
LockBit claims Mandiant hack in apparent bid to distance itself from Evil Corp

The ransomware gang is apparently keen to play down associations with the notorious cybercriminals.

By Claudia Glover

Ransomware gang LockBit claims to have hacked security vendor Mandiant, stealing more than 350,000 files and threatening to leak them online. Mandiant says it has found “no evidence” of a breach, and believes LockBit may be striking back after Mandiant released an investigation into its relationship to Russian cyber gang Evil Corp.

Security vendor Mandiant has apparently been hacked by LockBit. (Photo by Gabby Jones/Bloomberg via Getty Images)

The claims emerged late last night as LockBit published two files to its victim blog on the dark web which it claims stem from an attack on Mandiant. The group says it has more data to release: “all available information will be published!”, its blog post reads. It is not known if a ransom demand has been made to Mandiant, but a countdown timer on the post appears to indicate that the deadline for the release of information is approaching.

Who are LockBit?

Formerly known as ABCD, LockBit is known for requesting financial payment from its victims in exchange for decryption of information. “It focuses mostly on enterprises and government organisations rather than individuals,” says a report from security vendor Kaspersky.

Active since 2019, high-profile victims of the gang include Accenture, where LockBit demanded $50m in exchange for stolen data last year. However, reports noted that when a countdown timer set up for payment of the ransom passed zero, no data was released.

The similarities between the Accenture ‘breach’ and this incident have made security analysts suspicious. “This gang has made a number of false claims in the past,” said Brett Callow, security researcher at Emsisoft, adding that it is “entirely possible” that the group’s claims about Mandiant have “no substance to them whatsoever”.

Has LockBit really breached Mandiant?

Indeed Mandiant, which is currently in the process of being acquired by Google for around $5.4bn, says it is aware of claims but has “found no evidence” to back them up. “Based on the data released, there are no indications that Mandiant data was disclosed but rather the actor appears to be trying to disprove Mandiant’s blog on UNC2165 and LockBit,” the company said.

Mandiant released a report into LockBit and its relationship to the Russian cybercrime gang Evil Corp last week. The US government sanctioned Evil Corp members in 2019 as part of an international sting operation, describing it as “one of the world’s most prolific cybercrime operations”. The new Mandiant report explains that it believes Evil Corp members are now using LockBit malware “to hinder attribution efforts in order to evade sanctions”.


LockBit was clearly irked by this association, releasing a statement declaring “ are not professional”, and adding it “has nothing to do with Evil Corp”. It said: “We are real underground darknet hackers, we have nothing to do with politics or special services like the FSB, FBI and so on.”

This new alleged attack could be a further attempt to discourage Mandiant from linking LockBit and Evil Corp, says Xue Yin Peh, senior cyber threat intelligence analyst at Digital Shadows. “Its reasons for the attack are likely to be to avoid the ensuing scrutiny and attention that would come with being affiliated with a sanctioned cybercriminal group [Evil Corp],” she says.

Others believe the timing of the disturbance is significant, as the global cybersecurity conference RSA is getting underway in San Francisco. “Given that it’s the second day of RSA, there may be some kind of marketing or publicity stunt driving this story,” argues Brian Higgins, security specialist at Comparitech.
