Hacker Swipes FBI’s Info Sharing InfraGard Database of 80K Contacts
A hacker calling themselves “USDoD” has swiped tens of thousands of records from an internal database belonging to InfraGard, a Federal Bureau of Investigation (FBI) program for sharing cyber and physical threat information with the private sector.
Dark Web Lists Data for $50,000
The database, which contained names and contact information for InfraGard’s 80,000 members, has been put up for sale on the dark web for $50,000, said KrebsOnSecurity, which first reported the December 10, 2022 heist. The hacker told Krebs that they knew the price was likely too high to fetch a buyer, but that they had to price it a “bit higher…to [negotiate] the price I want.”
It is unclear whether the hacker’s ultimate goal is financial gain or access to bigger fish. USDoD told Krebs that they gained access to the FBI’s InfraGard system by applying for a new account in the name, and with the personal details, of a chief executive officer at a company that was highly likely to be granted InfraGard membership.
InfraGard is the FBI’s partnership program that connects critical infrastructure owners and operators and stakeholders in and out of government with the law enforcement agency to provide “education, networking, and information-sharing on security threats and risks,” according to the program’s website. InfraGard’s membership includes security professionals from government agencies and major corporations.
In a statement to Krebs, the FBI confirmed that it is aware of a potential false account associated with the InfraGard Portal and that it is investigating.
“This is an ongoing situation, and we are not able to provide any additional information at this time,” the FBI told Krebs in a written statement.
Hackers Impersonate CEO
Krebs said that the impersonated CEO, who apparently had nothing to do with the breach, heads a major U.S. financial corporation that assesses the creditworthiness of individuals. The CEO reportedly has yet to be contacted by the FBI to vet any InfraGard application.
USDoD told KrebsOnSecurity that their phony application was submitted in November in the CEO’s name, and that it listed a contact email address they controlled (so any confirmation sent to it would reach the attacker rather than the CEO) alongside the CEO’s real mobile phone number.
InfraGard warns applicants that approval can take at least three months, yet USDoD’s November application was approved in early December.
“When you register they said that to be approved can take at least three months,” USDoD said. “I wasn’t expected to be approve[d].”
USDoD told Krebs that they wanted the impostor account to remain active long enough for them to finish sending direct messages, posing as the CEO, to other executives through the InfraGard messaging portal.