
Cyber Incident Victim: Federal Bureau of Investigation

Date:

Dec 2016

Location:

United States of America

Summary

A hacker compromised the FBI website by exploiting a zero-day vulnerability in the Plone content management system, leading to the exposure of account data, including names, SHA-1 password hashes, their salts, and email addresses, from backup files. The attacker, who had previously targeted the agency as part of the Anonymous collective, disclosed system details such as outdated software versions and misconfigured backup storage but did not gain root access; multiple other organizations using the vulnerable CMS were identified as potential targets during the breach.

CIA Posture: Available to members
Motives: 2 motives (available to members)
Tactics, Techniques & Procedures: 1 technique (available to members)
Threat Actor: 1 actor (available to members)
Type: Available to members
Location: Available to members

Description

On December 22, 2016, the FBI.gov website was compromised by the hacker known as CyberZeist (@cyberzeist2), who subsequently leaked stolen data on Pastebin. The attacker exploited a previously unknown (zero-day) vulnerability in the Plone Content Management System (CMS) used by the FBI, specifically targeting flaws in certain Python modules within the platform. CyberZeist disclosed that he did not discover the zero-day himself but was instead tasked with testing it against the FBI and Amnesty International websites, indicating the vulnerability had broader implications for other organizations. During the intrusion, the hacker accessed multiple backup files stored on the server, including acc_102016.bck, acc_112016.bck, and old_acc16.bck, which contained sensitive user account information. The leaked records included names, email addresses, SHA-1 password hashes, and the corresponding per-record salts, exposing FBI.gov users to potential credential misuse. CyberZeist documented the hack by tweeting an image showing the FBI website in a compromised state shortly after the breach. He noted that the FBI’s server was running FreeBSD version 6.2-RELEASE—an operating system version dating to 2007—with custom configurations and had last been rebooted on December 15, 2016, at 6:32 PM. The hacker criticized the FBI’s security practices, particularly the storage of unsecured backup files on the same server as the live system, which facilitated unauthorized access.
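The leaked records paired each SHA-1 password hash with its salt, which is the scheme defenders should be most concerned about: a single unkeyed SHA-1 costs microseconds per guess, so salting alone does not slow an offline attack against a leaked backup. The following added example (not code from the page, from Plone, or from the FBI deployment) shows the defensive pattern for such a situation: verify legacy salted-SHA-1 records on login and transparently rehash them with PBKDF2-HMAC-SHA256. It assumes the legacy scheme is sha1(salt || password); the page does not state the concatenation order, and the user names, passwords and salts below are constructed sample data.

```python
import hashlib
import hmac
import os
from typing import Optional


# Legacy scheme, assumed for illustration: the page says each leaked record held a
# SHA-1 hash and a per-record salt. The concatenation order used by the real
# deployment is not stated on the page; sha1(salt || password) is assumed here.
def legacy_sha1_hash(password: str, salt: bytes) -> str:
    """One unkeyed SHA-1 over salt+password: very cheap per guess for an attacker."""
    return hashlib.sha1(salt + password.encode("utf-8")).hexdigest()


# Replacement scheme: PBKDF2-HMAC-SHA256 with a random per-user salt and a high
# iteration count, stored as a self-describing string so parameters can be raised later.
PBKDF2_ITERATIONS = 600_000


def pbkdf2_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = PBKDF2_ITERATIONS) -> str:
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison so verification timing does not leak hash bytes.
    return hmac.compare_digest(candidate, bytes.fromhex(dk_hex))


class UserStore:
    """In-memory stand-in for a CMS user table mixing legacy and upgraded records."""

    def __init__(self, records: dict):
        self.records = records

    def authenticate(self, username: str, password: str) -> bool:
        rec = self.records.get(username)
        if rec is None:
            # Do comparable work for unknown users so timing does not reveal valid names.
            pbkdf2_hash(password, b"\x00" * 16)
            return False
        if rec["scheme"] == "sha1":
            ok = hmac.compare_digest(legacy_sha1_hash(password, rec["salt"]), rec["hash"])
            if ok:
                # Rehash-on-login: the plaintext is only available now, so upgrade at once
                # and drop the legacy salt so no SHA-1 material remains in the table.
                rec.update(scheme="pbkdf2", hash=pbkdf2_hash(password))
                rec.pop("salt", None)
            return ok
        return pbkdf2_verify(password, rec["hash"])

    def legacy_count(self) -> int:
        """Number of records still on the fast legacy scheme; a metric worth tracking."""
        return sum(1 for r in self.records.values() if r["scheme"] == "sha1")


def sample_store() -> UserStore:
    """Constructed sample data (not from the leak): two users still on the legacy scheme."""
    records = {}
    for name, pw in (("alice", "correct horse battery staple"), ("bob", "hunter2")):
        salt = hashlib.sha1(name.encode("utf-8")).digest()[:8]  # deterministic constructed salt
        records[name] = {"scheme": "sha1", "salt": salt, "hash": legacy_sha1_hash(pw, salt)}
    return UserStore(records)


if __name__ == "__main__":
    store = sample_store()
    print("legacy records before login:", store.legacy_count())
    print("alice, wrong password:", store.authenticate("alice", "password1"))
    print("alice, correct password:", store.authenticate("alice", "correct horse battery staple"))
    print("legacy records after login:", store.legacy_count())
    print("alice's record now:", store.records["alice"]["hash"][:40] + "...")
```

Rehash-on-login only upgrades users who actually sign in, so `legacy_count()` is the number to watch; dormant accounts should be force-reset or have their legacy hashes invalidated after a grace period, since a leaked backup of the table is exactly the situation in which those cheap hashes matter most.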

Cyber Incident Image

Following the breach, CyberZeist delayed publicly releasing the stolen data, stating he awaited a direct response from the FBI, which did not materialize promptly. The FBI eventually contacted the hacker to request the leaked information, though no further details about their internal remediation efforts were disclosed. CyberZeist confirmed that the Plone CMS vulnerability remained exploitable during the FBI’s initial response period, allowing him to maintain access to backend systems, though he emphasized he never obtained root privileges. The incident exposed additional organizations using the same vulnerable CMS components, including the Intellectual Property Rights Coordination Center and the EU Agency for Network and Information Security. Media outlets in Germany and Russia reported the breach, while U.S.-based publications initially ignored it. CyberZeist, who had previously targeted the FBI in 2011 as part of the Anonymous collective, declined requests from third parties seeking the leaked data and refrained from publishing the zero-day exploit himself. The FBI did not publicly acknowledge the compromise or detail corrective actions taken to secure the affected systems.

Sources
Sources available to members
2 sources