
Hackers Compromise Accounts of FireEye Threat Intelligence Analyst

A hacker or group of hackers claimed today to have breached FireEye’s Mandiant. In a Pastebin post, they claimed, “It was fun to be inside a giant company named ‘Mandiant’… ‘Mandiant’ knows how deep we breached into its infrastructure.”

The “proof” of the breach was somewhat limited information about one Mandiant/FireEye employee, Adi Peretz (FireEye purchased Mandiant for $1 billion in January 2014). Peretz is described in the Pastebin post as ‘Victim #1’, a ‘Senior Threat Intelligence Analyst at Mandiant.’ There is no evidence of a breach deep into Mandiant’s infrastructure, and a FireEye spokesperson told SecurityWeek that the company network has not been breached.

There does not appear to be anything sensitive on Pastebin itself (Pastebin’s policy is to remove any such data). Instead the post links to the full dump on megafileupload.com, from where a 32 MB zipped file can be downloaded. The content, however, is not awe-inspiring: embarrassing for Peretz, but hardly damaging to FireEye. It includes personal details of Peretz (such as a rather small Outlook contact list), emails, and freely available PDF documents such as a Cylance-produced PDF description of Cylance Protect.

This highlights a fundamental contradiction in the Pastebin announcement. The hacker announces, “This leak was just a glimpse of how deep we breached into Mandiant, we might publish more critical data in the future.” Yet from the evidence presented, there is little more than a breach of Peretz’s LinkedIn and other personal accounts.

The LinkedIn account has since been removed, but not before the hackers defaced it with the picture of a bare backside and language to suit.

In a statement emailed to SecurityWeek, FireEye confirms the apparently limited nature of the breach. “We are aware of reports that a Mandiant employee’s social media accounts were compromised. We immediately began investigating this situation and took steps to limit further exposure. Our investigation continues, but thus far we have found no evidence FireEye or Mandiant systems were compromised.”

Although the hacker says he has more, and might leak more in the future, that is not described as the primary drive behind the breach. Effectively, the hacker describes this as the first success (‘Victim #1’) of a new project: Op. #LeakTheAnalyst. The motivation is to embarrass security analysts, not to breach major companies. 

“In the #LeakTheAnalyst operation,” says the hacker, “we say fuck the consequence let’s track them on Facebook, Linked-in, Tweeter, etc. let’s go after everything they’ve got, let’s go after their countries, let’s trash their reputation in the field.” For a long time, he says, “we – the 31337 hackers – tried to avoid these fancy ass ‘Analysts’ whom trying to trace our attack footprints back to us and prove they are better than us.” No more. “Let’s unleash hell upon them.”

The clue is in the Op name: LeakTheAnalyst. The question is whether this really is a new, well-resourced campaign in which more analysts have already been compromised and will be embarrassed in the future, or whether one hacker got lucky, got into Peretz’s accounts, and is now trying to make it look like a planned and coordinated campaign.

The hacker or hackers are currently unknown. The poster uses the term ‘we – the 31337 hackers’ (31337 being leetspeak for ‘elite’); but that is probably generic usage, simply claiming ‘I am one of the elite hackers’.

The leakage is probably not the treasure trove of hugely sensitive internal information claimed by some. It should not, for example, surprise anyone that FireEye/Mandiant meets with the Israel Defense Forces; and a FireEye Threat Intelligence Summary from June 2016 is hardly critical.

Nevertheless, it would be a mistake to believe that the dump contains nothing of value to attackers: contact lists, emails and internal summaries are exactly the material used to make later phishing and impersonation credible. At the very least it is a huge embarrassment for a senior security analyst within a major security firm. Must do better should now be his motto. It appears that he had been owned for upwards of a year, and for the moment we cannot be certain that additional data has not been lifted.

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
