A hacker group calling themselves the 31337 hackers recently claimed to have had access to the computer of a Mandiant senior threat intelligence analyst since 2016. The group is calling the attack Op #LeakTheAnalyst.
In a post on Pastebin, the hackers claim the data they obtained includes full access to the analyst's LinkedIn profile and Windows Live account, as well as his PayPal invoices.
More broadly, they claim to have compromised "Mandiant internal networks and its clients' data," as well as "credentials (Mandiant-FireEye Docs, Mandiant-FireEye WebEx, Mandiant-FireEye JIRA, staff emails, Amazon account, LinkedIn account, and much more)."
"This leak was just a glimpse of how deep we breached into Mandiant; we might publish more critical data in the future," the hackers warned.
In a statement posted on Twitter, Mandiant parent company FireEye said the attack only hit the analyst's personal accounts and didn't breach Mandiant's systems.
"We are aware of reports that a Mandiant employee's social media accounts were compromised," the company stated. "We immediately began investigating this situation and took steps to limit further exposure. Our investigation continues, but thus far we have found no evidence FireEye or Mandiant systems were compromised."
Kaspersky researcher Ido Naor agreed, posting on Twitter, "Only one workstation seems to be infected during #LeakTheAnalyst. Dump does not show any damage to core assets of #Mandiant."
"The 'operation' #LeakTheAnalyst is probably just ... beginner's luck," Naor added.
Still, Webroot senior threat research analyst Tyler Moffitt told eSecurity Planet by email that the attack should serve as a warning to other analysts in the industry to remain cautious. "The nature of our job has us regularly working in infected environments, and a single lapse of judgement could cost an individual and his or her organization a whole lot of embarrassment," he said.
And Vectra Networks head of security analytics Chris Morales said the breach is a reminder that anyone can be a victim of a cyber attack. "This attack will have an impact on the FireEye Mandiant brand," he said. "The brazen attack demonstrates how any business is vulnerable, even those in the cyber security field."
In response, Morales said, companies need to make fundamental changes to their security mindset and assume they're already compromised. "By implementing automated threat hunting using AI, companies can quickly discover attacker behavior in their network," he said. "Preventing unwanted parties from operating within the network with impunity, waiting for the right time to strike, should be a top priority."
Security vs. Efficiency
While it's probably safe to assume an organization like Mandiant prioritizes key security measures such as identity and access management (IAM) and network access control (NAC) to keep an attack like this from compromising its entire network, a recent Bromium survey [PDF] of 175 security professionals found that 94 percent of respondents say users are more concerned with getting work done than with cyber security.
Strikingly, 64 percent of security professionals admitted having modified security to allow employees more freedom to get their work done in response to a request from leadership, and 40 percent admitted having turned security off entirely to accommodate a user's request.
"While it isn't a shock that users prioritize productivity and convenience over security, we've always assumed that IT security teams set the agenda when it comes to protecting IP, customer data and the network," Bromium president and co-founder Ian Pratt said in a statement. "But the results from this survey make it clear they are often overruled and executive leadership may not be aware given these competing priorities."