In Boston, a hacker, who allegedly impersonated the CEO of a financial institution, claims to have gained access to the database of InfraGard, an FBI-managed outreach program. InfraGard, with a membership exceeding 80,000, shares sensitive information about national security and cybersecurity threats with public officials and private sector entities managing U.S. critical infrastructure. The hacker reportedly posted samples from the database on a cybercriminals’ forum last weekend, asking $50,000 for the entire database.
The hacker reportedly gained access to InfraGard’s online portal by impersonating the CEO of a financial institution, according to independent cybersecurity journalist Brian Krebs, who first reported the story. The hacker described the verification process as surprisingly lax.
The FBI has not commented on the matter. However, Krebs reported that the agency confirmed its awareness of a potential false account and was investigating the issue.
InfraGard’s membership is a virtual who’s who of critical infrastructure, including business leaders, IT professionals, military personnel, state and local law enforcement, and government officials responsible for the safety of everything from the electrical grid and transportation to healthcare, pipelines, nuclear reactors, the defense industry, dams, water plants, and financial services. Established in 1996, InfraGard is the FBI’s largest public-private partnership, with local alliances affiliated with all its field offices. It regularly shares threat advisories from the FBI and the Department of Homeland Security and serves as a private social media site for select insiders.
The database contains names, affiliations, and contact information for tens of thousands of InfraGard users. Krebs first reported its theft on Tuesday.
The hacker, using the username USDoD on the BreachForums site, stated that records of only 47,000 of the forum’s members – slightly more than half – include unique emails. The hacker also posted that the data did not contain Social Security numbers or dates of birth. Although fields existed in the database for that information, InfraGard’s security-conscious users had left them blank.
However, the hacker told Krebs that they had been messaging InfraGard members, posing as the financial institution’s CEO, to try to obtain more personal data that could be used for criminal purposes.
The AP contacted the hacker on the BreachForums site via private message. They would not say whether they had found a buyer for the stolen records or answer other questions. But they did confirm that Krebs’ article “was 100% accurate.”
The FBI did not provide an explanation for how the hacker was able to trick it into approving the InfraGard membership. Krebs reported that the hacker had included a contact email address that they controlled – as well as the CEO’s real mobile phone number – when applying for InfraGard membership in November.
Krebs quoted the hacker as saying InfraGard approved the application in early December and that they were able to use the email to receive a one-time authentication code.
Once inside, the hacker said, the database information was easy to obtain with a simple software script.