FireEye data leak: Mandiant hackers post second data dump taunting cybersecurity firm

An unknown group of hackers, calling themselves the "31337" have reportedly claimed to have leaked a second batch of data stolen from US cybersecurity giant FireEye. In the end of July, the hackers first leaked FireEye's files after stealing them from an employee of Mandiant, which is owned by FireEye.

The latest data dump is relatively small and reportedly contains 3MB worth of files. FireEye has told IBTimes UK that it is aware of the second leak and is investigating the incident.

"We launched an investigation immediately upon learning of this second post early this morning. Despite the attacker's attempt to call attention to this matter, the situation remains the same -- there has been no further exposure beyond what we reported on August 7. There is no evidence that the attacker breached, compromised or accessed our corporate network," a FireEye spokesperson said in an emailed statement.

The identity of the hackers remains unknown. It is also unclear whether the hackers' motivation behind launching the "Leak the Analyst" campaign was financial or to merely damage the reputation of the cybersecurity firm.

As part of the second leak, the hackers also posted a message on Pastebin, taunting FireEye. "Guess what, we're going to punish the lairs [sic], the fat riches who care only about their stock shares," the hackers wrote.

In their message, the hackers also gave "special thanks" to two other hacker groups – APT 28, aka Fancy Bear, the same Kremlin-linked group that is widely considered to be behind the US election hacking spree, as well as the Shadow Brokers, which made headlines after leaking NSA cyberweapons last year.

Motherboard reported that the second dump contained files relating to the Israeli Bank Hapoalim and a forensics report from an Israeli security firm Illusive Networks.

In an earlier blog published after the first leak, FireEye confirmed that the hackers stole data from one of its employees. The firm also said that the files leaked by the hackers were already publicly available. "A number of the screen captures created by the Attacker and posted online are misleading, and seem intentionally so. They falsely implied successful access to our corporate network, despite the fact that we identified only failed login attempts from the Attacker," FireEye previously said on its blog.

It is unclear whether the latest batch of data dumped by the hackers also came from the compromised account of the Mandiant employee. However, some in the infosec community on Twitter have speculated that the latest dump may also have come from the Mandiant employee's hacked accounts and that the hackers may just be "trolling."

"We continue to investigate this issue, and while we do not anticipate any significant new discoveries, we will update you if any relevant information emerges," FireEye told us. "We will continue to do all we can to address this matter and maintain the trust customers place in FireEye. This includes engaging law enforcement, as well as our team of investigators and security experts."