Hackers Group Allegedly Leaked Threat Actor List from Crowdstrike With 250 Million IOC Data
Cyber Press researchers observed new activity in data leak forums, where a threat group known as USDoD claimed to have leaked CrowdStrike's threat actor tracking database.
CrowdStrike is a leading cybersecurity firm renowned for its threat intelligence and incident response.
The leaked database, highlighted in a thread on an infamous data leak forum, allegedly contains sensitive information.
USDoD has conducted both hacktivism and financially motivated breaches, primarily using social engineering tactics.
In addition, starting in January 2024, the threat actors have been trying to expand their cyber activities.
The Cyber Press team discovered that the list contains more than threat actors' identities. It also contains their most recent activity status, the crime motivation, the origin, the number of industries that the groups targeted, and more.
As threat actors often do, USDoD is exploiting current events for attention and gain. The actor also alleges that they obtained CrowdStrike's "entire IOC [indicators of compromise] list" with more than 250M indicators and intend to make it available "soon."
If genuine, the implications of such a leak are profound: it could compromise ongoing investigations and expose the methods used to track malicious actors.
What the Database Contains
The Cyber Press Team analyzed the allegedly leaked list of threat actor groups tracked by CrowdStrike. While the sample data had "LastActive" dates that went up to June 2024, the last-active dates shown for the same actors in the Falcon portal go up to July 2024, which suggests roughly when the data was obtained.
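The dating argument above (the newest "LastActive" value in a sample bounds the earliest time the snapshot could have been taken, and the live portal's newer dates bound it from the other side) can be turned into a small triage routine. The following is an added example, not code from the article or from CrowdStrike; the record layout, field names and all sample records are constructed for illustration, following the fields the article says the list contains (identity, activity status, motivation, origin, number of industries targeted). It also flags records that lack the advertised fields, since a sample that does not match the seller's own description is an early sign of a padded or fabricated dump.

```python
"""Triage a sample of a claimed threat-actor database dump.

Added example with a hypothetical schema and constructed records.
Two checks an analyst makes before treating a leak as genuine:
  1. do the records carry the fields the seller advertises?
  2. what is the newest LastActive timestamp? It bounds the earliest
     time the snapshot could have been taken; newer dates in the live
     portal bound it from the other side.
"""
import json
from datetime import date

# Fields the article says the list contains. The key names are assumed.
EXPECTED_FIELDS = frozenset(
    {"name", "status", "motivation", "origin", "industries_targeted", "LastActive"}
)

# Constructed sample dump, not real leaked data.
SAMPLE_DUMP = json.dumps([
    {"name": "ACTOR-A", "status": "Active", "motivation": "eCrime",
     "origin": "Unknown", "industries_targeted": 12, "LastActive": "2024-06-25"},
    {"name": "ACTOR-B", "status": "Active", "motivation": "Hacktivism",
     "origin": "Unknown", "industries_targeted": 3, "LastActive": "2024-05-30"},
    # Missing LastActive: a record that does not match the advertised schema.
    {"name": "ACTOR-C", "status": "Inactive", "motivation": "Targeted",
     "origin": "Unknown", "industries_targeted": 7},
])


def load_records(raw):
    """Parse a JSON array of records; skip anything that is not an object."""
    data = json.loads(raw)
    if not isinstance(data, list):
        raise ValueError("expected a JSON array of records")
    return [r for r in data if isinstance(r, dict)]


def schema_check(records):
    """Split records into those with every advertised field and those without."""
    complete, malformed = [], []
    for rec in records:
        missing = EXPECTED_FIELDS - rec.keys()
        (malformed if missing else complete).append(rec)
    return complete, malformed


def newest_last_active(records):
    """Newest LastActive date in the sample (ISO 8601 dates assumed)."""
    dates = [date.fromisoformat(r["LastActive"]) for r in records if "LastActive" in r]
    if not dates:
        raise ValueError("no LastActive values in sample")
    return max(dates)


def snapshot_window(records, portal_latest_iso):
    """Bound when the snapshot was taken.

    not_before: newest LastActive in the sample (the data is at least this new).
    not_after:  newest last-active date observed in the live portal.
    A live date older than the sample's newest date is inconsistent and is
    reported as an error rather than a window.
    """
    not_before = newest_last_active(records)
    not_after = date.fromisoformat(portal_latest_iso)
    if not_after < not_before:
        raise ValueError("live data is older than the sample; sample may be fabricated")
    return {
        "not_before": not_before.isoformat(),
        "not_after": not_after.isoformat(),
        "gap_days": (not_after - not_before).days,
    }


if __name__ == "__main__":
    recs = load_records(SAMPLE_DUMP)
    ok, bad = schema_check(recs)
    print(f"{len(ok)} records match the advertised schema, {len(bad)} do not")
    # Constructed portal observation date, standing in for the July 2024 value.
    print(snapshot_window(recs, "2024-07-15"))
```

Run as a script it reports one malformed record and a snapshot window of 2024-06-25 to 2024-07-15 for the constructed input; on a real sample, a wide gap between the two bounds, or a schema mismatch across many records, is the signal to weigh before anyone treats the seller's description as accurate.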
While the full extent of the data leak is still being assessed, initial reports suggest that the database includes:
In their post, USDoD also mentioned that they acquired two large databases, one from an oil company and another from a pharmaceutical company, neither of which is based in the USA. The connection between these claimed breaches and the alleged acquisition of CrowdStrike data remains unclear.
In response to this incident, CrowdStrike stated that USDoD has probably made false claims in the past to boost its reputation among hacktivists and e-crime networks.
Take USDoD's earlier assertions about a hack-and-leak operation he allegedly ran against a professional networking platform as an example: according to industry sources, the actor was actually just scraping the web for information rather than conducting a targeted intrusion.
Climbing Higher and Securing Tomorrow.
7mo Ugh.
Aspiring Cybersecurity Expert | Passionate About Safeguarding Digital Assets | Pursuing CompTIA Security+ Certification
7mo One can never be too careful. Even if you as a company or individual are sure about your level of security, are you sure about the personnel? That looks like the major leak waiting to be penetrated, knowingly or unknowingly. As much as we are equipping the machines, staff personnel need to do a lot better.
You can ensure a comprehensive and effective response to the incident, minimizing the impact and preventing future occurrences.
SOC Analyst at Novacoast
7mo Deja vu all over again -- remember FireEye? I wonder if "they" got their hands on more than databases. Like CS/Falcon's red team's tools...
Ending Cyber Risk@Arctic Wolf
7mo Ouch.