The FBI got hacked, big-time. They “vetted” their attacker and now a “database of contact information on more than 80,000 members” is up for sale. Not just any “members,” InfraGard “is supposed to be a vetted Who’s Who of key people in private sector roles involving both cyber and physical security at companies that manage most of the nation’s critical infrastructures.” The hacker, calling himself “USDoD,” is asking $50,000 but he’s willing to consider any reasonable offer.
FBI vetted their intruder
You know the “InfraGard” program had to be doomed from the start, since it’s creators at the FBI couldn’t even spell “guard.” The Federal Bureau of Instigation built the “cyber and physical threat information sharing partnerships with the private sector.”
It was reported on December 12, by Krebs on Security, the bureau “saw its database of contact information on more than 80,000 members go up for sale on an English-language cybercrime forum.” Even more embarrassing, “the hackers responsible are communicating directly with members through the InfraGard portal online.”
All it took to get “root” from the FBI was “a new account under the assumed identity of a financial industry CEO.” The bureau trusted it because they vetted it. The CEO spoofed is “currently the head of a major U.S. financial corporation that has a direct impact on the creditworthiness of most Americans.” Sensitive data has been on the market since December 10.
That’s when “the relatively new cybercrime forum ‘Breached‘ featured a bombshell new sales thread: The user database for InfraGard, including names and contact information for tens of thousands of InfraGard members.” The FBI had been breached, alright. The stolen data is the real thing. USDoD “asked a friend to code a script in Python to query that API and retrieve all available InfraGard user data.”
The FBI wanted a quick way to contact “key people in private sector roles involving both cyber and physical security at companies that manage most of the nation’s critical infrastructures.”
They also wanted input from the people actually running “drinking water and power utilities, communications and financial services firms, transportation and manufacturing companies, healthcare providers, and nuclear energy firms.” InfraGard was born. USDOD loves their forum and tried to invite everyone to a conference.
DOD seal for an avatar
The hacker isn’t shy about what he did, explaining it all to Krebs, on the hacked forum itself. The FBI wishes he didn’t use a live member for an example.
“To prove they still had access to InfraGard as of publication time Tuesday evening, USDoD sent a direct message through InfraGard’s messaging system to an InfraGard member whose personal details were initially published as a teaser on the database sales thread.”
That member isn’t thrilled about being used as an intermediary and wants to stay anonymous. Especially because that member “is head of security at a major U.S. technology firm.” He confirmed to Krebs he got the message. It might have been Yoel Roth. If so, it would also explain why he suddenly went into hiding.
USDoD bragged how they “gained access” to the FBI system “by applying for a new account using the name, Social Security Number, date of birth and other personal details of a chief executive officer at a company that was highly likely to be granted InfraGard membership.” The only bogus part of the app was the email and he got approved.
The hacker had a word of advice for the FBI on future project design. “While the FBI’s InfraGard system requires multi-factor authentication by default, users can choose between receiving a one-time code via SMS or email.” The email option got him in the back door.
“If it was only the phone I will be in [a] bad situation. Because I used the person[‘s] phone that I’m impersonating.” Also, whoever vetted him is a slacker who didn’t even bother to call the exec to make sure he applied.