A hacker is selling stolen credentials that purportedly give access to servers of the US Navy, Centres for Disease Control, US Postal Service, and other US government sites.
Listings for the accounts were found recently by Tech Insider on a dark web marketplace called The Real Deal, a popular site many cyber criminals use for buying and selling everything from illegal drugs to zero-day software exploits. It’s unclear when the postings were made, since the site offers no dates for when sellers create their listings.
In all, the seller “popopret” was offering file transfer protocol (FTP) access to servers of noaa.gov (National Oceanic and Atmospheric Administration), usps.gov (The US Postal Service), cdc.gov (Centres for Disease Control), jpl.nasa.gov (NASA Jet Propulsion Laboratory), and navy.mil (US Navy).
Prices range from 0.5 Bitcoin ($329) for the CDC to 3.5 Bitcoin for the Navy, or about $2,300 at current market rates.
Popopret told Tech Insider the credentials were acquired by “sniffing a botnet,” which suggests the hacker had hijacked a large number of computers (a botnet) and was actively keeping an eye on them (sniffing) for interesting traffic being passed through, such as usernames, passwords, and documents.
Tech Insider could not independently verify this claim or whether the seller’s credentials are legitimate. However, it’s worth noting that The Real Deal is often the source of major data breaches and hacker exploits. The site also allows payments to be placed into escrow, so a buyer can confirm that what they are buying is as described before their money is transferred to the seller.
What the purported credentials can actually be used for also remains unclear.
Since the seller is offering accounts for either FTP (file transfer protocol) or SFTP (secure file transfer protocol), it’s likely these give access to the backend of public-facing websites. Web developers typically upload changes to websites via FTP, so a hacker with that same level of access could deface a website by replacing a file with one of their own.
For instance, a hacker could potentially connect to the CDC server and upload a new homepage with a hoax warning of a dangerous Ebola outbreak in the US, or to the Jet Propulsion Laboratory with a faked message claiming that a devastating asteroid was headed toward Earth. While such defacements would likely be corrected quickly, they have the potential to be market-moving events.
Still, a hacker could go further than defacement if the user accounts being sold carry a higher level of access.
“If you had root access, you should be able to … do whatever you wanted,” a hacker told Tech Insider on condition of anonymity, since he is a “grey hat” who wants to maintain personal security. “I would personally save the server to attack another site from a .mil,” he added, meaning that he could potentially hack into some other network that would likely trace the intrusion back to the US government.
Tech Insider reached out to all of the government agencies with purported credentials being sold. The Centres for Disease Control, Jet Propulsion Laboratory, and US Navy declined to comment.
The US Postal Service told Tech Insider its corporate information security office would conduct “criminal investigations into these activities.”
The National Oceanic and Atmospheric Administration provided the following statement:
“NOAA takes all cyber threats seriously,” Ciaran Clayton, a spokesperson for NOAA, told Tech Insider. “Our Cyber Security Division reviewed the purported NOAA File Transfer Protocol sites found for sale online in the Dark Web. NOAA has concluded that these are not valid sites, and the agency is under no risk for any cyber vulnerability.”