After leaking data stolen from an analyst working for Mandiant, a hacking group or individual going by the name “31337” is threatening to victimize other cybersecurity experts in similar fashion.
According to multiple accounts, shortly after midnight on Monday, an adversary set up a Pastebin page and doxxed information obtained by reportedly breaching the personal laptop of a senior threat intelligence analyst at Mandiant. The attacker also compromised several of the researcher’s online accounts, including Hotmail, OneDrive, Outlook and LinkedIn, the latter of which resulted in webpage defacement.
Reports are stating that the doxxed information may have included details on Mandiant’s network topology, licenses, and business contracts, as well as the victimized researcher’s emails and account credentials. The Pastebin posting has since been removed.
A spokesperson from FireEye, which owns and operates Mandiant as a subsidiary, released an updated statement to SC Media, noting that an ongoing investigation “has so far found no evidence that [Mandiant’s] corporate network was compromised or that the employee’s personal systems were compromised.” The latter part of this statement would seem to contradict a reported earlier statement from FireEye that acknowledged a laptop was specifically breached.
“Thus far, it appears at least two customers were impacted, and we have addressed this situation with each customer directly,” the statement continues. “The documents exposed were labeled with these customer names, but did not contain any customer confidential information.”
Based on news accounts of the Pastebin post, these two customers may have been the Israeli prime minister’s office and Israel’s Hapoalim Bank.
The post, reportedly titled: “Mandiant Leak: Op. #LeakTheAnalyst,” included a message from the culprit, implying that the attack was just the opening salvo in a string of future attacks intended to embarrass and discredit analysts whose work may have thwarted malicious campaigns.
“For a long time we — the 31337 hackers — tried to avoid these fancy ass ‘analysts’ [who are] trying to trace our attack footprints back to us and prove they are better than us,” the Pastebin posting read, reportedly. “In the #LeakTheAnalyst operation we say **** the consequence let’s track them on Facebook, Linked-in, Tweeter, etc. let’s go after everything they’ve got, let’s go after their countries, let’s trash their reputation in the field. If during your stealth operation you pwned an analyst, target him and leak his personal and professional data, as a side job of course.”
The attacker, whose name 31337 is code for “Elite,” also warned that it might not be finished with Mandiant: “This leak was just a glimpse of how deep we breached into Mandiant, we might publish more critical data in the future,” the Pastebin message threatened.
But other researchers and analysts were dubious that the hacker or hackers can carry through on these threats.
“Only one workstations [sic] seems to be infected during #leakTheAnalyst. Dump does not show any damage to core assets of #Mandiant,” tweeted Ido Naor, researcher at Kaspersky Lab, adding that the data breach was likely just “beginner’s luck.” Nevertheless, Naor cautioned fellow researchers to “harden your machines and research.”
Steve Morgan, founder of Cybersecurity Ventures, told SC Media that he believes FireEye handled the breach responsibly. “This is an isolated incident at FireEye and should not reflect poorly on the firm. They are one of the most trusted breach and incident responders in the industry,” said Morgan.