USDoD is a threat actor known for data breaches and leaks, gaining notoriety for targeting a wide range of organizations, including corporations, government agencies, and professional networks. Their actions have resulted in the exposure of vast amounts of sensitive personal information, posing significant risks to individuals and organizations alike. Unlike many threat actors, USDoD does not appear to be part of a larger, established group, making their origins and motivations more difficult to ascertain. Their operations are characterized by social engineering, data exfiltration, and the subsequent public release of stolen data, sometimes via dark web marketplaces. The scale and impact of their breaches, including the high-profile compromise of the FBI's InfraGard database, have positioned USDoD as a considerable threat with a demonstrated capacity for causing significant damage.
USDoD, previously known as "NetSec" on RaidForums, first gained notoriety with the "#RaidAgainstTheUS" campaign, which targeted the U.S. Army and defense contractors. The switch to the "USDoD" moniker took place on Breached.vc in December 2022. The person behind USDoD is a man in his mid-30s with roots in South America; his real name is Luan G., and he currently resides in Minas Gerais, Brazil.
Initially, there were allegations of pro-Russian alignment due to collaborations with Russian individuals on projects like the "Tulip" AI project. However, USDoD has explicitly denied any political motivation, stating that these collaborations were purely for personal or business reasons. He also refuses to attack Russia, China, South and North Korea, Israel, and Iran.
USDoD's evolution has seen a shift from primarily conducting cyber operations to also administering eCrime forums. In October 2024, USDoD announced a departure from public breaches, stating a desire to focus on personal life. However, this was framed as a transition to independent work, suggesting continued activity, albeit with reduced public scrutiny. This departure was marked by the release of the Bureau van Dijk Database 2024 and a US Consumer Database. It was discovered that USDoD is actually Luan G., also known as EquationCorp. The actions of USDoD highlight the challenges of international cybercrime enforcement.
USDoD's primary modus operandi revolves around social engineering, particularly impersonation. This tactic has been consistently employed to gain access to sensitive data and systems. Some of their key tactics include:
Social Engineering: USDoD has demonstrated a sophisticated understanding of social engineering techniques. They have successfully impersonated high-ranking individuals, such as CEOs, to gain the trust of targets and acquire access credentials or sensitive information. This was notably used in the InfraGard breach.
Data Breaching: USDoD specializes in gaining unauthorized access to databases and exfiltrating large volumes of data. This includes both targeted attacks and potentially opportunistic exploitation of vulnerabilities. They were involved in the MOVEit breach.
Data Leaking: A defining characteristic of USDoD is the public release of stolen data. This is often done through online forums (like BreachForums) or dark web marketplaces. The leaking of data serves multiple purposes, including notoriety, potential financial gain (though indirect), and possibly exerting pressure on targeted entities.
Web Scraping: USDoD has employed web scraping techniques, as evidenced by their claimed breach of LinkedIn. This suggests an ability to automate the collection of data from publicly accessible sources, which can then be used for further targeting or sold or leaked.
Impersonation: The InfraGard breach exemplifies USDoD's skill in impersonation. By posing as a CEO, they successfully bypassed security measures and gained membership to a sensitive FBI-affiliated platform.
Diversionary Tactics: USDoD publicly threatened Lockheed Martin and Raytheon as a diversion from their actual operations. USDoD has also been linked to phishing campaigns.
USDoD's targets have been diverse, spanning multiple sectors and geographic locations. This broad targeting suggests a lack of strict ideological or geographic constraints, although USDoD has stated that they do not target some countries (Russia, China, South and North Korea, Israel, and Iran). Their known targets include:
Corporate: Airbus (via vendor access), Metropolitan Club of the City of Washington.
Governmental: U.S. Environmental Protection Agency (EPA), FBI (InfraGard), claimed targeting of NATO Cyber Center Defense and CEPOL.
Professional Networking: LinkedIn (claimed breach).
Other: Bureau van Dijk Database, US Consumer Database, hp-medical, dhsi2.
The motivations behind USDoD's actions are not entirely clear, and there are potentially multiple factors at play:
Financial Gain: While direct financial gain from data leaks is not always apparent (unless sold), it remains a possible motive.
Notoriety/Ego: USDoD has demonstrated a desire for recognition within the cybercriminal community. High-profile breaches and public leaks contribute to building a reputation.
Personal Vendettas: USDoD has admitted that personal vendettas play a role in target selection, alongside a general interest in challenging cyber exploits.
