You must have heard of Adi Peretz, the Senior Threat Intelligence Analyst at Virginia-based Mandiant Security who bore the brunt of hackers' ire and had his computer squatted on for more than a year.
Yesterday, hackers dumped a huge amount of data from his computer while also hacking into his social media accounts to show that they weren't messing around when the #leaktheanalyst hashtag was created.
Adi Peretz was just collateral damage in the war between hackers and the mainstream cybersecurity industry. The Mandiant email dump that hackers made public included sensitive internal information, threat intelligence profiles as well as network topologies of clients.
Digital forensics business Mandiant was acquired by FireEye back in 2014 and is currently valued at over $1 billion. Hackers managed to use the Find My Device feature on Peretz' Surface Pro hybrid tablet to go through his personal files for a year. They also wrecked havoc on his LinkedIn profile, although this has now been deleted.
Matt Walmsley, EMEA director, Vectra said: “With hackers boasting to have had persistent access since 2016, it goes to show that nobody has fool proof defences. Organisations need a fundamental change in their security mindset to a default expectation of ‘we’re already compromised’ so that they are equipped to detect as well as deal with breaches quickly. By implementing automated threat hunting using AI, companies can quickly discover when a rogue third party has breached the network. Preventing unwanted parties from operating within the network with impunity, waiting for the right time to strike, should be first port of call.
Over on the pastebin dump of the data, hackers have written their side of the story too:
"Nobody understands the amount of dedication it takes to break into a highly secured network, to bypass every state of the art security measure installed to make a targeted network unbreakable, to code and hack not for the money but for the pleasure of being somewhere no one can be in, to be addicted to pain.
From time to time there is a know-it-all security professional tries to read your sick mind and blow your breach plan up to hell.
For a long time we – the 31337 hackers – tried to avoid these fancy ass “Analysts” whom trying to trace our attack footprints back to us and prove they are better than us. In the #LeakTheAnalyst operation we say fuck the consequence let’s track them on Facebook, Linked-in, Tweeter, etc. let’s go after everything they’ve got, let’s go after their countries, let’s trash their reputation in the field. If during your stealth operation you pwned an analyst, target him and leak his personal and professional data, as a side job of course ;).
While the case is enough to spook the most hardened cyber analysts, here at TEISS, we are staggered by the lack of separation between work and play that hackers have demonstrated in this instance.
Jeremy Swinfen Green, Head of Training and Consulting, TEISS said: "The hack on Adi Peretz, something that looks quite personal, makes one question the wisdom of cyber security analysts having social media profiles or indeed having computing devices that mix personal and business use.
"Just as people with smartphones they use for work should assume that they will lose them at some point (so any work data on them needs to be secure), so perhaps cyber security analysts should assume they will be hacked at some point.
"Opting out of social media would make their attack surface smaller (and reduce any reputational damage in the wake of a successful attack). Physically separating work and personal activities, especially if different personas are developed for both, could also be a useful, if less than convenient (although the continued reduction in the size of computers makes this less of an issue than it was 10 years ago)..
"Ultimately though cyber security analysts are putting themselves out there and no one should be surprised when occasionally one falls victim. Adi Perets deserves our sympathy."
A FireEye spokesperson said: "We are aware of reports that a Mandiant employee’s social media accounts and personal laptop have been compromised. We are investigating this situation, and have taken steps to limit further exposure. While our investigation is ongoing , there is currently no evidence that FireEye or Mandiant corporate systems have been compromised. Our top priority is ensuring that our customer data is secure. To date, we have confirmed the exposure of business documents related to two separate customers in Israel, and have addressed this situation with those customers directly. This in an ongoing investigation, and new or additional information may emerge as we continue looking into this matter. We will do our best to keep you up to date.