Late Sunday evening, someone posted details alleged to have come from a compromised system maintained by Adi Peretz, a Senior Threat Intelligence Analyst at Mandiant.
The leaked records expose the analyst from both a personal and professional level, but Sunday’s post also suggested a much larger incident and the possibility of additional Mandiant leaks in the future.
Sunday’s post went up just hours after thousands of hackers ended a week of education and hijinks in Las Vegas, where the annual conferences Black Hat, BSides Las Vegas, and DEF CON were held. It claims that sometime in 2016, continuing until recently in 2017, the threat intelligence firm was fully compromised.
“This leak was just a glimpse of how deep we breached into Mandiant, we might publish more critical data in the future,” the post said.
The bulk of the leaked data is a 337MB PST file containing the analyst’s emails.
In addition to that are images detailing the compromise of their OneDrive account, Live account, LinkedIn account, geo-tracking of personal devices for at least a year, billing records and PayPal receipts, credentials for an engineering portal at FireEye, WebEx and JIRA portals, as well as Live and Amazon accounts. There are also records related to an alleged customer, Bank Hapoalim, and internal documentation and presentations, including one for the IDF (Israel Defense Forces) from 2016.
“It was fun to be inside a giant company named ‘Mandiant’ we enjoyed watching how they try to protect their clients and how their dumb analysts are trying to reverse engineer malwares and stuffs. Now that ‘Mandiant’ knows how deep we breached into its infrastructure its so-called threat analysts are trying to block us. Let's see how successful they are going to be :D,” Sunday’s post taunted.
The leak appears to center on a single analyst, and a single set of systems used by Peretz. However, because of the wide-reaching compromise of both business and personal accounts, the risk (and real fear) is that the attackers have extended their reach beyond a single employee.
The threat of additional leaks is something to take seriously, and it’s clear at least one analyst was compromised. However, unless Mandiant confirms the scale and scope of the incident, it’s going to be difficult to determine if the claims made on Sunday are completely true.
What the post does make clear though, is that the overall target isn't the security firms - it's their analyst teams and researchers. So if the claims are legit, then Peretz is just the first analyst to be targeted, signaling to others that they need to take care of their personal security and use caution while working.
Salted Hash has reached out to the analyst and Mandiant for comment; we’ll update this story should they respond. In a statement shared by Motherboard's Joseph Cox, the company says they're aware of Sunday's post and investigating.
"At this stage, it appears that an employee's personal social media accounts have been compromised. We have not found evidence FireEye or Mandiant systems were compromised."
Steven Booth, the CSO of FireEye, has posted a response regarding the hacker's claims. FireEye says they're false, and that nothing was hacked. In fact, the only thing they've discovered is a number of failed access attempts in various logs.
The blog post by Booth outlines a number of items in the investigation, but the key takeaway is how the analyst was compromised:
"We confirmed the Victim’s passwords and/or credentials to his personal social media and email accounts were among those exposed in at least eight publicly disclosed third party breaches (including LinkedIn) dating back to 2016 and earlier. Starting in September 2016, the Attacker used those stolen passwords and/or credentials to access several of the Victim’s personal online accounts, including LinkedIn, Hotmail and OneDrive accounts."
FireEye also says the documents leaked by the hacker came only from the analyst's personal accounts, and that some of them were previously available to the public. Otherwise, the attacker simply shared screenshots of the items themselves.
"The Victim supports a very small number of customers. Two customer names were identified in the Victim’s personal email and disclosed by the Attacker. We believe these are the only two customers impacted by this incident," the post goes on to state.