Threat Actor Claims Classified Five Eyes Data Theft

A known threat actor has leaked classified documents from the US government and its allies online, claiming they were stolen from a government IT contractor.

IntelBroker took credit for the breach, alongside Sanggiero and EnergyWeaponUser, according to a screenshot posted to X (formerly Twitter) by security researchers HackManac.

“Today I am releasing the documents belonging to the Five Eyes Intelligence Group,” the post noted. “The data was obtained by breaching into Acuity Inc, a company that works directly with the US government and its allies.”

Acuity is a Virginia-based federal technology consultancy which claims to have “deep expertise” in areas such as IT modernization, DevSecOps, cybersecurity, data analytics and operations support.

According to the post on an underground cybercrime forum, the threat actors have classified information including full names, government and military email addresses, office and personal phone numbers, and “classified information and communications between the Five Eyes, 14 Eyes and US allies.”

There’s good reason to suspect that IntelBroker’s claims are legitimate, with the actor linked to a string of successful high-profile breaches in the past.

In March 2023, they obtained personal data on 170,000 individuals including members of the US House of Representatives, after compromising health insurance marketplace DC Health Link, which is managed by the DC Health Benefit Exchange Authority (HBX).

In November of the same year, they advertised for sale sensitive information purportedly stolen from industrial giant and US government contractor General Electric.

“Data includes a lot of DARPA-related military information, files, SQL files, documents etc,” they said at the time.

Threat intelligence specialist Dark Web Informer claimed on X that IntelBroker had made the breached data fully available in unredacted form on their X account. That account was rapidly suspended by the social media firm, which at the very least suggests the claims were being taken seriously.

Acuity CEO, Rui Garcia, said in a statement to Infosecurity: "Acuity recently identified a cybersecurity incident related to GitHub repositories that housed dated and non-sensitive information. Immediately upon becoming aware of this zero-day vulnerability, Acuity applied the vendor’s security updates and performed mitigating actions in accordance with the vendor’s guidance.

"After conducting our own analysis and following a third-party cybersecurity expert investigation, Acuity has seen no evidence of impact on any of our clients’ sensitive data. In addition to cooperating with law enforcement, Acuity takes the security of its customers’ data seriously and is implementing appropriate measures to secure its operations further," Garcia concluded.

Article updated on April 5 with statement from Acuity CEO.