The hackers responsible for breaching the Department of Justice (DoJ) computer systems may have abandoned their joint Twitter profile – which was used to post links to around 29,000 stolen federal credentials – but the search for the culprits is only going to intensify. That's the view of Leo Taddeo, a former special agent in charge of special operations at the FBI's cyber-division in New York, who told IBTimes.co.uk that the hackers' days are numbered.
"What is as certain as tomorrow's sunrise is the fact that the FBI will put significant resources into finding whoever is responsible," he said. "Many criminals try to gain notoriety by embarrassing the FBI. Sooner or later, most of them wind up in a federal penitentiary.
"While the FBI can't catch all hackers, it can identify and arrest almost any hacker when it decides it's important enough. The hackers in this case just made a huge mistake in their risk-reward calculation."
Taddeo speaks from experience. During his time at the FBI – which is one of several law-enforcement agencies administered by the DoJ – he led more than 400 agents and was involved with a number of high-profile hacking cases, from the Silk Road investigation to the landmark breach at banking giant JP Morgan. Now he is responsible for analysing the cyber-security landscape for US-based security firm Cryptzone.
The next moves
"There are very few options for the FBI and Department of Justice," Taddeo admitted. "Recalling the information is not possible. The FBI may request that sites hosting the information take it down, but it would be very unlikely the [agency] could obtain authority to compel a site to remove the list.
"Most likely, the FBI will warn employees of the loss of data and monitor for any anomalous activity that can be attributed to the loss. While the risks from this type of loss will never dissipate completely, over time, the information will become less sensitive due to employee rotations and turnover."
While the US government would always be a landmark target for hackers and cyber-criminals seeking to earn their stripes, the number of successful hits has been mounting over the past 12 months – from the breach at the Office of Personnel Management to the most recent case in which hackers used common 'social engineering' tactics to access DoJ computer systems.
And while it is surprising that this attack vector worked against a major entity such as the US government, Taddeo indicated that this is not as revelatory as it may seem. "The hackers could have socially engineered the password from a user who holds valid credentials. This is not that hard, especially if the hacker had open-source information about the user," he said.
In order to fight this rising tide of cyber-attacks, the former FBI cyber expert explained that agencies need to move beyond simple two-factor authentication and enforce better checks on what he defined as the 'digital identity'. "By checking multiple attributes an enterprise can create a 'digital identity' that is almost impossible to socially engineer," he said.
However, echoing the official line of the US government, Taddeo downplayed the long-term impact of the hack. "Organisations are forced to balance information security against user-access requirements. The success of what appears to be a social-engineering attack does not mean DHS [Department of Homeland Security] and the FBI need to rethink their approach to securing unclassified data," he added.
"The information lost was important, but not critical. Both agencies may, however, need to figure out what happened and fix whatever went wrong. In the end, it's likely both agencies will find they need to re-examine employee awareness, training and helpdesk procedures."