Hackers leak info stolen from Mandiant analyst, threaten similar attacks

News by Bradley Barth

"This leak was just a glimpse of how deep we breached into Mandiant, we might publish more critical data in the future," 31337's Pastebin message reportedly warned.

After leaking data stolen from an analyst working for Mandiant, a hacking group or individual going by the name "31337" is threatening to victimise other cyber-security experts in similar fashion.

According to multiple accounts, shortly after midnight on Monday, an adversary set up a Pastebin page and doxxed information obtained by reportedly breaching the personal laptop of a senior threat intelligence analyst at Mandiant. The attacker also compromised several of the researcher's online accounts, including Hotmail, OneDrive, Outlook and LinkedIn, the latter of which resulted in webpage defacement.

Reports are stating that the doxxed information may have included details on Mandiant's network topology, licences, and business contracts, as well as the victimised researcher's emails and account credentials. The Pastebin posting has since been removed.

A spokesperson from FireEye, which owns and operates Mandiant as a subsidiary, released an updated statement to SC Media, noting that an ongoing investigation "has so far found no evidence that [Mandiant's] corporate network was compromised or that the employee's personal systems were compromised." The latter part of this statement would seem to contradict a reported earlier statement from FireEye that acknowledged a laptop was specifically breached.

"Thus far, it appears at least two customers were impacted, and we have addressed this situation with each customer directly," the statement continues. "The documents exposed were labelled with these customer names, but did not contain any customer confidential information."

Based on news accounts of the Pastebin post, these two customers may have been the Israeli prime minister's office and Israel's Hapoalim Bank.

The post, reportedly titled: "Mandiant Leak: Op. #LeakTheAnalyst," included a message from the culprit, implying that the attack was just the opening salvo in a string of future attacks intended to embarrass and discredit analysts whose work may have thwarted malicious campaigns.

"For a long time we -- the 31337 hackers -- tried to avoid these fancy ass 'analysts' [who are] trying to trace our attack footprints back to us and prove they are better than us," the Pastebin posting read, reportedly. "In the #LeakTheAnalyst operation we say **** the consequence let's track them on Facebook, Linked-in, Tweeter, etc. let's go after everything they've got, let's go after their countries, let's trash their reputation in the field. If during your stealth operation you pwned an analyst, target him and leak his personal and professional data, as a side job of course."

The attacker, whose name 31337 is code for "Elite," also warned that it might not be finished with Mandiant: "This leak was just a glimpse of how deep we breached into Mandiant, we might publish more critical data in the future," the Pastebin message threatened.

But other researchers and analysts were dubious that the hacker or hackers can carry through on these threats.

"Only one workstations [sic] seems to be infected during #leakTheAnalyst. Dump does not show any damage to core assets of #Mandiant," tweeted Ido Naor, researcher at Kaspersky Lab, adding that the data breach was likely just "beginner's luck." Nevertheless, Naor cautioned fellow researchers to "harden your machines and research."

Steve Morgan, founder of Cybersecurity Ventures, told SC Media that he believes FireEye handled the breach responsibly. "This is an isolated incident at FireEye and should not reflect poorly on the firm. They are one of the most trusted breach and incident responders in the industry," said Morgan.

"Lesson learned from this: don't deny it, or downplay it," Morgan continued. "Cyber-security companies will inevitably be involved with periodic data leaks. Not that they should. But it happens. When it does, if they handle the way FireEye has, it should be forgotten fairly quickly."

Tyler Moffitt, senior threat research analyst at Webroot, commented in an email to SC: “This is very malicious behaviour even for common black hat hackers; although, I can understand why they wanted to attack an analyst. After all, analysts such as myself certainly make their job harder. That being said, I can sympathise with Adi. If a skilled group of hackers has a vendetta (personal or professional) against you, there is little to no room for a slip-up. This serves as a warning for other analysts in the industry to always be cautious. The nature of our job has us regularly working in infected environments and a single lapse of judgment could cost an individual and his or her organisation a whole lot of embarrassment.”

Andrew Clarke, an EMEA director for One Identity, goes further, declaring, "This is a wakeup call to the entire security market. Even the most aware security users get caught out – that only goes to show that companies cannot do enough to protect their users. For years, security experts have been espousing the need for organisations, private enterprise, non-profits and governments to increase focus and investment to security; to make security a board room level discussion. But now it appears that even the experts and analysts have failed to heed our own warnings and are suffering from the “Cobbler's Kids” allegory.

"The fact that hackers persisted with their attacks on this user for over a year is alarming since pro-active monitoring would catch unwanted behaviour. Improved user administration would help – with strong access controls that validate specific actions to confirm that is really the intention could prevent accidental publication of information and of course create another barrier for potential attackers to overcome. Improved management of social media accounts that takes advantage of the latest safeguarding tools to control and manage access to social media logins and access is also advised."

He concludes: "As we tell our own customers - we have to be perfect every single time; the hackers need succeed only once."
