On Friday, Motherboard reported that a teenager allegedly behind the hacks of CIA Director John Brennan, and a host of other audacious breaches, was recently arrested in the East Midlands, UK. But despite the arrest of the alleged hacker, more worrying details about the extent of the hack are continuing to come to light.
In a previous interview with Motherboard, the hacker who dumped details about 20,000 Federal Bureau of Investigation and 9,000 Department of Homeland Security employees claimed he had also downloaded around 200GB of internal government files.
A number of other hacked files have been obtained by Motherboard, and include apparent digital forensics reports from the Drug Enforcement Administration as well as emails from the State Department.
The hacker also took several screenshots while he was inside the Department of Justice’s intranet, highlighting what a serious data breach this really was. However, the obtained cache is much smaller in size than the 200GB originally claimed, totaling only around 20MB, and it has not been publicly released. It is not totally clear whether the hacker downloaded more data than what has been shared with Motherboard.
Two PDF files, named “SMS Data Report” and “Device Locations Report_Redacted” are explicitly marked as coming from the DEA Digital Evidence Laboratory.
The first appears to come from a real DEA investigation, listing the case number and name, the name of the examiner and agent, the device analysed (in this case, an Apple iPhone 5), and includes the content of tens of thousands of text messages, as well as those that had been deleted. The examination was carried out using Cellebrite, an established piece of forensics software. The report is over 1,000 pages long, and many of the text messages are in Hebrew.
The second file includes around 60 pages of location data from a suspect's device. It appears to be related to the same case as the previous PDF, and is dated as June 2015.
Two other large PDF files include reams of Facebook and Viber metadata, seemingly obtained from the suspect's device. A spreadsheet included in the cache lists metadata for Apple Facetime and calls made from the iPhone.
“They appear to be documents from a forensic search conducted on a phone or Facebook account related to an actual DEA investigation,” Melvin S. Patterson from the DEA’s public affairs office told Motherboard in an email. He continued that these sort of documents don’t come from DEA databases that contain sensitive investigative case files, but are instead sent by a forensics laboratory.
None of this data may be that interesting in and of itself, but it does show the breadth of information that the hacker was able to access. In an earlier interview with Motherboard, the hacker claimed he breached the DoJ systems by pretending to be a new employee in order to gain access to the institution's web portal, and in turn a shared computer network.
In one of the newly obtained screenshots, the hacker appears to have reached a section of the Department of Justice network that allows him to look up information on more than two dozen agencies, including the DEA, the Department of Justice's Criminal Division, the Tax Division and the Office of the Inspector General.
According to CNN's report of the arrest, investigators found that the hacker had reached sensitive documents such as those related to investigations and legal agreements. The cache of files obtained by Motherboard seem to support that.
The hacker also seemingly downloaded just under 400 emails from the State Department. However, many of these appear to be from the HR division, and are marked as unclassified.
The files were shared with Motherboard by Thomas White, a UK-based technologist who regularly mirrors hacked data, including the recent FBI and DHS data dumps. White said he was provided the data by the hacker responsible.
Peter Carr, a spokesperson from the Department of Justice, as a matter of policy, declined to confirm the authenticity of any of the documents.
In a statement, Carr wrote, “The department is looking into the unauthorized access of a system operated by one of its components containing employee contact information. This unauthorized access is still under investigation; however, there is no indication at this time that there is any breach of sensitive personally identifiable information. The department takes this very seriously and is continuing to deploy protection and defensive measures to safeguard information. Any activity that is determined to be criminal in nature will be referred to law enforcement for investigation."
On Thursday, Motherboard reported that the FBI was attempting to remove the dumped data from websites by sending takedown requests to those hosting the data. The subject line of the FBI agent's email read “Sensitive Information Leaked on your site.”
The FBI declined to comment.
If the FBI and UK law enforcement really have arrested the teenager behind these breaches, then perhaps this wave of activity will now cease. Regardless, the breach has revealed that multiple US agencies need to seriously rethink their strategy for keeping data secure.
Screenshot: Lorenzo Franceschi-Bicchierai