Cyber Incident Victim: Federal Bureau of Investigation
Date: Dec 2022
Location: United States of America
Summary
The FBI's InfraGard program, designed to facilitate cyber and physical threat information sharing between the bureau and critical infrastructure operators, experienced a breach when hackers impersonated a financial sector CEO to gain approved membership. Using falsified application details that passed FBI vetting—the bureau never contacted the legitimate executive—the attackers accessed and scraped contact data for over 80,000 members via an exposed API, then listed the database for sale on a cybercrime forum. The attacker retained active portal access, messaging verified members through the platform while negotiating the sale, which was escrowed by the forum administrator known for prior FBI system exploits. The bureau confirmed awareness of the fraudulent account but provided no further details, describing the investigation as ongoing. Exposed information included names and contact details, though critical fields like Social Security numbers remained empty, limiting immediate identity theft risks.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 4 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 2 actors | Available to members | Available to members |
Description
On December 10, 2022, a threat actor using the alias "USDoD" advertised the sale of a database containing contact information for over 80,000 members of InfraGard on the cybercrime forum Breached. InfraGard, an FBI-managed program designed to facilitate threat information sharing between the Bureau and private sector entities overseeing U.S. critical infrastructure sectors—including energy, finance, healthcare, and transportation—had its member directory compromised through a fraudulent application process. The attacker claimed to have impersonated the CEO of a major U.S. financial corporation by submitting an application in November 2022 using the executive’s real name, Social Security Number, date of birth, and phone number, paired with an email address controlled by the hacker. The FBI approved the application in early December without contacting the impersonated CEO for verification, granting access to InfraGard’s portal. The FBI confirmed awareness of a "potential false account" associated with the portal but declined to provide further details, stating the matter was under active investigation.

The attacker exploited an Application Programming Interface (API) integrated into InfraGard’s communication systems to extract member data, including names, employer details, and partial contact information, using a custom Python script. While approximately half of the records lacked email addresses, and fields like Social Security Numbers were empty, the intruder used ongoing portal access to send direct messages to InfraGard members—including a security executive at a U.S. technology firm—from the impersonated CEO’s account. USDoD priced the database at $50,000, acknowledging the limited sensitivity of the data but emphasizing its value for targeting high-profile individuals. The Breached forum administrator Pompompurin, previously linked to the defunct RaidForums marketplace and a 2021 FBI email system breach, acted as the transaction guarantor. The compromised portal access raised concerns about potential social engineering against critical infrastructure personnel, though no additional malicious activities were confirmed. The FBI was still investigating the incident as of the article’s publication; later updates confirmed that the FBI had not contacted the impersonated CEO during its review of the fraudulent application.
