Black Hats VS Computer Security Companies – One Time Incident or Prolonged Campaign?

In late July 2017, hackers referring to themselves as “31337” initiated a campaign that posted sensitive personal data on Pastebin, an online bulletin board where hostile actors have been observed dumping sensitive information for public consumption.  The group released a 32 MB file titled “Mandiant Leak: Op. #LeakTheAnalyst,”claiming that the data was taken from a senior threat intelligence analyst at a well-known computer security vendor.  The company has asserted that none of its internal networks were penetrated by the hackers, although three corporate documents and two customers were exposed via the victim’s personal social media accounts.

Dump posted on Pastebin

The threat analyst’s online credentials had been released into the wild as a result of eight data breaches of third parties that had occurred previously.  Any evidence of corporate compromise, such as screen grabs that purposefully intimated a network breach was manufactured, according to a company statement.  Regardless, according to news reports, company stock felt an immediate impact, dropping 5 percent after the incident was made public.

Private security companies have gained prominence for their efforts in detecting and identifying hostile cyber activity, particularly those perpetuated by suspected nation state or state-affiliated actors.  Notably, another private company – and not the Federal Bureau of Investigation or the Department of Homeland Security – led the mitigation and remediation efforts after the 2016 breach into the Democratic National Committee networks.  Indeed, law enforcement and private sector companies are proving to be a positive collaboration.  Private sector companies have the resources and connections to proactively report criminal activity and support investigations with digital forensics and malware reverse-engineering.  In several instances, both groups have joined forces in an effort to disrupt cybercriminal businesses with ransomware connections.

However, this recent incident is notable as it is one of the first instances where hostile actors have deliberately targeted security and intelligence analysts at private security firms with the intent of revealing their identities for further damage.  In its post advertising the LeakTheAnalyst Op, the group’s motivation is rooted in revenge.


“In the #LeakTheAnalyst operation we say ****

the consequence let’s track them on Facebook,

Linked-in, Tweeter, etc. let’s go after everything

they’ve got, let’s go after their countries, let’s

trash their reputation in the field. If during your

stealth operation you pwned an analyst, target

him and leak his personal and professional data,

as a side job of course.”


In essence, it may be a harbinger of things to come where hostile cyber actors are seeking to turn the tables on their white hat counterparts.


From a larger perspective, companies must consider the negative ramifications of the doxing of their employees and how that potentially affects company branding.  Take for instance the unfortunate events surrounding DigiNotar.  In 2011, DigiNotar’s system was tricked into issuing more than 500 fraudulent digital certificates for top Internet companies. This caused such severe damage to the company’s image and business that confidence was unrecoverable. The company ultimately went bankrupt.


While the group intimates that more doxes are to follow, there is some skepticism that the group will or even has the skill set required to conduct more sophisticated attacks to exploit systems and retrieve more sensitive information.  The fact that it appears the group gave off the false impression that it had compromised the company’s networks certainly suggests they may have limited capabilities in this capacity.


While the incident demonstrates that even security professionals are subject to targeting and victimization, the greater concern is whether this will be an isolated incident or the beginning of something more serious.  Media attention given to private sector computer security firms in exposing advanced persistent threat (APT) actors or cybercriminals operating in the dark web has certainly gotten the attention of these groups and individuals.  With the recent targeting, it now has placed them in the cross-hairs of at least some of these same entities.


It is uncertain if the publicity this incident has generated will entice other more skilled hostile actors – such as APT-affiliated or nationalistic actors – to join in the crusade.  Several suspected APT actors have been “outed” by private security companies, and ongoing coverage has negatively highlighted the activities of patriotic hackers (e.g., the distributed denial-of-service attackers observed against Estonia in 2007, and against U.S. banks during Operation Ababil), and recently, those of Russian Internet trolls during the 2016 U.S. Presidential election.  Where aggrieved unsophisticated hackers pose at most a modest threat, a more motivated and advanced actor set seeking revenge on the very organizations that have established their reputations from their exposure is a different adversary altogether.  Attacking brand image and eroding public confidence puts security company solvency at risk.


A bugle has inadvertently been sounded; it remains to be seen if that call is answered.


This is a guest post written by Emilio Iasiello.


Tags: , , , , , ,