criminal activity and "hacktivism." Now, the intelligence services of major nations regularly attack public and private organizations across the Internet.
It's the job of contemporary security teams to defend against any and all threats -- but many (if not all) private organizations are ill equipped to defend against a well-organized intelligence agency in an attack such as this.
I didn't see anything about what the attack vector used against FireEye might have been, but those same attackers are now very well "armed" with FireEye's red team arsenal. It's going to be an interesting future for security teams as we learn what and whom these adversaries will attack next.
You missed the third major point that most people do not know, which is that these attacks are not just possible, they are easy. Every single one of these articles always mentions "nation-state actors" to imply that only a nation-state with billions of dollars and thousands of people can pull off such a "sophisticated" "novel" attack. That is unequivocal garbage. I have never had a CISO (or any other high-level security executive) of a multi-billion dollar company ever answer the question "How much would it cost to critically compromise your systems and do an unrecoverable amount of damage?" with a number higher than $1,000,000. $1,000,000 is a rounding error to these companies. $1,000,000 is a rounding error in a rounding error to a sizable nation-state. These systems are not just insecure against nation-state attackers, they are insecure against organizations with the staggering weight of 3-10 people. Or, to quote the recent Project Zero blog post on the iOS exploit: "one person, working alone in their bedroom, was able to build a capability which would allow them to seriously compromise iPhone users they'd come into close contact with." That is a far cry from being secure against credible threats to a multi-billion dollar business by any stretch of the imagination.
Are systems more secure now than they were in the past? Maybe. A targeted attack against an arbitrary target would generally take tens to hundreds of thousands of dollars. This is probably orders of magnitude more than the past of teenagers hacking for giggles. But there are like 6-8 orders of magnitude between teenagers hacking for giggles and a "nation-state actor", and about 3 orders of magnitude between a random company/organization and a nation-state. The best deployed systems are about as close to adequate as a house is to a skyscraper.
>Every single one of these articles always mentions "nation-state actors" to imply that only a nation-state with billions of dollars and thousands of people can pull off such a "sophisticated" "novel" attack.
First, FireEye was one of the companies who worked to secure Equifax prior to the breach as mentioned by the CSO of Equifax on page 4 of this FireEye white paper from 2012 [1] that FireEye has since retracted [2][3].
Second, that is kind of a non-sequitur. I did not say that a nation-state did not pull off the attack, my gripe is that they are implying, like every other company that gets breached, that only a nation-state has the resources to pull off such an attack with their wording. These attacks are extremely cheap and easy, that is why we see governments running literally hundreds to thousands of such attacks/programs in parallel as evidenced by the CIA Vault 7 leaks. A single branch of the US government was literally developing hundreds of independent tools/programs that could successfully compromise anything they cared to target.
Third, define "easy". I define easy as ~$1,000,000-$10,000,000 since almost any moderately-sized corporation, of which there are millions, could fund such an operation. To put it in perspective, $10,000,000 is only ~1% of FireEye's revenue. I define "only a nation-state" at 1,000x more at ~$1,000,000,000-~$10,000,000,000 since although it is still technically doable for a large multinational or organized crime, it is unlikely to be profitable outside of theoretical large-scale extortion attacks.
Do you think a penetration test of 3 engineers working fulltime for a year would fail to materially breach FireEye's corporate systems? Almost every penetration test by a competent company takes a fraction of that effort even against well-funded security teams. And 3 engineers for one year is only 3 engineer-years which at $300k/engineer-year is ~$1,000,000, the bottom end of "easy" and 1,000x less than "only nation-states can pull it off". If engineer-years is too abstract, the Google ProjectZero case I mentioned earlier was a zero-click iOS RCE from zero starting understanding in 0.5 engineer-years. So, doing some sloppy extrapolation, is it easier to find 6 zero-click iOS RCEs or breach FireEye's corporate systems?
Let's say we moved up an order of magnitude to 1% of FireEye's revenue at $10,000,000 which is the high end of "easy" and is 2 orders of magnitude less than the bottom end of "only nation-states can pull it off". That would be enough to fund 30 engineers working fulltime for a year or 10 engineers working fulltime for 3 years. Do you think FireEye could prevent a material breach? I have literally never heard of a single person in enterprise security who has ever dared to make such a remark on the record that was not instantly taken down for a fraction of that. I know of no competent engineers in that space who would support making such a statement to anybody who could and would test it. Just think if FireEye announced a $10,000,000 prize at DefCon to breach their systems by the end of the year, do you think they would even last the month?
>my gripe is that they are implying, like every other company that gets breached, that only a nation-state has the resources to pull off such an attack with their wording.
I feel that with respect to FireEye, it isn't just an implication; more that they would claim this with strong evidence. They are about attribution.
