A database of contact information from InfraGard, the FBI's vetted information-sharing program whose members include private-sector people responsible for both cyber and physical security at critical organisations, has gone up for sale on a cybercrime forum called Breached for $50,000.
The database went on sale on December 10 and includes names and contact information for tens of thousands of InfraGard members. The attacker, known on the forum as USDoD, claimed to have gained access by applying for a new membership using the name, Social Security Number, date of birth and other personal details of the CEO of a major US financial corporation, someone whose application was likely to be accepted into the program.
KrebsOnSecurity reports that the attacker told them they applied for membership in November under the CEO's name with an email address that they controlled. The phone number on the application, however, was the CEO's real one.
In early December the FBI contacted the applicant at the attacker-controlled email address listed on the application. The InfraGard portal does require two-factor authentication, but it lets users choose whether the one-time code is delivered by email or to their phone. USDoD chose email, received the 2FA code at the address they controlled, and gained access to the program. The second factor was therefore bound to the one contact detail the applicant had supplied themselves rather than to the verified phone number.
Once inside, the account had access to an API used by several components of the InfraGard website to let members look up and contact one another. The attacker had a friend write a Python script that queried the API for every available record, producing the database now on sale.
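The scraping described above is what a defender would want to catch on the API side. The following is an added example, not InfraGard's or the FBI's code, that flags an account bulk-reading a member-directory API from constructed access-log lines. The log format, the `/api/members/<id>` endpoint path, the account ids and the thresholds are all assumptions made for illustration.

```python
"""
Added example (not InfraGard's code): detect a single account enumerating a
member-directory API, the pattern described in the article. Log format, endpoint
path, account ids and thresholds are assumptions for illustration only.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines (not real InfraGard logs). Assumed format:
# ISO timestamp, account id, HTTP method, path, HTTP status.
SAMPLE_LOG = """\
2022-12-01T10:00:01Z acct-1042 GET /api/members/2201 200
2022-12-01T10:00:02Z acct-1042 GET /api/members/2202 200
2022-12-01T10:00:02Z acct-1042 GET /api/members/2203 200
2022-12-01T10:00:03Z acct-1042 GET /api/members/2204 200
2022-12-01T10:00:03Z acct-1042 GET /api/members/2205 200
2022-12-01T10:00:04Z acct-1042 GET /api/members/2206 200
2022-12-01T10:00:04Z acct-1042 GET /api/members/2207 200
2022-12-01T10:00:05Z acct-1042 GET /api/members/2208 200
2022-12-01T10:00:05Z acct-1042 GET /api/members/2209 200
2022-12-01T10:00:06Z acct-1042 GET /api/members/2210 200
2022-12-01T10:00:06Z acct-1042 GET /api/members/2211 200
2022-12-01T10:00:07Z acct-1042 GET /api/members/2212 200
2022-12-01T10:03:10Z acct-0077 GET /api/members/5120 200
2022-12-01T10:09:41Z acct-0077 GET /api/members/333 200
2022-12-01T10:15:05Z acct-0077 GET /api/messages/inbox 200
"""

WINDOW = timedelta(seconds=60)
MAX_DISTINCT_PER_WINDOW = 10   # assumed threshold: a human rarely opens 10 profiles a minute
MEMBER_PREFIX = "/api/members/"  # assumed path of the per-member lookup endpoint


def parse_line(line):
    """Split one log line into (timestamp, account, member_id or None)."""
    ts, acct, _method, path, _status = line.split()
    member_id = None
    if path.startswith(MEMBER_PREFIX):
        tail = path[len(MEMBER_PREFIX):]
        if tail.isdigit():
            member_id = int(tail)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), acct, member_id


def longest_sequential_run(ids):
    """Longest run where each id is exactly the previous id plus one.
    Consecutive ids are a sign of scripted enumeration rather than a
    person clicking through search results."""
    best = run = 1 if ids else 0
    for a, b in zip(ids, ids[1:]):
        run = run + 1 if b == a + 1 else 1
        best = max(best, run)
    return best


def find_enumerators(log_text, window=WINDOW, max_distinct=MAX_DISTINCT_PER_WINDOW):
    """Return {account: {...}} for accounts that fetched at least `max_distinct`
    different member records inside any sliding window of length `window`."""
    lookups = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, acct, member_id = parse_line(line)
        if member_id is not None:
            lookups[acct].append((ts, member_id))

    flagged = {}
    for acct, events in lookups.items():
        events.sort()
        peak, start = 0, 0
        for end in range(len(events)):
            # Slide the window start forward until it covers at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = len({m for _, m in events[start:end + 1]})
            peak = max(peak, distinct)
        if peak >= max_distinct:
            flagged[acct] = {
                "peak_per_window": peak,
                "longest_sequential_run": longest_sequential_run([m for _, m in events]),
            }
    return flagged


if __name__ == "__main__":
    for acct, info in find_enumerators(SAMPLE_LOG).items():
        print(f"{acct}: {info['peak_per_window']} distinct members/window, "
              f"sequential run of {info['longest_sequential_run']}")
```

The check is deliberately per account rather than per IP, because a vetted member account is exactly the credential the attacker held; an enforcing version would pair the alert with a per-account rate limit on the directory endpoint so the script is throttled before it has read the whole membership.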
Going one step further, USDoD demonstrated that they still had access as recently as Tuesday evening by sending a message through InfraGard's own messaging system to a member whose details had been published as a teaser. The member confirmed receiving the message and asked to remain anonymous.
Beyond the data itself, USDoD said they wanted the fake account to stay active long enough to message other executives on the platform. A message arriving through InfraGard's internal system, from what appears to be a vetted member, would be a credible pretext for attacks on other member organisations, many of which operate critical infrastructure and other key industries.
The FBI says it is aware of the fake account and is investigating. At the time of writing, the agency has not said what data was exposed or what mitigations affected members should take.