A hacktivist group has claimed to have leaked CrowdStrike’s entire internal threat actor list, including indicators of compromise (IoC).
CrowdStrike acknowledged the claims by the USDoD threat actor in a blog post on July 25, 2024. The firm noted that USDoD provided a link to download the alleged threat actor list and provided a sample of data fields on the notorious BreachForums cybercrime forum.
The claims come in the wake of the global IT outage on July 19 caused by a bug in a content update for the CrowdStrike Falcon platform. The bug prevented affected systems from booting correctly, disrupting critical sectors such as airlines, banks, media and healthcare.
Threat Intel Data Claims
CrowdStrike said that sample data released by USDoD contained detailed internal intelligence on threat actors. This included:
- Adversary aliases
- Adversary status
- Last active dates for each adversary
- Region/country of adversary origin
- Number of targeted industries
- Number of targeted countries
- Threat actor type and motivation
The firm observed that the adversary alias field contained the same aliases as the Falcon platform but listed in a different order.
CrowdStrike said that the threat intelligence data is available to tens of thousands of its approved customers, partners and prospects, as well as hundreds of thousands of users, but is not available publicly.
The sample leak contained data with “LastActive” dates no later than June 2024; however, the Falcon portal’s last active dates for some of the referenced actors are as recent as July 2024, suggesting the data was obtained very recently.
USDoD also alleged that it had obtained CrowdStrike’s entire IOC list and would release it soon. IOCs are data points that cybersecurity professionals use to identify an attacker’s methods and activity in an attack.
Additionally, CrowdStrike noted that the hacktivist group claimed in their post to have “two big dbs from a oil company and a pharmacy industry (not from USA).” It is unclear whether this claim is separate from the alleged leak of CrowdStrike data.
Security researchers vx-underground highlighted USDoD’s BreachForums post on X (formerly Twitter).
They said they had spoken with USDoD, who told them the group had programmatically abused CrowdStrike endpoints to pull IOCs from the company, with the scraping operation taking around a month.
“The time the scrape operation completed it just so happened by chance to coincide with the recent CrowdStrike scandal – they've got bad luck it seems,” said vx-underground.