A hacker who reportedly posed as the chief executive of a financial institution claims to have obtained access to the more than 80,000-member database of InfraGard, an FBI-run outreach program that shares sensitive information on national security and cybersecurity threats with public officials and private sector individuals who run U.S. critical infrastructure.
The hacker posted samples purportedly from the database to an online forum popular with cybercriminals last weekend and said the asking price for the entire database was $50,000.
The hacker made the disclosures to independent cybersecurity journalist Brian Krebs, who broke the story. The hacker called the vetting process surprisingly lax.
The FBI did not immediately respond to a request for comment from The Associated Press. Krebs reported that the agency told him it was aware of a potential false account and was looking into the matter.
InfraGard’s members include business leaders, information technology professionals, and officials of the military, state and local law enforcement, and the government who are involved in overseeing the safety of such things as the electrical grid, transportation, health care, pipelines, nuclear reactors, the defense industry, dams, water plants and financial services. Founded in 1996, it is the FBI’s largest public-private partnership, with local alliances affiliated with all its field offices. It regularly shares threat advisories from the FBI and the Department of Homeland Security and serves as a behind-closed-doors social media site for select insiders.
The database has the names, affiliations and contact information of tens of thousands of InfraGard users. Krebs first reported its theft on Tuesday.
The hacker, going by the username USDoD on the BreachForums site, said on the site that records of only 47,000 of the forum’s members — slightly more than half — include unique emails. The hacker also posted that the data contained neither Social Security numbers nor dates of birth. Although fields existed in the database for that information, InfraGard’s security-conscious users had left them blank.
However, the hacker, according to Krebs, claimed to have been messaging InfraGard members, posing as the financial institution’s CEO, to try to obtain more personal data that could be criminally weaponized.
The AP reached the hacker on the BreachForums site via private message. The person would not say whether a buyer for the records had been found or answer other questions, but did say that Krebs’ article “was 100% accurate.”
The FBI did not immediately respond to an email seeking comment on how the hacker was able to trick it into approving the InfraGard membership. Krebs reported that the hacker had included a contact email address under the person’s control, as well as the CEO’s real mobile phone number, when applying for InfraGard membership in November.
Krebs quoted the hacker as saying InfraGard approved the application in early December and the email account was used to receive a one-time authentication code.
Once inside, the hacker said, the database information was easy to obtain with simple software script.