Hacker posted stolen material from Mandiant researcher in attempt to damage FireEye stock

The incident highlights how a hacker can stoke fears of a corporate breach to negatively affect the stock price of a specific, targeted company.
Mandiant, FireEye's incident response team, issued the warning. (Brice Daniels / Flickr)

A hacker broke into an Israeli-based security researcher’s personal email account one year ago, but waited until the day before his employer, U.S. cybersecurity firm FireEye, announced earnings to publish the stolen material in an effort designed to damage the company’s stock value, people familiar with the matter told CyberScoop.

While the investigation is ongoing, it’s believed that the attacker’s underlying motive was to cause financial and reputational damage to FireEye. The incident highlights how a hacker can stoke fears of a corporate breach to negatively affect the stock price of a specific, targeted company.

The attacker behind this widely publicized incident, dubbed operation “LeakTheAnalyst,” first started posting evidence on July 31 of breached email and social media accounts belonging to a single analyst who worked for Mandiant, a FireEye subsidiary. FireEye posted earnings for their second fiscal quarter the next day.

The hacker’s first message included a cache of documents, images and descriptions suggesting that Mandiant’s network had been penetrated. Evidence to back up this claim continues to be lacking, however.


FireEye CEO Kevin Mandia addressed the attack during an investors call on Aug. 1, stating “our investigation has found that no corporate network has been compromised.”

It’s unclear to what degree the #LeakTheAnalyst operation negatively impacted FireEye stock. The company’s stock is down about 4 percent from where it was on Aug. 31, but that drop could be linked to a wide array of factors.

Although the leak includes material that briefly mentions customer names, sensitive client information such as incident response reports or financial details weren’t included. In addition, some of the documents shared by the hacker had already been made public.

The leaked messages originally appeared on PasteBin, a web application where users can store plain text. They were quickly removed by site moderators upon posting.


An internal investigation by Mandiant found that the attacker “did not breach, compromise or access our corporate network, despite multiple failed attempts to do so” and “[some] documents released … were previously publicly available or were screen captures,” according to a FireEye blog post published on Aug. 7.

The hacker shared additional stolen documents on Monday, but the material appeared to be mostly benign and insignificant.

The second release contained a foreword by the hacker that reads: “It was funny seeing their frustration during these days. Trying to track us while keeping their shares value not to drop under $14 … we’re going to punish the lairs [sic], the fat riches who care only about their stock shares.”

It also appears as if the hacker may be leveraging a collection of anonymous Twitter accounts to circulate the leaked documents and attract press coverage — a tactic popularized by Russian operatives surrounding the 2016 U.S. presidential election. 


The U.S. Securities and Exchange Commission, the lead agency in charge of investigating stock manipulation schemes, declined to comment for this story.

Latest Podcasts