I think this argument is making a false equivalence. Every other company that was breached (e.g. Equifax) claiming "Wow State Actor Sophisticate Beyond Anything Before Seen By Man" for something as simple as a failure to update your software that leaves a yawning hole has tarnished the dialog for those who know what they are doing.
While CSO at Relativity, and now for my clients, I strongly suggest that you don't use the phrase "Security is Very Important to us" since that is the first thing out of the mouth of companies who didn't until they got hacked.
>Do you think a penetration test of 3 engineers working fulltime for a year would fail to materially breach FireEye's corporate systems?
Bluntly, yes. I expect that their defenses are much better than most companies, including security companies.
>I have literally never heard of a single person in enterprise security who has ever dared to make such a remark on the record
Enterprise security is in a different category altogether. Few non-security enterprises will withstand much of an attack. FireEye is in a different category altogether.
FireEye literally did the incident response for the Equifax hack, so I do not see how you can claim: "FireEye does accurate and honest attribution." but then also claim "Equifax likely made stuff up." unless you are claiming that FireEye was involved in incident response, but was somehow not involved in attribution, or that they made a true discovery-able report, but knowingly lied.
It is hardly a false equivalence. If everybody constantly fails with little to no evidence of any success by anyone ever despite continuous assurances of success by everyone, there is exactly zero evidence that a layperson should trust any statement on that topic without good, solid, objective evidence to the contrary. Given the track record in the industry, there is no reason to give the benefit of the doubt to any company. The burden of proof is on them to demonstrate their claims in a relatively objective, quantitative manner. If they have no means of proving a quantitative claim in a relatively objective manner, there is no reason to believe their claims given their track record. To provide an analogy, if somebody you trust to not be malicious asks you to follow them, but they can not justify why, then the smart thing to do is judge them based on their track record as that provides some part of an objective statistical basis for evaluating their prevailing success rate.
If you really must have evidence of a trend of insecurity amongst security companies, then we can look no further than McAfee, Symantec, and Trend Micro all being breached between 2017-2019, attributed to "fxmsp" [1][2], a private Russian hacking group that was selling the contents of the breaches for a few $100k, which demonstrates how easy it must have been for it to be profitable at that price point (to be fair they could sell it multiple times, but I doubt they sold it hundreds of times). So, what justification do you have for why FireEye's security should be any different than other companies or even other security companies?
Also, you only provided an answer to the low end of "easy" rather than the high end at 30 engineers for a year or 10 engineers for 3 years which would be needed to pull them out of the "easy" category by my standards. If you do claim they can survive that, can you provide either some reasonably quantitative evidence or public statements to that effect or the same for literally any other company in the world you think can do so as I have not once ever heard of a single company ever justifying such a claim in any verifiable manner. Thank you.
One of the big questions I'd have is exactly how these tools were leaked. Red team tools are by nature more exposed since they're using them with their clients, presumably on a large scale, and I would hope that there's a very large difference in the number of people who have access to those tools and the number of people who have access to their production infrastructure, code-signing, or software update mechanism.
1M is a rounding error to almost any nation state regardless of size that would want to hack into systems. The internet has democratized everything, even hacking and disinformation. For a couple hundred million, an industrious nation state can sow discord in its largest and most powerful competitors while at the same time stealing all their IP. It's the Innovators Dilemma at the nation state level.
Will there be any public proof or evidence this is a state actor? The blog post has no details and the overuse of adjectives to describe the attacker as extremely competent sounds more like an excuse for their own weaknesses.
I mean, FireEye has a pretty good reputation for attribution and investigation of nation state intrusions. This doesn't seem like the type of thing they would just make up. Not saying we should take them 100% at their word, but investigating intrusions is their entire reason for existence.
They have a reputation for making up salacious stories based on totally inconclusive, inadequate "evidence". No wonder they turned it up to 11 when it was themselves getting breached.
Documentation verifiably obtained from the attacker about the intent to attack, the methods used, the results and the people involved. Preferably with means to tie everything to a plausible timeline.
Attribution is hard to impossible. What passes for attribution these days is laughable.
Would you require this level of certainty when prosecuting crimes domestically? Why or why not?
Short of a full written confession, is there any way whatsoever to gain an understanding of who perpetrated an attack? Or are you saying it’s impossible to even begin to build evidence?
That is pretty much the level of certainty required for prosecuting crimes domestically, yes, or very close to it. Time-frame, proof of intent, and motive.
There is of course a way of doing so, as long as the attacker made a mistake. If they didn't, then it very well might be completely impossible to know who did it, and that's just how it is.
Timeframe, proof of intent, and motive are not what the commenter I replied to said, and they most certainly have those three pieces of information when attribution takes place generally speaking.
That's how I understood their comment, and in general, no, concordance of time frame and proof of intent are not proven. I think you underestimate the "proof" part of proof of intent. You not only have to prove conclusively that they did it, but back it up by proving that they intended to do so.
