Hacker claims breach of US immigration services


A well known hacker claimed to have breached the US Citizenship and Immigration Services (USCIS), but the US agency now says those claims are false.

The hacker, known in the cyber underworld as IntelBroker, announced the breach Monday to the popular hacker repository, vx-underground.

But now a USCIS spokesperson put out an official statement Tuesday that after a thorough review, the agency was definitely not hacked.


"Social media claims that a third-party gained unauthorized access to internal USCIS information are wrong. USCIS conducted a thorough review and determined that allegation is inaccurate," the USCIS said.

“The images in the claim are from a vendor-provided demo account with fake names and contact information,” the statement explained.

“No immigration records managed by USCIS have been compromised, and personal identifiable information provided to the agency by applicants and petitioners remains safe,” USCIS said.

According to vx-underground – who has since apologized for the “bad information” – the USCIS statement was reported on Twitter by two known security journalists, who received the ‘false breach’ statement directly from the agency.

One Twitter user yesterday seemed suspicious right off the bat, directly asking about the legitimacy of the information.

“Are we sure this isn’t test data? Because the domain in those redacted emails does not exist,” the user tweeted, along with a screenshot of the failed domain query.


IntelBroker originally told vx-underground they had breached the US agency by exploiting vulnerabilities in the AWS government cloud storage.

Vx-underground then broke the news on Twitter to its nearly 200k followers.

“IntelBroker, a notorious initial access broker from Breached, has returned from his hiatus,” the group tweeted.

“He has informed vx-underground he's compromised the United States Citizenship and Immigration Services by discovering a publicly exposed AWS bucket,” the tweet said.

The group insinuated that a commonly used weak credential pair, “Admin:Password1”, could have been what led to the breach.

The AWS bucket, which IntelBroker said was the weak link he used to breach the system, is essentially a cloud storage container in which an agency keeps its data for easy access.

The leaked data, now known to be part of a government test website, showed what appeared to be information from an actual United Nations agency that handles refugee applications for the United States, known as the UN Refugee Agency (UNHCR).

The samples posted by vx-underground showed parts of a ‘fake’ database of ‘fake’ refugee names, and a site that the refugees would use to schedule an appointment with the agency.

The sample also showed what we now know to be fake employee names and email addresses, apparently set up as a demo site for the agency.

[Image: UN refugee data exposed by IntelBroker. Alleged data sample, IntelBroker, vx-underground]

[Image: UN employee data exposed by IntelBroker. Alleged data sample, IntelBroker, vx-underground]

If this kind of information had been exposed in the wild, such a leak could have exposed refugees, their families, and UN employees, opening them up to persecution, extortion, and blackmail.

Because the AWS GovCloud (US) is supposed to supply the “most stringent U.S. government security and compliance requirements,” this kind of breach would have been a big deal.

Over 7,500 US government agencies are presently using the Amazon Web Services (AWS) cloud platform aka AWS GovCloud (US), according to Amazon.

Meanwhile, it's not the first time the infamous hacker has claimed to have compromised US government-related entities.

IntelBroker made headlines just last month for hacking into a Washington DC health insurance company and exposing dozens of records belonging to members of the US House and Senate.

The notorious serial hacker, also known as “thekilob,” had posted the leak and was actively trying to sell the data on the now defunct BreachedForums hacker marketplace.

IntelBroker was banned from BreachForums for violating the site's criminal code of ethics.

According to vx-underground, IntelBroker was not planning on selling access to or sharing the data, which he evidently believed was legitimate.


One Twitter user had joked that under a US government bug bounty program designed to reward ethical hacking, “If he reports then they will award him a $150 bounty. WOWOW.”

IntelBroker had been an active member of the Breached site since it came online to replace RaidForums (another hacker forum busted by the feds in spring 2022), boasting a high-scoring reputation among his fellow hackers.

BreachedForums was infiltrated by the FBI in March, and voluntarily taken down by its second-in-command, following the arrest of its alleged mastermind, a 20-year-old hacker from New York.

IntelBroker has also claimed responsibility for a number of high-profile leaks in the past year, including T-Mobile, US Cellular, and the US-based online grocery delivery service Weee!

Since the Breached takedown, multiple hacker forums have popped up on the web in recent weeks, all claiming to be its official replacement.

The influx of these alternative sites has led to fears among the hacker community that the so-called successors are really just fake sites, known as honeypots, set up by the feds to infiltrate the cybercriminal world.