InfraGard, a program run by the U.S. Federal Bureau of Investigation (FBI) to build cyber and physical threat information sharing partnerships with the private sector, this week saw its database of contact information on more than 80,000 members go up for sale on an English-language cybercrime forum. Meanwhile, the hackers responsible are communicating directly with members through the InfraGard portal online, using a new account under the assumed identity of a financial industry CEO that was vetted by the FBI itself.
On Dec. 10, 2022, the relatively new cybercrime forum Breached featured a bombshell new sales thread: the user database for InfraGard, including names and contact information for tens of thousands of InfraGard members.
The FBI's InfraGard program is supposed to be a vetted Who's Who of key people in private sector roles involving both cyber and physical security at companies that manage most of the nation's critical infrastructures, including drinking water and power utilities, communications and financial services firms, transportation and manufacturing companies, healthcare providers, and nuclear energy firms.
"InfraGard connects critical infrastructure owners, operators, and stakeholders with the FBI to provide education, networking, and information-sharing on security threats and risks," the FBI's InfraGard fact sheet reads.
KrebsOnSecurity contacted the seller of the InfraGard database, a Breached forum member who uses the handle "USDoD" and whose avatar is the seal of the U.S. Department of Defense.
USDoD said they gained access to the FBI's InfraGard system by applying for a new account using the name, Social Security Number, date of birth and other personal details of a chief executive officer at a company that was highly likely to be granted InfraGard membership.
The CEO in question, currently the head of a major U.S. financial corporation that has a direct impact on the creditworthiness of most Americans, did not respond to requests for comment.
USDoD told KrebsOnSecurity their phony application was submitted in November in the CEO's name, and that the application included a contact email address that they controlled, but also the CEO's real mobile phone number.
"When you register they said that to be approved can take at least three months," USDoD said. "I wasn't expected to be approve[d]."
But USDoD said that in early December, their email address in the name of the CEO received a reply saying the application had been approved (see redacted screenshot to the right). While the FBI's InfraGard system requires multi-factor authentication by default, users can choose between receiving a one-time code via SMS or email.
"If it was only the phone I will be in [a] bad situation," USDoD said. "Because I used the person['s] phone that I'm impersonating."
USDoD said the InfraGard user data was made easily available via an Application Programming Interface (API) that is built into several key components of the website that help InfraGard members connect and communicate with each other.
USDoD said after their InfraGard membership was approved, they asked a friend to code a script in Python to query that API and retrieve all available InfraGard user data.
"InfraGard is a social media intelligence hub for high profile persons," USDoD said. "They even got [a] forum to discuss things."
KrebsOnSecurity shared with the FBI several screenshots and other information that may help isolate the imposter InfraGard account, but the agency declined to comment for this story.
To prove they still had access to InfraGard as of publication time Tuesday evening, USDoD sent a direct note through InfraGard's messaging system to an InfraGard member whose personal details were initially published as a teaser on the database sales thread.
That InfraGard member, who is head of security at a major U.S. technology firm, confirmed receipt of USDoD's message but asked to remain anonymous for this story.
USDoD acknowledged that their $50,000 asking price for the InfraGard database may be a tad high, given that it is a fairly basic list of people who are already very security-conscious. Also, only about half of the user accounts contain an email address, and most of the other database fields, like Social Security Number and Date of Birth, are completely empty.
"I don't think someone will pay that price, but I have to [price it] a bit higher to [negotiate] the price that I want," they explained.
While the data exposed by the infiltration at InfraGard may be minimal, the user data may not have been the true end game for the intruders.
USDoD said they were hoping the imposter account would last long enough for them to finish sending direct messages as the CEO to other executives using the InfraGard messaging portal. USDoD shared the following redacted screenshot from what they claimed was one such message, although they provided no additional context about it.
USDoD said in their sales thread that the guarantor for the transaction would be Pompompurin, the administrator of the cybercrime forum Breached. By purchasing the database through the forum administrator's escrow service, would-be buyers can theoretically avoid getting ripped off and ensure the transaction will be consummated to the satisfaction of both parties before money exchanges hands.
Pompompurin has been a thorn in the side of the FBI for years. Their Breached forum is widely considered to be the second incarnation of RaidForums, a remarkably similar English-language cybercrime forum shuttered by the U.S. Department of Justice in April. Prior to its infiltration by the FBI, RaidForums sold access to more than 10 billion consumer records stolen in some of the world's largest data breaches.
In November 2021, KrebsOnSecurity detailed how Pompompurin abused a vulnerability in an FBI online portal designed to share information with state and local law enforcement authorities, and how that access was used to blast out thousands of hoax email messages, all sent from an FBI email and Internet address.
This is a developing story. Updates will be noted here with timestamps.