Hacktivists Claim Leak of CrowdStrike Threat Intelligence

Summary:
A hacktivist group, USDoD, has claimed to have leaked CrowdStrike’s internal threat actor list, including indicators of compromise (IoCs). CrowdStrike acknowledged these claims in a blog post on July 25, 2024, noting that USDoD provided a download link for the alleged list and shared sample data on BreachForums. This incident follows a significant IT outage on July 19 caused by a bug in the CrowdStrike Falcon platform, which affected critical sectors like airlines, banks, media, and healthcare by preventing systems from booting correctly.
CrowdStrike stated that the sample data released by USDoD contained detailed intelligence on threat actors, such as adversary aliases, statuses, last active dates, regions, targeted industries, and motivations. The firm noted that the adversary aliases matched those on the Falcon platform but were listed in a different order. The data, which includes "LastActive" dates up to June 2024, suggests recent acquisition, as the Falcon portal lists some actors as active in July 2024. USDoD also claimed to have obtained CrowdStrike’s entire IoC list and plans to release it soon. These IoCs are critical for cybersecurity professionals as they help identify hacker methods in attacks. Additionally, USDoD claimed to have data from an oil company and a pharmacy industry outside the USA, though it is unclear if this claim is separate from the alleged CrowdStrike data leak.

CrowdStrike emphasized in a statement to Infosecurity that the attackers' claims do not constitute a breach, as the threat intelligence data is available to thousands of customers, partners, and prospects. They reiterated, "There is no CrowdStrike breach. This threat intel data is available to tens of thousands of customers, partners, and prospects." Additionally, CrowdStrike stated in its blog post: “The threat intel data noted in this report is available to tens of thousands of customers, partners and prospects – and hundreds of thousands of users. Adversaries exploit current events for attention and gain. We remain committed to sharing data with the community.”

Security Officer Comments:
USDoD, active since at least 2020, has engaged in both hacktivism and financially motivated breaches. In the past two years, the group has focused on high-profile intrusion campaigns and recently expanded their activities to include administering eCrime forums. In September 2023, USDoD claimed to have stolen personal data from credit agency TransUnion and also claimed a data breach at Airbus in the same month. They primarily use social-engineering tactics to access sensitive data. CrowdStrike noted that USDoD has a history of exaggerating claims to enhance their reputation within both hacktivist and eCrime communities.

Suggested Corrections:

Restrict and Monitor Access to Threat Intelligence Data:

  • Ensure that access to threat intelligence data is strictly controlled and only available to authorized personnel.
  • Implement detailed logging and monitoring of access to threat intelligence data to quickly identify and respond to any unauthorized access attempts.

Enhance Endpoint and API Security:
  • Secure all endpoints and APIs with strong authentication mechanisms, including multi-factor authentication (MFA).
  • Regularly update and patch endpoint software and APIs to protect against known vulnerabilities that could be exploited for data scraping or unauthorized access.

Deploy Web Application Firewalls (WAF):
  • Use WAFs to protect web applications and APIs from automated attacks and scraping attempts.
  • Configure WAFs to detect and block suspicious activities, such as repeated access attempts or unusual patterns of data requests.
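The logging-and-monitoring item above and the WAF item on unusual request patterns both come down to the same detection problem: spotting a principal that pulls threat-intelligence records faster or more broadly than a human analyst would, or that keeps hitting an endpoint it is not authorized for. The following is an added example, not code from CrowdStrike or from either linked article; the log format, API paths, key names and thresholds are all invented for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Log line shape assumed for this example: "<iso-timestamp> key=<api-key-id> <method> <path> <status>".
# This format is invented for the demonstration; it is not CrowdStrike's or any real product's log format.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) key=(?P<key>\S+) "
    r"(?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None for malformed lines."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    rec["status"] = int(rec["status"])
    return rec


def detect_bulk_access(lines, window=timedelta(minutes=5),
                       max_requests=50, max_distinct=25, max_denied=10):
    """Return {api_key: [rule, ...]} for keys whose activity inside any
    sliding `window` exceeds a threshold. Rules:
      request_rate       - more than max_requests requests in the window
      record_enumeration - more than max_distinct distinct record paths in the window
      denied_attempts    - more than max_denied 401/403 responses in the window
    """
    by_key = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            by_key[rec["key"]].append(rec)

    alerts = defaultdict(set)
    for key, events in by_key.items():
        events.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(events)):
            # Advance the window start until events[start:end+1] fits inside `window`.
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            window_events = events[start:end + 1]
            if len(window_events) > max_requests:
                alerts[key].add("request_rate")
            if len({r["path"] for r in window_events}) > max_distinct:
                alerts[key].add("record_enumeration")
            if sum(1 for r in window_events if r["status"] in (401, 403)) > max_denied:
                alerts[key].add("denied_attempts")
    return {key: sorted(rules) for key, rules in alerts.items()}


def _fmt(ts, key, path, status):
    return f"{ts.strftime('%Y-%m-%dT%H:%M:%SZ')} key={key} GET {path} {status}"


# Constructed sample log (invented principals, paths and timings).
_t0 = datetime(2024, 7, 24, 10, 0, 0)
SAMPLE_LOG_LINES = []
# An analyst reading a handful of actor profiles over ten minutes: benign.
for i in range(5):
    SAMPLE_LOG_LINES.append(_fmt(_t0 + timedelta(minutes=2 * i), "analyst-01",
                                 f"/intel/actors/{1001 + i}", 200))
# A key walking sequential actor IDs once per second: looks like scraping.
for i in range(60):
    SAMPLE_LOG_LINES.append(_fmt(_t0 + timedelta(seconds=i), "scraper-key",
                                 f"/intel/actors/{3000 + i}", 200))
# A key repeatedly denied on a bulk-export endpoint: repeated unauthorized attempts.
for i in range(12):
    SAMPLE_LOG_LINES.append(_fmt(_t0 + timedelta(seconds=3 * i), "probe-key",
                                 "/intel/iocs/export", 403))
# A malformed line, which the parser skips rather than crashing on.
SAMPLE_LOG_LINES.append("garbage line that does not match")

if __name__ == "__main__":
    for key, rules in detect_bulk_access(SAMPLE_LOG_LINES).items():
        print(f"ALERT {key}: {', '.join(rules)}")
```

The thresholds are deliberately per-key rather than global: a legitimate integration account may pull many records, so tune `max_requests` and `max_distinct` per role (analyst vs. service key) and feed the resulting alerts to the same place WAF rate-limit hits go, so that scraping through the API and scraping through the web front end are reviewed together.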

Conduct Regular Security Audits and Penetration Testing:
  • Perform regular security audits and penetration testing to identify and address vulnerabilities in your systems.
  • Focus on areas that are most likely to be targeted by hacktivists, such as public-facing applications, endpoints, and APIs.

Implement Comprehensive Incident Response Plans:
  • Develop and regularly update incident response plans that specifically address hacktivist threats.

Link(s):
https://www.crowdstrike.com/blog/hacktivist-usdod-claims-to-have-leaked-threat-actor-list/
https://www.infosecurity-magazine.com/news/hacktivists-leak-crowdstrike/