Saturday, May 28, 2022

DEA Investigating Breach of Law Enforcement Data Portal – Krebs on Security


The U.S. Drug Enforcement Administration (DEA) says it is investigating reports that hackers gained unauthorized access to an agency portal that taps into 16 different federal law enforcement databases. KrebsOnSecurity has learned the alleged compromise is tied to a cybercrime and online harassment community that routinely impersonates police and government officials to harvest personal information on their targets.

Unidentified hackers shared this screenshot of alleged access to the Drug Enforcement Administration’s intelligence sharing portal.

On May 8, KrebsOnSecurity received a tip that hackers obtained a username and password for an authorized user of esp.usdoj.gov, which is the Law Enforcement Inquiry and Alerts (LEIA) system managed by the DEA.

KrebsOnSecurity shared information about the allegedly hijacked account with the DEA, the Federal Bureau of Investigation (FBI), and the Department of Justice, which houses both agencies. The DEA declined to comment on the validity of the claims, issuing only a brief statement in response.

“DEA takes cyber security and information of intrusions seriously and investigates all such reports to the fullest extent,” the agency said in a statement shared via email.

According to this page on the Justice Department website, LEIA “provides federated search capabilities for both EPIC and external database repositories,” including data classified as “law enforcement sensitive” and “mission sensitive” to the DEA.

A document published by the Obama administration in May 2016 (PDF) says the DEA’s El Paso Intelligence Center (EPIC) systems in Texas are available for use by federal, state, local and tribal law enforcement, as well as the Department of Defense and the intelligence community.

EPIC and LEIA also have access to the DEA’s National Seizure System (NSS), which the DEA uses to identify property thought to have been purchased with the proceeds of criminal activity (think fancy cars, boats and homes seized from drug kingpins).

“The EPIC System Portal (ESP) allows vetted users to remotely and securely share intelligence, access the National Seizure System, conduct data analytics, and obtain information in support of criminal investigations or law enforcement operations,” the 2016 White House document reads. “Law Enforcement Inquiry and Alerts (LEIA) allows for a federated search of 16 Federal law enforcement databases.”

The screenshots shared with this author indicate the hackers could use EPIC to look up a variety of records, including those for motor vehicles, boats, firearms, aircraft, and even drones.

Claims about the purloined DEA access were shared with this author by “KT,” the current administrator of the Doxbin — a highly toxic online community that provides a forum for digging up personal information on people and posting it publicly.

As KrebsOnSecurity reported earlier this year, the previous owner of the Doxbin has been identified as the leader of LAPSUS$, a data extortion group that hacked into some of the world’s largest tech companies this year — including Microsoft, NVIDIA, Okta, Samsung and T-Mobile.

That reporting also showed how the core members of LAPSUS$ were involved in selling a service offering fraudulent Emergency Data Requests (EDRs), wherein the hackers use compromised police and government email accounts to file warrantless data requests with social media firms, mobile telephony providers and other technology companies, attesting that the information being requested can’t wait for a warrant because it relates to an urgent matter of life and death.

From the standpoint of individuals involved in submitting these phony EDRs, access to databases and user accounts within the Department of Justice would be a major coup. But the data in EPIC would probably be far more valuable to organized crime rings or drug cartels, said Nicholas Weaver, a researcher for the International Computer Science Institute at the University of California, Berkeley.

Weaver said it’s clear from the screenshots shared by the hackers that they could use their access not only to view sensitive information, but also to submit false records to law enforcement and intelligence agency databases.

“I don’t think these [people] realize what they got, how much money the cartels would pay for access to this,” Weaver said. “Especially because as a cartel you don’t search for yourself, you search for your enemies, so that even if it’s discovered there is no loss to you of putting things ONTO the DEA’s radar.”

The DEA’s EPIC portal login page.

ANALYSIS

The login page for esp.usdoj.gov (above) suggests that authorized users can access the site using a “Personal Identity Verification” or PIV card, which is a fairly strong form of authentication used government-wide to control access to federal facilities and information systems at each user’s appropriate security level.

However, the EPIC portal also appears to accept just a username and password, which would seem to radically diminish the security value of requiring users to present (or prove possession of) an authorized PIV card. Indeed, KT said the hacker who obtained this illicit access was able to log in using the stolen credentials alone, and that at no time did the portal prompt for a second authentication factor.
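To make that failure mode concrete, here is an added example that is not part of the original article and is not the DEA’s or anyone else’s real code: a small Python model of a portal login policy. The permissive policy accepts either a PIV card or a bare username and password, which is the behaviour described above; the strict policy accepts a PIV card or a password only when a second factor was verified. The audit function then runs over a constructed authentication log (the `key=value` format, field names and user names are all invented for this example) and reports every successful login that relied on nothing more than a password, which is the check a defender would want to run against such a portal’s own logs.

```python
"""Audit a portal's authentication log for password-only logins.

Added example (not from the article or the DEA). Models a portal that
advertises PIV-card login but also accepts a plain username and password,
and shows the audit a defender would run over the portal's own log.
The log format below is constructed for this example; a real portal's
log fields will differ.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class AuthEvent:
    user: str
    method: str          # "piv" or "password" (constructed vocabulary)
    second_factor: bool  # was an additional factor verified?
    result: str          # "success" or "failure" as logged by the portal


def parse_log_line(line: str) -> AuthEvent:
    """Parse one constructed 'key=value' log line into an AuthEvent."""
    fields = dict(token.split("=", 1) for token in line.split())
    return AuthEvent(
        user=fields["user"],
        method=fields["method"],
        second_factor=fields.get("mfa", "no") == "yes",
        result=fields["result"],
    )


def permissive_policy(ev: AuthEvent) -> bool:
    """The weak behaviour the article describes: a PIV card *or* a plain
    password is enough, so the PIV option adds nothing against an
    attacker holding stolen credentials."""
    return ev.method in ("piv", "password")


def strict_policy(ev: AuthEvent) -> bool:
    """Hardened form: a PIV card (itself card + PIN) is accepted; a
    password is accepted only when a second factor was verified."""
    if ev.method == "piv":
        return True
    return ev.method == "password" and ev.second_factor


def password_only_successes(log_lines: List[str]) -> List[str]:
    """Return the users who were granted access with nothing more than a
    username and password. Under the strict policy this list is empty."""
    flagged = []
    for line in log_lines:
        ev = parse_log_line(line)
        if ev.result == "success" and not strict_policy(ev):
            flagged.append(ev.user)
    return flagged


# Constructed sample log: not real portal output.
SAMPLE_LOG = [
    "ts=2022-05-08T01:12:03Z user=agent.alpha method=piv mfa=yes result=success",
    "ts=2022-05-08T02:40:17Z user=liaison.bravo method=password mfa=no result=success",
    "ts=2022-05-08T02:41:55Z user=liaison.bravo method=password mfa=no result=failure",
    "ts=2022-05-08T03:05:09Z user=analyst.charlie method=password mfa=yes result=success",
]

if __name__ == "__main__":
    for name in password_only_successes(SAMPLE_LOG):
        print(f"password-only login without a second factor: {name}")
```

Run against the sample log, the audit flags only `liaison.bravo`: the PIV login and the password login that included a second factor pass the strict policy, while the failed attempt is ignored because it never produced a session. The same event that the permissive policy waves through is exactly the one the strict policy rejects, which is the gap between what the login page advertises and what it enforces.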

It’s not clear why there are still sensitive government databases being protected by nothing more than a username and password, but I’m willing to bet big money that this DEA portal isn’t the only offender here. The DEA portal esp.usdoj.gov is listed on Page 87 of a Justice Department “data inventory,” which catalogs all of the data repositories that correspond to DOJ agencies.

There are 3,330 results. Granted, only some of those results are login portals, but that’s just within the Department of Justice.

If we assume for the moment that state-sponsored foreign hacking groups can gain access to sensitive government intelligence in the same way as teenage hacker groups like LAPSUS$, then it’s long past time for the U.S. federal government to perform a top-to-bottom review of authentication requirements tied to any government portals that traffic in sensitive or privileged information.

I’ll say it because it needs to be said: The United States government is in urgent need of leadership on cybersecurity at the executive branch level — ideally someone who has the authority and political will to eventually disconnect any federal government agency data portals that fail to enforce strong, multi-factor authentication.

I realize this may be far more complicated than it sounds, particularly when it comes to authenticating law enforcement personnel who access these systems without the benefit of a PIV card or government-issued device (state and local government, for example). It’s not going to be as simple as just turning on multi-factor authentication for every user, thanks in part to the broad diversity of technologies being used across the law enforcement landscape.

But when hackers can plunder 16 law enforcement databases, arbitrarily send out law enforcement alerts for specific people or vehicles, or potentially disrupt ongoing law enforcement operations — all because someone stole, found or bought a username and password — it’s time for drastic measures.
