
Threat Actor Claims to Have Stolen DARPA Files From GE, Data Theft Remains Unconfirmed

IntelBroker, one of the bigger names in the ransomware and data extortion world over the past year, claims to have broken into General Electric (GE) and stolen sensitive military files belonging to DARPA. GE has yet to confirm the data theft, only saying that it is still investigating the incident.

Though IntelBroker is a genuine threat actor with a track record of confirmed data theft, some elements of the claimed breach raise questions about its authenticity, not least that access to the supposed DARPA files was offered for only $500 on a hacking forum (and apparently had no takers). The hacker has posted images that appear to come from GE Aviation’s military projects, but has not shared sample files.

Possible GE data theft may have included military secrets

GE has multiple contracts with DARPA that range from vaccine delivery systems to the development of military drones. GE Aviation develops hypersonic jets and “flying boat” planes for the US military among other projects.

IntelBroker’s GE listing first appeared on BreachForums in early November, offering access to GE’s development and software pipelines for $500. When that apparently found no takers, the hacker added the claimed plunder from the data theft to sweeten the offer in a November 22 update to the original post.

GE has told the media that it is aware of the hacker’s claims and is investigating the alleged data theft, but has yet to confirm anything. It added that it would take “appropriate measures” to ensure that its systems are secure.

IntelBroker is a threat actor that has been active since at least late 2022, and is unusual in racking up substantial data theft incidents while claiming to operate as an individual. Previous IntelBroker attacks include an early 2023 hit on the Weee! grocery delivery service, which exposed personal information for over one million customers who had placed delivery orders, and the March breach of the District of Columbia’s D.C. Health Link program, which exposed the contact information of some members of Congress as well as Social Security numbers. That latter attack prompted a flurry of action by House and Senate members, including a hearing, but the hacker’s use of BreachForums to attempt to sell such sensitive information led some in the security community to conclude that they were an inexperienced amateur. IntelBroker has also claimed breaches of Volvo, Dr. Martens and The Body Shop that involved data theft.

Data theft remains in question pending GE confirmation

Until GE confirms the breach, there is reason to doubt that it is legitimate. Aside from the oddly low asking price for such sensitive information and the thin proof offered, IntelBroker’s known history mostly involves locating misconfigured and unprotected internet-facing databases rather than advanced intrusion or phishing skill. While it is not impossible for GE to have exposed a database containing DARPA project information in this way, it seems unlikely. That may well be why the hacker had such trouble finding “serious buyers” for this offer.
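The exposed-database pattern described above (a datastore listening on a routable address with authentication switched off) is worth being able to spot in one's own estate before a threat actor does. The following is an added example, not code from the article, from GE or from any of the quoted vendors: a small audit of the flat key/value form of an Elasticsearch `elasticsearch.yml`, run over two constructed configurations, one weak and one hardened. The setting names are real Elasticsearch settings; the list of special bind aliases, the severity labels and the sample configs are assumptions made for illustration.

```python
"""Added example: audit a flat elasticsearch.yml for the exposed-database
pattern (listening beyond loopback with security off).

The two configs below are constructed for illustration only; they are not
GE's or anyone else's real configuration.
"""
from __future__ import annotations

import ipaddress

# Elasticsearch special values for network.host. Assumption: this short list
# covers the common cases; unknown hostnames are treated as exposed.
LOOPBACK_VALUES = {"_local_", "localhost"}
WILDCARD_VALUES = {"0.0.0.0", "::", "_global_", "_site_"}


def parse_flat_yaml(text: str) -> dict[str, str]:
    """Parse the flat 'dotted.key: value' lines elasticsearch.yml normally uses.

    Deliberately minimal: nested YAML blocks are not handled, and '#' always
    starts a comment, so a value containing '#' (e.g. a password) is truncated.
    """
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip("'\"")
    return settings


def is_beyond_loopback(host_setting: str) -> bool:
    """True if any listed bind address is reachable from off the host."""
    for host in host_setting.strip("[]").split(","):
        host = host.strip().strip("'\"")
        if not host or host in LOOPBACK_VALUES:
            continue
        if host in WILDCARD_VALUES:
            return True
        try:
            if ipaddress.ip_address(host).is_loopback:
                continue
        except ValueError:
            pass  # a DNS name: assume it resolves to a routable address
        return True
    return False


def audit_elasticsearch(config_text: str) -> list[tuple[str, str]]:
    """Return (severity, message) findings for the exposed-database pattern."""
    s = parse_flat_yaml(config_text)
    findings: list[tuple[str, str]] = []

    host = s.get("network.host", "_local_")  # ES binds loopback only when unset
    exposed = is_beyond_loopback(host)
    if exposed:
        findings.append(("info", f"network.host={host}: listener reachable beyond loopback"))

    auth = s.get("xpack.security.enabled", "").lower()
    if auth == "false":
        findings.append(("high", "xpack.security.enabled=false: REST API accepts unauthenticated requests"))
    elif auth != "true":
        findings.append(("medium", "xpack.security.enabled not set: the default has varied across versions, pin it to true"))

    tls = s.get("xpack.security.http.ssl.enabled", "").lower()
    if exposed and tls != "true":
        findings.append(("medium", "HTTP TLS not enabled: credentials and data cross the network in clear"))

    if exposed and auth != "true":
        findings.append(("critical", "reachable listener with authentication off or unverified: anyone who finds the port can dump every index"))
    return findings


# Constructed sample: the weak setting that turns a log cluster into a leak.
WEAK_CONFIG = """
cluster.name: build-pipeline-logs
network.host: 0.0.0.0          # reachable on every interface
http.port: 9200
xpack.security.enabled: false  # no authentication at all
"""

# Constructed sample: same cluster with the corrected settings.
HARDENED_CONFIG = """
cluster.name: build-pipeline-logs
network.host: 10.20.0.5        # private interface only; a firewall is still required
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name} ==")
        for severity, message in audit_elasticsearch(cfg):
            print(f"  [{severity}] {message}")
```

The hardened config still produces an informational finding for the non-loopback bind: binding to a private address is normal for a cluster, but the audit deliberately does not treat it as safe on its own, because a cloud security group or host firewall change is exactly how such a listener ends up on the public internet.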

GE has certainly not proven itself immune to breaches and data theft, however. A 2020 incident involving a third-party vendor, Canon Business Process Services, resulted in the loss of sensitive employee data such as banking information and identification documents. And an insider threat was caught and sentenced in early 2023: an engineer of Chinese descent was found to have passed confidential company aviation information to the Chinese government and was sentenced to two years in prison. If an exposed database turns out to be the cause here, however, it would be the first such incident at GE involving military secrets.

Troy Batterberry, CEO and founder of EchoMark, believes that it is entirely likely that a misconfigured or otherwise exposed database was left facing the internet for this threat actor to walk right into: “Unfortunately, we see this every day. Highly skilled and well-funded organizations are working hard to protect their data with security stacks that include security gap discovery and analysis, EDR, Cloud security, UEBA, Identity & Access Analytics, SOAR and even ransomware killswitches, but then leave much of their most sensitive data both unprotected and readily sharable. The recent leaks of sensitive government and judicial information are just a few examples. By digitally watermarking data and assets, organizations get several key benefits. First, they can help deter insider leaks from ever happening in the first place by motivating better stewardship of the private information. If malicious or accidental insider leaks do happen, the source can be quickly identified and remediated. In the case of a successful external attack, watermarks can help quickly identify the compromised assets for fast remediation.”

Though it is relatively small, with around 200 employees spread across six office locations, DARPA is arguably the most influential government research agency in world history, having influenced everything from space missions and satellites to personal computers and the Covid-19 vaccine. The agency’s mission focuses it on national security and defense projects, of which it runs about 250 at any given time, but the influence of that research often ends up driving advances in a wide variety of consumer technology. If the data theft turns out to be legitimate, the most likely impacted office would be the Aerospace Projects Office (APO), a relatively new branch tasked with maintaining US military air dominance.

Tom Kellermann, SVP of Cyber Strategy at Contrast Security, notes that this breach must be taken seriously regardless of how thin the evidence might be simply because of the extremely sensitive nature of the materials that could have been accessed: “This breach has serious national security implications. Aside from the theft of classified information, I am very concerned that GE’s environment is being used to conduct island hopping into Federal agencies. IntelBroker is notorious for selling access to compromised systems.”

“Since the breach occurred in the development environment, runtime security must be immediately implemented in conjunction with expansive threat hunting to identify the backdoor,” added Kellermann.

Darren Williams, CEO and Founder of BlackFog, adds: “IntelBroker has already been responsible for a handful of high-profile attacks, with a reputable ability to steal very sensitive information. This attack will not only have a negative impact on the company itself but could have substantial implications for the current sensitive military projects the company tends to work on, which could in turn threaten U.S. national security. Data related to the government is highly prized, so companies in collaboration with government agencies need to be reminded that they also have a responsibility to protect that data from exfiltration and malicious use. With the adoption and implementation of cybersecurity defenses that prevent data exfiltration both in the network and through third-party suppliers, the U.S. and affiliated companies can ensure they stay one step ahead of cybercriminals.”