InfraGard: Data of 80k members stolen and sold on Darknet

12/16/2022 | Darknet News, USA

According to reports, a hacker using the pseudonym “USDoD” acquired the contact information of more than 80,000 participants in the FBI program InfraGard and posted it for sale on an English-speaking Dark Web site.

According to KrebsOnSecurity, which broke the story this week, the data the hacker obtained from InfraGard’s database appears to be extremely basic and in some cases does not even include an email address. But the people it describes are the CISOs, security directors, IT and C-suite executives, medical experts, emergency managers, and law enforcement and military officials who are directly in charge of safeguarding the essential infrastructure of the US.

According to Chris Pierson, a former member of InfraGard and the CEO of BlackCloak, an online privacy-protection firm for top executives and corporate leaders, the stolen data is therefore a useful resource for adversaries.

Any intelligence agency or nation-state would benefit greatly from having access to the InfraGard database of contacts, according to Pierson. In terms of sensitivity, the exposed data pales in comparison to significant breaches like the one that the US Office of Personnel Management (OPM) announced in 2015. However, he claims that from the standpoint of an attacker, it is incredibly useful and simple to employ.

Information is immensely valuable

“While much of the information may be public or publicly available, the condensing of this information into the key people who run our nation’s critical infrastructure is immensely valuable,” Pierson notes. Personal addresses, personal cell phones, and easy access to which members possess a security clearance are all key pieces of data for an adversary to have, he says.

The FBI describes InfraGard as an initiative to bolster the nation’s collective ability to defend against physical and cyber threats to critical infrastructure targets. It basically connects the FBI directly with critical infrastructure owners, operators, and security stakeholders. Its members include key security personnel and decision-makers from all 16 US civilian critical infrastructure sectors.

According to KrebsOnSecurity, the hacker “USDoD” first applied for a new account using the identity, birthdate, and Social Security number of a chief executive officer at a significant financial services company. This gave him access to the InfraGard database.

According to reports, the hacker submitted an application for InfraGard membership in November and included contact details such as the CEO’s genuine phone number together with an attacker-controlled email address.

OPSEC Failure

According to KrebsOnSecurity, InfraGard was meant to have verified that information but never did, and instead approved the application based on the data the hacker had provided. Similarly, the hacker discovered he could use the attacker-controlled email address as the second factor for InfraGard’s portal login rather than a phone-based second factor, which removed any need for access to the real CEO’s phone.

According to KrebsOnSecurity, which cited a direct interaction with the attacker, once on the portal the attacker found that InfraGard user information could be accessed rather readily through an API built into numerous website components. The hacker then reportedly hired a friend to write a Python script that used the API to pull all available InfraGard member data. According to KrebsOnSecurity, the attacker set a $50,000 asking price for the stolen dataset but did not actually expect any takers at that price, given the information’s basic nature.
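The scraping described above leaves a distinctive trace in web-access logs: one authenticated session pulling far more member records than a person browsing a directory would, often walking record IDs in order. The following detector is an added example written for this article; it is not code from KrebsOnSecurity, InfraGard or the attacker. The log line format, the endpoint path `/api/members/<id>`, the session identifiers, and the thresholds are all assumptions, and the log lines are constructed inline.

```python
"""Flag sessions that bulk-enumerate member records through a directory API.

Added example, not from the article or InfraGard. Reads access-log lines in
an assumed format, counts distinct member records fetched per session inside
a sliding window, and reports sessions whose volume or ID pattern looks like
a script rather than a person.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed log format: "<ISO-8601 UTC> session=<id> GET /api/members/<member-id> <status>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) session=(?P<session>\S+) GET /api/members/(?P<member>\d+) (?P<status>\d{3})$"
)
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

WINDOW = timedelta(minutes=5)
MAX_RECORDS_PER_WINDOW = 20   # assumed threshold: more distinct records than this per window is suspicious
SEQUENTIAL_RATIO = 0.9        # assumed: fraction of fetches that hit (previous id + 1) before we call it a walk
MIN_STEPS_FOR_WALK = 10       # assumed: do not judge ID patterns on very short sessions


def parse_line(line):
    """Return (timestamp, session, member_id, status) or None for unrelated lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], TS_FMT).replace(tzinfo=timezone.utc)
    return ts, m["session"], int(m["member"]), int(m["status"])


def analyse(lines):
    """Map suspicious session id -> list of human-readable reasons."""
    per_session = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or parsed[3] != 200:   # only successful record reads count
            continue
        ts, session, member, _ = parsed
        per_session[session].append((ts, member))

    findings = {}
    for session, events in per_session.items():
        events.sort()                              # chronological order
        # Peak number of distinct member records fetched inside any WINDOW-long span.
        peak, start = 0, 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > WINDOW:
                start += 1
            peak = max(peak, len({m for _, m in events[start:end + 1]}))
        # Share of consecutive fetches that simply incremented the member id.
        steps = [b[1] - a[1] for a, b in zip(events, events[1:])]
        seq_ratio = sum(1 for s in steps if s == 1) / len(steps) if steps else 0.0

        reasons = []
        if peak > MAX_RECORDS_PER_WINDOW:
            reasons.append(f"{peak} distinct member records within {WINDOW}")
        if len(steps) >= MIN_STEPS_FOR_WALK and seq_ratio >= SEQUENTIAL_RATIO:
            reasons.append(f"{seq_ratio:.0%} of fetches walk consecutive member IDs")
        if reasons:
            findings[session] = reasons
    return findings


def make_sample_log():
    """Constructed sample: one ordinary session and one scripted enumeration."""
    base = datetime(2022, 11, 20, 10, 0, 0, tzinfo=timezone.utc)
    lines = []
    # An ordinary member looking up three colleagues over ten minutes.
    for offset, member in ((0, 5120), (240, 8831), (600, 2207)):
        t = (base + timedelta(seconds=offset)).strftime(TS_FMT)
        lines.append(f"{t} session=normal01 GET /api/members/{member} 200")
    # A script pulling 60 consecutive records at one request per second.
    for i in range(60):
        t = (base + timedelta(seconds=i)).strftime(TS_FMT)
        lines.append(f"{t} session=script77 GET /api/members/{1000 + i} 200")
    return lines


if __name__ == "__main__":
    for session, reasons in analyse(make_sample_log()).items():
        print(session, "->", "; ".join(reasons))
```

Run on the constructed sample, the script session is reported for both volume and the sequential-ID pattern while the ordinary session is not. In a real deployment the thresholds would be tuned against baseline directory usage, and the same per-session counting can be enforced inline as a rate limit on the API rather than only reviewed after the fact.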

“Although I have full faith InfraGard leadership has a stronger grasp of the facts than I do from the outside, the radio silence to date makes me uneasy as a potentially impacted professional,” he says.

The FBI did not provide any comments.