The U.S. Department of State is investigating a data breach that leaked sensitive government data belonging to the Pentagon and the Five Eyes intelligence alliance.
The data breach was carried out by an infamous hacker trio IntelBroker, Sanggiero, and EnergyWeaponUser and was first spotted by Dark Web Informer.
It affected Acuity Inc., a Reston, Virginia-based consulting firm that provides data analytics, cybersecurity, DevSecOps, and other IT services to federal and civilian government agencies.
Acuity data breach impacts the Five Eyes Alliance
On April 2, 2024, IntelBroker posted on BreachForums that they would publish government data stolen from the March 2024 Acuity data breach.
“Today, I am releasing the documents belonging to the Five Eyes Intelligence Group. This data was obtained by breaching into Acuity Inc, a company that works directly with the US Government and its allies,” posted IntelBroker.
The allegedly stolen government data included full names, emails, office numbers, personal mobile numbers, and email addresses of government, military, and Pentagon employees.
It also included classified information and communications between members of the Five Eyes and Fourteen Eyes alliances and other US allies.
Comprising the US, UK, Canada, New Zealand, and Australia, the Five Eyes alliance seeks to improve its members’ security through information gathering and sharing on various global threats, including cybersecurity.
The Fourteen Eyes alliance includes the original members of the Five Eyes and other non-English-speaking countries such as France, Germany, Denmark, the Netherlands, Norway, Belgium, Italy, Spain, and Sweden.
“Data exfiltration continues to plague government institutions which hold invaluable information pertaining to both national security initiatives as well as those who work on national security initiatives,” said Darren Williams, CEO and Founder of BlackFog. “Those members will likely be targets of phishing and social engineering attacks for some time. Government entities should be incredibly careful of which third-party firms they work with, especially regarding IT and cybersecurity efforts. Any third party that handles sensitive information should be vetted to ensure they invest in technology such as anti-data-exfiltration tools, which will prevent any unauthorized data from leaving the system.”
State Department investigating the government data breach
When contacted, the Department of State said it was aware of the alleged government data leak but withheld critical details for national security reasons.
“The Department is aware of claims that a cyber incident has occurred and is currently investigating,” a State Department spokesperson told news outlets. “The Department takes seriously its responsibility to safeguard its information and continuously takes steps to improve the Department’s cybersecurity posture. For security reasons, we will not provide details on the nature and scope of the claim.”
IntelBroker is notorious for leaking sensitive government data from various agencies, including the Immigration and Customs Enforcement (ICE), US Citizenship and Immigration Services (USCIS), and the Department of Defense.
The threat actor claimed they exploited a zero-day vulnerability to steal Acuity’s GitHub security tokens, which they then used to exfiltrate government data and perform other malicious actions. The hacker trio did not disclose whether the Five Eyes data breach was related to that incident.
The threat actor has not disclosed their motive for infiltrating one of the largest intelligence alliances. However, they tried selling the government data stolen from Acuity for $3,000 in Monero cryptocurrency (XMR), suggesting their actions were financially motivated.
The threat actor was also linked to the DC Health Link data breach that exposed over 170,000 individuals, including the U.S. House of Representatives members, their staff, and families.
IntelBroker was also responsible for the T-Mobile, USCellular, AT&T, Facebook Marketplace, Hewlett Packard Enterprise (HPE), and General Electric Aviation data breaches.
Meanwhile, Acuity Inc. and the Department of Homeland Security have challenged IntelBroker’s claims, including the validity of the leaked data. Acuity said the data breach affected GitHub repositories with “dated and non-sensitive information,” and its assessment found “no evidence of impact on any of our clients’ sensitive data.”
The tech firm said it was also cooperating with law enforcement authorities and had implemented additional security measures, including vendor security updates, to prevent further exploitation.