Hacker Group 31337 Dumps Data Stolen From Mandiant Analyst

FireEye Confirms Breach After Hackers Launch 'Operation Leak the Analyst'
Document included in the 31337 hacker group's data dump.

Cybersecurity firm FireEye has confirmed that the personal laptop of one of its Mandiant breach-investigation employees, as well as his social media accounts, were hacked by a group of self-professed black hat hackers, calling themselves "31337."

"We are aware of reports that a Mandiant employee's social media accounts and personal laptop have been compromised," a spokeswoman for California-based FireEye tells Information Security Media Group. "We are investigating this situation, and have taken steps to limit further exposure."

For now, however, it says the breach appears to be contained to the employee's laptop. "While our investigation is ongoing, there is currently no evidence that FireEye or Mandiant corporate systems have been compromised," FireEye's spokeswoman says.

The breach first came to light Monday via an anonymous post to Pastebin labeled "Mandiant Leak: Op. #LeakTheAnalyst." The post contains links to a 32 MB file that attackers claim contains details relating to Adi Peretz, a senior threat intelligence analyst at FireEye's Mandiant consulting services unit, which provides incident response services that the company is now presumably applying to itself.

The attackers also claim that the dump contains network topology - potentially for FireEye's malware analysis lab - as well as detail of FireEye licenses, contracts, and an extensive collection of Peretz's personal and business emails.

The attackers also defaced Peretz's LinkedIn account and say that they had compromised his Windows Live (aka Outlook.com) account.

"Hack locally, leak globally, expect us," the attackers wrote, in a riff on the infamous Anonymous credo.

Further Dumps Threatened

The 31337 hackers' name is a reference to leet - a shortening of "elite" - or what's also known as leetspeak, which is a form of symbolic writing born from 1980s bulletin board systems.

The group claims it had access to Peretz's system for more than a year. It says the data dump is a warning to Mandiant. "This leak was just a glimpse of how deep we breached into Mandiant, we might publish more critical data in the future," the group claims.

Excerpt from the 31337 group's Pastebin post.

The additional data, the attackers claim, includes details of "Mandiant internal networks and its clients data," as well as credentials for various accounts. The attackers also suggested that they had obtained data that relates to the Israeli prime minister's office, as well as Israel's Hapoalim Bank.

The 31337 hacking group says the data dump is the first in a series of what are meant to be retributory attacks against security analysts.

"For a long time we - the 31337 hackers - tried to avoid these fancy ass "analysts" [who are] trying to trace our attack footprints back to us and prove they are better than us. In the #LeakTheAnalyst operation we say [expletive] the consequence let's track them on Facebook, Linked-in, Tweeter, etc. let's go after everything they've got, let's go after their countries, let's trash their reputation in the field. If during your stealth operation you pwned an analyst, target him and leak his personal and professional data, as a side job of course."

FireEye Confirms Leaks

FireEye has confirmed that information relating to two unnamed customers has been leaked.

"Our top priority is ensuring that our customer data is secure," FireEye's spokeswoman says. "To date, we have confirmed the exposure of business documents related to two separate customers in Israel, and have addressed this situation with those customers directly. This is an ongoing investigation, and new or additional information may emerge as we continue looking into this matter."

FireEye says it will release further updates as its investigation continues.

Based on the data that's been dumped so far, Ido Naor, an Israel-based cybersecurity researcher who works for Moscow-based Kaspersky Lab, says that the "dump does not show any damage to core assets of Mandiant."

Meanwhile, digital forensics researcher Brian Baskin, a senior threat researcher for Massachusetts-based Carbon Black, says that the attack so far only appears to be a "reputation hack" aimed at the Mandiant security analyst, and by extension Mandiant and FireEye.


About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
