Martin Seeger

PostMortem: Assumed DOJ Montana Leak of Phone Dumps

Type of leak

Highly confidential information on a public SMB share without authentication

Threats from the leak

I see the following threats:

  • Integrity and Confidentiality of investigations into serious crimes compromised
  • Privacy of U.S. citizens compromised (very likely to contain most intimate data)
  • Providing 3rd parties hostile to the U.S. with blackmail material

1/4

Jun 21 at 1:36pmWeb
Show threadMartin Seeger4d ago

Timeline

  • May 14th 2025: Scanner of Security Researcher flags a public SMB share for inspection (leak open at latest at this date)
    • IP addresses involved: 216.220.10.217 and 216.220.10.222
  • June 5th 2025: Security Researcher analyses the SMB share and discovers phone dumpy created with Graykey. Some data is mere hours old, therefore this is a live leak.
  • In between: File names show that some investigations are tied to child abuse as directories contain "CSAM" as part of the directory names.
    • Remark: Usually investigations are identified by three parameters in thge file name: type of crime, location and some keyword (optional). In case of major crimes, using those identifiers one could easily identify those crime through press reports.
    • One directory name seemed to indicate the dump to be done from a police officers phone who comitted suicide.
  • June 12th 2025: As the Security Researcher could not identify a clear owner and previous contacts to CISA and FBI didn't produce any reply, he contacts me and asks for support. I receive as supporting material:
    • One extraction report by Graykey for "Policy Violation" investigation
    • List of file names in the leak
  • June 12th 2025 06:42 UTC: Asking friends in my environment for contacts in the U.S. to help with this leak.
  • June 12th 2025 ~19:00 UTC: Start discussing the leak with journalists in the U.S. Due to the CSAM topic, there is great reluctance to engage.
  • June 13th 2025, 19:20 UTC: From the extraction report I assume that this investigation is done by the Cascade County Police Department. I attempt to contact Sheriff Jesse Slaughter him by: mobile (spoke on his voice box), text message (iMessage) and email. As of today there is no answer.
  • June 17th 2025, 07:22 UTC: A second security researcher informs the Bozeman PD about one of their investigations to be in the leak
  • June 17th 2025: Second security researcher also reaches out to the former Attorney General and former Governor of Montana Steve Bullock via LinkedIn to help with the leak. As of today there is no answer.
  • June 17th 2025, 08:47 UTC: Bozeman PD reaches out to the second security researcher
  • June 17th 2025, 09:10 UTC: My initial post on Mastodon (https://infosec.exchange/@masek/114697924639525296) asking for help
  • June 17th 2025, 11:36 UTC: On recommendation received, I contacted the Attorney General of Montana by Email. As of today there is no answer.
  • June 17th 2025 12:46 UTC: Former FBI employee offers to create a contact.
  • June 17th 2025, 16:20 UTC: Contact with employees of the software vendor (came through the SM post above). I provide them with serial# from the extraction report and additional information in the next 30min. They say they identified the owner of the license and will attempt to contact them.
  • June 17th 2025, 17:21 UTC: On recommendation received, I contacted the County Attorney of Lewis and Clark Counry. As of today there is no answer.
  • June 17th 2025, ~20:00 UTC: Initial two-way contact with FBI
  • June 17th 2025, ~20:00 UTC: Leak is closed (according to my information the communication chain through the vendor and Bozeman PD reached the lab at pretty the same time)
  • June 18th 2025 between 08:42 and 16:11 UTC: Further communication with the FBI
Martin Seeger (@masek@infosec.exchange)

**Update 3:** You can find my PostMortem here: https://infosec.exchange/@masek/114721620930871030 **Update 2:** As far as I can tell, the servers that caused the leak belonged to the DOJ in Montana. We reached them in two ways: - Through this post we got contact to the vendor of the software. With the Serial# (in the extraction reports) they could identify whom to call. - A friend had a contact in one of the affected police department and they reached out to the DOJ. Thanks to this community I was also able to get a contact within the FBI. Furthermore some media contacted me and a lot of Mastodon users provided me with additional contacts. Event though I contacted the AG in Monatana and one PD, no one has reached out to me from the DOJ side. **Update 1:** Leak is closed. Will write more tomorrow. Thank you to everyone who helped. **Phone forensics** Usually law enforcement is very secretive about them analyzing the phones of suspects. But a forensic lab in #montana is extremely transparent about it. They put the dump of every phone on a public share. Everyone with Internet access can access those dumps. While I am usually a proponent of government transparency, this takes it a bit too far even for my taste. Every phone dump is one directory and some case names can be easily connected to crime & death headline news in the U.S. So for one case I am pretty sure, that I can even say which Sheriff is responsible for that one of the investigations. I sent that Sheriff an email, i sent him a text message and I even spoke on his voicebox. I even sent him the extraction report from Graykey. It is really frustrating that I get no response at all. The leak is still open. The security researcher that found the leak also tried some contacts but had as little success as I do. I personally believe that this leaks even constitutes a federal crime. Some cases have names ending on CSAM. The security researcher stayed away from any of those and I did not access the files on that server at all. So does anybody know someone within the #fbi that would give a shit about that. I am getting very tired. #graykey #cellebrite #forensics

Infosec Exchange
Show threadMartin Seeger4d ago

Analysis

This is not a complete failure analysis. This are only my observations. A full detailed analysis is most likely to be even more shocking.