That's not a bar that's reached in the vast majority of criminal cases tried in the United States, or anywhere else for that matter, so it seems odd (approaching disingenuous) to try and establish that level of certainty here.
If the American justice system doesn't attempt to prove that the person actually conclusively committed the crime and has mens rea as well as a motive and a congruent time-frame to commit it, then something is terribly wrong.
> The blog post has no details and the overuse of adjectives to describe the attacker as extremely competent sounds more like an excuse for their own weaknesses
This was precisely my read of it as well. Exaggerated usage of superlatives coupled with no actual explanation suggests trumping up an adversary's capabilities to excuse one's own security lapses. Like claiming a highly sophisticated burglar broke into your home, while neglecting to mention you left a window open.
Well they could pretty easily demonstrate that only a state actor could pull off an attack like this in an objective manner. If it takes state-level resources to breach their systems, then they can just announce and put out an open prize for anybody who can breach their systems that pays out less than state-level resources. If it actually takes state-level resources to breach their systems, but pays out less than that, then it would be unprofitable for people to claim their prize and provide pretty good evidence for their security. However, if somebody does claim the prize, then we can reasonably assume that their security level is less than the prize as it is profitable for somebody to claim the prize despite the unknown level of risk involved in a blind uncontracted penetration test.
So, what do we all think would be a level of resources that only a state could support? I think we can just start somewhere pretty low like $1,000,000,000. Fortune 500 companies and many criminal organizations could reasonably afford that, but the total number of organizations is still pretty limited, so it is probably a good lower bound. I do not think we can go much lower because if we drop down to $100,000,000 then even FireEye, which is not a Fortune 500 company, could theoretically fund such a venture with its revenue of $890,000,000.
Okay, so starting with "only a state" resource level of $1,000,000,000, we should probably divide it by 10 to make it highly unlikely people will do it just to prove they can even if it is unprofitable to get the prize. That leaves us with a simple open prize of $100,000,000 for the first person to demonstrate that they can breach their systems. If nobody claims the prize, then it is highly likely that this attack would take a state-level actor. If somebody does claim the prize, then it is probably doable by somebody who is not a state-level actor. This would provide an unbiased answer about the truth of their implications. If they think such a prize is too high, then they can just set it to a lower X that will give us an unbiased answer to the question: "Does it take more than X resources to breach their systems?"
Indeed. It would, however, provide very strong evidence for most such claims. The primary problem with actually implementing it in general is the risk of getting unlucky if you have a very large payout. Say you claim $100,000,000,000. Even if it is an accurate assessment, somebody could randomly luck into a vulnerability that would normally actually take $100,000,000,000 to find and suddenly you are dead since it is highly unlikely you are one of the few companies that can actually survive such a payout. You could alleviate that to some degree with insurance in the middle range, but it is highly unlikely that would work at the very high payouts. Luckily, in this case, a payout of $100,000,000 is actually within FireEye's reach given their revenue and market cap. In fact, they lost more in market cap on this breach news than such a payout. So, if their claims are actually true, this is an entirely feasible and useful demonstration to run.
Personally, I think if they actually announced a $100,000,000 prize they would be breached within a week on the outside. At $100,000,000 people can burn dozens to hundreds of zero-days to be the first to get the payout and still come out ahead. Even at $10,000,000 I doubt they would last more than 1 month. At $10,000,000 the prize would be the most attractive bounty in the entire industry by a factor of 3-10x and people could still burn some zero-days and still come out ahead.
Because you can use statistics to analyze random events. A claim that your system requires resources on the order of $100,000,000 to breach can be converted, assuming a rate of $300,000/engineer-year, to a statement like: "Your system will require on average 300 engineer-years to breach." If the first person who tries is able to breach your system after 1 engineer-year that is an indication that maybe your calculations are incorrect. If it happens again after 1 engineer-year then you have almost absolutely incorrectly determined your true failure rate. If it repeatedly happens over and over again then you are wrong and, conveniently, you will promptly go out of business as people arbitrage your lies. If, however, your analysis is correct, then the probability of getting unlucky multiple times relative to your true failure rate is highly unlikely and the outcomes will stabilize in the long run. Assuming you did not set the payout so high as to be instant death, which I did suggest in FireEye's case as FireEye can, in fact, support a $100,000,000 payout, it provides a relatively sound, objective, statistical basis for inferring the actual cost.
Ah. The premise of "let people hack you, and pay out a bounty, not just once but dozens of times so you get decent statistics" was not explicit in your proposal, but definitely makes it even less attractive.
I believe not a single cyber offensive op performed by a nation state had a budget of $1B. I'd say $1M is an upper bound here. Cyber warfare is used because it's cheap.
