A major ransomware gang claimed today it has data from Google subsidiary Mandiant, one of the biggest names in threat intelligence and incident response.
According to several news sites, the LockBit gang’s data leak site now lists Mandiant.com as one of its victims, along with the notice “All available data will be published.”
Mandiant quickly responded to reporters’ requests for comment by issuing this statement: “Mandiant is aware of these LockBit-associated claims. At this point, we do not have any evidence to support their claims. We will continue to monitor the situation as it develops.”
Coincidentally, the LockBit statement comes as one of the world’s biggest cybersecurity meetings, RSA Conference, opens in San Francisco.
It also comes four days after Mandiant said there’s evidence a threat group it names UNC2165 has moved away from using the Hades ransomware strain in favour of LockBit. This, the report argues, is because the U.S. has sanctioned the gang known as Evil Corp. UNC2165 seems to be an Evil Corp affiliate, Mandiant says, so the shift in ransomware strain could be an attempt to distance the gang from the sanctioned entity.
Originally an independent company, Mandiant was bought by FireEye for US$1 billion in December 2013. After FireEye was acquired by Symphony Technology Group for US$1.2 billion in June 2021, Google bought Mandiant for US$5.4 billion, with the goal of integrating it into its Google Cloud division.
Brett Callow, a threat analyst at Emsisoft, warned against accepting the LockBit claim at face value. “LockBit has made bogus claims in the past, and I suspect this is another of them. In fact, it may well be nothing more than a troll in response to Mandiant’s recent report claiming that Evil Corp was using LockBit’s affiliate program in an attempt to evade [U.S.] sanctions. The fact that LockBit timed the announcement to coincide with the start of RSAC could also point to it being a troll designed to cause embarrassment.”
Chris Olson, CEO of The Media Trust, a mobile app and website security provider, agreed. “With Mandiant claiming ‘we do not have any evidence’ to support LockBit’s claim, this is a developing story which we should take with a grain of salt. In the past, LockBit has posted names on its website only to drop them without explanation – it has also stolen data from organizations through a third-party vendor while falsely claiming to have breached its victims directly. Until more information emerges, the Mandiant story may go in either of those directions.
“LockBit acts on a ransomware-as-a-service (RaaS) model, meaning the actors who may have initiated this breach cannot be directly identified. This could be a useful tactic for the enemies Mandiant has acquired since it first began operating at the frontlines of global cyberwarfare. In 2013, it implicated Chinese actors in cyber espionage – in 2020, it helped investigate Russian groups responsible for the SolarWinds hack. More recently, it has been tracking the Russia-based cybercriminal group ‘Evil Corp’, which has begun working with LockBit to evade U.S. sanctions.
“For now, we don’t know if LockBit’s claims are true. But if they are, they could have serious implications for cybersecurity research firms who are increasingly ending up in the crosshairs of global cyber actors.”