Failures:

  • The PC with that kind information should never have been "internet facing" (architecture mistake)
  • The informations do not belong on any file share (organisational mistake)
  • Shares should never allow unauthenticated access (configuration mistake)
  • The information should never have been stored unencrypted (lack of data security)
  • Incoming SMB traffic should never be allowed to such a network (firewall policy mistake).
  • Any such network should include a monitoring of the external attack surface that could easily identify such a leak (lack of posture management, lack of attack surface management).
  • It was out of scope for our involvement, but is very likely that the systems could have been used to compromise any attached network
  • SUMMARY: A complete and utter failure of IT-Security on the technical and organisational level for that lab

Impact

It can be safely assumed (due to duration and easiness to discover) that all data on those shares is now in the hands of inttelligence services with non-friendly attitude towards the United States of America (e.g. Russia, China)

3/4

Show threadMartin Seeger4d ago

Acknowledgments

The greatest thanks belong to @JayeLTee , who discovered the leak, clearly recognised the severity and started the chain of events that led to the closure of the leak.

Special thanks to "Dissent Doe" of DataBreaches.net for reaching out to the Bozeman Police Department, who responded promptly by calling her to get IP addresses and details so they could investigate and follow up. They made contact with the state lab, who notified the police that they had just heard from the vendor and had unplugged everything while they investigated.

Thanks to the FBI and Bozeman PD for the prompt and professional contact. Beside them, no official that was contacted reached out.

I also wish to thank (in alphabetical order) Abraham, Andy, Ben, Cody, Dhruv, Emma, Frank, Harlo, Jeff, Jerry, JollyOrc, Judie, Royce, Russ and Rysiek for providing assistance. If I omitted someone, I apologise for the oversight. The communication turned into a frenzy on June 17th and some may have escaped the analysis for my PostMortem.

Closing Remarks

It is clearly necessary that we have at least one public contact in each country that investigates and closes data leaks reported to them. The effort to close even the worst leaks is unbearable and currently rests on the shoulders of security researchers and their supporting environment.

Time spent on this leak from my side (without the time for this report) is 12+ hours. My best estimate on the effort of all people involved closing this leak would be in the multiple hundreds of hours. The amount of time spent by the person responsible for the leaking system on security issues: None.

I assume the the leak is somehow tied to the DOJ Montana. This is not 100% sure, but i received multiple indicators that they are closely connected the leak.

There were more attempts to reach official contacts than documented here in the PostMortem. The list only includes those I could pinpoint with a reasonable degree of certainty.

I will not answer questions on how the forensics software works. This is out of scope for me. If you want to keep your phone safe: make it stay in the BFU state most of the time, choose a long and complex PIN, avoid cloud backups and do not install tracking apps.

I do not know if the share was writeable for everyone. This is also out of scope. Therefore I cannot say how difficult it would have been to manipulate an investigation. But my guess would be, that at least for a skilled atacker this would seem quite possible.

Purpose of the PostMortem is to provide an opportunity to learn for the affected party and those in danger of making similar mistakes. Futhermore I feel responsible to give all the people involved some closure.

Show threadDr. Russ 4d ago
@masek @JayeLTee Glad ya got this solved!
Show threadbabble encat4d ago

@masek
> inttelligence services with non-friendly attitude towards the United States of America (e.g. Russia, China)

Russia China and USA

Show threadMartin Seeger4d ago
Also blogged: https://blog.literarily-starved.com/2025/06/postmortem-assumed-doj-montana-leak-of-phone-dumps/
PostMortem: Assumed DOJ Montana Leak of Phone Dumps

The last week I spent a lot of time on closing a serious leak of confidential information from what I assume to be the DOJ Montana. This is my PostMortem on the incident.

Literarily Starved
Show threadMartin Seeger4d ago
Though they decided not to answer to my leak reports, one recipient found the time to install a block for my email address:
Show threadMichał "rysiek" Woźniak · 🇺🇦4d ago
@masek ah yes the "out of sight out of mind" approach to infosec
Show threadMistake not ...4d ago

@rysiek @masek
"Didn’t they know that the only unhackable computer is one that’s running a secure operating system, welded inside a steel safe, buried under a ton of concrete at the bottom of a coal mine guarded by the SAS and a couple of armoured divisions, and switched off?"

—Charles Stross

Show threadnowhereman (nicht der andere!)4d ago
@masek
As a non-technical person, it seems to me that you never know whether it is a honeypot or a real leak.
The reaction tends to the first one.
Show threadMartin Seeger4d ago
@Nowhereman This was no honeypot.
Show threadJayeLTee4d ago

@masek

Thanks to you and @PogoWasRight for all the help with this and other incidents 

Without that help, it would be a way bigger challenge to get this closed, as any time I try to contact any agency or LE in the US, I just get ignored 

Show threadDissent Doe  4d ago
@JayeLTee @masek I often get ignored, too. I call it the "Ostrich Syndrome" approach to incident response. Just stick your head in the sand and hope all those nasty researchers and journalists will just go away.