Cyber Threat Actor: USDoD
| Actor Type | Location | Known Incidents |
Criminal
|
United States of America
|
2 incidents |
|---|
Profile
The threat actor using the alias USDoD operates with a focus on compromising high-value targets within U.S. critical infrastructure sectors. This actor targeted InfraGard, an FBI-managed platform designed for trusted information sharing between law enforcement and private sector entities overseeing national critical infrastructure, including financial services, utilities, telecommunications, and healthcare. USDoD's primary objective centered on financial gain, evidenced by their attempt to sell the stolen InfraGard member database for $50,000 on the Breached cybercrime forum. The actor exploited InfraGard’s membership vetting process rather than deploying malware or conducting broad phishing campaigns, indicating a tailored approach to access restricted systems.
USDoD gained initial access by submitting a fraudulent InfraGard application impersonating a CEO from a major U.S. financial corporation, using the executive’s authentic personal details—including Social Security Number and date of birth—while controlling the application’s email address. The FBI approved this falsified account without contacting the impersonated CEO, enabling USDoD to bypass InfraGard’s multi-factor authentication by selecting email-based one-time codes instead of SMS. Once inside, the actor extracted over 80,000 member records via the platform’s API, employing a custom Python script to automate data retrieval. USDoD leveraged their access to communicate directly with InfraGard members through the portal’s messaging system, attempting to establish credibility under the CEO’s identity. The actor collaborated with Breached forum administrator Pompompurin to facilitate the sale through escrow services, though the database contained limited sensitive fields. This operation exposed vulnerabilities in the FBI’s identity verification processes for high-trust networks, demonstrating the actor’s ability to identify and exploit systemic weaknesses in secure government-affiliated platforms.
