April 13, 2019
TechCrunch has broken the news on the hack of several FBI-affiliated websites. The hackers got into the websites and downloaded all the data, which they then uploaded to their own website and made available for download.
FBI affiliate websites were insecure
The FBI National Academy Association (FBINAA), which is located at Quantico, VA, is the organization that was breached. The FBINAA is responsible for promoting federal law enforcement leadership and training across all 50 states in the US. FBINAA works with various chapters around the country to organize its activities and events. Three of the websites of its chapter members were breached by the hackers, allowing the attackers to download all information off their servers.
One of the hackers, who talked to TechCrunch through a secure chat, said that the security flaws in the websites they had hacked were mainly public exploits. They did not use anything undiscovered or flaws that had not been fixed. This indicates that the three websites that they downloaded the information from were running older software that had not been updated. Server software and plugins that are not updated regularly are massive security risks, and most website administrators keep their systems as up to date as possible.
More to come from the hacker group
During the encrypted chat with one of the hackers, TechCrunch also managed to find out more regarding the future of the hacker group. The hacker they talked to said that there are ten people in the group and that the three FBI-affiliated websites were only the tip of the iceberg.
They said that they managed to hack over 1000 websites, and were in the process of organizing the data they had collected. They plan to sell the data on the dark web as soon as they have seen exactly what records they have been able to get and structure the data accordingly. They also stated that they would be publishing more stolen data from government-affiliated websites.
The hackers know that the police data might be used against federal agents and police officers, but say that they are not personally worried. The data uploaded onto their servers contains 4000 records, which include names, addresses, emails and job titles. The hacker said that the full database they are combing through has over one million data records from various organizations. Those include public service organizations as well as more law enforcement agencies.
When asked for proof, the hacker sent the TechCrunch journalist a link to another site that was affiliated with FBINAA. When the journalist opened the website, it had been defaced with a screenshot of the chat from moments earlier. The hacker provided more proof by doing the same with other breached websites. One was a subdomain of Foxconn. Foxconn is a Taiwanese manufacturing giant that is best known for making the iPhone.
The domain in question, which was the backend of a Lotus webmail system, was accessed without a password or username. The system had provided them with the names and contact details of thousands of employees of the company.
Ultimately, the hacker admitted that all the group was after was fame and money. There were no political or social statements made. They didn’t do it to shed some light on the poor security of many law enforcement agencies, though it is a lesson that every single one should learn.