A hacker group with ties to Palestinian activists and expressing sympathy for Islamic State extremists has published a list of about 9,000 employees of the Department of Homeland Security as well as a partial list of employees of the Federal Bureau of Investigation.
Examination of the lists, which were posted on an encrypted server, reveals that the DHS listing is several years out of date. The listing of 22,000 FBI employees is partial, with the names ending with last names starting with J.
The hackers communicated with the online publication Motherboard and told contributor Joseph Cox that they’d had trouble getting access to an email account of a Department of Justice employee.
The hackers said that the DOJ help desk provided the necessary log-in information to allow them access to a workstation used by that employee. They said that their access even included access to the agency’s internal servers. A hacker using the Twitter account @dotgovs posted a screen shot of the server access.
In his Twitter postings, the hacker expressed support for the Free Palestine movement, quoted frequently from ISIS posts, and in his posts supported that cause. The hacker also expressed support for ending Israeli occupation of the Gaza Strip and for destroying the state of Israel altogether.
While the breach apparently occurred on a computer located at the Department of Justice, the hacker took a list of employees from DHS. The list included the names, and in nearly every case, the phone numbers, email addresses and job titles of those employees.
I examined the list for everyone I happen to know at DHS and found none of them, indicating the list is fairly old. Confirming that, I found a few names of people I know to have left the agency some years ago.
The list of the FBI employees, which appeared online Feb 8, is potentially more damaging since it includes, among the other personal data, the location of the employees. Assuming the list is accurate, this could expose FBI employees located outside the United States, perhaps including those who are working covertly.
The FBI and the DHS aren’t saying much about the breach. The FBI, in response to an inquiry from eWEEK, said they were referring all questions to the DOJ for comment.
A spokesperson for the Department of Homeland Security expressed concern when contacted by eWEEK earlier in the day. “We are looking into the reports of purported disclosure of DHS employee contact information,” the spokesperson said in an email. “We take these reports very seriously; however, there is no indication at this time that there is any breach of sensitive or personally identifiable information.”
A DOJ spokesperson responded to eWEEK by email, “The department is looking into the unauthorized access of a system operated by one of its components containing employee contact information. This unauthorized access is still under investigation; however, there is no indication at this time that there is any breach of sensitive personally identifiable information.
ISIS-Inspired Hackers Breach DOJ Network, Release FBI Staff List
The department “takes this very seriously and is continuing to deploy protection and defensive measures to safeguard information. Any activity that is determined to be criminal in nature will be referred to law enforcement for investigation,” the DOJ email said.
There was some initial speculation that the information about the DHS employees might include Social Security numbers or perhaps credit card numbers; however, that does not appear to be the case. In addition, while most email addresses were listed, there was no information regarding passwords, financial information or even locations for the DHS data.
Now that the data is on the Internet, the next question is, how did this happen? Perhaps more important, what was DHS employee information doing on a computer in the Justice Department? For that matter, what was FBI employee data doing on that computer?
It’s highly unlikely that anyone at DOJ will discuss what they were doing with a list of DHS employees. It’s equally unlikely that the agency will explain the existence of an FBI employee list on an unsecured computer.
But, thanks to the braggadocio of the hackers, we have an idea how the data was breached, although not how they targeted the person they chose. Sadly, they apparently got into the account simply by calling the help desk and asking for access by posing as a user locked out of his or her account.
Apparently, the hackers weren’t able to get past a requirement for a security key and called the help desk. The help desk asked if they were new and then provided them a key. Yes, just like that.
“They social-engineered the internal IT,” said Stu Sjouwerman, founder and CEO of security awareness training company KnowBe4. “The help desk is most prone to social engineering because they get rewarded for helping.”
Sjouwerman said that his company just completed a study showing that the help desk and human resources are among the most vulnerable areas because their mission is to help users and that can mean also helping hackers inadvertently. He noted that this doesn’t explain how such sensitive information happened to be on the computer that was breached. “The fact that there is a full list of everyone’s personal data is just unconscionable,” he said.
The success of this social-engineering ploy is no shock, Sjouwerman said. “It isn’t surprising, but it should be,” he said. “You’d assume after major government hacks, everyone would be thinking three times before they gave out this type of information.”
This is one instance in which security awareness training is a critical factor that’s missing from whomever gave out the access information. “Obviously, stepping people through effective security awareness training is necessary,” Sjouwerman said. But he cautioned, “Exposing them to death by PowerPoint just doesn’t cut it” as an adequate security training strategy.
Part of the problem is that people confuse compliance with security, Sjouwerman explained. He added that it’s critical to sell internal security to all employees, but especially those who will be on the front lines of support. “You need to sell an internal security culture,” he said.