BlueLeaks target public safety data files in disturbing hack attacks
The recent release of over 270 gigabytes worth of sensitive law enforcement data to the Denial of Secrets website has been in the news recently, as they’ve dubbed the collection “BlueLeaks.” The collection, verified by the National Fusion Centers Association, includes over ten years’ worth of sensitive data, including Personally Identifiable Information (PII), banking information, images of people under investigation and sensitive government and law enforcement reports. It is the latest in a long series of data breaches that revealed sensitive government information to the public at large.
This release of sensitive data from more than 200 police departments and the FBI could be a sign that law enforcement agencies are becoming a prime target for attacks, given recent civil unrest.
What motivates attackers in these breaches can vary widely. Some are activists working towards a specific civic goal, while others are political actors or rival state actors looking to achieve some political end or even criminal organizations. In any case, as information security professionals, it is our role to try to prevent these breaches from happening in the first place and to mitigate the damage as much as possible when they do.
In this case, the data was acquired during a breach of a “Fusion Center” operated by Netsential, a web development firm based in Houston, Texas. Fusion centers serve as a clearinghouse that disseminates law enforcement and public safety information between partners. Typically, the Fusion Centers’ partners are law enforcement and safety organizations at the local, county, tribal, state, and federal levels.
Concerning Breach, But Not Uncommon
Security researcher Brian Krebs reported that the data was exposed by a group known as Distributed Denial of Secrets, or DDoSecrets, which provides an anonymous platform for publishing of “materials submitted by sources, both leakers and hackers.”
DDoS Secrets announced on Twitter that it had posted “ten years of data from over 200 police departments, fusion centers, and other law enforcement training and support resources. Among the hundreds of thousands of documents are police and FBI reports, bulletins, guides and more.”
Krebs reported that among the trove of leaked personnel and departmental confidential information exposed were names, email addresses, phone numbers, PDFs, images, text and video, including suspect data.
While the timing of this release during a period of civil and political tension makes it especially relevant, it is unusual only in character. Breaches of financial, personal, medical, business, and intellectual property data all result from a similar set of circumstances using comparable tools and techniques. While the details of the Netsential breach are not public, they did confirm that the leak was most likely caused by a compromised user account that allowed the attackers to upload malware that ultimately led to the data exfiltration.
These are common tactics and the techniques we can use to prevent them are also common. User education is often the easiest first step, especially with our current environment. Much of the workforce has gone remote since the early months of 2020, but how many organizations have updated their policies and processes to compensate for this shift in the attack surface? How many users can identify the common techniques attackers use to steal credentials or compromise home systems? When was the last time the workforce was tested against the kinds of real-world attack scenarios that they’re likely to see?
What about user authentication? How many organizations are using multi-factor authentication as their standard procedure? While there have been some attacks against these systems, they have proven to be much more effective than simple passwords. We can’t tell from the publicly revealed information whether improved education or MFA would have thwarted this particular breach. It’s possible that multi-factor authentication was in place and the users had recent training and the attackers got in through some other breach, but these are still best practices worth implementing.
How a SOC Can Help Mitigate
The organization’s Security Operations Center and SecOps team can play a vital role in mitigating a breach. When an attacker manages to compromise a user or system in the environment, they still need to identify their target, reach it, and exfiltrate it from the network. The right tools and training in the SOC can often break the attack chain and prevent malicious actors from completing their mission. The challenge is identifying an attack early enough to mitigate the effect, which has been made more complex by the shift to more remote workers and the ongoing moves to third party and SaaS applications.
Even with the latest generation of tools in place, such as AI-based advanced security analytics, it can be difficult for an organization to see into the partner environments, SaaS applications, third-party vendors, contractors, etc., to make sure they are also up to the security standards the organization has set for itself. Difficult, but not impossible. By educating users, deploying the most effective tools, leveraging machine learning, and requiring that partner organizations follow the same best practices, it is possible to manage risk even in our rapidly evolving environments.
And these techniques, education and team strategies are more important than ever. In today’s climate, both law enforcement and enterprises are intended targets for this type of data breach, and a wide range of threat actors, from activists to nation-states, are seeking to reveal and exploit confidential information. Going forward, especially with the current election cycle, we can expect to see more events like this – both on public institutions and enterprises.
About the author: Saryu Nayyar is CEO of Gurucul, a global cybersecurity company that is changing the way organizations protect their most valuable assets, data and information from insider threats and external cyberattacks, both on-premises and in the cloud. She is an internationally recognized cybersecurity expert, author and speaker with more than 15 years of experience in information security, identity and access management, IT risk and compliance, and security risk management sectors. She was named EY Entrepreneurial Winning Women in 2017. She has held leadership roles in security products and services strategy at Oracle, Simeio, Sun Microsystems, Vaau (acquired by Sun) and Disney, and held senior positions in the technology security and risk management practice of Ernst & Young.