LockBit ransomware gang claimed that they had stolen Mandiant’s data. The gang posted a countdown on their data leak site earlier today. They claimed to have hacked the cybersecurity company and stolen 356,841 files from their network.
Mandiant stated it was investigating the matter at the time the countdown was posted:
“Mandiant is aware of these LockBit-associated claims. At this point, we do not have any evidence to support their claims. We will continue to monitor the situation as it develops.”
“No Evidence of Breach”
The hacking claims came right after Mandiant’s reports regarding Evil Corp, LockBit saying, “All available data will be published.” It also seems timed with RSA Conference.
There was no evidence of a breach; furthermore, LockBit still hasn’t revealed any qualified data on its listing, so it’s still unknown whether the claims are valid. LockBit’s data leak listing only contains a 0-byte file named mandiantyellowpress[.]com.7z that is related to another domain (mandiantyellowpress[.]com, which redirects to ninjaflex[.]com). The domain has no sensitive data in-store.
LockBit might have brought up this incident only to protest against Mandiant’s reports (UNC2165, related to June 2nd) before RSAC. According to Brett Callow, the gang has made several false claims in the past, a threat analyst with cybersecurity firm Emsisoft who follows the ransomware ecosystem closely.
Update on the incident:
For the latest EvilCorp accusations, the LockBit ransomware organization chose to provoke and/or troll Mandiant.
The Mandiant “ransom” has been “released” by the LockBit ransomware organization. The “leaked document” is a note from LockBit debunking recent charges that he’s related to Maksim Yakubets, who was sanctioned by the Department of Justice (i.e., EvilCorp)
Could LockBit Be Threatening Mandiant?
Cybersecurity experts state that even if the attack was actual, it is not entirely possible to identify the actors who committed the breach. LockBit is a ransomware-as-a-service (RaaS) provider and can provide this service to anyone for a fee.
On the other hand, it is a remarkable detail that Mandiant is active in some critical issues in the field of cyber security. He contributed to detecting Chinese cyber espionage groups in 2013 and to the investigation of the SolarWinds incident in 2020. Recently, it has been watching Russia-based Evil Corp.
FireEye acquired Mandiant in December 2013 for $ 1 million. The hacking of FireEye in 2020 made a big splash, and Symphony Technology Group bought the company for $ 1.2 billion in June 2021. Then Google acquired Mandiant for $ 5.4 billion.
Technique ID Technique Description
T1107 File Deletion
T1055 Process Injection
T1112 Modify Registry
T1215 Kernel Modules and Extensions
T1060 Registry Run Keys / Start Folder
T1055 Process Injection
T1124 System Time Discovery
T1046 Network Service Scanning
T1083 File and Directory Discovery
T1016 System Network Configuration Discovery
T1012 Query Registry
T1082 System Information Discovery
T1057 Process Discovery
T1063 Security Software Discovery
T1047 Windows Management Instrumentation
T1035 Service Execution
T1075 Pass the Hash
SHA256 Compile TimeStamp
With SOCRadar® Free Edition, you’ll be able to:
- Prevent Ransomware attacks with Free External Attack Surface Management
- Get Instant alerts for fraudulent domains against phishing and BEC attacks
- Monitor Deep Web and Dark Net for threat trends
- Get vulnerability intelligence when a critical zero-day is disclosed
- Get IOC search & APT tracking & threat hunting in one place
- Get notified with data breach detection
Free for 12 months for one corporate domain and 100 auto-discovered digital assets. Get Free Access.