FBI Private Sector Cyberthreat Reporting Database Hacked By Apparently Unreported Cyberthreat

by Tim Cushing, from Techdirt (#671NH)

Is this irony? It kind of seems like it is. Maybe it isn't. It could just be a coincidence. An extremely unfortunate, ironic coincidence.

Whatever it is, it doesn't look good for the FBI, which encouraged pretty much every private company to register as reporting entities so the FBI could (theoretically, it appears) respond to reported security threats.

The FBI wants to be part of the cyber Pearl Harbor discussion. Here's its latest contribution to that conversation, as first reported by Brian Krebs.

InfraGard, a program run by the U.S. Federal Bureau of Investigation (FBI) to build cyber and physical threat information sharing partnerships with the private sector, this week saw its database of contact information on more than 80,000 members go up for sale on an English-language cybercrime forum. Meanwhile, the hackers responsible are communicating directly with members through the InfraGard portal online - using a new account under the assumed identity of a financial industry CEO that was vetted by the FBI itself.

Trust, but don't even bother verifying, I guess. That's how they - and by "they," I mean the hacker referring to themselves as "USDoD" - get you. A portal for private companies to report threats has been compromised using nothing more than credentials that have likely been floating around the web (dark or otherwise) for some time now.

USDoD said they gained access to the FBI's InfraGard system by applying for a new account using the name, Social Security Number, date of birth and other personal details of a chief executive officer at a company that was highly likely to be granted InfraGard membership.

The CEO in question - currently the head of a major U.S. financial corporation that has a direct impact on the creditworthiness of most Americans - told KrebsOnSecurity they were never contacted by the FBI seeking to vet an InfraGard application.

With access obtained, the breach began. USDoD asked a "friend" to create a script that would pull all available user data from the database, which apparently had no defensive methods in place to thwart the script, or any siloing in place to ensure one user's approved access wouldn't allow them to obtain other users' information.

In an effort to increase collaboration between private sector contributors (if not the FBI itself, although there doesn't appear to be any actual FBI data/communications included in the hacking haul), InfraGard acted as a quasi-social media hub to allow private companies to share info with each other. That connectivity apparently contributed to the easy exfiltration of data, albeit data of disputable value.

USDoD acknowledged that their $50,000 asking price for the InfraGard database may be a tad high, given that it is a fairly basic list of people who are already very security-conscious. Also, only about half of the user accounts contain an email address, and most of the other database fields - like Social Security Number and Date of Birth - are completely empty.

While the eventual sale of this data will put USDoD in the black, the ultimate end game may not be the easily-absconded-with user data. The hacker is taking full advantage of this impersonation to contact private sector participants in hopes of securing additional data and/or credentials usable for bigger and better data heists.

The FBI has responded to these reports with a no comment.

"This is an ongoing situation, and we are not able to provide any additional information at this time," the FBI said in a written statement.

It's a shame the FBI wasn't aware of this before being contacted by people who don't work for the FBI. If the agency wants the private sector to trust it with its threat reports and data, it needs to be ahead of things like this, rather than simply refusing to talk about incidents it should have been more proactive about.

But spending tax dollars on "cyber security furniture" only buys so much competence. While it's essential private sector contributors are able to share information easily with each other, a breach like this will only encourage them to cut the FBI out of the loop. There are obviously more secure channels for communication about these issues. Allowing a hacker to make off with critical data suggests the FBI is not only failing to fully vet contributors to its cyber security marketplace of ideas, but failing to ensure the private companies it hires to provide solutions are capable of meeting the demands of the job.
