A database supposedly from a sample of information stolen in the much publicized hack at the Office of Personnel Management (OPM) has been making the rounds in the cybercrime underground, with some ne’er-do-wells even offering to sell it as part of a larger package. But a review of the information made available as a teaser indicates that the database is instead a list of users stolen from a different government agency — Unicor.gov, also known as Federal Prison Industries.
Earlier this week, miscreants who frequent the Hell cybercrime forum (a “Deep Web” site reachable only via the Tor network) began passing around a text file that contained more than 23,000 records which appeared to be a user database populated exclusively by user accounts with dot-gov email addresses. I thought it rather unlikely that the file had anything to do with the OPM hack, which was widely attributed to Chinese hackers who are typically interested in espionage — not selling the data they steal on open-air markets.
As discussed in my Oct. 2014 post, How to Tell Data Leaks from Publicity Stunts, there are several simple techniques that often can be used to tell whether a given data set is what it claims to be. One method involves sampling email addresses from the leaked/hacked database and then using them in an attempt to create new accounts at the site in question. In most cases, online sites and services will allow only one account per email address, so if a large, random sampling of email addresses from the database all come back as already registered at the site you suspect is the breached entity, then it’s a safe guess the data came from that entity.
How to know the identity of the organization from which the database was stolen? In most cases, database files list the users in the order in which they registered on the site. As a result, the email addresses and/or usernames for the first half-dozen or more users listed in the database are most often from the database administrators and/or site designers. When all of those initial addresses have the same top-level domain — in this case “unicor.gov” — it’s a good bet that’s your victim organization.
According to Wikipedia, UNICOR is a wholly owned United States government corporation created in 1934 that uses penal labor from the Federal Bureau of Prisons to produce goods and services. It is apparently restricted to selling its products and services to federal government agencies, although recently private companies gained some access to UNICOR workforce. For instance, companies can outsource call centers to UNICOR. Case in point: If you call UNICOR’s main number off-hours, the voicemail message states that during business hours your call may be handled by an inmate!
On Tuesday, I reached out to UNICOR to let them know that it appeared their user database — including hashed passwords and other information — was being traded on underground cybercrime forums. On Wednesday, I heard back from Marianne Cantwell, the public information officer for UNICOR. Cantwell said a review of the information suggests it is related to an incident in September 2013, when Federal Prison Industries discovered unauthorized access to its public Web site.
“Since that time, the website software has been replaced to improve security. Assessments by proper law enforcement authorities were conducted to determine the extent of the incident, at the time it was discovered,” said Cantwell, who confirmed the incident hadn’t been previously disclosed publicly. “Limited individuals were deemed to be potentially impacted, and notifications were made as a precautionary measure. Federal Prison Industries is sensitive to ensuring the security of its systems and will continue to monitor this issue.”
The “website software” in question was ColdFusion, a Web application platform owned by Adobe Systems Inc. Around that same time, hackers were running around breaking into a number of government and corporate Web sites and databases using ColdFusion vulnerabilities. In October 2013, I wrote about criminals who had used ColdFusion exploits to break into and steal the database from the National White Collar Crime Center (NW3C), a congressionally-funded non-profit organization that provides training, investigative support and research to agencies and entities involved in the prevention, investigation and prosecution of cybercrime.
There is no information to link the hack at UNICOR to the crooks behind the NW3C compromise, but it’s interesting to note that those responsible for the NW3C attack also had control over the now-defunct identity theft service ssndob[dot]ms. That service, which was advertised on cybercrime forums, was powered in part by a small but powerful collection of hacked computers exclusively at top data brokers, including LexisNexis, Dun & Bradstreet, and HireRight/Kroll.