Infragard is a cybersecurity organization that partnered with the Federal Bureau of Investigation (FBI) with the goal of helping protect critical US infrastructure. It has 80,000 members, mostly cybersecurity and C-Suite professionals from industries across the US. Membership entitles members to critical information from other members and the FBI on emerging cybersecurity threats.
In November, a hacker applied for membership under a fake profile created using an infrastructure executive's social media information, the executive's actual mobile phone number, and a fake (most likely typo-squatted domain) email address. Early in December, Infragard granted them membership, and they were able to log in and begin researching members. The hacker located scripts to automatically extract every Infragard member's profile information (addresses, company names, email addresses, and more).
On Dec. 10, 2022, a darkweb cybercrime forum called Breached offered up a new sales thread: "The user database for Infragard, including names and contact information for tens of thousands of Infragard members." To add credibility, they published at least one profile of a high-ranking utility company C-Suite member.
Infragard is supposed to be a "vetted membership" for critical infrastructure professionals. Backgrounds and identities are supposed to be checked, and applications should be verified through multiple independent factors. That was not done here. According to an interview with the hacker themselves (anonymously), all Infragard needed to do was call the legitimate phone number of the executive being impersonated and the social engineering attack would have failed. A phone call was never placed, or if it was, they listened to a voicemail to confirm the identity instead of speaking to the actual applicant (a major shortcut).
Implications of this Breach
Unfortunately, the damage to Infragard as an organization is done. When security companies are breached, they lose a good deal of credibility. Whether the membership survives this breach remains to be seen. However, what it teaches us is more important.
The larger damage may be to the industry cybersecurity professionals and C-Suite executives whose personal information, however much or little, was part of this breach. The exposure puts these individuals and their contacts at increased risk of social engineering and compromise, because hackers parlay this type of information into spear-phishing attacks. Anyone with an Infragard membership and a reasonable amount of information in their profile needs to be extra vigilant in watching for social engineering and phishing attacks.
Lessons Learned
Vetting applications to any organization needs to leverage multi-factor authentication methods. A single phone call to the applicant's independently verified number would have identified this hacker and prevented this breach, at least against the simplistic approach used here.
Vet Identities Every Time in Multiple Ways
Every company out there needs a privacy policy on its website. If you collect personal non-public information on your employees or clients, then they are legally allowed to request what data you have about them, among many other rights (please see this article for data privacy rights). However, hackers are using these data privacy requests to sneak information out of unsuspecting companies that do not properly authenticate the identity of the requestor.
Whether a data privacy request or a membership application, identity verification is critical to avoiding granting an imposter access to critical and sensitive information.
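The following is an added, hypothetical example (not Infragard's vetting process, and not code from the original post) showing what "verify in multiple ways" looks like when applied to the two weaknesses described above: a typo-squatted email domain slipping past review, and a callback that either never happened or was "confirmed" by a voicemail. The employer directory, names, domains and phone numbers are all constructed placeholders; the only assumption that matters is that the callback number comes from a source independent of the application.

```python
"""Applicant-vetting checks (hypothetical example, not Infragard's process).

Three independent checks are applied to an application:
  1. the applicant's email domain is compared with the employer's registered
     domain, and lookalike (typo-squatted) domains are flagged;
  2. the callback number is always taken from an independent directory, never
     from the number the applicant typed into the application;
  3. the application is approved only after a live-voice callback succeeded;
     a voicemail match does not count.
"""
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Constructed sample directory. Assumption: these values were obtained
# independently of the applicant (prior business relationship, published
# switchboard), which is what makes the callback an out-of-band check.
KNOWN_EMPLOYERS = {
    "Example Utility Corp": {
        "domain": "exampleutility.com",   # constructed placeholder
        "switchboard": "+1-555-0100",     # constructed placeholder
    },
}


@dataclass
class Application:
    name: str
    employer: str
    email: str
    phone_supplied: str  # typed in by the applicant, therefore untrusted


@dataclass
class VettingResult:
    approved: bool
    reasons: list = field(default_factory=list)


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings, used to spot lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def email_domain_check(email: str, registered_domain: str) -> Tuple[bool, str]:
    """Accept only an exact domain match; explain lookalikes explicitly."""
    domain = email.rsplit("@", 1)[-1].lower()
    if domain == registered_domain:
        return True, "email domain matches registered employer domain"
    dist = levenshtein(domain, registered_domain)
    if dist <= 2:
        return False, (f"lookalike domain {domain!r} (edit distance {dist} "
                       f"from {registered_domain!r})")
    return False, f"domain {domain!r} does not belong to employer"


def callback_number(app: Application) -> Optional[str]:
    """The number to call comes from the directory, not the application."""
    rec = KNOWN_EMPLOYERS.get(app.employer)
    return rec["switchboard"] if rec else None


def vet(app: Application, live_voice_confirmed: bool) -> VettingResult:
    """Run all checks; every failure is recorded so a reviewer can see why."""
    result = VettingResult(approved=False)
    rec = KNOWN_EMPLOYERS.get(app.employer)
    if rec is None:
        result.reasons.append("employer not in independent directory; manual review")
        return result
    ok, why = email_domain_check(app.email, rec["domain"])
    result.reasons.append(why)
    if not ok:
        return result
    number = callback_number(app)
    if app.phone_supplied != number:
        result.reasons.append(f"applicant-supplied number {app.phone_supplied} "
                              f"ignored; callback placed to directory number {number}")
    if not live_voice_confirmed:
        result.reasons.append("no live-voice confirmation (voicemail does not count)")
        return result
    result.reasons.append("live-voice callback confirmed")
    result.approved = True
    return result


if __name__ == "__main__":
    # Constructed applications: one genuine, one impersonating the same person
    # from a lookalike domain (capital I in place of lowercase l).
    genuine = Application("Jane Doe", "Example Utility Corp",
                          "jane.doe@exampleutility.com", "+1-555-0100")
    imposter = Application("Jane Doe", "Example Utility Corp",
                           "jane.doe@exampleutiIity.com", "+1-555-0199")
    for app in (genuine, imposter):
        print(app.email, vet(app, live_voice_confirmed=True))
```

The design point is that `callback_number` never reads `app.phone_supplied`: an attacker who controls the application can make any supplied number ring a phone they hold, so the callback is only worth anything when its target is chosen from data the applicant could not influence, and only when a person actually answers.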
If it can happen with Infragard, it can happen with your company. Beef up your identity and authentication practices across the board and educate your users on the required processes for verification.