While America was getting ready to watch the Super Bowl on Sunday, a hacker promised he would dump online a list of more than 20,000 agents of the Federal Bureau of Investigation and 9,000 Department of Homeland Security officers.
Right after the big game's kickoff, the cybercriminal carried out part of his promise, publishing a list of 9,000 DHS employees. On Monday, less than 24 hours later, the hacker, who wishes to remain anonymous, has fulfilled the remaining part of his promise.
"Long Live Palestine, Long Live Gaza," reads a message at the top of the dump, which also included the hashtag "#FreePalestine."
The hacker provided Motherboard with a copy of the data on Sunday. The list includes names, email addresses (many of which are non-public) and job descriptions, such as task force deputy director, security specialist, special agent, and many more. The list also includes roughly 1,000 FBI employees in an intelligence analysis role.
Motherboard reached out to some random numbers on the list, and most corresponded to the names listed, while a small number went through generic FBI operator desks. The FBI did not respond to a request for comment, deferring to the Department of Justice.
A spokesperson for the DOJ told Motherboard on Monday that the department "is looking into the unauthorized access of a system operated by one of its components containing employee contact information."
"This unauthorized access is still under investigation; however, there is no indication at this time that there is any breach of sensitive personally identifiable information," DOJ spokesperson Peter Carr said in a statement.
Carr's statement seems to confirm what the hacker told Motherboard. The cybercriminal reached out to Motherboard through an apparently compromised DOJ email account earlier last week, and claimed to have obtained the stolen data by compromising that account and then using it to access a DOJ portal.
After tricking a department representative into giving him a token code to access the portal, the hacker claimed he used the compromised credentials to log into the portal, where he gained access to an online virtual machine. From here, the cybercriminal was presented with three different computers to access, he said, one of which belonged to the person behind the compromised email account. The databases of DHS and FBI details were on the DOJ intranet, the hacker said.
"This is not one hack. This is an ongoing hack against the United States government."
Some of the data from the DHS list appears to be outdated, according to The Guardian. In any case, a DHS spokesperson said the agency is looking into the reports, though "there is no indication at this time that there is any breach of sensitive or personally identifiable information."
Michael Adams, an information security expert who served more than two decades in the US Special Operations Command, criticized the US government for its failure to protect data, especially in the aftermath of the embarrassing and damaging hack on OPM, the government agency that handles employee information.
"What has anybody in the United States government learned?" Adams told Motherboard in a phone interview. "They're not doing information security fundamentals, obviously. It's just fucking unacceptable."
This latest data dump comes on the heels of a long series of attacks on US government employees. In October, a group of hackers calling itself "Crackas With Attitude" (CWA) broke into the AOL email of CIA director John Brennan. The hacktivists then targeted several other high-profile government employees, including the US spy chief James Clapper, a White House official, and others.
Last year the hacktivists were also able to break into a US law enforcement portal, gaining access to a series of information sharing tools. This hack allegedly allowed them to download one or more databases of US government employees. In November, the CWA hackers released two lists of law enforcement agents from several departments, one containing around 2,300 names, and another containing almost 1,500 names. Both lists seemed incomplete, given that they were in alphabetical order and only included names starting with the first letters of the alphabet.
The CWA hackers appear to have shared the databases stolen last year with others. In January, another group of cybercriminals released a list of 80 police officers from Miami, Florida.
It's unclear if this new dump was carried out by the same hackers behind these past exploits. The person or people behind the Twitter account that first tweeted the DHS list on Sunday told Motherboard that this data doesn't come from last year's portal hack, and said that they were not Cracka, the leader of the hacking group CWA.
The account, however, used the hashtag #FreePalestine in several of his tweets. This is the same hashtag Cracka and his associates have used since the beginning to show support to Palestine, which they claimed is the motivation behind their hacks.
The data dump on Sunday opened with a quote from the rap song Long Live Palestine: "This is for Palestine, Ramallah, West Bank, Gaza, this is for the child that is searching for an answer."
In one of its first tweets, which has since been deleted, the Twitter account that shared the stolen data also mentioned "@Fruityhax" as their "leader." Last year, after the Brennan hack, the Twitter account Fruityhax was linked to a hacker only known as Cubed, who claimed to be one of the leaders of CWA, along with Cracka.
"This is not one hack," Adams said. "This is an ongoing hack against the United States government, whether it's from one or more actors is unknown."
Joseph Cox contributed reporting for this story.