Full Report
A cartel affiliate notified an FBI agent about a hacker who infiltrated cameras and phones to track an FBI official's meetings, the DOJ inspector general said. (Originally published on CyberScoop as "Hacker helped kill FBI sources, witnesses in El Chapo case, according to watchdog report".)
Analysis Summary
# Incident Report: Cartel Hacking to Compromise FBI Investigation and Endanger Sources
## Executive Summary
A hacker hired by the Sinaloa drug cartel obtained call records and geolocation data tied to the mobile phone of an FBI official working the El Chapo investigation, and used Mexico City's municipal camera system to follow that official through the city. This allowed the cartel to track the official's movements and identify the people the official met with; according to the DOJ Inspector General, the cartel used that information to intimidate and, in some instances, kill potential sources and cooperating witnesses. The Inspector General's audit also found that the FBI's initial internal "Red Team" effort to identify enterprise-wide risks from ubiquitous technical surveillance (UTS) was inadequate.
## Incident Details
- Discovery Date: 2018, when an individual connected to the cartel told an FBI case agent about the hacker.
- Incident Date: Not stated precisely; the surveillance took place in or before 2018, during the El Chapo investigation.
- Affected Organization: Federal Bureau of Investigation (FBI), specifically an Assistant Legal Attaché (ALAT) posted to the US Embassy in Mexico City.
- Sector: Government / Law Enforcement
- Geography: Mexico City, Mexico
## Timeline of Events
### Initial Access
- Date/Time: Unknown; the activity was already under way when the FBI was notified in 2018.
- Vector: A hired "hacker" who offered the cartel a menu of services for exploiting mobile phones and other electronic devices.
- Details: The hacker supplied the cartel with surveillance product on the FBI ALAT, specifically records of calls made and received and the phone's geolocation, rather than the content of communications.
### Lateral Movement
- **Phone-Derived Data:** Starting from the ALAT's mobile phone number, the hacker obtained records of calls made and received and geolocation data for the phone.
- **Physical Tracking:** The hacker used Mexico City's camera system to follow the ALAT through the city and identify the people the ALAT met with.
### Data Exfiltration/Impact
- **Intelligence Gathering:** By watching who entered and left the US Embassy, the hacker identified "people of interest," including the ALAT, and then tracked the individuals the ALAT met with.
- **Impact:** According to the Inspector General, the cartel used this intelligence to intimidate and, in some instances, kill potential sources and cooperating witnesses in the El Chapo investigation.
### Detection & Response
- **Detection:** An individual connected to the cartel told an FBI case agent that the cartel had hired a hacker and described the services the hacker offered. There is no indication on the page that FBI systems or monitoring detected the activity.
- **Response:** The incident is described in a DOJ Office of the Inspector General (OIG) audit of the FBI's efforts to mitigate the effects of ubiquitous technical surveillance (UTS) on sensitive investigations. The FBI had stood up an internal "Red Team" to identify UTS-related risks; the OIG found its initial work inadequate.
## Attack Methodology
- **Initial Access:** Exploitation of mobile phones and electronic devices by a hired third-party hacker.
- **Persistence:** Not described; sustained access is implied by the continued flow of call records, location data, and camera-based tracking.
- **Privilege Escalation:** Not applicable; the operation collected against an external target (an FBI official) rather than escalating within a system.
- **Defense Evasion:** Not described. A practitioner's caveat: the data the hacker drew on (call and location records tied to a phone number, and a municipal camera network) sits outside the FBI's own infrastructure, so FBI-side endpoint or network monitoring would have had nothing to observe.
- **Credential Access:** Not specified. The report states only that the hacker used the ALAT's phone number to obtain call records and geolocation; that a phone number alone sufficed is consistent with access to carrier-side records rather than malware on the handset, but the page does not establish the method.
- **Discovery:** The hacker observed individuals entering and leaving the US Embassy in Mexico City to identify targets of interest.
- **Physical Tracking (mapped here to Lateral Movement):** Using the phone-derived location data and the city camera system to follow the ALAT and identify contacts.
- **Collection:** Phone call records, geolocation data, and visual confirmation via city cameras.
- **Exfiltration:** Intelligence derived from the surveillance was passed to the cartel for operational use.
- **Impact:** Death and intimidation of human intelligence sources.
## Impact Assessment
- **Financial:** Not disclosed in the context provided.
- **Data Breach:** Highly sensitive operational data regarding an ongoing high-profile criminal investigation (El Chapo case), including identities and locations of confidential sources.
- **Operational:** Severe compromise of an active FBI investigation, leading to the loss of human intelligence assets and potential destruction of the investigative case integrity.
- **Reputational:** Not quantified on the page. The OIG finding that the FBI's initial efforts to address UTS were inadequate is public, as is the link between the surveillance and the deaths of sources.
## Indicators of Compromise
- **Network indicators:** None (no URLs, IPs, or domains) are provided in the summary context.
- **File indicators:** Not specified.
- **Behavioral indicators:** Unauthorized access to FBI personnel geolocation data and call records derived from a mobile phone number; observation of agency personnel movements via municipal camera systems.
## Response Actions
- **Containment:** No incident-specific containment steps are described on the page.
- **Eradication:** Not applicable as described; the adversary's collection relied on third-party data sources rather than a foothold on FBI systems.
- **Recovery / Longer-term remediation:** The FBI created an internal "Red Team" to identify enterprise-wide UTS risks, and the OIG audited the FBI's broader UTS mitigation program. The OIG found the Red Team's initial efforts inadequate and issued recommendations.
## Lessons Learned
- The FBI’s initial "Red Team" efforts to identify specific, enterprise-wide risks related to ubiquitous technical surveillance (UTS) were not adequate.
- Mitigation efforts did not sufficiently consider existing FBI security efforts against UTS threats.
- The OIG found a lack of a long-term vision for how the FBI will approach the evolving UTS threat landscape.
## Recommendations
- Develop and implement a comprehensive, long-term strategy to mitigate risks from advanced technical surveillance affecting personnel and investigations abroad, building on existing FBI security efforts rather than duplicating them.
- Improve internal threat modeling so that "Red Team" assessments account for known adversary capabilities, including the purchase of hacking services and the exploitation of commercial telecommunications data and municipal camera networks.
- When planning source and witness contact in high-threat environments, treat a phone number's call and location records and municipal camera coverage as adversary-observable, since this incident shows both being used to identify and follow an official's contacts.