More than three months after a hacker known as “USDoD” successfully breached the FBI’s InfraGard database in December 2022, the personal information of over 87,000 InfraGard members remains in active circulation on the Dark Web – free of charge.

The BlackCloak Threat Intel Team is warning all affected members of InfraGard and their respective organizations to remain vigilant, as this openly circulated data could be utilized by a wide range of criminal actors. BlackCloak has determined that the InfraGard full data dump, first posted for sale by the cybercriminals on December 10, 2022 and removed roughly one week later, was reposted only days later to other forums, including “Nulled.” This full database remains publicly available today for all who seek to access it.

This leak has not been indexed by major threat intel providers because it lacks highly sensitive information (such as Social Security numbers); however, the large database containing the personal details and contact information of America’s leading corporate executives still poses a significant risk of social engineering and targeted attacks against major US companies.

BlackCloak Bite: Corporate security teams, information security teams, CSOs, and CISOs in particular need to examine the data and educate their members on the potential risks associated with this membership list in the wild.

“The value of this repository has been minimized by some, as it does not contain what we normally consider to be high-value PII, but that is a very shortsighted analysis,” said Chris Pierson, CEO and Founder of BlackCloak. “There is no doubt that the cybercriminal community is looking at this database as yet another way to get reconnaissance on corporations and attack them outside the castle gates. Just because this database doesn’t include passwords, that doesn’t mean it is low risk.”

The InfraGard database is a “Who’s Who” of the country’s top security executives and can be used for targeted attacks on their personal email accounts, which are often not publicly available except through certain paid data broker services. Even with partial information, criminal actors can combine first name, last name, and chapter location to derive a generalized area in which to begin “hunting” for anyone on the list. They could target these executives with InfraGard “re-enrollment” scams and other phishing attacks.

What has not been fully appreciated is that this list provides a distinct roadmap of which key persons of interest can be targeted for attack. This InfraGard data can be further enriched with data broker information, and effective campaigns can be run against personal email addresses and adjoining document stores or other assets that lead to a corporate breach. The potential domino effects of this are quite troubling.

According to Pierson, it is a common mistake to overlook the long-term “combinational” value of stolen data when assessing the potential risk of a data breach. “Too often, we evaluate the level of risk of a breach independent of other factors. We fail to recognize how one set of stolen information can be combined with other breaches down the road. This is especially true for sophisticated criminal groups and nation-state actors, who may already have many different data sets to work with,” said Pierson.

If you are concerned about how this breach may impact you, your business, or your family, reach out to our team for assistance.