FireEye/SolarWinds: Taking Action and Staying Protected

To Our Customers, Prospects, Partners, and the Cybersecurity Community:

Update: on Sunday, Dec 13, it was reported that SolarWinds was the subject of a sophisticated supply chain attack targeting SolarWinds Orion Platform software, their enterprise IT monitoring solution. According to public and private sources, this supply chain attack is linked to FireEye and other US federal entities being targeted.

In the released IOCs associated with both the FireEye and SolarWinds breaches, SentinelOne customers are protected. In the SolarWinds attack, dubbed “SUNBURST,” SentinelLabs research has confirmed that devices with SentinelOne agents deployed are specifically exempt from the malicious payload used in the reported IOCs. As presented in the SolarWinds attack, SUNBURST does not trigger malicious activities on devices protected with SentinelOne.

Following the SolarWinds supply chain attack:

  1. SentinelOne’s Singularity Cloud blocks all reported IOCs
  2. All SentinelOne customers have access to a new hunting pack which includes custom Deep Visibility hunting queries for the latest SUNBURST and FireEye breach IOCs

Our recommendation to customers and the community-at-large is to follow SolarWinds’ security advisory instructions. In addition, please incorporate best practice countermeasures including:

  • Resetting all credentials used by or stored in SolarWinds software
  • Resetting service account passwords if service accounts were used with SolarWinds software
  • Referencing FireEye’s SUNBURST countermeasures

The SentinelOne team stands ready to assist in these times of uncertainty. Ensuring you’re informed and protected is key to staying secure. Our experts are available to speak on these events and your cybersecurity readiness by contacting us here.


It’s not every day we see a fellow cybersecurity company, especially one with a significant presence serving the federal government, as the subject of a breach. On December 8, FireEye disclosed a sophisticated attack which led to the “unauthorized access of their red team tools.” The statement went on to say the company does not know whether the attacker intends to use the stolen tools themselves or publicly disclose them.

We are sad to hear the news; all cybersecurity vendors at some level share a unified purpose of making the world a more secure place. Our thoughts are with our colleagues at FireEye and with their customers. SentinelOne’s commitment to keep customers protected remains unwavering. We innovate to raise the cybersecurity bar to defend our digital way of life.

In this blog, we update on the actions SentinelOne has taken across our SentinelLabs security research team, Vigilance MDR team, and product team in response to the FireEye breach. Our platform is able to detect the known malware samples associated with the FireEye breach. 

Detection is Foundational to Visibility & Protection

We continue to monitor and hunt for relevant IOCs and artifacts related to the breach. We can also confirm that all assets that are seen so far in the wild are detected by the SentinelOne agents, with no upgrade needed. If there are parts of your network that are not protected with SentinelOne, we encourage you to close that gap, even if you need to exceed the number of licenses you have at the moment. We recommend the use of our Rogue system detection to identify the systems that should have an agent deployed. Below this blog, please find a list of hashes based on FireEye’s reporting and our own research that we confirm are covered.

Hunting Pack Released for Every SentinelOne Customer

We’ve already released a bespoke and ready-to-use hunting pack in every customer’s SentinelOne console for retrospective hunting missions. SentinelOne’s industry-leading data retention periods enable lengthy lookbacks for thorough investigations. This customized hunting package enables our customers to know if any of the artifacts related to this breach exist – or have existed – within your enterprise.

We’re Here to Help

SentinelOne is committed to doing the right thing – and we stand by ready to help at no cost. Here are several actionable steps our team suggests:

  1. SentinelOne Customers: if you’re a Core, Control, or Complete customer and desire custom hunting assistance, our Vigilance MDR team and our Customer Success organizations stand ready to assist. If you need additional agents, we’re ready to assist with rapid deployment. Our 24/7/365 team is ready to help via phone or console.
  2. Non-SentinelOne Customers: if you need assistance conducting a risk assessment as it relates to the FireEye breach or securing unprotected devices, SentinelOne is ready. We can deploy in minutes without business interruption or restarts. Our team of experts can help quickly determine if any traces of the FireEye breach are in your environment for compliance and executive briefing purposes.

We’re here to help. We’re here to protect. We’re in this together.