Ultimate Goal: According to USDoD, he wanted full control and influence, aiming to establish a private company to sell military intelligence on the dark web. First target: Constellis.
The potential impact of USDoD's activities is substantial:
Data Breaches: Exposure of sensitive personal and organizational information, leading to potential identity theft, financial fraud, and reputational damage.
Operational Disruption: While not their primary focus, breaches can lead to disruption of services, particularly in cases involving government agencies or critical infrastructure.
Erosion of Trust: Breaches of trusted platforms, like InfraGard, erode public trust in institutions and in the security measures meant to protect them.
USDoD has been linked to several significant attack campaigns, demonstrating their capabilities and evolving tactics:
InfraGard Breach (December 2022): This breach is arguably USDoD's most notable operation. By impersonating a CEO, USDoD gained membership to InfraGard, an FBI-affiliated platform for information sharing between the private sector and law enforcement. This granted access to a database containing contact information for thousands of InfraGard members.
Airbus Vendors Breach (September 2022): USDoD gained access to Airbus systems through stolen credentials of an employee at a Turkish airline, a supplier to Airbus. This resulted in the leak of data from approximately 3,200 Airbus vendors.
Metropolitan Club of the City of Washington Breach (date unknown): USDoD hacked the Metropolitan Club using the personally identifiable information (PII) of the club's General Manager.
LinkedIn Data Scraping (claimed): USDoD claimed to have breached LinkedIn, resulting in a dataset of millions of records. The veracity of this claim has been debated, but it highlights USDoD's use of web scraping techniques, combined with advanced social engineering.
Claimed CrowdStrike Data Breach (July 2024): USDoD claimed to have leaked CrowdStrike's "entire threat actor list" on BreachForums. Although a sample was provided, skepticism remains due to USDoD's history of exaggeration.
National Public Data (NPD) Breach (April 2024): A massive data breach, believed to have started around April 2024, impacting almost three billion people. The source was National Public Data (NPD), a background check company. The stolen data is highly sensitive, comprising 277.1 gigabytes spanning at least 30 years. It includes Social Security numbers and is reportedly being sold on the dark web.
Bureau van Dijk Database 2024 and US Consumer Database (October 2024): Shared as final breaches when announcing stepping away from public breaches. The attack campaigns demonstrate USDoD's evolving tactics.
Defending against threat actors like USDoD requires a multi-layered approach, focusing on both technical and human factors:
Robust Data Security Measures: Implement strong access controls, multi-factor authentication, encryption (both in transit and at rest), and data loss prevention (DLP) solutions. Regularly patch and update systems, applying vendor updates (such as those Microsoft issues) promptly to address known vulnerabilities.
Social Engineering Awareness Training: Educate employees about social engineering tactics, phishing, and impersonation attempts. Promote a culture of security awareness and encourage skepticism regarding unsolicited requests for information or access. Regular phishing simulations reinforce this training.
Vulnerability Management: Conduct regular vulnerability scans and penetration testing to identify and remediate weaknesses in systems and applications.
Threat Intelligence: Leverage threat intelligence feeds and platforms to stay informed about emerging threats, including tactics, techniques, and procedures (TTPs) used by actors like USDoD.
Dark Web Monitoring: Use Dark Web monitoring solutions to track threat actors and detect the sale or leakage of sensitive data.
Incident Response Plan: Develop and regularly test an incident response plan to ensure a swift and effective response to any potential breaches. A formal cyber incident response plan (CIRP) provides the structure for this.
Vendor Risk Management: Thoroughly vet third-party vendors and ensure they adhere to strong security standards, particularly those with access to sensitive data or systems.
Network Segmentation: Implement network segmentation to limit the impact of a potential breach by isolating critical systems and data. Together with the measures above, a robust patch management strategy is essential to defending against USDoD.
USDoD represents a significant and evolving threat in the cybersecurity landscape. Their reliance on social engineering, coupled with their ability to breach diverse and high-profile targets, makes them a formidable adversary. While their motivations are complex and not fully understood, their actions have demonstrated a clear capacity for causing significant damage. The lack of known affiliations and the evolving nature of their operations highlight the ongoing need for vigilance, proactive security measures, and continuous monitoring of the threat landscape. Organizations must prioritize data security, employee training, and threat intelligence to mitigate the risks posed by USDoD and similar threat actors. The revelation of USDoD's identity as a Brazilian citizen adds a layer of complexity regarding legal recourse, highlighting the challenges of international cybercrime enforcement.
Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.