A hacker or group of hackers claimed today to have breached FireEye’s Mandiant. In a Pastebin post, they claimed, “It was fun to be inside a giant company named ‘Mandiant’… ‘Mandiant’ knows how deep we breached into its infrastructure.”
The “proof” of the breach was somewhat limited information about one Mandiant/FireEye employee, Adi Peretz (FireEye purchased Mandiant for $1 billion in January 2014). Peretz is described in the Pastebin post as ‘Victim #1’, a ‘Senior Threat Intelligence Analyst at Mandiant.’ There is no evidence of a breach deep into Mandiant’s infrastructure, and a FireEye spokesperson told SecurityWeek that the company network has not been breached.
There does not appear to be anything sensitive on Pastebin (Pastebin’s policy is to remove any such data). Instead there is a link to the full dump on megafileupload.com, from where a 32 MB zipped file can be downloaded. The content, however, is not awe-inspiring — embarrassing for Peretz, but hardly damaging to FireEye. It includes personal details from Peretz (such as a rather small Outlook contact list), emails, and freely available PDF documents such as a Cylance-produced PDF description of Cylance Protect.
This highlights a fundamental contradiction in the Pastebin announcement. The hacker announces, “This leak was just a glimpse of how deep we breached into Mandiant, we might publish more critical data in the future.” Yet from the evidence presented, there is little more than a breach of Peretz’s LinkedIn and other personal accounts.
The LinkedIn account has since been removed, but not before the hackers defaced it with the picture of a bare backside and language to suit.
In a statement emailed to SecurityWeek, FireEye confirms the apparently limited nature of the breach. “We are aware of reports that a Mandiant employee’s social media accounts were compromised. We immediately began investigating this situation and took steps to limit further exposure. Our investigation continues, but thus far we have found no evidence FireEye or Mandiant systems were compromised.”
Although the hacker says he has more, and might leak more in the future, that is not described as the primary motive behind the breach. Effectively, the hacker describes this as the first success (‘Victim #1’) of a new project: Op. #LeakTheAnalyst. The motivation is to embarrass security analysts, not to breach major companies.
“In the #LeakTheAnalyst operation,” says the hacker, “we say fuck the consequence let’s track them on Facebook, Linked-in, Tweeter, etc. let’s go after everything they’ve got, let’s go after their countries, let’s trash their reputation in the field.” For a long time, he says, “we – the 31337 hackers – tried to avoid these fancy ass ‘Analysts’ whom trying to trace our attack footprints back to us and prove they are better than us.” No more. “Let’s unleash hell upon them.”
The clue is in the Op name: LeakTheAnalyst. The question is whether this really is a new, well-resourced hacker campaign, in which more analysts have already been compromised and will be embarrassed in the future — or whether one hacker got lucky, got into Peretz’s accounts, and is now trying to make it look like a planned and coordinated campaign.
The hacker or hackers are currently unknown. The poster uses the term, ‘we — the 31337 hackers’; but that is probably a generic usage simply claiming ‘I am one of the elite hackers’.
The leakage is probably not the treasure trove of hugely sensitive internal information claimed by some. It should not, for example, surprise anyone that FireEye/Mandiant meets with the Israeli Defense Force, and a FireEye Threat Intelligence Summary from June 2016 is hardly critical.
Nevertheless, it would be a mistake to believe that the dump contains nothing of value to attackers; and at the very least it is a huge embarrassment for a senior security analyst within a major security firm. ‘Must do better’ should now be his motto. It appears that he had been owned for upwards of a year — and for the moment, we cannot be certain that additional data has not been lifted.