FBI’s controlled information sharing network ‘InfraGard’ hacked – Krebs on security

InfraGard, a program run by the US Federal Bureau of Investigation (FBI) to build partnerships for sharing cyber and physical threat information with the private sector, had its database of contact information on more than 80,000 members put up for sale this week on an English-language cybercrime forum. Meanwhile, the hackers responsible are communicating directly with members through the InfraGard online portal, using a new account under the assumed identity of a financial industry CEO that was vetted by the FBI itself.

On December 10, 2022, the relatively new cybercrime forum Breached featured a bombshell new sales thread: the user database for InfraGard, including names and contact information for tens of thousands of InfraGard members.

The FBI’s InfraGard program is intended to be a vetted Who’s Who of key individuals in private sector roles involving both cyber and physical security at companies that manage most of the nation’s critical infrastructure — including drinking water and power plants, communications and financial services, transportation and manufacturing companies, healthcare personnel and nuclear power companies.

“InfraGard connects critical infrastructure owners, operators and stakeholders with the FBI to provide education, networking and information sharing about security threats and risks,” the FBI’s InfraGard fact sheet states.

KrebsOnSecurity contacted the seller of the InfraGard database, a Breached forum member using the handle “USDoD” whose avatar is the seal of the United States Department of Defense.

USDoD’s InfraGard sales thread on Breached.

The USDoD said it gained access to the FBI’s InfraGard system by applying for a new account using the name, social security number, date of birth and other personal details of a CEO of a company that was likely to be granted InfraGard membership.

The CEO in question – currently the head of a major US financial company that has a direct impact on the creditworthiness of most Americans – did not respond to requests for comment.

The USDoD told KrebsOnSecurity that their fake application was submitted in November in the CEO’s name, and that the application included a contact email address that they verified — but also the CEO’s real cell phone number.

“When you register, they said it can take at least three months to be approved,” the USDoD said. “I was not expected to be approve[d].”

But the USDoD said that in early December, their email address in the name of the CEO received a reply saying the application had been approved (see redacted screenshot at right). While the FBI’s InfraGard system requires multifactor authentication by default, users can choose to receive a one-time code via SMS or email.

“If it was just the phone I’d be in [a] bad situation,” the USDoD said. “Because I used the person[’s] phone that I am pretending to be.”

The USDoD said the InfraGard user data was made readily available via an Application Programming Interface (API) embedded in several key components of the website that help InfraGard members connect and communicate with each other.

The USDoD said after their InfraGard membership was approved, they asked a friend to code a script in Python to query that API and retrieve all available InfraGard user data.
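Bulk retrieval of a member directory through a portal API, as described above, is visible in the portal's own access logs. The following is an added example (not code from the article, from InfraGard or from the FBI) that flags any account fetching an unusual number of distinct member profiles within a sliding time window; the log format, usernames, paths and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed access-log lines in a hypothetical format; "alice" browses a
# couple of profiles, "impostor" walks 120 sequential member IDs in two minutes.
SAMPLE_LOG = [
    "2022-12-03T14:00:01Z user=alice GET /api/members/10021",
    "2022-12-03T14:00:09Z user=alice GET /api/members/10021",  # repeat, not a new ID
    "2022-12-03T14:02:40Z user=alice GET /api/members/10418",
] + [
    f"2022-12-03T14:{5 + i // 60:02d}:{i % 60:02d}Z user=impostor GET /api/members/{20000 + i}"
    for i in range(120)
]

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) GET /api/members/(?P<member>\d+)$")


def parse(line):
    """Return (timestamp, user, member_id) or None for lines that are not profile fetches."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["user"], m["member"]


def detect_enumeration(lines, window_seconds=600, max_distinct=50):
    """Map each offending user to the peak number of distinct member profiles it
    fetched inside any sliding window of window_seconds (only if above max_distinct)."""
    recent = defaultdict(deque)                      # per user: (ts, member) still in window
    counts = defaultdict(lambda: defaultdict(int))   # per user: member -> hits in window
    alerts = {}
    for ts, user, member in sorted(filter(None, (parse(l) for l in lines))):
        q, c = recent[user], counts[user]
        q.append((ts, member))
        c[member] += 1
        while q and (ts - q[0][0]).total_seconds() > window_seconds:  # evict old requests
            _, old = q.popleft()
            c[old] -= 1
            if c[old] == 0:
                del c[old]
        if len(c) > max_distinct:
            alerts[user] = max(alerts.get(user, 0), len(c))
    return alerts


if __name__ == "__main__":
    for user, peak in detect_enumeration(SAMPLE_LOG).items():
        print(f"ALERT: {user} fetched {peak} distinct member profiles within 10 minutes")
```

In a real deployment the same signal would be fed by the API gateway's logs, and a per-account rate limit on the member endpoint stops the scrape rather than only reporting it.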

“InfraGard is a social media intelligence center for high-profile individuals,” the USDoD said. “They even got [a] forum to discuss things.”

KrebsOnSecurity shared with the FBI several screenshots and other data that may help isolate the fraudulent InfraGard account, but the agency declined to comment for this story.

To prove that it still had access to InfraGard as of the time of publication Tuesday evening, the USDoD sent a direct memo through InfraGard’s messaging system to an InfraGard member whose personal details were originally published as a teaser on the database sales thread.

The InfraGard member, who is the chief security officer of a major US technology firm, confirmed receipt of the USDoD’s message but asked to remain anonymous for this story.

The USDoD acknowledged that their $50,000 asking price for the InfraGard database may be a little high, given that it’s a fairly basic list of people who are already very security conscious. Also, only about half of the user accounts contain an email address, and most of the other database fields – such as social security number and date of birth – are completely blank.

“I don’t think anyone will pay that price, but I have to [price it] a little higher [negotiate] the price I want,” they explained.

While the data exposed by the InfraGard infiltration may be minimal, user data may not have been the true endgame for the attackers.

The USDoD said it hoped the impostor account would last long enough for it to send direct messages as the CEO to other executives using the InfraGard messaging portal. The USDoD shared the following redacted screenshot from what they claimed was such a message, though they didn’t provide any additional context about it.

A screenshot shared by the USDoD showing a message thread in the FBI’s InfraGard system.

The USDoD said in its sales thread that the guarantor for the transaction would be Pompompurin, the administrator of the cybercrime forum Breached. By purchasing the database through the forum administrator’s escrow service, potential buyers can theoretically avoid being ripped off and ensure that the transaction is completed to both parties’ satisfaction before money changes hands.

Pompompurin has been a thorn in the side of the FBI for years. Their Breached forum is considered to be the second incarnation of RaidForums, a remarkably similar English-language cybercrime forum that was shut down by the US Department of Justice in April. Before it was infiltrated by the FBI, RaidForums sold access to more than 10 billion consumer records stolen in some of the world’s largest data breaches.

In November 2021, KrebsOnSecurity described how Pompompurin abused a vulnerability in an FBI web portal designed to share information with state and local law enforcement authorities, and how that access was used to send out thousands of fake emails, all sent from an FBI email address and Internet address.

This is a developing story. Updates will be noted here with time stamps.