My comment is not arguing whether a state actor breached FireEye, but whether only a state actor could breach FireEye as they are implying as nobody else could fund or develop such a "sophisticated" or "advanced" attack. If it is at most $1M as you say, then you are actually agreeing with me as that would hardly constitute something that only a "state actor" could do given that literally any mid-sized business, of which there are millions, could support such an expense. To actually demonstrate that it is so difficult to develop that "only a state actor" has the resources to develop/deploy such an attack should require demonstrating that it is out of reach for all but a state actor for which a $1B budget is likely a good bottom-end as only a very small number of non-state entities can actually support such an effort. I hope that clarifies my point.
Licensing costs for law enforcement "remote access tools" (state trojans) can be millions (distributed among dozens of uses, but IMHO easy to see spending as much on a high-value single use).
From the wiki article about the iPhone-encryption debate: "On April 7, 2016, FBI Director James Comey said that the tool used can only unlock an iPhone 5C like that used by the San Bernardino shooter, as well as older iPhone models lacking the Touch ID sensor. Comey also confirmed that the tool was purchased from a third party but would not reveal the source,[59] later indicating the tool cost more than $1.3 million and that they did not purchase the rights to technical details about how the tool functions"
Yes, Stuxnet probably cost more. But Stuxnet was a higher level op, the target was also a nation state.
In this case they went after the tools to avoid detection and/or attribution in future ops. They could instead contract a company like their victim to develop such tools from scratch for about $10M.
Also, we're talking about nation states other than US.
It reads like a brochure written by a marketing department, "top-tier offensive capabilities... world-class... operated clandestinely... They used a novel combination of techniques not witnessed by us or our partners in the past... nation-state cyber-espionage".
Of course it was written by a marketing department. They're a $3B public company with 3,400 employees. And you're proposing they faked a security breach and lied to the FBI so they could get media attention? Please be joking.
> Consistent with a nation-state cyber-espionage effort, the attacker primarily sought information related to certain government customers.
If this was the primary objective of the attackers, why is it buried in the seventh paragraph of FireEye's blog post, after a lengthy discussion of the attackers targeting -- though apparently not primarily targeting -- FireEye's internal tooling?
Because the tooling getting out impacts everyone and thus warrants a public post. Some government information being stolen only impacts those customers and only warrants notifying those customers.
Which would be the responsibility of the government customer to disclose to those impacted. FireEye is likely under many contracts that prohibit it from giving out any details on what client data was stolen. Without those details the information is essentially worthless to the public. Who knows if they got the PIN number to the VA men's bathroom or all your social security records.
I found an XSS on FireEye's website when I was a pentester. Good times. It took all night, too. Was worried it'd be the first gig I wasn't able to get a medium severity on.
I'm not sure anything can protect against a targeted attack from a nation-state. It's tempting to think that you can. But the warfare is asymmetric; they have all the time in the world to become certain that they can breach your outer defenses. One slip-up, one old server version, is all it takes. I've seen it.
In this case, it's a security company, so I'm sure the irony seems a bit thick. But it's helpful to recall that security companies are companies. And no one is immune to security threats.
Honestly, system user education/awareness goes even further. Iran's nuclear facilities used an airgap but it was social engineering that was the weakest attack vector for Stuxnet to exploit. Same with the South Korean Winter Olympics; a phishing email with a macro-embedded Word doc got them in there.
A great book on a Russian, state-backed hacking group was by a senior Wired writer, Andy Greenberg, called "Sandworm" [0].
Airgaps are certainly intended to protect against hackers of every skill level. The ideal strategy is the multi-layered, Swiss cheese approach. A slice for RBAC (LDAP, AD, MFA, etc.); a slice for email phishing filters and user awareness training; another for network segmentation and isolation (firewalls, proxies); another for network filters (ping DDoS attacks, etc.); and on and on. The APT attack strategy uses every tool in the arsenal and hunts for a path through the cheese layers, hopefully never finding one to the real prize behind.
If FireEye, ostensibly full of competent people, can be hacked, what hope does the government have for protecting access to legally mandated backdoors in encryption? The silver lining of these events is it shows how ridiculous mandating backdoors would be. It’s begging other nations to attack us.
I genuinely hope your point is not lost on the decision makers. The steady push towards the 'ease' of accessing w/e you want as long as it is by 'good guys' ignores this argument and quickly pivots to cp, aml, and terrorism ( basically whatever currently works ). It is genuinely maddening.
Is anyone getting the sense that there are a lot of weird comments in this thread? Why are there so many comments doubting the idea that FireEye could have been hacked by a nation state actor? It's just really weird that so many people are saying similar things without directly contributing. Not to be paranoid, but it's the type of behaviour I would expect from a nation state trying to place doubt in the narrative that they were hacking commercial companies...
Most of the comments seem to be doubting that the attack was as advanced as FireEye claim. I.e. not that they got hacked, but rather that it wouldn't necessarily have taken a nation-state to do it. And therefore that just about any nation-state who did want to could have.
