Hackers Claim FBI Information-Sharing Portal Breached

2,400 Law Enforcement Agents Named, Additional Dumps Threatened
Hackers Claim FBI Information-Sharing Portal Breached

A group of hackers claims to have breached an FBI information-sharing portal and gained access to numerous sensitive systems, including records of individuals who have been arrested by U.S. federal agencies as well as tools for sharing information between U.S. federal agencies and partners located both domestically and abroad.

See Also: The Anatomy of a Spear Phishing Attack: How Hackers Build Targeted Attacks (and why they're so effective)

The group, which goes by the name Crackas With Attitude - or CWA - also dumped online about 2,400 names of federal, local, state and international law enforcement agency employees and threatened to release much more information.

The data dump follows CWA claiming recently to have breached the personal email account of FBI Deputy Director Mark Giuliano. That followed its claimed hack in October of CIA Director John Brennan's personal AOL email account. The attackers, who say they leaked sensitive information they found in AOL email attachments and who have described themselves as "stoners" in multiple media interviews, claimed they were high at the time of their actions.

On Nov. 5, meanwhile, the group released a data dump to text-sharing websites Pastebin and Cryptobin. The data dump, which was obtained by Information Media Security Group, includes names, work email addresses and work telephone numbers for 2,398 individuals, as well as the hashtags "#Nov5" and "FreePalestine."

"Happy Nov5 guys! This is only part 1 ... Gov/Police/Military names, emails and phone numbers," a member of the group who goes by "Cracka" tweeted Nov. 5, including links to the data dump. "Who's ready for part 2?" Cracka added Nov. 8.

The veracity of the dumped data has not been verified. But the named individuals allegedly range from FBI special agents and a detective in the Troy, Mich., police force, to an explosives specialist at the U.S. Transportation Security Administration and special agents working for the U.S. Department of Transportation and Diplomatic Security Service, among many other agencies.

The leaked data has already been reposted on at least one leak-sharing website. One CWA member, known as Cubed, tells Vice Motherboard that the group has "a lot more names" that it's prepared to leak, although declined to give a specific count.

FBI Portal Breach Claimed

CWA appears to have breached the FBI's Law Enforcement Enterprise Portal - or LEEP - which the bureau describes as being "a secure, Internet-based information sharing system available to agencies around the world that are involved in law enforcement, first response, criminal justice, anti-terrorism, intelligence and related matters."

On Nov. 8, CWA published a screenshot of what's labeled as being the "SIG/VCC address book," which says it contains 9,046 members' names, titles, employers and location, although parts of that list are blacked out. That appears to refer to the FBI's Virtual Command Center/Special Interest Group, or VCC/SIG, which the bureau says has been used to coordinate about 5,500 cases in the past 10 years, ranging from active shooter incidents and child abductions to presidential inaugurations and terrorist attacks and threats.

An FBI spokeswoman declined to comment on the hack, or what portal technology the bureau uses to run LEEP. "We have no comment on specific claims of hacktivism, but those who engage in such activities are breaking the law," FBI spokeswoman Carol Cratty says. "The FBI takes these matters very seriously. We will work with our public and private sector partners to identify and hold accountable those who engage in illegal activities in cyberspace."

The hackers tell Wired that they were able to exploit a vulnerability in the LEEP portal, giving them access to nearly 20 U.S. law enforcement information-sharing portals and investigation tools. The group declined to detail the vulnerability they exploited, saying they were still using it to attempt to extract additional information.

But CWA provided a detailed list to Wired of 19 tools it claims the group was able to access via the law enforcement portal, which range from the Internet Crime Complaint Center, or IC3, and the Homeland Security Information Network, used for trading sensitive but non-confidential information, to an automated malware analysis tool and JABS, the Joint Automated Booking System, which is a database of federal arrest records.

One concern about the potential JABS breach is that the system can contain arrest records relating to indictments that are still under seal and thus may give any criminals with access to the system a heads-up if they're being targeted. As noted by Wired, a common tactic in cybercrime investigations is for law enforcement agencies to arrest one suspected member of a hacking ring and keep the case sealed while they attempt to get the accused to provide evidence on alleged co-conspirators.

Guy Fawkes Symbolism

The choice of date for CWA's Nov. 5 leak is symbolic - that's Bonfire Night in the United Kingdom, which commemorates the failure of Guy Fawkes to blow up the Houses of Parliament in 1605. The date also features in "V for Vendetta," a comic book and then film, which envisions an alternate future in which a legion of revolutionaries wearing masks - of the type since popularized by Anonymous - battles the fascist state. The date has also become a rallying point for Anonymous-related online operations and protests.

But CWA says it's not part of Anonymous. "No need to target #AnonSec feds, they were nothing to do with the attacks, they're just good friends," reads a tweet from the CWA member who goes by the name Cracka.

In a separate Nov. 5 Pastebin post, meanwhile, Cracka claims that he's "targeting the U.S. government for funding Israel." And the group has said it has a substantial amount of additional data that it's prepared to release unless the government meets its demands.

FBI Deputy Director Targeted

The apparent law enforcement portal breach follows CWA claiming via Twitter that it had hacked into the personal email account of FBI Deputy Director Mark Giuliano. The group told Vice Motherboard it first gained access to a Comcast account registered in Giuliano's wife's name, although declined to note how - and the group's claims could not be verified. The FBI declined to comment on CWA's claimed attack.

Some security experts question the attackers' asserted ages and levels of recreational drug use. "If they were really teenage stoner hackers, they'd be in jail," Michael Adams, an information security expert who served more than two decades in the U.S. Special Operations Command, tells Vice Motherboard. "It is very difficult for me to understand how hackers characterized as 'teenage stoners' cannot be caught with the resources available to the United States intelligence community and the FBI."

Adams, who has reviewed the list of dumped data, warns that it appears to show police officers that have an FBI email address - meaning they could be embedded bureau agents - as well as agents deployed abroad, for example on the Caribbean nation of Saint Kitts and Nevis, and might be working undercover. "They're busting covers left and right and they don't know it," he said of CWA.


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing databreachtoday.com, you agree to our use of cookies.