This week, a database of contact information for more than 80,000 members of InfraGard, a project established by the U.S. Federal Bureau of Investigation (FBI) to establish partnerships with the private sector for the exchange of information about cyber and physical threats, was put up for sale.
“The hackers responsible are communicating directly with members through the InfraGard portal online — using a new account under the assumed identity of a financial industry CEO that was vetted by the FBI itself”, reported KrebOnSecurity.
The Specifics of the Hack
The user database for InfraGard, which contained the names and contact details of tens of thousands of InfraGard members, was advertised for sale in a shocking new thread on the relatively recent cybercrime site Breached on December 10, 2022.
“InfraGard connects critical infrastructure owners, operators, and stakeholders with the FBI to provide education, networking, and information-sharing on security threats and risks,” the FBI’s InfraGard fact sheet reads.
The FBI stated that it is aware of a potential false account associated with the InfraGard Portal and that it is actively looking into the matter.
“This is an ongoing situation, and we are not able to provide any additional information at this time,” the FBI said in a written statement.
According to the reports, the seller of the InfraGard database is a Breached forum user with the handle “USDoD” with the U.S. Department of Defense seal as his avatar.
Also, the USDoD said that they were able to access the InfraGard system of the FBI by applying for a new account using the name, Social Security Number, birth date, and other personal information of the chief executive officer of a company that was very likely to be accepted as an InfraGard member.
USDoD told KrebsOnSecurity their phony application was submitted in November in the CEO’s name, and that the application included a contact email address that they controlled — but also the CEO’s real mobile phone number.
The Application Programming Interface (API), which is integrated into various important parts of the website that enable InfraGard members to connect and communicate with one another, is how USDoD claimed the InfraGard user data was made easily accessible.
Notably, after their InfraGard membership was granted, they asked a friend to write a Python script to query that API and retrieve every piece of InfraGard user data that was accessible.
“InfraGard is a social media intelligence hub for high profile persons,” USDoD said. “They even got [a] forum to discuss things.”
Reports say given that it is a fairly basic list of people who are already quite security-conscious, the USDoD acknowledged that their $50,000 asking price for the InfraGard database may be a bit high.
Further, the majority of the other database entries, such as Social Security Number and Date of Birth, are empty, and only roughly half of the user accounts have an email address.
USDoD said that the sale of the database is covered by the escrow service offered by the Breached administrator Pompompurin.
Pompompurin has been a thorn in the side of the FBI for years. Their Breached forum is widely considered to be the second incarnation of RaidForums, a remarkably similar English-language cybercrime forum shuttered by the U.S. Department of Justice in April.
The FBI’s inadequate cybersecurity measures were exposed by the attack; the US agency informed Krebs that it is aware of a possible phoney account connected to InfraGard.
“This is an ongoing situation, and we are not able to provide any additional information at this time,” reads the statement shared by the FBI.
Penetration Testing As a Service – Download Red Team & Blue Team Workspace