Someone Appears to Have Hacked the USDA's Website to Share Pirated Movies

Something at the website of the United States Department of Agriculture (USDA) has gone bad.

Though the federal department is typically known for handling policy about agriculture and food safety, it looks like it’s been dipping its toes into a new area: pirated movies. 

A large cache of publicly-accessible PDFs recently started appearing on USDA.gov that link to pirated media including movies, TV shows, sporting events, and video games in what appears to be either a hack, an inside job, or some kind of bizarre glitch.

Check out these links, archived from USDA.gov, for illegal streams of "Spider-Man: No Way Home," "The Matrix Resurrections," or the new "Ghostbusters" movie. Or maybe you want to take in a pirated sporting event like a football match between Liverpool and Arsenal, or a UFC fight. Other PDFs offer links to what are clearly scams to buy Instagram followers or Robux for the video game Roblox.

"What is surprising is how widespread it is," Richard Forno, the assistant director of the University of Maryland, Baltimore County’s Center for Cybersecurity, told Futurism of the apparent breach. "How has this not been noticed?"

The PDFs were specifically appearing on a subdomain of USDA.gov dedicated to SNAP-Ed, a program aimed at educating people on food assistance about shopping and cooking healthy meals. The PDFs, which contain spammy links to pirated media on third-party websites along with garbled text, were sandwiched between wholesome pages on the subdomain about topics such homemade holiday meals and onions.

After Futurism reached out to the USDA, the entire SNAP-Ed subdomain disappeared from the department's site, replaced with a landing page decked out with lorem ipsum text.

"USDA takes security — both in the online and physical spaces — very seriously," a USDA spokesperson told Futurism. "We are working with our cybersecurity teams to investigate the issue and will resolve it as quickly as possible."

Jake Moore, the global cybersecurity advisor for internet security company ESET, said that he believed the apparent intrusion was likely an effort by a hacker to boost the SEO ranking of streaming sites by piggybacking off a government domain. SEO analysis company Ahrefs estimates that USDA.gov has an ironclad domain authority of 92, making any outbound links it hosts a prize for SEO operatives.  

In recent years, Google has changed its algorithm to fight piracy and voluntarily taken down countless piracy websites. This means that the people behind those sites have had to get more creative in order to boost their ranking with the search engine — and this could be one of their tactics. 

"Google doesn’t like to optimize pirated material," Moore told Futurism. "However, you can still find it in some shape or form in their search results. It’s not watertight. So a bad actor might simply be getting access to these PDFs on a government website and including these links, which will bump up the sites in the rankings."

Moore added that hackers could be taking a dual-pronged approach. Not only does the tactic help bump up their websites in search engines, but it could also be used to market their hacking skills to potential customers looking to access government servers. 

"If someone is trying to sell their credentials into this government site, they might want to show proof that they’ve gained entry," Moore explained. "With these PDFs, it’s very easy to throw in pirated material that the government would never advertise. So it proves that the hackers have been able to access these files."

"They’re also able to show real links to dark web marketplaces," he said. "This informs a buyer that they have access to potentially do more dangerous attacks on the site."

Perhaps most disconcerting, though, is the fact that this breach apparently flew under the radar of the federal government’s cybersecurity expertise. Forno told Futurism that the hack should have tripped "off sensors somewhere."

As to the question of how exactly the bad actors were able to access the USDA's systems, Moore believes that it’s likely the result of a phishing campaign. Alternately, he said, somebody with access to the department’s website could have also voluntarily given or sold their login credentials to hackers. 

However, both Forno and Moore said they wouldn’t rule out the possibility that the attack could be from a belligerent nation state conducting a coordinated cyberattack. Back in 2020, numerous US departments fell victim to the SolarWinds cyberattack, which resulted in the breach of top government officials’ emails and credentials. Though such an attack is highly unlikely in this case — not the least because state-sanctioned hackers would probably do something more devious than juice up streaming sites' SEO scores — it's still a possibility. 

Interestingly, some in the black hat SEO community have publicly discussed how to inject PDFs into government websites, including specifically the USDA, with directions that led to a login portal that the USDA pulled offline shortly after the SNAP-Ed subdomain.

It also appears that the same attackers, or others using a similar trick, have managed to place PDFs on other government sites. The Bureau of Indian Affairs, for instance, appears to have previously hosted similar files, though they were deleted before Futurism discovered the phenomenon and only cached versions remain.

Regardless of who's behind the apparent intrusion, it should be cause for concern for both the US government as well as the public. More than 41 million Americans rely on SNAP benefits to purchase food every day. While this hack is somewhat mundane, it indicates that the very website these Americans rely on to feed themselves and their families could be vulnerable to bad actors looking to access their personal information. 

It also raises the dark possibility that someone who had gained improper access to a .gov domain could upload a PDF with explosive ramifications, containing misinformation or designed to sow domestic or international discord.

"What else could be compromised on this server?" Forno asked. "Is the user data protected? Is this part of a larger security concern for this network? It absolutely raises questions."

Additional reporting by Jon Christian.

More on cybersecurity: A National Cybersecurity Council Just Lost 8 of Its 28 Members