On-Demand Webinar: Communicating With Your Team & Leadership
The FireEye Breach

Latest FireEye Indicators of Compromise (IOCs)

00f866a2d0eda84ed2488ead86bc8acaa3700b3f
049f5f5ec6e34d2e40e445c0bc188be420e287c6
066954007501c38187ffa0877b02013a4d4dc0ba
092cbf66bd6a548d7baf6f8b215c2a3483a2564c
0bbe8738281328778b4cf5404cc866ebedbe4ca1
0e0aede7d4f97f0d054733baba3c8313864e187f
0f923286d803aaade3bf28fdb923f6917ebb0b20
1049eb7d4ddfbc895848a3680fa332f0fec10def
218651ac5b575c3f9642c2e9a5928aa22fab8483
22109552d6af71d392de199e21ae272009db608a
23b1e73bf4cc07cd31b92a8c294b341740484d3e
23e93aa315f9a1268077131d68429055ac102b25
28a15a0b532c47110297aa6f4f46bad4d72235a2
2a5b9098d073406ecb3fffe8d6cba6b5ed26ce5a
32687a64efe5246f9b7284b5ae9adedc31605fdc
345da4a23cf56c22d218301ec461bfc3ca8e2cc2
390496bbd3f71d1ba08d7c86867d62b67597257d
43268f6f01a1aab72b62b63211ec1daef7ce34c0
46a6c17e1ec6d3aa4e931247c38a9219d71977a5
472af2b122c23bf0ca10c78d389a5a7f030a3536
5179d4d2fb102427e73ccd0cffa54a64405f41fb
562f4a310f37fafd5f66f460f79dc80912d2dad1
58cdc7d8e6175ef48d85a1b0602ed4024bf75019
599b70211175f44e7c651f0322cdc11084cc838e
5a69157821b615d11820036feb64d479009f6970
5adc9856172203858f5b93f67f4bf5814ad0df8a
5d358567e549a6f8e471697f7c78bc8bdf2a6534
5e6a5c287c9a8c412f1868b6f86bc23b75e1d1b9
6d44aa3772738143f26493caa6996dbdd1dcc048
7358ef9186c6fdf11016739496af19c5d3ecc193
73b98fd25755cd509ad5e4db4332ea18b651a0b5
780b6854d2d97834a068220e9060a874434161be
81ae80a486081e626a853d8759b37cdb36683f1a
82739c78f7b351bbe80a582fd46b0ba4f1c8c02b
8ae7c7830eb38b19c516df52db98b8abdb3df68d
8c58a1918f24473e55c7b239ca0f890f78fc17b9
8ec6fedc9ac60ee42ca93cc0aebfa55f572a1473
903de96e966183883ae1c1ccaa0d30e8684ad0d9
9577be0570e464af72f385479bae9ee9c2a082d4
9c21dc8726acd445b4defccfdecc14fad6e6ac78
9f595dc903e24c6a03ba95a701037b6532050667
a199a5b6584f1ce713753d1b2767d02f166948a4
aded10ffd74bc07e1aa622911389a31d3bee605a
b2d98ac491b2a60f29991bd858f62594b85ddcfb
b98cded462dfd80c682c953830e3df744cac756d
ba8f4a2c864ea2031f95c49c43dd7f1cc22d72f5
c1a031b4725cd740df986d29c3e94992813fccc8
c47021b5fc733b1a21e837fd34f849e0559b1ace
c7d1f8ad918ae32c5eee34ed4571775aa00cf3ad
c968672b966086fb9fa8b5e6b7124dec6a4119f3
cc542c0f873470b3eb292f082771eec61c16b3d7
cd3bb41346fdc37053dc6b5a83f2c77fe4e2c3bf
d04afd993d41fe68d31a7a9848d9ab31f7933991
d16c01db635b05a219ae8eef3728fae55adfcb4e
d535de08875cef1c49bfa2532281fa1254a8cb93
daedb9d53501dcb655044ce4cbb5d39a645070b4
e384c7371f681af5d4fc167f3f66bf68ac1f3bdb
e4fbc8961cb54d27d834f5789c7b4d1f4819fd34
e54f5737847287e49a306f312995c9aba38314d4
f590b00fd30a653a833be42974f9f714d3c8d595
f871d7a9fd37f2250db8658beb6b5ef6e794a08b
f9881d2380363cb7b3d316bbf2bde6c2d7089681