Not sure if you work in the security industry or not, but oftentimes people that work in the industry learn to understand it's just not that hard to pop a majority of enterprise systems. Not sure if this is due to knowing where all the bodies are buried or what.
It does seem paranoid to think that someone viewing something like this with scepticism makes them a state actor. I think there have been too many incidents of companies crying wolf for people to think otherwise. This is a forum for discussion and to accuse people with alternative views of being state actors probably just adds fuel to the fire.
But all of these comments are fundamentally not helpful either. They all basically boil down to calling FireEye unreliable, which is fine if you actually back it up with discussion. But that's not what they are doing. They just assert that FireEye can't be believed without any reasoning or evidence.
I think one reason is that easily-breached enterprises have used such language in many forms over the years to try to excuse themselves from being weak on security. So when one credibly gets hacked by an actual state actor, the words conjure up the false claims.
I'm not tied in any way to a nation state hacking group, and through my albeit limited experience in cybersecurity it's clear to me that most attacks attributed to nation state actors could probably have been done by private ventures.
And there is, of course, very strong incentive to make such claims.
I'd imagine my experience isn't unique, and that many people came to the same conclusion.
I'd say that your conclusion isn't warranted.
There have been comments stating with high detail why exactly it's probably not a nation state actor, but ultimately it's a case of the burden of proof being on the party that makes the claim, and generally those parties just can't substantiate it.
Huge target on their back no matter what. Like those movies where the tough guy is tested when he gets to prison.
This is where it does not pay to be a public company. If they weren't a public company they wouldn't have to disclose this or acknowledge it and there most likely would not be a credibility-damaging story which is easy to find. Sure the story could have gotten out but it would not be easily findable and would not be broadcast widely. An event like this makes major papers and nightly news.
Read that again. There is nothing that says you need to air your dirty laundry. That's not a business or legal principle (other than whatever the public company requirements might be, and I am not even 100% certain this was needed but I don't know).
Also, as others have pointed out, indicating that it was a state-sponsored actor is, to me (for lack of an elegant way to put it), 'chicken shit'. Why say that? Why not just say you were attacked and are going to try and determine why and make any changes. All it does is sound like an excuse, and further to say 'well others are not attacked like this and we can protect against them fine' doesn't fly.
> Why say that? Why not just say you were attacked and going to try and determine why and make any changes
Because they would be out of business tomorrow if they say they think it was a 13 year old from Ohio just fooling around on a Sunday.
This is FireEye marketing itself for the F500 by selling fear of an invisible adversary with unlimited resources that already delivers innovative black hat capabilities.
> if they say they think it was a 13 year old from Ohio
How could you read my comment and think that is what I thought they should say?? I said not to say anything. And why use hyperbole, i.e. 'they would be out of business tomorrow'?
And no, it's not marketing any more than if a karate expert airs that he was beaten up in an alley and then says 'but the person was 9 feet tall, that's why!'. (But sure, to your point, if they said 'by a 13 year old' that would not be better, but once again I didn't say that.)
But your one-liner leaves that much range open for interpretation, and if a company is not this specific, journalists are going to speculate, because even the FBI has had 13 year olds harvesting chaos in their ecosystem.
"They used a novel combination of techniques not witnessed by us or our partners in the past."
This is the scary part. FireEye and the others have been studying and watching APTXX nation-state teams for many years. They should have some idea by now. It is entirely possible that a new team is out there.
> FireEye CEO Mandia wrote that none of the red team tools exploited so-called “zero-day vulnerabilities,” meaning the relevant flaws should already be public.
Seems like a massive amount of energy to devote to stealing tools that, by and large, probably have public equivalents sitting around on GitHub.
That's interesting. My first thought was that the attacker wanted access to internal red team tools under the assumption that resulting indicators would be ignored by the blue team, making attacks against their customers less likely to be detected. Wanting to harm FireEye directly is certainly a simpler explanation.
Yeah, no. People say this every time an attack is attributed to a state-level adversary, and while attribution is imperfect, it's not based on the idea that you have to be GRU to write an exploit. There's much more that goes into it; attribution specialists collect and catalog indicators of compromise, like the C&C servers and protocols people are using, many of which are not widely known.
But nothing is known, we have to believe a company trying to master a PR shitshow right now, saying that the attackers were extremely sophisticated. Maybe it was, maybe they are "inflating" the sophistication of the attack to avoid looking bad.
Besides that, I care little about "attribution specialists" and what they say (sorry if anybody is in the audience :p). Evidence can be faked, it's all bits and bytes in the end (and some server locations, usually rented boxes) and things have been misattributed constantly in the past and will be in the future. I think the most you can infer is the general sophistication of the attackers and their resources, but that doesn't require an "attribution specialist". Attributing it to some specific nation state is guesswork at best based on mistakes they made in their camouflage (if those mistakes aren't a deliberate or accidental red herring; e.g. [1]). And such "It was China/Russia/North Korea/underpants gnomes" claims are made by people claiming to be "attribution specialists" all the time. It's extremely rare that there is compelling evidence supporting such attributions.
