Data Breach , Data Loss , Endpoint Security

Dox Files: DHS Probes Information Dump

But U.S. Government Downplays "@DotGovs" Employee Data Release
Dox Files: DHS Probes Information Dump

The U.S. government is probing the apparent cybersecurity lapse that allowed a hacker to obtain and release contact information for more than 20,000 FBI employees and 9,000 other Department of Homeland Security employees.

See Also: 2016 IAM Research: Where Financial Institutions' PAM Programs Are Falling Short

The data was doxed - dumped online - in two batches beginning late Feb. 7. But U.S. government officials have been downplaying the sensitivity of the information.

"We are looking into the reports of purported disclosure of DHS employee contact information," DHS spokesman Sy Lee tells Information Security Media Group. "We take these reports very seriously; however, there is no indication at this time that there is any breach of sensitive or personally identifiable information."

The information was uploaded to CryptoBin, which is a free service for sharing encrypted data. In two tweets, someone using the Twitter account "@DotGovs" and handle "Penis," together with a Buzz Lightyear avatar, published links to each CryptoBin upload - first the DHS information, and then the FBI dump - as well as passwords to unlock each upload. Information Security Media Group was able to verify that the information includes what appears to be contact details for 22,175 FBI employees and 9,372 other DHS employees. The FBI is part of the Department of Justice, which has about 114,000 employees in total, meaning the breach affected about 20 percent of its workforce. DHS, meanwhile, has more than 240,000 employees, meaning contact details for up to 4 percent of its workforce appear to have been leaked.

A view of the encrypted DHS file dump on CryptoBin.

"FBI and DHS info is dropped and that's all we came to do, so now its time to go, bye folks!" the hacker tweeted Feb. 8 via the @DotGovs Twitter account.

On Feb. 7, prior to the data dumps, Vice Motherboard first reported that the hacker, who wished to remain anonymous, claimed to have stolen hundreds of gigabytes of data from a U.S. Department of Justice system after compromising a Justice Department employee's email account, then socially engineering a government help desk. "I called up, told them I was new and I didn't understand how to get past [the portal]," the hacker told Motherboard. "They asked if I had a token code, I said no, they said that's fine - just use our one." The hacker reported then being able to sign in and remotely access three different virtual machines, one of which was the work system for the employee whose email account had been hacked. The hacker then claimed to be able to access a Department of Justice intranet containing 1 TB of data and to have downloaded 200 GB of that data.

Motherboard reports that it tested a sample of the released phone numbers, and found that some went directly to employees - including a woman who confirmed her listed position, as an FBI intelligence analyst - while others went to government switchboards.

U.S. officials have said that much of the released information would have already been available via sites such as LinkedIn.

Reached for comment, the FBI referred data dump inquiries to the Department of Justice, which couldn't be immediately reached for comment. But Justice Department spokesman Peter Carr tells Britain's Telegraph newspaper that "the department is looking into the unauthorized access of a system operated by one of its components containing employee contact information," though notes that the data dump does not appear to include "sensitive, personally-identifiable information."

He adds: "The department takes this very seriously and is continuing to deploy protection and defensive measures to safeguard information. Any activity that is determined to be criminal in nature will be referred to law enforcement for investigation."

Some experts who have reviewed the leaked data note that some of the information associated with listed people - and job roles - is outdated. But of course the breach raises bigger questions. "This hack could reflect broader vulnerabilities in government systems, even if the information the hackers got was outdated," Cornell Tech Professor Thomas Ristenpart says.

CIA Director Email Hack Parallels

Some of the @DotGovs hacker's messages have included a call to "free Palestine." That echoes the reported hack of the personal AOL email account of the U.S. Central Intelligence Agency Director John Brennan in October 2015 by a self-described "teen stoner" who called himself "Cracka" (see CIA Director's AOL Email Account Reportedly Hacked).

The hacker claimed that Brennan's personal email account had included contact information for some for top U.S. national security and intelligence officials, as well as attachments with sensitive information, such as Brennan's application for a top-secret security clearance. Various Twitter accounts used by the hacker - or hackers - involved included the hashtags "FreePalestine," "FreeGaza" and "Anonymous."

In fact, threat intelligence firm iSight Partners believes that the hacker behind the DHS and FBI data dump "is almost certainly 'Cracka,'" and says there's no reason to believe these attacks will stop. "We expect these actors will continue to leverage compromised information to stage additional social engineering attacks against high-level U.S. officials, executives and their family members," it says.

Executive Editor Eric Chabrow also contributed to this story.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.

Around the Network