In a memo released to insiders and experts in the public sector, the FBI has asked for additional details on the CENTCOM social media compromise, with a particular focus on IP addresses released by Anonymous shortly after the attack, which the faceless, loosely associated group says were used by the attacker(s).
Earlier this week, the official Twitter and YouTube accounts for the U.S. Central Command (CENTCOM) were compromised by one or more attackers claiming to support the terrorist group ISIS. In a statement, CENTCOM called the act a case of cyber vandalism, largely dismissing the issue.
"CENTCOM's operational military networks were not compromised and there was no operational impact to U.S. Central Command. CENTCOM will restore service to its Twitter and YouTube accounts as quickly as possible. We are viewing this purely as a case of cyber vandalism," the CENTCOM statement said in part.
"In the meantime, our initial assessment is that no classified information was posted and that none of the information posted came from CENTCOM's server or social media sites. Additionally, we are notifying appropriate DoD and law enforcement authorities about the potential release of personally identifiable information and will take appropriate steps to ensure any individuals potentially affected are notified as quickly as possible."
Those responsible for the CENTCOM account hijacking claimed to have targeted mobile devices, and posted images of documents they were said to have hacked. However, additional research into the documents, including those released as a download, showed that many of them were publicly available.
Online, supporters of Anonymous, operating from TheAnonMessage Twitter account, claimed to have located the person responsible for the CENTCOM incident. From that point, the Anons operating the account posted various bits of information on the suspect, including IP addresses.
"We're scanning to see if any proxies were used but we're certain the source is from Maryland." — TheAnonMessage (@TheAnonMessage), January 12, 2015
"At this point, they're either really smart or we're dealing with a 17 year old who can barely spell 'I love u ISIS'." — TheAnonMessage (@TheAnonMessage), January 12, 2015
On Friday, a memo from the FBI forwarded the IP address information to a wider audience of security professionals, giving the data released by Anonymous some additional credibility. Calling the data actionable, the FBI has asked those on the distribution list to check their networks and logs for any additional information, including recent activity.
"On 12 January 2015, at 2:01PM CST, @TheAnonMessage, a Twitter account associated with the Anonymous hacking group, tweeted 11 IP addresses involved with the CENTCOM hack with the message," the memo explains.
"The FBI is providing a list of IPs obtained from @TheAnonMessage Twitter Account, and encourages recipients to examine their networks for any activity related to these IP addresses."
After the IP data was released by Anonymous, the person(s) alleged to be responsible for the CENTCOM incident also took control of The Anon Message Twitter account, which its operators were able to recover after a brief period of compromise.
It isn't unusual for the FBI to ask for outside help when it comes to collecting additional information on data they've collected as part of an active investigation. However, it's unusual for the FBI to give any weight to something that comes from Anonymous.
The IP addresses in question are: