A hacker group calling itself DotGovs tweeted on Monday a link to what it claims is a directory of over 20,000 FBI employees. The data, encrypted with the password “lol,” includes names, job titles, phone numbers, states, and email addresses for 22,175 people.
The leak comes just 24 hours after the same group posted a link to what it claimed was a directory of 9,372 Department of Homeland Security employees.
The FBI list, in alphabetical order by last name and ending in the J’s, includes nearly 1,300 intelligence analysts and nearly 1,800 special agents. The DHS list ranges in last name from A to Z and contains roughly 100 intelligence analysts.
The list of names and phone numbers could aid targeting efforts by bad actors looking to launch future attacks, and it could mean that DOJ employees who answer the phone to someone who knows their name can no longer be confident that the caller is a well-informed insider. Alternatively, hackers might seek out “soft targets” in the list, such as administrators who might have less training in dealing with intelligence threats.
But The Guardian reported that “an official likened it to stealing a years-old AT&T phone book after the telecom had already digitized most of its data.” Other officials reportedly admitted that there should not be such a simple process through which attackers could obtain a token.
How it happened
An anonymous member of DotGovs told Motherboard of the coming leaks before they were published. The hacker claimed to have obtained access to a Department of Justice web portal through fairly basic techniques: first, the hacker managed to compromise the email account of a DOJ employee; then he or she called an internal department, asked for help accessing their intranet web portal, and was obliged. From there, the hacker claimed to have access to a terabyte of data and to have downloaded 200 gigabytes of it.
“I see no reason why the data would be ‘fake,’” said Patrick Wardle, director of research at cybersecurity firm Synack. He referenced an entry in the FBI list and found that a quick public records search showed the individual named to have been, in recent years, a state police trooper with a six-figure salary and a listed phone number matching the FBI’s Boston office. “[It] seems reasonable that he’s now working at or for the FBI in Boston.”
Alex McGeorge, a senior security researcher specializing in penetration testing at Immunity Inc., another cybersecurity firm, had reservations about some of the hacker’s self-reported methods. McGeorge doubted the hacker’s claim that he or she had access to a terabyte of data as they hadn’t provided any documents that couldn’t have originated from a compromised email account alone.
“Somebody got access to someone [in the DOJ’s] email and they milked it for all it was worth and that’s probably it until they give us more [proof].”
McGeorge felt that the contents of the leaked directory could be “inconvenient” for the DOJ as organizations like the FBI have employees who are not necessarily at liberty to disclose their employer or title. He felt that it was less valuable than the Office of Personnel Management leak last year.
The Department of Justice told Business Insider:
The department is looking into the unauthorized access of a system operated by one of its components containing employee contact information. This unauthorized access is still under investigation; however, there is no indication at this time that there is any breach of sensitive personally identifiable information. The department takes this very seriously and is continuing to deploy protection and defensive measures to safeguard information. Any activity that is determined to be criminal in nature will be referred to law enforcement for investigation.