FBI's Vetted Info Sharing Network 'InfraGard' Hacked (krebsonsecurity.com)
An anonymous reader quotes a report from KrebsOnSecurity: On Dec. 10, 2022, the relatively new cybercrime forum Breached featured a bombshell new sales thread: The user database for InfraGard, including names and contact information for tens of thousands of InfraGard members. The FBI's InfraGard program is supposed to be a vetted Who's Who of key people in private sector roles involving both cyber and physical security at companies that manage most of the nation's critical infrastructures -- including drinking water and power utilities, communications and financial services firms, transportation and manufacturing companies, healthcare providers, and nuclear energy firms. "InfraGard connects critical infrastructure owners, operators, and stakeholders with the FBI to provide education, networking, and information-sharing on security threats and risks," the FBI's InfraGard fact sheet reads.
KrebsOnSecurity contacted the seller of the InfraGard database, a Breached forum member who uses the handle "USDoD" and whose avatar is the seal of the U.S. Department of Defense. USDoD said they gained access to the FBI's InfraGard system by applying for a new account using the name, Social Security Number, date of birth and other personal details of a chief executive officer at a company that was highly likely to be granted InfraGard membership. The CEO in question -- currently the head of a major U.S. financial corporation that has a direct impact on the creditworthiness of most Americans -- did not respond to requests for comment. USDoD told KrebsOnSecurity their phony application was submitted in November in the CEO's name, and that the application included a contact email address that they controlled -- but also the CEO's real mobile phone number. "When you register they said that to be approved can take at least three months," USDoD said. "I wasn't expected to be approve[d]." But USDoD said that in early December, their email address in the name of the CEO received a reply saying the application had been approved. While the FBI's InfraGard system requires multi-factor authentication by default, users can choose between receiving a one-time code via SMS or email. "If it was only the phone I will be in [a] bad situation," USDoD said. "Because I used the person['s] phone that I'm impersonating."
USDoD said the InfraGard user data was made easily available via an Application Programming Interface (API) that is built into several key components of the website that help InfraGard members connect and communicate with each other. USDoD said after their InfraGard membership was approved, they asked a friend to code a script in Python to query that API and retrieve all available InfraGard user data. "InfraGard is a social media intelligence hub for high profile persons," USDoD said. "They even got [a] forum to discuss things." USDoD acknowledged that their $50,000 asking price for the InfraGard database may be a tad high, given that it is a fairly basic list of people who are already very security-conscious. Also, only about half of the user accounts contain an email address, and most of the other database fields -- like Social Security Number and Date of Birth -- are completely empty. [...] While the data exposed by the infiltration at InfraGard may be minimal, the user data might not have been the true end game for the intruders. USDoD said they were hoping the imposter account would last long enough for them to finish sending direct messages as the CEO to other executives using the InfraGard messaging portal.
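Two of the weaknesses the report describes are easy to model: the applicant chose which self-supplied contact would receive the one-time code (so a controlled email defeated MFA even though the real phone number was on file), and a single freshly approved account could pull the whole member directory through the API with a script. The Python below is an added example, not InfraGard's code and not the script USDoD described; the application fields, the idea of a vetting step that independently confirms a contact, the log-line format and the scraping threshold are all assumptions made for illustration.

```python
"""Constructed model of two controls the Krebs report shows were weak:
(1) which contact may receive the MFA one-time code, and
(2) spotting one account bulk-pulling member records through the API.
Added example, not InfraGard's code; all data below is made up."""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Application:
    name: str
    supplied_email: str            # typed by whoever filled in the form
    supplied_phone: str            # also typed by the applicant
    # Contacts that vetting confirmed belong to the named person through an
    # independent source (assumption: e.g. a callback via the employer's switchboard).
    vetted_contacts: set = field(default_factory=set)


def weak_otp_channels(app: Application) -> list:
    """As reported: the user picks SMS or email, and both values came from the form."""
    return [app.supplied_phone, app.supplied_email]


def hardened_otp_channels(app: Application) -> list:
    """Only contacts confirmed during vetting may receive the code; a self-supplied
    address that was never vetted is dropped, so choosing 'email' is no longer a bypass."""
    return [c for c in (app.supplied_phone, app.supplied_email) if c in app.vetted_contacts]


def attacker_can_login(channels: list, attacker_controls: set) -> bool:
    """True if any permitted OTP channel is one the attacker can read."""
    return any(c in attacker_controls for c in channels)


# Constructed access-log format: "<ISO time>Z account=<name> GET /api/members/<id>"
LOG_RE = re.compile(r"^(?P<ts>\S+) account=(?P<acct>\S+) GET /api/members/(?P<id>\d+)$")


def flag_directory_scrapers(log_lines, window=timedelta(hours=1), max_distinct=25):
    """Return accounts that fetched more than `max_distinct` distinct member records
    inside any sliding window of length `window` (threshold is an assumption)."""
    per_acct = defaultdict(list)                      # acct -> [(ts, member_id)]
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue                                  # not a member lookup
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        per_acct[m["acct"]].append((ts, m["id"]))
    flagged = set()
    for acct, events in per_acct.items():
        events.sort()
        start, in_window = 0, defaultdict(int)        # member_id -> hits in window
        for ts, mid in events:
            in_window[mid] += 1
            while events[start][0] < ts - window:     # drop events older than window
                old = events[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) > max_distinct:
                flagged.add(acct)
                break
    return flagged


def sample_logs():
    """Constructed logs: a scripted bulk pull by 'imposter' plus normal use by 'alice'."""
    base = datetime(2022, 12, 9, 10, 0, 0)
    lines = [f"{base + timedelta(seconds=5 * i):%Y-%m-%dT%H:%M:%SZ} account=imposter "
             f"GET /api/members/{1000 + i}" for i in range(40)]
    for i, mid in enumerate((1001, 1002, 1001)):      # a few repeat lookups
        lines.append(f"{base + timedelta(minutes=7 * i):%Y-%m-%dT%H:%M:%SZ} "
                     f"account=alice GET /api/members/{mid}")
    lines.append(f"{base:%Y-%m-%dT%H:%M:%SZ} account=alice POST /api/messages")
    return lines


def demo():
    # Mirrors the reported scenario: real phone on file, attacker-controlled email.
    ceo = Application(name="impersonated CEO", supplied_email="ceo@attacker.example",
                      supplied_phone="+15555550100", vetted_contacts={"+15555550100"})
    attacker_controls = {"ceo@attacker.example"}
    return {
        "weak_policy_login": attacker_can_login(weak_otp_channels(ceo), attacker_controls),
        "hardened_policy_login": attacker_can_login(hardened_otp_channels(ceo), attacker_controls),
        "scrapers": flag_directory_scrapers(sample_logs()),
    }


if __name__ == "__main__":
    print(demo())
```

Under the weak policy the code can go to the attacker's email; under the hardened policy it goes only to the vetted phone, which the imposter supplied but does not control, which is exactly the "bad situation" USDoD described. The scraper check flags the account that walked the directory and leaves the member who looked up a handful of colleagues alone; tune the window and threshold to real usage before alerting on it.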
Poor checks (Score:5, Insightful)
This summarises to "the checks to make sure only the "right" people get in were utterly terrible".
There's also something else more subtle though - I seriously doubt any CEOs of properly big concerns are hanging out on any chat rooms to talk about . They have people for that, so you'd expect the requests to connect to come from someone below the c-suite. That's not to say you'd ever deny a CEO wanting to connect, but the fact it's C-suite should alert you to the possibility that the connection request is already fake, and so should warrant even more checks than a "normal" request.
Either way, the checks they were doing were clearly unfit for purpose. Not much of a surprise there.
the old folks home of security (Score:5, Interesting)
Seriously, we need an organization LIKE InfraGard to share information as a coordinated community. But running it with the organization of a stereotypical frat combined with the speed of the feds
Re:the old folks home of security (Score:4, Interesting)
Same experience. I pretty much stopped attending and stopped following and stopped sharing because it seemed all anyone wanted to talk about was threat intel from 2+ years ago and ideas around controls that were cribbed directly from the CISSP handbook and presented as clever new insights.
If you tried to share any current info you got met with a lot of "derp derp, we have not been seeing that." No shit; if you were, you would be busy responding to it, not sitting here, presumably to learn about what someone was apparently trying to do to our organization, how we spotted it, and what we have done to make sure it will never be successful. You just got completely dismissed.
Re: (Score:3, Insightful)
100% my experience many years ago when I was "invited" to join. I asked our corporate legal guy what his thoughts were and he said "you generally don't want to play with the feds... it never ends well."
Re: (Score:2)
They were very proud of the donuts they shared at the one meeting I attended.
Re: the old folks home of security (Score:1)
You have the nsa and cyber command that will be handling things like national (application/presentation) security. Bill of Rights vagueness be damned.
Re: (Score:2)
Otherwise, the information is largely outdated OSINT. Presentations from "experts" are done at an elementary level, by guys with years of experience and big titles but very little current technical expertise -- with a massive sprinkling of attaboy.
One way information sharing (Score:4, Interesting)
"InfraGard connects critical infrastructure owners, operators, and stakeholders with the FBI to provide education, networking, and information-sharing on security threats and risks"
While InfraGard does give you a direct contact to report incidents and ask questions, very little information ever seems to flow back from the FBI. Occasionally they release notices about threats that you already heard about via infosec newsfeeds, but prettied up enough to pass up to the C-level.
Summary and thoughts (Score:2)
1. The checks made are about the same as used to be made for DNS changes - none.
(They really should be making the same checks as required for Class III certs.)
2. The service doesn't really do anything, least of all to protect critical infrastructure.
(A Slashdot article in the distant past suggested a lot of these sites used to place SCADA-connected machines and even some mission-critical systems on the public Internet for ease of monitoring from home. Hopefully this service has at least fixed THAT much!)
3.
Re: (Score:2)
There is supposedly a background check when you join, for which I simply got an email saying I passed. But, to weed out threat actors I would have happily marched into the local FBI field office and presented my passport and security certifications. Unfortunately, I wasn't asked to.
FBI = Fraudulent and Bogus Investigations R Us! (Score:2)
1. Investigating and prosecution(in the media) of the Trump family and all extended associates of something!
2. Investigating and prosecution(in the media) of republicans and all extended associates of something!
3. Investigating and prosecution(in the media) of democratic enemies and opposition and all extended associates of something!
4. Have extra time start over with # 1.
Busy Busy Busy all for the Cause!
If you want anything leaked to the publ
Re: (Score:2)
I suppose if the former alleged president hadn't stolen government materials and secret documents, and the GQP and their fellow travelers in the dress-up-like-GI-Joe-and-get-hardons-over-the-size-of-their-guns brigades hadn't tried a coup to replace the government, I'd say you had a point. Now, not.
Re: (Score:1)
No, it's worse than this. They're straight up working with the criminals, and doing crimes. You're right the rest is for show, but they're not just spinning their wheels the entire rest of the time. They're secretly in bed with the Russians (oh yes, literally and figuratively there), and possibly have all the way back to the 70's. Guess how I know? My dad (no, not my real dad, just someone who kidnapped me from a test-tube-baby lab) is in the Russian mafia, and a prominent Satanist who helped them kill and
Re: (Score:1)
Cue their sock-puppet down-mods to try to hide the truth!
Not hacked. (Score:1)
Not hacked, this time. Social engineered into membership, sure. Bit disappointed in Krebs's semantics here.
Still, makes one wonder why membership gives access to the full membership database like this. Any odd member there can contact any other via their personal email and phone, provided the other member has entered that in their profile?
At least the data obtained by this impersonating user doesn't contain anything that's not visible to other, genuine members. I mean, no plaintext passwords that appear to
People there are not high profile, lmfao. (Score:2)