Supply Chain
FireEye / Mandiant SolarWinds Breach: Red Team Tooling Stolen (SUNBURST Discovery)
Incident Details
FireEye (now Mandiant) was one of the first and most notable victims of the SUNBURST supply chain attack delivered through SolarWinds Orion. Unlike most SUNBURST victims, FireEye was specifically selected for follow-on intrusion by the Russian SVR (Cozy Bear / UNC2452). The attackers exfiltrated FireEye’s ‘Red Team tools’: a collection of custom offensive security tools and exploits used by FireEye’s Red Team for authorized penetration testing. The stolen tools were not zero-days, but they were highly sophisticated implementations of known techniques. FireEye detected the breach through an unusual MFA registration attempt: an attacker tried to register a second device on an employee’s account, and FireEye’s IT security team flagged it. FireEye’s disclosure on December 8, 2020 was the first public indication of the broader SolarWinds supply chain compromise, which Microsoft and US government agencies announced days later. FireEye also published countermeasures (detection rules) for the stolen tools. The breach was notable both because an adversary successfully compromised a top-tier cybersecurity company and because it was the incident that unraveled one of the most significant intelligence operations in cyber history. See also: 2020-12_solarwinds-sunburst.yaml.
Technical Details
- Initial Attack Vector: Russian SVR (Cozy Bear / UNC2452) compromised FireEye via the SUNBURST backdoor in a trojanized SolarWinds Orion update, the same supply chain attack as the broader SolarWinds campaign; FireEye was the first organization to detect and publicly disclose the SUNBURST backdoor
- Vendor / Product: SolarWinds Orion (supply chain)
- Malware Family: SUNBURST; TEARDROP
- Supply Chain Attack: Confirmed third-party / vendor compromise
Timeline
- 2020-10-01 Breach occurred
- 2020-12-08 Publicly disclosed
- 2020-12-08 Customers notified