Cyber Incident Victim: Mandiant

Date:

Jul 2017

Location:

United States of America

Summary

Hackers compromised the personal online accounts of an employee at a cybersecurity firm, stole internal documents and credentials, and leaked them in multiple data dumps. In accompanying Pastebin posts the attackers mocked the firm, accused it of understating the breach's scope, and criticized its financial priorities, while also singling out security researchers and journalists who had commented on the leak. The leaked material included confidential third-party forensic reports and files modified to carry the campaign hashtag, exposing sensitive data belonging to organizations beyond the firm itself. The victim organization confirmed that investigations were ongoing but maintained that there was no evidence of intrusion into its corporate network, attributing the theft to the compromise of the individual's personal accounts.

Description

In late July 2017, anonymous hackers compromised personal accounts belonging to Adi Peretz, a senior threat intelligence analyst at Mandiant, a subsidiary of the cybersecurity firm FireEye. The attackers exfiltrated data from Peretz's LinkedIn, Hotmail, and other online accounts and published the first cache of stolen documents by July 31. FireEye responded with a public statement asserting that there was no evidence of compromise to its internal corporate systems, attributing the incident solely to unauthorized access to an employee's personal accounts. On August 14, the hackers released a second data dump containing approximately two dozen files totaling about 3 MB, including a confidential forensics report from the Israeli security firm Illusive Networks, documents relating to the Israeli Bank Hapoalim, and files altered to carry the superimposed text "COOL! #LeakTheAnalyst", the hashtag associated with the campaign. The attackers accompanied this release with a Pastebin post mocking FireEye's initial response, accusing the company of lying to protect its stock price and customer relationships, and specifically targeting security researchers and journalists who had commented on the first dump.

The incident exposed sensitive documents that had not previously been available publicly: Google searches for excerpts from the Illusive Networks report, which was marked "confidential", returned no results. While FireEye maintained that its corporate infrastructure remained uncompromised, the hackers contested this in their Pastebin communiqué, alleging broader access. The breach affected multiple external entities, including Illusive Networks and Bank Hapoalim, though neither organization provided immediate public comment. FireEye opened investigations into both data dumps and pledged updates to stakeholders, while the attackers framed FireEye's denial as motivated by its stock performance and corporate priorities rather than by the facts. The scope and authenticity of the leaked data had not been verified by independent sources at the time of reporting, and FireEye's ongoing inquiry was the only documented response action. Whatever the truth of the attackers' broader claims, the material that was verifiably leaked came from work-related content held in an employee's personal email and social media accounts, outside the corporate security boundary the company said was intact.
