A hacker has breached an FBI program dedicated to critical infrastructure cybersecurity and is now selling access to its data on the dark web.
Security blogger Brian Krebs reports that InfraGard, an information-sharing program maintained by the bureau, was compromised earlier this month by a cybercriminal who goes by the moniker “USDoD.” After swiping an internal database that contained contact information for “tens of thousands” of InfraGard members, the hacker proceeded to post its contents for sale on the dark web marketplace “Breached,” where anybody can now buy the info for $50,000. The hacker told Krebs that the high price set for the data was a negotiating tactic: “I don’t think someone will pay that price, but I have to [price it] a bit higher to [negotiate] the price that I want,” they said.
InfraGard is an information-sharing network designed to allow high-level professionals both in and out of the government to collaborate on issues of cybersecurity and defense. InfraGard’s membership includes security pros from government agencies and major corporations and, on its website, it describes its mission like this:
InfraGard is a partnership between the Federal Bureau of Investigation (FBI) and members of the private sector for the protection of U.S. Critical Infrastructure. Through seamless collaboration, InfraGard connects owners and operators within critical infrastructure to the FBI, to provide education, information sharing, networking, and workshops on emerging technologies and threats.
In the field of cybersecurity, information-sharing is a popular way for institutions to help protect themselves and each other. Despite InfraGard’s stated mission, however, the FBI apparently missed the emerging threat of a hacker sifting through its own network.
“USDoD,” the hacker, claims that they gained entry to InfraGard’s protected environment by using a corporate executive’s stolen personal information. The hacker used the executive’s Social Security Number, birthday, and other info to file a phony application for inclusion in InfraGard’s membership (it’s unclear where the hacker got the exec’s info, but such data can also be purchased on the dark web). Within several weeks, the hacker’s application was accepted, apparently without much vetting by the FBI. Once granted access to the org’s internal environment, USDoD says they used a simple Python script aimed at one of the website’s Application Programming Interfaces (APIs) to call up and steal personal information on the other participating members.
As of Tuesday evening, USDoD’s phony account was apparently still active and hadn’t yet been terminated by the FBI. Krebs reports:
To prove they still had access to InfraGard as of publication time Tuesday evening, USDoD sent a direct note through InfraGard’s messaging system to an InfraGard member whose personal details were initially published as a teaser on the database sales thread. That InfraGard member, who is head of security at a major U.S. technology firm, confirmed receipt of USDoD’s message but asked to remain anonymous for this story.
Whether the data that USDoD stole is actually all that valuable remains an open question. Krebs writes that many of the accounts in the database are missing critical pieces of personal information, such as birthdays, Social Security Numbers, and email addresses.
When reached for comment by Gizmodo, InfraGard provided us with the same brief statement it had shared with Krebs: “This is an ongoing situation, and we are not able to provide any additional information at this time.”