So if FireEye provided evidence or at least a reasonably detailed post mortem backing their claim of a sophisticated attack, then I'd probably believe them on that. If they made claims about a particular nation state (and so far they did not, as far as I can tell) then I would find that a dubious claim to make.
The FBI has confirmed the state-level adversary thing in a release today. There is no love lost between the outgoing administration and FireEye.
You're probably never going to get evidence that will satisfy a message board.
The Wikileaks post you cited repeats the fallacy I mentioned earlier --- the idea that analysts are simply attributing exploit code. I think if you stop and think about it, you can probably rattle off a number of things besides exploits that a single attacker group will share in common across its attacks.
To fake the evidence we're discussing, you have to know what it looks like. A bored teenager doesn't.
I think it's unlikely that you can derive the entire practice of attribution axiomatically from your own intuitions about how attacks work, unless you've had some real exposure to IR and forensics as a practitioner.
No, I am not saying a bored teenager can create evidence like that, but the sophisticated nation states surely can, and probably some other larger orgs, too.
Code can be faked, metadata can be faked, MO can be imitated, and so on. And the nation states at the very least - and their contractors and (former) employees in the areas of concern - will know what it has to look like. Motive isn't always clear, and quite often there are multiple parties with motives.
>unless you've had some real exposure to IR and forensics as a practitioner.
I'll bite on your argumentum ad verecundiam... who says I didn't? ;)
But I agree, we'll likely never see evidence or a post mortem, and are expected to believe what FireEye and/or the FBI tells us.
I haven't yet, because all I have to go by is claims by FireEye and the FBI. I already said why I take what FireEye says with a grain of salt, and frankly, I also take what the FBI says with more than a grain of salt. The FBI is inherently political, and even when they are not, they are known to make up stuff when it suits them (e.g. "parallel construction").
That may be a rather untrusting/paranoid mindset that I employ, but it worked for me so far.
Asking sincerely: is there some particular reason it should matter to the rest of us whether your perspective on attack attribution has "worked for you so far"? What would the consequences to you have been had your intuition not "worked"?
Replying sincerely: It matters the same way as your own opinion matters to the rest of us.
And consequences? In this case, probably none. We're here for news and entertainment, and reasoning about topics such as this one is enjoyable to me. But lively discussions and their takeaways can inform future arguments and decisions.
But in more general terms, I am a member of the electorate in my country, and misattributions and/or bad or even fake evidence quite often have direct influence on policy. E.g. I was quite happy that I, along with a majority of my fellow citizens, did not believe the "conclusive" "evidence" of WMDs in Iraq the US had put forth, and stayed out of that war.
I salivate at the potential of seeing the industry turned on its head and these tools being leaked. I know there are great firms out there, but a lot are snake oil nonsense.
Why spy on your own citizens when that makes them blackmail-able by foreign nation states?
Seriously, the quickest, cheapest, easiest way to spy on someone (edit= everyone) in the US (or any 5 eyes) is through our own "security" agencies, but I'm going to go with stupidity rather than malice on the NSA's part.
> Seriously, the quickest, cheapest, easiest way to spy on someone in the US (or any 5 eyes) is through our own "security" agencies, but I'm going to go with stupidity rather than malice on the NSA's part.
No. The quickest and easiest way is probably to send them a phishing message, the next easiest is probably figuring some of their password recovery answers using dossiers compiled by data brokers, maybe after that it's tapping into their phone line using SS7. Probably the hardest way is to first hack a security agency, which I'd imagine have some of the better intrusion detection out there.
You can get a database of everyone's metadata communications by sending them a phishing message? Certainly, I don't keep even all my information on my computer, or even a single phone, and I think phishing _everyone_ is harder than you're making out. On the other hand it's all sitting right there at the NSA et al. Your other attacks are similarly focused on individuals, although the credit and health agencies are prime surfaces for data mining, you're not going to get the metadata/connectivity needed.
I'm interested to know what you're proposing, but I suspect you simply misunderstood what I meant, and perhaps what your (and everyone else's) file at the TLAs looks like. It's a mighty plump target, and not comparably secure.
>>> Why spy on your own citizens when that makes them blackmail-able by foreign nation states?
>>> Seriously, the quickest, cheapest, easiest way to spy on someone in the US (or any 5 eyes) is through our own "security" agencies
> You can get a database of everyone's metadata communications by sending them a phishing message? Certainly, I don't keep even all my information on my computer, or even a single phone, and I think phishing _everyone_ is harder than you're making out.
You're moving the goalposts: before your ninja edit, you were only talking about the easiest way to spy on someone, not everyone.
