Hacker Group 31337 Dumps Data Stolen From Mandiant Analyst
FireEye Confirms Breach After Hackers Launch 'Operation Leak the Analyst'

Cybersecurity firm FireEye has confirmed that the personal laptop of one of its Mandiant breach-investigation employees, as well as his social media accounts, were hacked by a group of self-professed black hat hackers calling themselves "31337."
"We are aware of reports that a Mandiant employee's social media accounts and personal laptop have been compromised," a spokeswoman for California-based FireEye tells Information Security Media Group. "We are investigating this situation, and have taken steps to limit further exposure."
For now, however, it says the breach appears to be contained to the employee's laptop. "While our investigation is ongoing, there is currently no evidence that FireEye or Mandiant corporate systems have been compromised," FireEye's spokeswoman says.
The breach first came to light Monday via an anonymous post to Pastebin labeled "Mandiant Leak: Op. #LeakTheAnalyst." The post contains links to a 32 MB file that attackers claim contains details relating to Adi Peretz, a senior threat intelligence analyst at FireEye's Mandiant consulting services unit, which provides incident response services that the company is now presumably applying to itself.
The attackers also claim that the dump contains network topology - potentially for FireEye's malware analysis lab - as well as details of FireEye licenses and contracts, and an extensive collection of Peretz's personal and business emails.
The attackers also defaced Peretz's LinkedIn account and say that they had compromised his Windows Live (aka Outlook.com) account.
"Hack locally, leak globally, expect us," the attackers wrote, in a riff on the infamous Anonymous credo.
Further Dumps Threatened
The 31337 hackers' name is a reference to leet - a shortening of "elite" - or what's also known as leetspeak, which is a form of symbolic writing born from 1980s bulletin board systems.
The group claims it had access to Peretz's system for more than a year. It says the data dump is a warning to Mandiant. "This leak was just a glimpse of how deep we breached into Mandiant, we might publish more critical data in the future," the group claims.
The additional data, the attackers claim, includes details of "Mandiant internal networks and its clients data," as well as credentials for various accounts. The attackers also suggested that they had obtained data that relates to the Israeli prime minister's office, as well as Israel's Hapoalim Bank.
The 31337 hacking group says the data dump is the first in a series of what are meant to be retributory attacks against security analysts.
"For a long time we - the 31337 hackers - tried to avoid these fancy ass "analysts" [who are] trying to trace our attack footprints back to us and prove they are better than us. In the #LeakTheAnalyst operation we say [expletive] the consequence let's track them on Facebook, Linked-in, Tweeter, etc. let's go after everything they've got, let's go after their countries, let's trash their reputation in the field. If during your stealth operation you pwned an analyst, target him and leak his personal and professional data, as a side job of course."
FireEye Confirms Leaks
FireEye has confirmed that information relating to two unnamed customers has been leaked.
"Our top priority is ensuring that our customer data is secure," FireEye's spokeswoman says. "To date, we have confirmed the exposure of business documents related to two separate customers in Israel, and have addressed this situation with those customers directly. This is an ongoing investigation, and new or additional information may emerge as we continue looking into this matter."
FireEye says it will release further updates as its investigation continues.
Based on the data that's been dumped so far, Ido Naor, an Israel-based cybersecurity researcher who works for Moscow-based Kaspersky Lab, says that the "dump does not show any damage to core assets of Mandiant."
By accounts, a reputation hack only. So far limited to a single person's home box. Lack of additional suggests good backstopping by Mandiant https://t.co/u1byjjSpTb
— Brian Baskin (@bbaskin) July 31, 2017
Meanwhile, digital forensics researcher Brian Baskin, a senior threat researcher for Massachusetts-based Carbon Black, says that the attack so far only appears to be a "reputation hack" aimed at the Mandiant security analyst, and by extension Mandiant and FireEye.