On Sunday, Motherboard reported that a hacker contacted them and claimed to have hacked into a US Department of Justice (DoJ) computer, exfiltrated 200GB of files, as well as several databases supposedly containing names, job titles, email addresses and phone numbers of over 20,000 US FBI employees and over 9,000 Department of Homeland Security (DHS) employees from the DOJ intranet.
To prove that this actually happened, the hacker gave the reporter access to the information from these databases. In order to ascertain whether the info is genuine, the publication called some of these phone numbers. The result? Some of them did belong to the stated owners, other calls went through to generic operator desks in various departments.
The reporters weren’t provided with the rest of the stolen data.
In the meantime, the hacker released first the details of the 9,000 DHS employees, and then those of some 22,000 FBI employees and contractors.
Links to the data dumps were published via a Twitter account sporting a pro-Palestinian message. According to the Daily Dot, the information seems legitimate.
DoJ and DHS spokespersons stated that they are investigating whether a breach occurred, but that “there is no indication at this time that there is any breach of sensitive or personally identifiable information.”
Whether or not this sensitive but not confidential data comes from the claimed source (the DoJ intranet) is unknown. The hacker still hasn’t published the rest of the files he allegedly exfiltrated and which supposedly contain, among other things, military emails and credit card numbers.
“The Department of Justice hack is the latest in a series of recent high-profile breaches of U.S security attributable to human error,” noted Richard Beck, Head of Cyber Security at QA.
“The hacker appears to have used social engineering tactics to access the email account of a DoJ employee and then called up a department and claimed he was new and couldn’t access the organisation’s portal. He was asked for a token, demonstrating that there is a security policy and procedure in place, however, when he said no, he was told ‘that’s fine – just use our one’. From here he was able to gain full access to the computer, their contacts, documents, local network and databases.”
Beck posits that this soon-to-be leaked data will no doubt eventually end up for sale on the Dark Web and compromise the privacy and security of the thousands of employees involved.
“One way that organisations can try and limit the impact social engineering is to increase staff awareness of cyber threats. Educating staff on how to detect and deter common threats like social engineering or phishing attacks could prove invaluable in helping defend an organisation. All companies should be teaching employees a ‘Cyber Security Code’ until it becomes instinctive.”
Leo Taddeo, currently the CSO of Cryptzone, and former Special Agent in Charge of the Special Operations/ Cyber Division of the FBI’s New York Office, had this to say regarding the FBI/DoJ’s likely response to this leak:
“There are very few options for the FBI/DoJ. Recalling the information is not possible. The FBI may request that sites hosting the information take it down, but it would be very unlikely the FBI could obtain authority to compel a site to remove the list. Most likely, the FBI will warn employees of the loss of data and monitor for any anomalous activity that can be attributed to the loss. While the risks from this type of loss will never dissipate completely, over time, the information will become less sensitive due to employee rotations and turnover. What is as certain as tomorrow’s sunrise is the fact that the FBI will put significant resources into finding whoever is responsible.”
“The best defense against this type of attack is to deploy user access controls that go beyond two-factor authorization to check multiple attributes before allowing access,” he added. “By checking multiple attributes, an enterprise can create a ‘digital identity’ that is almost impossible to socially engineer. For example, before allowing access, enterprises can check the user’s location, the time of day, the computer’s configuration, patch level, and use of antivirus. By creating this ‘digital identity,’ a network is less likely fooled and better protected from bad user behavior.
“Organizations are forced to balance information security against user access requirements. The success of what appears to be a social engineering attack does not mean DHS and the FBI need to rethink their approach to securing unclassified data. Two-factor authentication failed, but the information lost was important, but not critical. Both agencies may, however, need to figure out what happened and fix whatever went wrong. In the end, it’s likely both agencies will find they need to reexamine employee awareness, training, and help desk procedures,” he concluded.