If you phish someone, you can get the content. Why settle for just metadata? And what good is metadata for your blackmail use-case? The difference between metadata and content is the difference between knowing you communicate with your coworker and knowing you're cheating on your wife with her. Only one of those things is useful to a blackmailer.
Also, what exactly is a foreign power's use case for targeting everyone in the US, or being really interested mainly in metadata, when their goals mean they're mainly really interested in specific people and organizations and the content or systems they have access to?
As if ninjas wore neon... phishing and attacking a national database of compromises aren't opposite or even orthogonal; they're a component. Not realizing that is scary.
Phishing provides a great avenue for escalation type attacks (both lateral and vertical). Might not give you what you’re looking for right then but it gives you a foot in the door.
The cheapest, easiest way to spy on everyone is through always-on, always sensing, always transmitting devices they'll crawl over their own grandmothers to own, social networking services self-supporting via $billion$ in advertising, and a payments system with item-level detail captured to the penny dating back decades.
> During our investigation to date, we have found that the attacker targeted and accessed
did their best to bury the lede. they say they were targeted multiple times, but don't say they were breached until the fourth paragraph, something like 40% of the way through - even then the admission is intentionally mentioned vice announced. i understand FireEye is a security company, but pussyfooting is pussyfooting and weasel words are weasel words.
idk, politics is part of the game at the highest level. maybe i'm not destined for the c-suite.
Everyone knows they are being targeted. They would have no reason to even put a press release together if they weren't breached. The first three paragraphs are basically "we are under attack" then "it's an advanced attack" then "we're investigating the attack." No one implies how successful the attack was until the first sentence. This doesn't seem like they are minimizing or attempting to cover up the damage.
As someone who has done some work in the PR sector, it was established that it's crucial to ensure the correct narrative is delivered.
There can be times when the "factually accurate" narrative conflicts with the correct one, there's a reason why most corporations have dedicated resources for engaging with the public.
What one normally considers to be "weasel words" are often carefully chosen to polish the truth while alleviating harm to key stakeholders.
The problem with these articles is the cloak and dagger nature of these stories and the lack of healthy skepticism.
While not necessarily the case here, every big tech company puts blame on an APT aka a nation state actor.
In fact, the very same FireEye attributed the Sony Pictures hack to North Korea on extremely flimsy grounds. By those same measures one could have implicated East Palo Alto High School.
You never regain your credibility for attribution and provenance once you have committed such a public blunder.
Maybe you should try to gain a basic understanding of what you're talking about before posting this /pol/ conspiracy theory stuff?
There exists very little doubt that NK was behind the Sony hack, there's even a federal indictment.
>It is the same as Crowdstrike going back on their wild claims while their CEO testified under oath.
This is a complete fabrication by you, utterly unsupported by the link you shared which only contains meaningless bickering regarding forensic traces of data exfiltration.
Here is the congressional sworn testimony of Shawn Henry, the CEO of Crowdstrike, specifically saying that there is no concrete evidence of Russian hacking of the DNC.
You can peruse the whole pdf or jump straight to the money quote on page 32.
As for the federal indictment on North Korea, that means nothing on the merits or dubiousness of the North Koreans hacking Sony. In fact, there was a smoking gun to a disgruntled ex-employee. On a side note, Sony and Sony entities were publicly hacked over 18 times prior to this as "revenge" for the PS lawsuit against the hacker who exposed encryption keys of the PlayStation.
>Here is the congressional sworn testimony of Shawn Henry, the CEO of Crowdstrike, specifically saying that there is no concrete evidence of Russian hacking of the DNC.
It feels like you're being deliberately dishonest. Your "money quote" is about whether there was concrete evidence of the hackers exfiltrating data from the DNC, not about "Russian hacking of the DNC".
What Shawn Henry is saying there is that they have evidence of the hackers preparing data for exfiltration, but no concrete evidence of the data being transferred out. Unless the malware used by the hackers stores detailed logs, this is to be expected. It would be unreasonable to doubt that the exfiltration happened on this basis.
>In fact, there was a smoking gun to a disgruntled ex employee
There wasn't. None of your links substantiate this claim.
The wikipedia section consists of uninformed clowns like Sabu and hilarious quotes like "State-sponsored attackers don't create cool names for themselves like 'Guardians of Peace' and promote their activity to the public.". There's no genuine attempt at convincing criticism of the NK attribution to be found here.
>As for federal indictment on North Korea, that means nothing on the merits or dubiousness of the North Koreans hacking Sony
The federal government has a pretty good track record of getting these things right. The DOJ certainly believes that NK did the Sony hack.
> The U.S. Department of Justice issued formal charges related to the Sony hack on North Korean citizen Park Jin-hyok on September 6, 2018. ... The Department of Justice had previously identified Park and had been monitoring him for some time, but could not indict him immediately as much of the information around him was classified.
