topicnews · September 24, 2024

Report: Congressional staff data leaked on the dark web

Personal information of nearly 3,200 Capitol Hill employees, including passwords and IP addresses, is reportedly circulating on the dark web, in large part because some of them used their work email addresses to sign up for online services, including risky ones like dating and adult websites.

Swiss cybersecurity firm Proton, which works with another security firm, Constellation Intelligence, told the Washington Times that its researchers found 1,848 congressional staff passwords on the dark web, including 31 exposed passwords belonging to a single staffer. Proton executives told the news site that they plan to release more details about the leaked data later this week.

In a statement to the Washington Times, Proton said: “This situation indicates a critical security flaw where confidential, work-related emails were leaked to less secure third-party platforms.” The company added that the leaks likely occurred because the websites employees had signed up for were later compromised in data breaches.

The perpetrators responsible for the breach could not be identified.

Proton estimated that the information of nearly one in five congressional staffers was visible online and that the data of nearly 300 of them was disclosed in more than ten separate leaks.

“The volume of US politicians’ accounts exposed is alarming and the potential consequences of compromised accounts could be severe,” Eamonn Maguire, head of account security at Proton, told the Times in a statement. “Vigilance and strong security measures are essential to ensure personal and national security.”

Foreign adversaries target elections

The leaked data comes to light just before the highly volatile and seemingly close U.S. presidential election, which is drawing the attention of adversaries such as China, Russia, Iran and North Korea, as well as the threat groups they support. An Iran-backed threat group hacked into both the Trump campaign and the Biden-Harris campaign this summer. The group had access to the email account of Trump crony Roger Stone and used it as a gateway into the Trump campaign’s systems.

A warning from CISA and the FBI last week said the breaches were part of a larger effort by the Iranian government to disrupt the elections, which are now less than two months away.

“This malicious cyber activity is the latest example of Iran’s multi-pronged approach… to sow discord and undermine confidence in our electoral process,” the agencies wrote. “Foreign actors are increasing their election interference activities as November approaches. In particular, Russia, Iran, and China are seeking to some extent to exacerbate divisions in U.S. society for their own benefit, viewing election periods as moments of vulnerability.”

In a report Tuesday, security platform provider ReliaQuest wrote that “election-related attacks by state-affiliated groups, hacktivists and cybercriminals will pose a significant threat to organizations through phishing, distributed denial-of-service (DDoS) attacks and data theft, with the goal of disrupting operations, causing financial loss and exploiting heightened public interest.”

More to follow

Advanced persistent threat (APT) groups will use hack-and-leak operations, disinformation campaigns, and attacks on election infrastructure in the run-up to the election, Gautham Ashok, cyberthreat intelligence analyst at ReliaQuest, wrote in the report. They will also use fake social media profiles, bot networks, and troll farms to spread disinformation widely.

Already, scammers are sending election-themed phishing emails containing the SocGholish malware loader, while other cybercriminals are registering typosquatting domains to run cryptocurrency scams that trick victims into fake donations and investment schemes. Threat groups are also likely targeting systems used in voter registration, vote counting, and the announcement of election results.

Congressional staffers are the latest victims of a rapidly expanding election-related cyber threat. Proton said it has warned victims whose data was leaked.