USDoD Hacktivists Claim to Have Leaked CrowdStrike’s Threat Actor List

USDoD, a hacktivist entity, claimed on BreachForums to have leaked CrowdStrike’s entire threat actor list and IOC list, posting a sample data file and a download link. The report notes USDoD’s history of exaggerating claims and its expansion from hacktivism and social-engineering-driven breaches into broader eCrime forums. Hashtags: #USDoD #BreachForums #CrowdStrike #ThreatActorList #IOCList #Falcon

Keypoints

  • On July 24, 2024, USDoD claimed on BreachForums to have leaked CrowdStrike’s entire threat actor list and IOC list.
  • The sample data was a CSV file with fields for adversary aliases, adversary status, last active date per adversary, region/country of origin, number of targeted industries, number of targeted countries, actor type and motivation.
  • In one example, the adversary alias field contained the same aliases as the Falcon platform, but listed in a different order.
  • The sample’s LastActive dates run only as far as June 2024, while the Falcon portal shows some actors active as recently as July 2024; the sample therefore looks like a snapshot taken before the most recent portal updates rather than live platform data.
  • USDoD also claimed to hold “two big databases from an oil company and a pharmacy industry (not from the USA)”; it is unclear whether these claims are related to the alleged CrowdStrike data.
  • USDoD has a history of exaggerating claims to boost its reputation within hacktivist and eCrime communities; it has conducted hacktivism and financially motivated breaches since 2020 and has been expanding into eCrime forums since January 2024.
  • Behaviors identified include social engineering and data leak/exfiltration; exaggeration of claims is a reputational pattern rather than an ATT&CK technique.
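The two checks above (order-insensitive alias comparison, and dating the sample by its LastActive values) are the kind of triage a defender runs when a leak is claimed against data they can already see. The following is an added example, not code from CrowdStrike or the original report: it parses a CSV in the described schema, compares alias sets regardless of order, and flags adversaries whose reference record is newer than the sample. The column names, actor names, aliases, dates and “reference” records are all constructed placeholders.

```python
import csv
import io
from datetime import date

# Constructed sample in the schema the report describes. Actor names, aliases
# and values are placeholders, not data from the alleged leak.
LEAK_SAMPLE_CSV = """Adversary,Aliases,Status,LastActive,Origin,TargetedIndustries,TargetedCountries,Type,Motivation
ACTOR ALPHA,"Alias One; Alias Two; Alias Three",Active,2024-06-12,Country X,7,12,Targeted Intrusion,Espionage
ACTOR BETA,"Alias Four; Alias Five",Active,2024-06-28,Country Y,4,9,eCrime,Financial
ACTOR GAMMA,Alias Six,Inactive,2023-11-03,Country Z,2,3,Hacktivist,Ideological
"""

# Constructed stand-in for what the defender sees in their own intel platform.
# Aliases are deliberately listed in a different order than in the sample.
REFERENCE_ALIASES = {
    "ACTOR ALPHA": ["Alias Three", "Alias One", "Alias Two"],
    "ACTOR BETA": ["Alias Five", "Alias Four"],
    "ACTOR GAMMA": ["Alias Six", "Alias Seven"],
}
REFERENCE_LAST_ACTIVE = {
    "ACTOR ALPHA": date(2024, 6, 12),
    "ACTOR BETA": date(2024, 7, 10),   # newer than the sample's 2024-06-28
    "ACTOR GAMMA": date(2023, 11, 3),
}


def parse_sample(text):
    """Parse the CSV into dicts with a typed LastActive date and an alias list."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["LastActive"] = date.fromisoformat(row["LastActive"].strip())
        row["Aliases"] = [a.strip() for a in row["Aliases"].split(";") if a.strip()]
        rows.append(row)
    return rows


def normalize(aliases):
    """Order- and case-insensitive form of an alias list for set comparison."""
    return frozenset(a.casefold() for a in aliases)


def compare_aliases(rows, reference):
    """Classify each adversary's alias set against the reference:
    'match' when the sets are identical regardless of order, 'partial' when
    they overlap, 'mismatch' when disjoint, 'missing' when the reference has
    no record for that adversary."""
    result = {}
    for row in rows:
        ref = reference.get(row["Adversary"])
        if ref is None:
            result[row["Adversary"]] = "missing"
            continue
        sample_set, ref_set = normalize(row["Aliases"]), normalize(ref)
        if sample_set == ref_set:
            result[row["Adversary"]] = "match"
        elif sample_set & ref_set:
            result[row["Adversary"]] = "partial"
        else:
            result[row["Adversary"]] = "mismatch"
    return result


def snapshot_bound(rows):
    """Latest LastActive in the sample. The data cannot have been exported
    before this day, so it is a lower bound on when the snapshot was taken."""
    return max(r["LastActive"] for r in rows)


def newer_in_reference(rows, reference_dates):
    """Adversaries whose reference LastActive is later than the sample's.
    A non-empty result argues for an older snapshot rather than live access."""
    return sorted(
        r["Adversary"]
        for r in rows
        if r["Adversary"] in reference_dates
        and reference_dates[r["Adversary"]] > r["LastActive"]
    )


if __name__ == "__main__":
    rows = parse_sample(LEAK_SAMPLE_CSV)
    print("alias comparison:", compare_aliases(rows, REFERENCE_ALIASES))
    print("sample cannot predate:", snapshot_bound(rows))
    print("reference is newer for:", newer_in_reference(rows, REFERENCE_LAST_ACTIVE))
```

Comparing aliases as sets rather than strings is what makes the “same aliases, different order” observation mechanical instead of a manual eyeball check; the date functions turn the June-versus-July observation into a reproducible bound on when the sample was taken.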

MITRE Techniques

  • [T1566] Phishing (closest ATT&CK mapping for the social engineering described) – “USDoD has utilized social-engineering tactics to access sensitive data.”
  • [TA0010] Exfiltration (tactic) – “USDoD claimed to have leaked CrowdStrike’s entire threat actor list and IOC list.” The report does not establish how the data was obtained or moved, so no specific exfiltration technique can be assigned.
  • Exaggeration of claims (not an ATT&CK technique; there is no valid technique ID for it) – “USDoD has a history of exaggerating claims to enhance their reputation within hacktivist and eCrime communities.”

Indicators of Compromise

  • [Forum post] BreachForums post (ST Post ID: 781235) – the post in which USDoD made the claim. This locates the claim; it is not a detection indicator.
  • [File] CSV sample data – described as containing adversary aliases, status, LastActive, region, target counts, type and motivation; no file hash is given here.
  • [URL] Download link for the alleged threat actor list – referenced by USDoD; the report does not reproduce the URL.
  • [Date/Time] LastActive timestamps – up to June 2024 in the sample versus as recent as July 2024 in the Falcon portal; useful for dating the snapshot, not for detection.

Read more: https://www.crowdstrike.com/blog/hacktivist-usdod-claims-to-have-leaked-threat-actor-list/