An FBI cybersecurity portal has been hacked, with contact information on thousands of its members leaked on an illicit cybercriminal forum.
More than 80,000 users on the InfraGard portal are thought to have now had their contact information leaked, with hackers messaging members directly under an account posing as an FBI vetted CEO in finance.
InfraGard works with businesses to share information relating to cyberattacks and other threats.
CEO posing
Names and contact information of these members went up for sale on Breached, a new cybercriminal forum.
InfraGard vets its members, comprised of key people at cybersecurity companies that are contracted to handle the security of national institutions, such as water, utilities, transport, healthcare and nuclear energy. The aim is to educate both the FBI and firms on cybersecurity threats by exchanging information.
In responding to the matter, the FBI stated that “This is an ongoing situation, and we are not able to provide any additional information at this time”.
KrebsOnSecurity (opens in new tab) made contact with the seller on Breached, who claimed that they applied for an InfraGard account under the guise of a real CEO of a major creditworthiness firm.
They used their name, social security number, email address (which they also claimed they hacked) and phone number to fill out the application. The real CEO told KrebsOnSecurity that they never received contact from the FBI about the application.
Although not expecting to be accepted, the hacker received an email from InfraGard in early December that said they had indeed been approved.
InfraGard require multi-factor authentication, but users can choose to receive a one-time code by email instead of SMS. The hacker said that had they been forced to use only a phone, they would have been thwarted since they used the real phone number of the CEO, which they didn’t have access to.
To actually steal the database, they claimed they simply exploited an API in the portal that helps members connect to one another. They used a Python script to retrieve the data from it, which contained every user’s information.
Although the information they obtained is rather basic and in some instances incomplete, the hacker claimed that their real motive was to continue posing as a CEO and contact other InfraGard members, perhaps in the hopes of extracting more sensitive information.
The administrator of the Breached forum is Pompompurin, who has a history with the FBI. Last year, they exploited a vulnerability in another information sharing portal between the agency local law enforcements, gaining access to send copious amounts of spam emails from legitimate FBI email addresses and IPs.