Hackers Breach US Government, Sell Attack Source Code

Two linked hackers are selling tools used to breach US government and military networks along with a trove of 33,000 government staff records

Hackers responsible for stealing internal data and security credentials from US government employees are now offering to sell the source code of the malware used to breach those systems, according to researchers.

One of the hackers, previously linked to breaches of sites including LinkedIn and Twitter, is offering a previously unknown trove of more than 30,000 records on US government employees, which could be used in conjunction with the tools to launch further targeted attacks, the researchers said.

GovRat 2.0

The tool, called GovRat, went up for sale on black-market web marketplaces in mid-May and is an update to malware first identified late last year, said IT security firm InfoArmor in a new study.

The individual who developed GovRat, and who uses the pseudonyms “popopret” or “bestbuy”, seems to have distributed the malware to government and military staff using malicious code embedded in web pages or malicious advertisements, the study found.

In this way the attacker apparently stole a number of login credentials to US government servers, which were then listed for sale on black market sites including The Real Deal, InfoArmor said.

The tools used to collect the data are also being sold on The Real Deal and a secretive marketplace called Hell, according to the study.

New US government breach

The hacker appears to be linked to another individual who uses pseudonyms including “Peace of Mind” and “PoM”, and who has been linked to some of the most serious breaches of personal data in recent months, including troves stolen from LinkedIn, MySpace, Twitter, Tumblr and Russian site VK.com, in all more than 800 million records, according to InfoArmor.

“Peace of Mind” is now selling a trove of 33,000 records claimed to be those of US government employees and which can be used in conjunction with GovRat for the targeted delivery of malware.

The firm said it determined that most of the data appears to have been stolen from the US’ National Institute of Building Sciences (NIBS), which has members in the research, educational, government and military sectors.

“This database has over 33,000 users and their contact information from various government, military and educational organizations, along with stored passwords in hashed form,” wrote InfoArmor chief intelligence officer Andrew Komarov in the report.

The passwords are stored in an encrypted form but can be decoded, according to Komarov.

Mega-breaches

The apparent breach of the NIBS has not been previously reported but, if found to be legitimate, would surpass the estimated 21.5 million records stolen from the US government’s Office of Personnel Management (OPM) beginning in 2014 and disclosed last year.

The NIBS has yet to respond to a request for comment.

Little is known about “Peace of Mind” or “popopret”, but in an interview published by technology website Wired earlier this year “Peace of Mind” stated that most of the hacked data being sold was initially obtained by a group of Russian computer hackers.

The data was first used by the group to conduct its own targeted attacks before later being sold directly to other hackers, “Peace” said in the interview.

The OPM hack, by contrast, was probably carried out by China, US director of national intelligence James Clapper said last year.
