It’s enough to send chills down the spine of any security analyst. Rather than keeping an eye on the hackers, the hackers keep an eye on you, infiltrating your network and stealing your data, before unleashing it to the world in a very public, and very embarrassing way.
That nightmare scenario became reality for the Virginia-based Mandiant Security and one of its employees, Adi Peretz, after hackers spent a year inside of his computer.
Peretz, who works as a Senior Threat Intelligence Analyst, has become the victim of “Operation #LeakTheAnalyst,” and appears to be collateral damage in a backlash against the legitimate security industry. The hackers dumped the contents of his email inbox, as well as several internal Mandiant and FireEye documents.
Mandiant primarily focuses on digital forensics, and was acquired by FireEye in 2014 for roughly $1 billion.
The dump is an treasure trove of hugely sensitive internal information. Included are network topologies, threat intelligence profiles for the Israeli Defence Forces, and company worksheets.
Much of the dump focuses on Peretz. In one folder, for example, we can see the attackers tracked Peretz through the Windows Find My Device feature, linked to his Surface Pro laptop.
The hackers also apparently broke into, and defaced, his LinkedIn page.
LinkedIn profile of a Mandiant employee. :| pic.twitter.com/3WpWiXGjvs
— Rickey Gevers (@UID_) July 31, 2017
Peretz’s profile has since been deleted.
At the bottom of the pastebin announcing the leak, the attackers write:
Nobody understands the amount of dedication it takes to break into a highly secured network, to bypass every state of the art security measure installed to make a targeted network unbreakable, to code and hack not for the money but for the pleasure of being somewhere no one can be in, to be addicted to pain.
From time to time there is a know-it-all security professional tries to read your sick mind and blow your breach plan up to hell.
For a long time we – the 31337 hackers – tried to avoid these fancy ass “Analysts” whom trying to trace our attack footprints back to us and prove they are better than us. In the #LeakTheAnalyst operation we say fuck the consequence let’s track them on Facebook, Linked-in, Tweeter, etc. let’s go after everything they’ve got, let’s go after their countries, let’s trash their reputation in the field. If during your stealth operation you pwned an analyst, target him and leak his personal and professional data, as a side job of course ;).
While it’s not unheard of for researchers and analysts to find themselves in the firing line, the attack against Mandiant and Peretz has spooked some in the security industry, and calls have amplified for researchers to harden their machines and environments.
#leakTheAnalyst is a new operation by a group of hackers, trying to leak researchers data. Make sure you harden your machines and research.
— Ido Naor (@IdoNaor1) July 31, 2017
We’ve reached out to Mandiant, and will update this post when we hear more.
UPDATE: Mandiant’s parent company, FireEye, just issued a statement.
We are aware of reports that a Mandiant employee’s social media accounts were compromised. We immediately began investigating this situation, and took steps to limit further exposure. Our investigation continues, but thus far, we have found no evidence FireEye or Mandiant systems were compromised.