Ransomware gang LockBit claims to have hacked security vendor Mandiant, stealing more than 350,000 files and threatening to leak them online. Mandiant says it has found “no evidence” of a breach, and believes LockBit may be striking back after Mandiant released an investigation into its relationship to Russian cyber gang Evil Corp.
The claims emerged late last night as LockBit published two files to its victim blog on the dark web which it claims stem from an attack on Mandiant. The group says it has more data to release: “all available information will be published!”, its blog post reads. It is not known if a ransom demand has been made to Mandiant, but a countdown timer on the post appears to indicate that the deadline for the release of information is approaching.
Who are LockBit?
Formerly known as ABCD, LockBit is known for requesting financial payment from its victims in exchange for decryption of information. “It focuses mostly on enterprises and government organisations rather than individuals,” says a report from security vendor Kaspersky.
Active since 2019, high-profile victims of the gang include Accenture, where LockBit demanded $50m in exchange for stolen data last year. However, reports noted that when a countdown timer set up for payment of the ransom passed zero, no data was released.
The similarities between the Accenture ‘breach’ and this incident have made security analysts suspicious. “This gang has made a number of false claims in the past,” said Brett Callow, security researcher at Emsisoft, adding that it is “entirely possible” that the group’s claims about Mandiant have “no substance to them whatsoever”.
Has LockBit really breached Mandiant?
Indeed Mandiant, which is currently in the process of being acquired by Google for around $5.4bn, says it is aware of claims but has “found no evidence” to back them up. “Based on the data released, there are no indications that Mandiant data was disclosed but rather the actor appears to be trying to disprove Mandiant’s blog on UNC2165 and LockBit,” the company said.
Mandiant released a report into LockBit and its relationship to the Russian cybercrime gang Evil Corp last week. The US government sanctioned Evil Corp members in 2019 as part of an international sting operation, describing it as “one of the world’s most prolific cybercrime operations”. The new Mandiant report explains that it believes Evil Corp members are now using LockBit malware “to hinder attribution efforts in order to evade sanctions”.
LockBit was clearly irked by this association, releasing a statement declaring “Mandiant.com are not professional”, and adding it “has nothing to do with Evil Corp”. It said: “We are real underground darknet hackers, we have nothing to do with politics or special services like the FSB, FBI and so on.”
This new alleged attack could be a further attempt to discourage Mandiant from linking LockBit and Evil Corp says Xue Yin Peh, senior cyber threat intelligence analyst at Digital Shadows. “Its reasons for the attack are likely to be to avoid the ensuing scrutiny and attention that would come with being affiliated with a sanctioned cybercriminal group [Evil Corp],” she says.
Others believe the timing of the disturbance is significant, as the global cybersecurity conference RSA is getting underway in San Francisco. “Given that it’s the second day of RSA, there may be some kind of marketing or publicity stunt driving this story,” argues Brian Higgins, security specialist at Comparitech.