
Hacktivists Alleged Leak of CrowdStrike Threat Intelligence

A recent cyber incident has put cybersecurity firm CrowdStrike in the spotlight, as a hacktivist group known as USDoD claims to have leaked the company’s entire internal threat actor list. This list reportedly includes crucial indicators of compromise (IoCs), which cybersecurity professionals use to analyze and understand the methods hackers employ in an attack.

CrowdStrike acknowledged the claims made by USDoD in a blog post on July 25, 2024. The firm confirmed that the hacktivist group provided a link to download the alleged threat actor list and shared a sample of data fields on the BreachForums cybercrime forum. This incident follows a global IT outage on July 19, which was caused by a bug in a content update for CrowdStrike’s Falcon platform. The bug affected systems in various critical sectors such as airlines, banks, media, and healthcare.

The leaked threat intelligence data contained detailed information on various threat actors, including their aliases, status, last active dates, country of origin, number of targeted industries and countries, as well as their type and motivation. CrowdStrike noted that the adversary aliases matched those on the Falcon platform but were listed in a different order. The firm highlighted that this data is typically accessible to tens of thousands of approved customers, partners, and prospects, as well as hundreds of thousands of users, but is not publicly available.

The leaked sample data indicated “LastActive” dates until June 2024, while the Falcon portal showed more recent last active dates for some actors, suggesting that the data was obtained recently. USDoD also claimed to have CrowdStrike’s entire IoC list, which they plan to release soon. Additionally, the hacktivist group mentioned having obtained databases from an oil company and from the pharmacy industry, although it remains unclear whether this is related to the CrowdStrike leak.

Security researchers noted USDoD’s post on BreachForums and revealed that the group programmatically abused CrowdStrike endpoints to extract IoCs over a month-long scraping operation. According to vx-underground, who spoke with USDoD, it was a coincidence that this operation overlapped with the CrowdStrike scandal.

In response to the incident, CrowdStrike clarified that, if the attackers’ claims are accurate, the incident does not constitute a breach. The firm stressed that this threat intelligence data is routinely shared with approved entities.

Regarding the hacktivist group USDoD, CrowdStrike highlighted that the group has been active since at least 2020, engaging in hacktivism and financially motivated breaches. They have intensified their cyber activities in recent years, focusing on targeted intrusion campaigns and eCrime forums. USDoD has previously claimed responsibility for data breaches at organizations such as TransUnion and Airbus, primarily using social engineering tactics to access sensitive information.

CrowdStrike warned that USDoD has a history of exaggerating claims to bolster their reputation within hacktivist and eCrime communities. The incident involving the leak of CrowdStrike’s internal threat actor list sheds light on the ongoing cybersecurity challenges faced by organizations and highlights the importance of robust security measures to protect sensitive data from malicious actors.
