Threat group USDoD claims to leak CrowdStrike threat actor database
The threat group USDoD posted on a dark web forum on July 24th to claim they have obtained a large database of threat actors compiled by CrowdStrike. So far, the threat actor has released only a small sample of the data, but the forum post claims that over 250 million records have been exposed. Such a database could provide information on the aliases, recent activities, origins, and motivations of various cybercriminal groups and state-sponsored actors.
Key data points from the alleged leak:
- Total Listed Actors: 228
- Main Types of Actors: eCrime (Criminal), State-Sponsored, Hacktivism
- Top Countries of Origin for Actors: Russian Federation, China, Iran
- Most Targeted Industries: Technology, Government, Healthcare, Energy
- Most Targeted Countries: United States, United Kingdom, Germany, Canada, France
It should be noted that the alleged database leak appears to have been scraped via a breached CrowdStrike client, rather than taken from CrowdStrike itself. And despite the claim from USDoD, there seems to be less to this ‘database leak’ than they would like the cybercrime community to believe.
Is the claim accurate?
According to a statement from CrowdStrike, the data being ‘leaked’ by USDoD is actually freely available to thousands of their customers. They say that the data supposedly being ‘exposed’ by USDoD is in fact already available to users in the Falcon platform. At present, it’s unclear what the post means regarding ‘two big dbs from a oil company and pharmacy industry.’ So, while the dark web post may indeed have a database available for download, it’s not quite the bombshell that this story could at first appear to be.
Victor Acin, Labs Manager at Outpost24’s KrakenLabs, said: “At first glance, a leak like this looks significant and highlights the scale of malicious operations the cybersecurity community is up against. However, on closer inspection, this claim does not appear to be as impactful as the threat group are making out.
“Then why make the claim at all? Threat groups will sometimes exaggerate what they’ve done in order to boost their reputation within cybercrime communities and on the underground marketplaces they operate in. Claiming to have breached a big player in the cybersecurity industry like CrowdStrike helps get their own name out there.”
Who are USDoD?
This isn’t the first time an individual or group posting as USDoD has been linked to a database leak over the past few years. In 2023 they posted stolen data from TransUnion, uploading a 3GB database claiming to contain the personally identifiable information (PII) of 58,505 individuals.
Keep up with the latest Threat Intelligence
Outpost24’s Threat Context lets you monitor global hacktivism operations, track your organization’s footprint on the dark web, and gain contextual intelligence around threat actors and their campaigns. Get in touch to arrange a live demo.