> Based on my 25 years in cyber security and responding to incidents, I’ve concluded we are witnessing an attack by a nation with top-tier offensive capabilities.
I wonder what nations possess “top-tier offensive capabilities” today. USA, China, Russia, Israel come to mind. Who else? Is there a list or metric to measure a nation’s cyber attack capabilities?
Very few companies will publicly attribute attacks to a specific government - both because it is hard and because of potential political blowback.
I would confidently say that the top 50 countries by GDP have a solid offensive capability. Some, like Japan, have very specific interests that don't align with what makes the news.
At some point you start getting into the territory of Hacking Team, NSO Group, Gamma, VASTech, etc. Effectively combining the resources of many smaller governments into a for-hire enterprise that can provide near-nation-state capabilities.
IANASecurityExpert. Claiming that an adversary is a state actor seems as much about magnifying the threat as a genuine finding. A high school kid exploiting their weaknesses will obviously leave them red-faced. Seems like a natural position to take for anyone hacked.
Not saying it didn't happen, but it looks like it has become the go-to defense in recent times.
I wonder if the attackers could use what they stole to impersonate FireEye. As in, some org thinks they're contracted/working with FireEye, but they're actually working with this nation state doing intelligence against the org.
Why impersonate FireEye even? Just start a legitimate company, gain customers and then use that as a basis to gather what you need. The employees wouldn't know this; they'd think they are working for a legitimate company. The bad actors who set it up would just have access to whatever they needed to do what they needed to do. This would take years of work to pull off but could be done.
How they handle it will impact their credibility more than anything. Honestly a company that gets popped and responds with urgency, gravity, transparency and integrity might even come out ahead.
It depends on how it happened, too. If it was a nation state deal and no more details come forth, I vote no. If this is a finphisher type hack and they get humiliated and db/source dumped, then yes.
I've been out of the security game for years now, but I would say no. A security company is still a company. And companies are vulnerable to security threats from nation states.
It probably depends whether (and how) they confirm it was a nation state, though.
Not necessarily. Realistically, you can't stop a nation state attack if they want to get in. If it turns out that the breach was caused by default credentials being used on a public server, then it's a different story.
> In the FireEye attack, the hackers went to extraordinary lengths to avoid being seen. They created several thousand internet protocol addresses — many inside the United States — that had never before been used in attacks. By using those addresses to stage their attack, it allowed the hackers to better conceal their whereabouts.
What does it mean to "create an internet protocol address," in this context? Did they use VPNs? VMs on cloud services? Residential proxies, luminati-style? Something else?
That sounds like a reporter’s explanation of announcing space that had never been allocated by an RIR, or had been allocated but never previously announced.
The reporter meant 'used'. I have never heard the use of 'created', and if there is a meaning to that that I don't know about, it's not widely used and should not have been used by the writer.
The 'many inside the US' is kind of laughable. I mean, what would you do to pull this off: use IP addresses in China or Russia just to draw attention?
I mean, if you want to pull off a burglary in a residential neighborhood you don't drive in with an auto that draws attention; you go with an auto that looks like many others that have been seen before and isn't noticed.
I would guess that is a little bit of journalistic summarization, and what the author means is that the IPs used in the attack had a reasonable reputation. That's what made me wonder whether they were talking about residential proxies.
You only need to validate it to the depth that your target can validate it, which likely means via (among other sources) paid-for IP Reputation services.
This is something I doubt. Zero-day exploits are the kind that software vendors have no awareness of and therefore have no fixes in place (think mimikatz). FireEye is the sort of company who, upon discovering one in the wild, would disclose it to the software vendor to protect their clients. NSA on the other hand has been proven to hoard zero-days, even from US companies.
You don't need to be good at attribution when you're on the same side as the press.
You can build a case on the flimsiest of IOCs, and anyone who questions you gets smeared as a foreign agent or cutout, without a shred of evidence. Really, quite neat.
In the 'zero-day' and related terminology the days start counting from the time when a fix is available. It refers to how much time a defender has had to fix their systems, a zero-day implying that even the most prudent defender could not have prevented the attack; and a day-1 (or day-x) attack implying that the defender might have closed the vulnerability if they had been sufficiently fast in monitoring for the existence of the problem and fixing their systems.
So there certainly could be zero-day exploits for vulnerabilities that are known but not yet fixable, perhaps because the vulnerability did not seem easily exploitable and thus not urgent to the vendor.
They could have seen evidence in logs that the hackers were searching for files that likely were associated with the government, but they didn't find any.
1. https://github.com/gentilkiwi/mimikatz 2. https://github.com/fireeye/red_team_tool_countermeasures/tre...
Edit: To be clear, I do work on an internal red team - we hack ourselves. I don't work for FireEye or a competitor.
Edit 2: Don't pick on Matthew. :)