KrebsonSecurity Reports That FBI’s InfraGard Was Hacked
December 20, 2022
KrebsonSecurity reported on December 13 that the FBI’s InfraGard, a program run by the FBI to build cyber and physical threat information sharing partnerships with the private sector, has been hacked. The same story has been widely reported, but I am exercising care in this post because of our own involvement with InfraGard, so I am only reporting what is public.
As Krebs reported, the FBI saw its database of contact information on more than 80,000 members go up for sale on an English-language cybercrime forum. The hackers responsible were communicating directly with InfraGard members through the InfraGard portal online — using a new account under the assumed identity of a financial industry CEO that was vetted by the FBI itself.
As Krebs reported, “The FBI’s InfraGard program is supposed to be a vetted Who’s Who of key people in private sector roles involving both cyber and physical security at companies that manage most of the nation’s critical infrastructures — including drinking water and power utilities, communications and financial services firms, transportation and manufacturing companies, healthcare providers, and nuclear energy firms.”
“InfraGard connects critical infrastructure owners, operators, and stakeholders with the FBI to provide education, networking, and information-sharing on security threats and risks,” the FBI’s InfraGard fact sheet reads.
The FBI told Krebs it was aware of a potential false account associated with the InfraGard Portal and that it was actively looking into the matter.
“This is an ongoing situation, and we are not able to provide any additional information at this time,” the FBI said in a written statement.
KrebsOnSecurity contacted the seller of the InfraGard database, a Breached forum member who uses the handle “USDoD” and whose avatar is the seal of the U.S. Department of Defense.
USDoD said they gained access to the FBI’s InfraGard system by applying for a new account using the name, Social Security Number, date of birth and other personal details of a chief executive officer at a company that was highly likely to be granted InfraGard membership.
That CEO, who is now the head of a major U.S. financial corporation that has a direct impact on the creditworthiness of most Americans, told KrebsOnSecurity they were never contacted by the FBI seeking to vet an InfraGard application.
USDoD told KrebsOnSecurity their phony application was submitted in November in the CEO’s name, and that the application included a contact email address that they controlled — but also the CEO’s real mobile phone number.
“When you register they said that to be approved can take at least three months,” USDoD said. “I wasn’t expected to be approve[d].”
But USDoD did in fact receive approval. While the FBI’s InfraGard system requires multi-factor authentication by default, users can choose between receiving a one-time code via SMS or email.
“If it was only the phone I will be in [a] bad situation,” USDoD said. “Because I used the person[‘s] phone that I’m impersonating.”
USDoD said the InfraGard user data was easily available via an Application Programming Interface (API) built into several key components of the website that help InfraGard members connect and communicate with each other.
USDoD said after their InfraGard membership was approved, they asked a friend to code a script in Python to query that API and retrieve all available InfraGard user data.
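A defender-side check for the kind of bulk directory retrieval described above, as an added example that is not code from the original post or from the InfraGard platform: it reads API access logs and flags any account that fetches an unusual number of distinct member profiles within a short window. The log format, account names and thresholds are assumptions constructed for illustration.

```python
# Added example (not from the post or the InfraGard platform): flag an account
# that pulls an unusual number of distinct member profiles through a directory
# API within a short window. Log format, account names and thresholds are
# assumptions constructed for illustration.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log: timestamp, acting account, method, path.
SAMPLE_LOG = """\
2022-11-18T10:00:01Z acct=alice GET /api/members/1001
2022-11-18T10:00:09Z acct=alice GET /api/members/1042
2022-11-18T10:00:10Z acct=new_ceo GET /api/members/1
2022-11-18T10:00:11Z acct=new_ceo GET /api/members/2
2022-11-18T10:00:11Z acct=new_ceo GET /api/members/3
2022-11-18T10:00:12Z acct=new_ceo GET /api/members/4
2022-11-18T10:00:12Z acct=new_ceo GET /api/members/5
2022-11-18T10:00:13Z acct=new_ceo GET /api/members/6
2022-11-18T10:00:13Z acct=new_ceo GET /api/members/6
2022-11-18T10:30:00Z acct=bob GET /api/members/77
"""

def parse_line(line):
    """Split one log line into (datetime, account, member_id-or-None)."""
    ts, acct, _method, path = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    account = acct.split("=", 1)[1]
    prefix = "/api/members/"
    member_id = path[len(prefix):] if path.startswith(prefix) else None
    return when, account, member_id

def find_enumerators(log_text, window=timedelta(minutes=5), max_distinct=5):
    """Return {account: peak_distinct_profiles} for every account that read
    more than max_distinct different member profiles inside any window."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        when, account, member_id = parse_line(line)
        if member_id is not None:
            hits[account].append((when, member_id))
    flagged = {}
    for account, events in hits.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window so events[start..end] spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = len({m for _, m in events[start:end + 1]})
            if distinct > max_distinct:
                flagged[account] = max(distinct, flagged.get(account, 0))
    return flagged
```

Repeated reads of the same profile are counted once, so the check keys on breadth of access rather than raw request volume; a newly approved account tripping it is the signal worth reviewing.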
USDoD told Krebs that their $50,000 asking price for the InfraGard database may be a little high, given that it is a fairly basic list of people who are already very security-conscious. Also, only about half of the user accounts contain an email address, and most of the other database fields, such as Social Security Number and Date of Birth, are completely empty.
“I don’t think someone will pay that price, but I have to [price it] a bit higher to [negotiate] the price that I want,” they explained.
While the data exposed by the infiltration at InfraGard may be minimal, the user data might not have been the true objective.
USDoD said they were hoping the imposter account would last long enough for them to finish sending direct messages as the CEO to other executives using the InfraGard messaging portal.
I have no clue what USDoD is up to, but I imagine many individuals who are members of the FBI’s InfraGard are dismayed by the breach.
Sharon D. Nelson, Esq., President, Sensei Enterprises, Inc.
3975 University Drive, Suite 225, Fairfax, VA 22030
Email: Phone: 703-359-0700
Digital Forensics/Cybersecurity/Information Technology