I wouldn’t be surprised if they exfiltrated enough from FireEye to make it worth it. It’s another premier security solution used by a larger number of highly likely targets. It will be interesting to see what FireEye vulnerabilities we see come out in the near to long term future. What kind of vulnerabilities can you find if you have the device source code?
Especially because FireEye doesn't have anything intrinsically valuable. Spend the time and/or money to buy/develop the security tools and holes FireEye has - or some equivalent.
As always, a chain is only as strong as its weakest link.
If hacking an antivirus will gain the attacker complete control over millions of potential targets, then the weakest link in millions of machines is also a bug in that antivirus software. There is a reason many experts recommend against installing anything besides Defender.
In retrospect, SolarWinds seems to have been a relatively weak link, but perhaps no less than Microsoft Teams or other common enterprise software that are known to take security lightly.
And of course, less than any IoT device that might be practical to attack en masse.
These will continue to be targeted, and it is silly to say that anyone is "breaking norms".
Not every server is useful, I guess. People used to use backdoored servers to send spam, but that's harder and harder to do from untrusted IP addresses.
Not every server is useful for gathering intelligence on a nation either it seems.
Thinking about it, if you want secret information by definition only a tiny fraction of the networks out there are going to have it— anything most of them have wouldn’t be a secret anymore. So any attackers are going to focus the majority of their energy on exfiltrating data from the most likely/productive extreme minority of their infiltrated networks.
State level actors wouldn’t typically do that. Better to leave a low value target unexploited to increase the useful lifespan of the exploit rather than find some minor utility for low value hosts.
It used to be that botnets for DDoS were valuable, too, and you'd think some sort of low-effort crypto miner could be uploaded or something. Seems odd even without the email benefit that they'd just not follow up at all.
Low effort cryptominer or DDoS drone sounds exactly like the kind of thing that'll get you caught early. Even if you are actually after profit (and not other goals one would assume with what's claimed to be state-associated hackers), that might not be a good idea.
It seems like the operation was run on the cheap.
https://en.wikipedia.org/wiki/Equation_Group