Full Report
I wonder what's in 'external-secret-repo-creds.yaml' and 'AWS-Workspace-Firefox-Passwords.csv'?
Analysis Summary
# Incident Report: Exposure of CISA Production Infrastructure Secrets on Public GitHub
## Executive Summary
A public GitHub repository belonging to a CISA contractor was discovered containing 844 MB of sensitive production data, including plain-text passwords, AWS/Azure keys, and Kubernetes manifests. The repository remained exposed for approximately six months due to improper backup practices and the use of a personal GitHub account for professional data. While CISA has taken the repository offline and stated there is currently no evidence of compromise, the breadth of the leak posed a catastrophic risk to the agency's internal build and deployment pipelines.
## Incident Details
- **Discovery Date:** May 14, 2026
- **Incident Date:** Repository created/exposed circa November 2025 (exposed for 6 months)
- **Affected Organization:** Cybersecurity and Infrastructure Security Agency (CISA)
- **Sector:** Government / Cybersecurity
- **Geography:** United States
## Timeline of Events
### Initial Access
- **Date/Time:** Circa November 2025
- **Vector:** Improper Data Handling / Insider Error
- **Details:** A contractor created a public GitHub repository named "Private-CISA" using a personal GitHub account and uploaded unencrypted backups of production infrastructure materials.
### Lateral Movement
- **N/A:** No confirmed lateral movement by unauthorized actors has been reported; however, the exposed credentials provided direct paths for lateral movement within CISA’s Azure, AWS, and Kubernetes environments.
### Data Exfiltration/Impact
- **Data Exposed:** 844 MB of material, including:
  - JFrog Artifactory tokens
  - Azure registry keys and Entra ID SAML certificates
  - AWS GovCloud credentials and "Important AWS Tokens.txt"
  - Kubernetes manifests and ArgoCD application files
  - Terraform infrastructure-as-code
  - Firefox browser passwords (CSV format)
  - Manual instructions on how to disable GitHub secret scanning
### Detection & Response
- **May 14, 2026:** Researcher Guillaume Valadon (GitGuardian) discovered the repository.
- **May 14, 2026 (AM):** Researcher reported the leak via CERT/CC portal.
- **May 15, 2026 (AM):** After receiving only an automated response, the researcher alerted journalist Brian Krebs to accelerate the response.
- **May 15, 2026 (6:00 PM EST):** CISA successfully took the repository offline.
## Attack Methodology
- **Initial Access:** Publicly accessible repository (Information Disclosure).
- **Persistence:** Exposed GitHub Personal Access Tokens and SAML certificates would have allowed long-term, quiet persistence if exploited.
- **Privilege Escalation:** Exposed "Kube-Config.txt" and "external-secret-repo-creds.yaml" provided high-privilege access to infrastructure orchestration.
- **Defense Evasion:** The repository contained explicit guides on how to disable GitHub's native secret scanning.
- **Credential Access:** Plain-text CSVs (Firefox passwords) and TXT files containing AWS/Azure secrets.
- **Collection:** Bulk backups committed directly to Git (e.g., `Backup-April-2026/`).
- **Exfiltration:** Standard `git clone` or browser-based download.
## Impact Assessment
- **Financial:** Unknown; costs associated with audit and credential rotation.
- **Data Breach:** High-risk exposure of infrastructure secrets; potential access to Government Cloud environments.
- **Operational:** Massive effort required to rotate all SAML certificates, API keys, and internal passwords.
- **Reputational:** High; significant embarrassment for the lead federal agency tasked with defending national infrastructure.
## Indicators of Compromise
- **File indicators:**
  - `external-secret-repo-creds.yaml`
  - `AWS-Workspace-Firefox-Passwords.csv`
  - `Important AWS Tokens.txt`
  - `Kube-Config.txt`
- **Behavioral indicators:** Use of personal Yahoo email addresses for commits involving official CISA infrastructure code.
## Response Actions
- **Containment:** Repository "Private-CISA" was deleted/made private within 26 hours of the initial report.
- **Eradication:** CISA is currently investigating the scope to determine if secrets were accessed.
- **Recovery:** Ongoing rotation of all leaked tokens, keys, and certificates.
## Lessons Learned
- **Shadow IT/Personal Accounts:** The use of personal GitHub accounts for professional government work bypasses organizational security controls and oversight.
- **Secret Scanning Evasion:** Explicitly documented methods to bypass security tools indicate a cultural issue regarding security compliance.
- **Report Friction:** The initial report through the traditional channel (CERT/CC) produced only an automated response for roughly 24 hours; journalist intervention was needed to trigger emergency remediation.
## Recommendations
- **Enforce Corporate GitHub Use:** Strictly prohibit the use of personal accounts and non-enterprise repositories for any agency-related code or configuration.
- **Automated Secret Scanning:** Implement mandatory, non-bypassable secret scanning (e.g., pre-commit hooks and server-side scanning) across all repositories.
- **Policy Enforcement:** Conduct regular audits for "Shadow IT" and personal email addresses in git commit histories.
- **Zero Trust Architecture:** Ensure that compromise of a single token or manifest does not grant broad access to the entire deployment pipeline.
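Two of the recommendations above, secret scanning that runs before a commit is accepted and auditing commit author e-mail addresses for personal (webmail) domains, can be implemented together as one commit gate. The script below is an added example written for this report, not tooling from CISA, the contractor, GitGuardian or GitHub; the approved-domain list, the filename and content patterns, and the sample commit it checks are constructed assumptions. A local pre-commit hook can be skipped with `git commit --no-verify`, so the same `audit_commit` logic should also run server-side (pre-receive hook or CI) to be genuinely non-bypassable.

```python
"""Commit policy gate (added example; not tooling from CISA, the contractor,
GitGuardian or GitHub). Two checks from the recommendations, in one hook:

  1. reject commits whose author e-mail domain is not an approved one
     (catches personal webmail accounts used for official code);
  2. reject staged files whose name or contents look like credentials or
     bulk backups, before they ever reach a remote.

APPROVED_EMAIL_DOMAINS, the patterns and the sample commit are assumptions
constructed for this example.
"""
import re
import subprocess
import sys

# Assumed organizational domains; any other domain is flagged as shadow IT.
APPROVED_EMAIL_DOMAINS = {"cisa.dhs.gov", "contractor.example"}

# File names resembling the report's indicators, matched against the basename.
SUSPICIOUS_NAME_PATTERNS = [
    r"kube-?config",          # e.g. Kube-Config.txt
    r"secret.*creds",         # e.g. external-secret-repo-creds.yaml
    r"passwords?\.csv$",      # e.g. AWS-Workspace-Firefox-Passwords.csv
    r"tokens?\.txt$",         # e.g. Important AWS Tokens.txt
    r"^\.env$", r"\.pem$", r"^id_rsa$",
]

# Content signatures. The only concrete value used below (in the sample) is the
# AWS documentation example key, which is not a real credential.
SECRET_CONTENT_PATTERNS = {
    "aws_access_key_id": r"\bAKIA[0-9A-Z]{16}\b",
    "github_pat": r"\bghp_[A-Za-z0-9]{36}\b",
    "private_key_block": r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----",
    "password_assignment": r"(?i)\bpassword\s*[:=]\s*\S+",
}


def email_domain_violations(author_email: str) -> list[str]:
    """Return one finding if the author's e-mail domain is not approved, else []."""
    domain = author_email.rsplit("@", 1)[-1].lower() if "@" in author_email else ""
    if domain not in APPROVED_EMAIL_DOMAINS:
        return [f"author e-mail domain '{domain or '(none)'}' is not an approved organizational domain"]
    return []


def filename_findings(path: str) -> list[str]:
    """Flag file names that match the suspicious-name patterns (case-insensitive)."""
    base = path.rsplit("/", 1)[-1]
    return [f"{path}: suspicious file name (matches /{pat}/)"
            for pat in SUSPICIOUS_NAME_PATTERNS if re.search(pat, base, re.IGNORECASE)]


def content_findings(path: str, text: str) -> list[str]:
    """Scan text line by line; report the pattern name and line, never the matched value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pat in SECRET_CONTENT_PATTERNS.items():
            if re.search(pat, line):
                findings.append(f"{path}:{lineno}: possible {name}")
    return findings


def audit_commit(author_email: str, staged: dict[str, str]) -> list[str]:
    """Run every check for one commit. An empty list means the commit may proceed."""
    findings = email_domain_violations(author_email)
    for path, text in staged.items():
        findings += filename_findings(path)
        findings += content_findings(path, text)
    return findings


def staged_from_git() -> tuple[str, dict[str, str]]:
    """Read the configured author e-mail and the index (staged) version of each added/modified file."""
    def run(*args):
        return subprocess.run(["git", *args], capture_output=True, text=True,
                              errors="replace", check=True).stdout
    email = run("config", "user.email").strip()
    names = run("diff", "--cached", "--name-only", "--diff-filter=ACM").splitlines()
    return email, {name: run("show", f":{name}") for name in names if name}


# Constructed sample commit mirroring the report's pattern: a webmail author
# and a bulk backup directory containing a token file.
SAMPLE_AUTHOR = "devops.person@yahoo.com"
SAMPLE_STAGED = {
    "Backup-April-2026/Important AWS Tokens.txt": "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n",
    "deploy/values.yaml": "image: registry.example/app:1.2\nreplicas: 3\n",
}


if __name__ == "__main__":
    # As a git hook: no arguments, read the index. With --demo: check the sample commit.
    author, staged = (SAMPLE_AUTHOR, SAMPLE_STAGED) if "--demo" in sys.argv else staged_from_git()
    problems = audit_commit(author, staged)
    for problem in problems:
        print("BLOCKED:", problem)
    sys.exit(1 if problems else 0)
```

Save it as `.git/hooks/pre-commit` (executable) for the client-side check, and call `audit_commit` from a pre-receive hook or CI job for the enforced, server-side copy. `python3 gate.py --demo` runs it against the constructed sample and exits 1 with three findings: the webmail author domain, the token file's name, and the AWS access key ID inside it. Findings name the pattern and line rather than echoing the matched value, so hook output does not itself become a second place where the secret is written down.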