Operation #LeakTheAnalyst hits security firms by hitting employees.
An attack on an individual, legitimate security analyst came to light early Monday. A Mandiant analyst's personal accounts were breached, with the doxing posted to Pastebin by a person or persons calling themselves "the 31337 Hackers" (leetspeak for "eleet," that is, "elite"). The doxing was part of Operation #LeakTheAnalyst. The hackers also claim to have breached Mandiant systems in 2016, but no documents posted so far suggest this is anything but gasconade (Security Week).
Mandiant is a unit of FireEye, which says it has found no evidence that its systems or networks were compromised. An investigation is in progress. The company did say that some information on two customers was exposed in the doxing; it is working with those customers to contain any problems (Infosecurity Magazine). FireEye reported strong results this week and said its investigation of the hack revealed that corporate networks had not been breached, and that the affected employee had suffered compromise of a couple of online accounts, not his personal systems. The company said it found the timing of the attack "interesting" for unspecified reasons (CRN).
As for declared motivation, the 31337 Hackers say they've long resented legitimate security analysts and have decided to target them as individuals. The communiques that accompanied their Pastebin doxing aren't quite written in ShadowBrokerese, but there are some similarities. One of the ShadowBrokers' linguistic stigmata is a mangled plural, as in their use of "peoples." There are signs of this in what the 31337 Hackers have to say. "This documents describes some of the key events of the past two months related to cyber espionage," is a representative sample. Not quite as mannered and contrived as the ShadowBrokers—indeed, it's within the range of what one might see in an undergraduate's term paper—but still, Operation #LeakTheAnalyst will bear watching (CSO).