Hackers Reportedly Post Data on Law Enforcement Officers
FBI National Academy Associates Says Three Chapters Apparently Hacked
This story has been updated.
Federal law enforcement authorities are investigating an apparent breach of three chapters of FBI National Academy Associates, a nonprofit training and education organization that's independent of the FBI.
Attackers claim to have posted data on thousands of law enforcement officers obtained from the organization, according to news reports.
FBI National Academy Associates serves about 17,000 law enforcement personnel who have graduated from the FBI's National Academy Program.
The leaked data includes personal information on more than 23,000 individuals, many of whom work in law enforcement, according to NBC News. The data includes names, job descriptions, email addresses and some street addresses, as well as email addresses belonging to FBI.gov and other federal, state and local agency domains, NBC reports.
Tracking the Breach
The hacking group apparently accessed the data late last week and then posted it on its own website to show that the attack took place, according to TechCrunch, which reported on the incident Saturday.
Since then, the Associated Press and other news organizations report that they saw all or part of the leaked data, but none of the news outlets linked to the data or named the group apparently involved. The group claims to have been active since 2014, according to NBC.
The AP said hacked records belonging to 1,400 law enforcement agencies, including the FBI, Secret Service, Capitol Police, U.S. Park Police as well as state and local agencies, are available on the hacker group's site.
The hacker group's Twitter handle has been removed, although its website seems to be accessible, according to AP.
TechCrunch reports that a hacker claiming to be with the group that hacked FBINAA said the group has "over a million" pieces of data on various law enforcement agencies and is making plans to release more and possibly sell the information.
FBINAA's Investigation
On Saturday, FBI National Academy Associates issued a statement acknowledging it was cooperating with a federal investigation of the apparent breach.
"We believe we have identified the three affected chapters that have been hacked, and they are currently working on checking the breach with their data security authorities," the statement noted. "We have checked with the national database server/data provider and they have assured us that the FBINAA national database is safe and secure."
The statement also said: "In each of these instances, a third-party software was being used by the affected chapters. However, it is still too early to determine if this impacted the breach."
FBINAA declined to offer further comment.
What Happened?
The hacking group may have taken advantage of a web application vulnerability to gain access to the network and then hunt for a database, says Terence Jackson, the CISO of the Washington-based security firm Thycotic Software.
"As more information becomes available, we will likely learn that a vulnerability was exploited in a web application," Jackson says. "Similar to the Equifax breach, this highlights not only the importance of vulnerability management, but also the mean time to detection of unauthorized access."
Karl Steinkamp, a director at Coalfire, which provides cybersecurity consulting, says: "Unfortunately, these types of hacks are becoming more commonplace against not only enterprises, but the federal government. This hack is particularly concerning because it puts law enforcement personnel and others at direct risk by exposing their job descriptions and physical locations and making that information publicly available."
Possible Ties to New Ransomware
The group that claimed responsibility for hacking into the chapters of FBI National Academy Associates might also have ties to a new type of ransomware called CryptoPokemon, according to Emsisoft, an anti-virus and security company that also makes decryption tools.
When Emsisoft released a new decryption tool for CryptoPokemon recently, the company was contacted by a group that claimed authorship of the new ransomware and pointed out the source code on GitHub. By tracing back the Twitter account that made the initial contact, company researchers found the cache of stolen law enforcement data and connected the two, says Brett Callow, a spokesperson for the company.
From there, Emsisoft researchers notified authorities about the data, Callow says. So far, this particular ransomware has not been spotted in the wild and only one sample has been examined by researchers, Callow adds.
"The ransomware is puzzling," Callow tells ISMG. "We discovered the data dump and then immediately notified the FBI because the group replied to us on Twitter after we announced the release of the decryption tool."
The Emsisoft researchers also note that the ransomware will not encrypt if the operating system's default language is one used in a CIS country - the Commonwealth of Independent States, a grouping of countries that were part of the Soviet Union; the list cited includes Armenia, Azerbaijan, Belarus, Georgia, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan, Turkmenistan, Ukraine and Uzbekistan. Callow says this could indicate where the group is operating, or could be a false flag intended to suggest that, and company researchers are still investigating.
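The language check described above is a common ransomware kill switch: before encrypting, the malware reads the system's UI language and exits if it belongs to a region the operators want to avoid. The following is an added illustration of how such a check is typically built on Windows, modelled in plain Python so it runs anywhere. It is not the CryptoPokemon sample's code and not Emsisoft's; which API the sample queries, which language IDs it compares against, and the function names used here are all assumptions. The LANG_* values are the documented Win32 constants.

```python
# Added example: a Windows LANGID-based "do not run in CIS locales" check.
# Illustrative only; the real sample's mechanism is not known from the article.

# Windows LANGID layout (16 bits): low 10 bits = primary language,
# high 6 bits = sublanguage (region variant).
def primary_lang(langid: int) -> int:
    return langid & 0x3FF


def sub_lang(langid: int) -> int:
    return (langid >> 10) & 0x3F


# Win32 primary-language IDs from winnt.h for languages of the countries
# the article lists. (Assumption: a sample would key on these.)
CIS_PRIMARY_LANGS = {
    0x19: "Russian", 0x22: "Ukrainian", 0x23: "Belarusian", 0x2B: "Armenian",
    0x2C: "Azerbaijani", 0x37: "Georgian", 0x3F: "Kazakh", 0x40: "Kyrgyz",
    0x28: "Tajik", 0x42: "Turkmen", 0x43: "Uzbek",
}
LANG_ROMANIAN = 0x18
SUBLANG_ROMANIAN_MOLDOVA = 0x02   # ro-MD is 0x0818; ro-RO (sublang 0x01) is 0x0418


def is_cis_locale(langid: int) -> bool:
    """True if the LANGID maps to a language or region in the CIS list."""
    if primary_lang(langid) in CIS_PRIMARY_LANGS:
        return True
    # Moldova's main language is Romanian, so the region (sublanguage) bits
    # decide, not just the primary language: ro-MD is skipped, ro-RO is not.
    return (primary_lang(langid) == LANG_ROMANIAN
            and sub_lang(langid) == SUBLANG_ROMANIAN_MOLDOVA)


def should_encrypt(ui_langid: int) -> bool:
    """The kill-switch decision: refuse to run on CIS-language systems."""
    return not is_cis_locale(ui_langid)


def current_ui_langid() -> int:
    """On Windows, read the real UI language via GetUserDefaultUILanguage;
    elsewhere fall back to en-US (0x0409) so the example still runs.
    Assumption: a sample would use this or a similar locale API."""
    try:
        import ctypes
        return ctypes.windll.kernel32.GetUserDefaultUILanguage()
    except (ImportError, AttributeError, OSError):
        return 0x0409


if __name__ == "__main__":
    # Constructed sample LANGIDs, as an analyst might feed a sandbox.
    samples = [("en-US", 0x0409), ("ru-RU", 0x0419), ("ro-RO", 0x0418),
               ("ro-MD", 0x0818), ("uk-UA", 0x0422), ("de-DE", 0x0407)]
    for name, lid in samples:
        verdict = "encrypt" if should_encrypt(lid) else "skip"
        print(f"{name} (0x{lid:04X}): {verdict}")
    host = current_ui_langid()
    print(f"this host (0x{host:04X}):", "encrypt" if should_encrypt(host) else "skip")
```

The point for a defender is that the check is only as strong as the attribute it reads: a sample may look at the UI language, the user locale, or the installed keyboard layouts, and each is a different API with a different value on the same machine. When emulating a sample, set the attribute it actually queries and confirm from the sample's own control flow which one that is rather than assuming.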