
InfraGard infiltrated by cybercriminal

InfraGard, a partnership between the FBI and members of the private sector that was established to protect critical infrastructure in the US, has been infiltrated by a cybercriminal. As a result, its database of contact information is now for sale on an English-language cybercrime forum.

InfraGard

InfraGard is a partnership between the Federal Bureau of Investigation (FBI) and members of the private sector that was created to help protect US critical infrastructure. In its collaboration efforts, InfraGard connects those responsible for critical infrastructure to the FBI. The FBI provides education, information sharing, networking, and workshops on emerging technologies and threats. InfraGard’s membership includes business executives, entrepreneurs, lawyers, security personnel, military and government officials, IT professionals, academia, and state and local law enforcement.

Breached

A threat actor posted samples as proof that they have obtained access to the more than 80,000-member database of InfraGard. According to KrebsOnSecurity, the threat actor is a member of the Breached forums using the handle USDoD. Pompompurin, the administrator of the cybercrime forum Breached, is providing an escrow service for the seller. An escrow service acts as a mediator between two parties making a financial transaction and is meant to ensure no one loses their funds due to a scam. They receive the funds from the buyer and hold on to that payment until the buyer has received the purchase in good order.

False account

When asked, the threat actor revealed that they gained access by registering a false account. The user USDoD told KrebsOnSecurity that they applied with the name and real phone number belonging to a CEO of a major US financial corporation, but with an email address that was under the threat actor’s control. The application was approved, apparently without any check that the CEO was actually aware of it.

Once they had access, the InfraGard user data was easily available via an Application Programming Interface (API) that is built into several key components of the website.

The FBI commented that they were aware of a false account but declined to provide any further comments.

“This is an ongoing situation, and we are not able to provide any additional information at this time.”

The data

The stolen data are not earth-shattering. The stolen database has the names, affiliations, and contact information for more than 80,000 InfraGard users, but only 47,000 of the stolen records include unique emails. Probably due to the security awareness of the members, the data contained neither Social Security numbers nor dates of birth. Although fields existed in the database for that information, many users had left them blank.

What’s maybe more worrying is that the threat actor has direct access to the other InfraGard members and can use this “trustworthy” platform to engage on other phishing expeditions. USDoD said they were hoping the imposter account would last long enough for them to finish sending direct messages as the CEO to other executives using the InfraGard messaging portal.

This story looks like it might be continued. We will keep you posted here of any new developments.

ABOUT THE AUTHOR

Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.