Uncover the Inside Story of Mandiant’s “Hack”
On June 6, 2022, Eastern Time, at the time of the opening of the RSA 2022 conference… The LockBit ransomware gang claimed on the dark web that it had breached Mandiant, the leading manufacturer of cyber security in the United States, and threatened to release tens of thousands of copies stolen from Mandiant secret document.
This off-site interlude brought a haze to Mandiant, who was at the RSA 2022 conference at this time.
We note that all of the conflict stemmed from a threat analysis report published by Mandiant on June 2, which showed that the Evil Corp gang used the LockBit 2.0 group ransomware to carry out cyber extortion attacks, and Evil Corp was another early in 2019. A cybercriminal organization that was sanctioned by the U.S. government in 2010. Mandiant classified the LockBit 2.0 group as an affiliation of the Evil Corp gang and named it UNC2165.
Subsequently, the Lockbit extortion gang finally “published” Mandiant’s “hacked material” on its dark web site. However, this is not Mandiant’s confidential data, but a statement and a graphic evidence…
This statement caught our attention. After our analysis, we found that this statement implied some intelligence information, and Lockbit refuted some of Mandiant’s judgments from the attacker’s point of view:
First, Lockbit argues that many hacking tools, scripts and attack methods are now public and can be used by any hacker on the planet. Security vendors cannot determine who the attacker is based on the similarity of the tools used by hackers.
Second, Lockbit revealed that Foxconn was breached for ransomware because their security was really bad, and the domain control permissions were obtained by the ancient zerologon vulnerability. Implying that there are multiple extortion gangs, and even affiliated groups of these gangs may have captured Foxconn, the personnel of these extortion gangs are complex, there is no way to attribute the people behind the cyberattack, the speculation of security vendors is wrong, and it is implied that there are only a few The top FBI agents knew the truth about the relationship between the people behind the blackmail organization.
Third, Lockbit emphasized that it has nothing to do with the Evil Corp organization, nor with any government agency, and that it is an international cybercriminal gang without borders, including members of many countries.
With the evolution of the Mandiant hacked security incident, “offensive and defensive community first” conducted a more in-depth analysis and discussion. Some thoughts are as follows:
First, the U.S. OFAC (Office of the Treasury Department’s Foreign Assets Control) imposed sanctions on the Evil Corp gang in December 2019, and a recent report released by Mandiant concluded that the LOCKBIT gang and the Evil Corp gang may be the same gang, and they are very likely to be involved. It may be that the use of complex relationships and shared tools by cybercriminal organizations leads to misjudgments by security vendors. The intelligence analysis of such gangs is indeed out of the scope of technical capabilities. The intelligence judgment of technical personnel for complex relationship groups is only an auxiliary reference and cannot be highly qualified. Confidence.
Second, given the leadership and influence of Mandiant’s U.S. network security vendors, the LockBit organization is still very afraid, for fear that the gang will be included in the sanctions list by the US OFAC, which does not understand technology, because of “influential misjudgments”. OFAC’s legal sanctions have international deterrent effect. If a blackmail organization is sanctioned by the United States at the national level, even if the entities and enterprises related to the United States are hacked, they will not dare to pay ransom to the extortion organization that has been publicly sanctioned by OFAC, because it is The payment of ransom by the sanctioned criminal organization will be considered a violation of the law. The LockBit organization is very afraid that its criminal business will be suddenly implicated by the existing international sanctions of the Evil Corp gang because of Mandiant’s judgment, and lose a large amount of corporate ransoms.
Everyone must be concerned about whether Mandiant has been hacked, and whether the 356,841 files to be released by the LockBit organization’s website will eventually be a farce, all this is still a mystery.
The inside story between extortion organizations and security vendors is far from being as simple as the media news and some vendors imagined. All of this is due to the complex game between their respective interests and the tug-of-war, deterrence, and psychology between criminals and security personnel. War is a dark war that the public cannot understand. They only thing we know is that hackers are always seeking for new ways to gain access to people’s data. Although there was no threat this time, data leaking was a possibility and data protection is necessary. If there is crucial data in the folder, Mandiant may be in much worse situation today. As a result, data breaches affect even security suppliers, much alone ordinary businesses and individuals. Therefore, our businesses and people must take proactive steps to secure data. To avoid all hazards, data may be backed up for disaster recovery. Data protection solutions are now plentiful and simple to use. As an example, consider the popular virtual machine backup. Virtual machines may run many operating systems concurrently, saving both physical and virtual resources. VMware Backup, Xenserver Backup, Hyper-V Backup, and other virtual machine backup tools are now widely utilized.
For more valuable information visit the website