
Cyber Incident Victim: Law Enforcement Inquiry and Alerts

Date: May 2022

Location: United States of America

Summary

A breach of the Drug Enforcement Administration's Law Enforcement Inquiry and Alerts system allowed unauthorized actors to access federated searches across 16 federal law enforcement databases using compromised credentials. The attackers, linked to a cybercrime community known for impersonating officials and filing fraudulent data requests, potentially viewed sensitive records including vehicle, firearm, and seizure data, and could submit false information to law enforcement systems. The portal's security relied solely on username and password authentication despite supporting stronger government-issued verification methods, prompting concerns about broader vulnerabilities in federal data systems. The agency confirmed an investigation into the incident but did not validate the specific claims of access.

Motives: 1 motive

Tactics, Techniques & Procedures: 1 technique

Threat Actor: 1 actor

Description

On May 8, 2022, KrebsOnSecurity received a tip that unidentified hackers obtained credentials for an authorized user account within the Law Enforcement Inquiry and Alerts (LEIA) system managed by the U.S. Drug Enforcement Administration (DEA). The compromised portal, esp.usdoj.gov, provided federated search access to 16 federal law enforcement databases, including the DEA’s El Paso Intelligence Center (EPIC) and the National Seizure System (NSS). EPIC systems contained law enforcement-sensitive data accessible to federal, state, local, tribal agencies, the Department of Defense, and intelligence communities, while NSS tracked assets seized from criminal activities. Screenshots shared by the hackers demonstrated their ability to query records related to motor vehicles, boats, firearms, aircraft, and drones. The breach was linked to members of Doxbin, an online harassment community known for impersonating officials to harvest personal data, whose previous administrator had ties to the LAPSUS$ cybercrime group.


The DEA confirmed an investigation into the incident but declined to validate specific claims, stating only that it took cybersecurity intrusions seriously. Forensic analysis of the screenshots indicated attackers could view sensitive information and potentially submit false records to law enforcement databases, raising concerns about data integrity and operational security. Researchers highlighted the access’s potential value to criminal organizations, particularly cartels seeking intelligence on rivals. Security weaknesses were evident, as the portal accepted username-password authentication despite offering stronger Personal Identity Verification (PIV) card access, with no multi-factor authentication prompts observed during the illicit login. The incident underscored systemic vulnerabilities in federal authentication protocols, as the Department of Justice’s data inventory listed thousands of repositories, many potentially relying on similarly weak safeguards. No evidence of data manipulation or specific operational disruptions was confirmed at the time of reporting.
