A major ransomware gang claimed today that it has data from Mandiant, one of the biggest names in threat intelligence and incident response and the company Google is in the process of acquiring.
According to several news sites, the LockBit gang’s data leak site now lists Mandiant.com as one of its victims, along with the notice “All available data will be published.”
Mandiant quickly responded to reporters’ requests for comment by issuing this statement: “Mandiant is aware of these LockBit-associated claims. At this point, we do not have any evidence to support their claims. We will continue to monitor the situation as it develops.”
Coincidentally or not, the LockBit listing appeared as one of the world’s biggest cybersecurity meetings, RSA Conference, opened in San Francisco.
It also comes four days after Mandiant reported evidence that a threat group it tracks as UNC2165 has moved away from the Hades ransomware strain in favour of LockBit. The report argues that the shift is a response to U.S. sanctions against the gang known as Evil Corp: Mandiant assesses that UNC2165 is an Evil Corp affiliate, so switching strains could be an attempt to distance the group from the sanctioned entity and keep victims willing to pay.
UPDATE: A Mandiant spokesperson said Monday evening that the company has reviewed the data disclosed in the initial LockBit release. “Based on the data that has been released, there are no indications that Mandiant data has been disclosed but rather the actor appears to be trying to disprove Mandiant’s June 2nd, 2022 research blog on UNC2165 and LockBit.”
Originally an independent company, Mandiant was bought by FireEye for about US$1 billion in December 2013. After FireEye sold its products business and the FireEye name to Symphony Technology Group for US$1.2 billion in June 2021, the remaining company reverted to the Mandiant name. Google agreed in March 2022 to buy Mandiant for US$5.4 billion, with the goal of integrating it into its Google Cloud division.
Brett Callow, a threat analyst at Emsisoft, warned against accepting the LockBit claim at face value. “LockBit has made bogus claims in the past, and I suspect this is another of them. In fact, it may well be nothing more than a troll in response to Mandiant’s recent report claiming that Evil Corp was using LockBit’s affiliate program in an attempt to evade [U.S.] sanctions. The fact that LockBit timed the announcement to coincide with the start of RSAC could also point to it being a troll designed to cause embarrassment.”
Chris Olson, CEO of The Media Trust, a mobile app and website security provider, agreed. “With Mandiant claiming ‘we do not have any evidence’ to support LockBit’s claim, this is a developing story which we should take with a grain of salt. In the past, LockBit has posted names on its website only to drop them without explanation – it has also stolen data from organizations through a third-party vendor while falsely claiming to have breached its victims directly. Until more information emerges, the Mandiant story may go in either of those directions.
“LockBit acts on a ransomware-as-a-service (RaaS) model, meaning the actors who may have initiated this breach cannot be directly identified. This could be a useful tactic for the enemies Mandiant has acquired since it first began operating at the frontlines of global cyberwarfare. In 2013, it implicated Chinese actors in cyber espionage – in 2020, it helped investigate Russian groups responsible for the SolarWinds hack. More recently, it has been tracking the Russia-based cybercriminal group ‘Evil Corp’, which has begun working with LockBit to evade U.S. sanctions.
“For now, we don’t know if LockBit’s claims are true. But if they are, they could have serious implications for cybersecurity research firms who are increasingly ending up in the crosshairs of global cyber actors.”
PR stunts ahead of a major cybersecurity conference are nothing new, said Jamie Brummell, CTO of Socura, but for one to come from a ransomware gang is a novel development. “LockBit wanted to hit the headlines following a Mandiant report linking them to Evil Corp, which would mean lost revenue due to US government sanctions. In that respect, it’s ‘mission accomplished.’ The intention was seemingly to hit the big U.S. tech publications that their victims’ IT teams most likely read. It was a message to their victims that they can keep paying up.
“However, if their intention was to sever the link between them and Evil Corp in the eyes of the public and potential targets, that’s still up for debate. It may have the reverse effect of drawing more attention to the Mandiant report and make victims question whether they are really linked. They may think ‘the ransomware gang doth protest too much’. In that case, they may be even less likely to pay up.”