Attacks/Breaches
12/10/2012
12:41 PM
Connect Directly
RSS
E-Mail
50%
50%

Team Ghostshell Hackers Claim NASA, Interpol, Pentagon Breaches

Group boasts "juicy release" of 1.6 million records and accounts drawn from defense contractors, government agencies, trade organizations and more.

Who Is Hacking U.S. Banks? 8 Facts
Who Is Hacking U.S. Banks? 8 Facts
(click image for larger view and for slideshow)
Hacking group Team Ghostshell Monday announced its latest string of exploits, as well as the release of 1.6 million accounts and records gathered as part of what it has dubbed Project WhiteFox. The hacked organizations allegedly include everyone from the European Space Agency (ESA) and the Japan Aerospace Exploration Agency (JAXA), to the Department of Defense and defense contractor L-3 Communications.

"'Kay, let's get this party started! ESA, NASA, Pentagon, Federal Reserve, Interpol, FBI try to keep up from here on out because it's about to get interesting," said the group in a Pastebin post, making reference to some of the organizations with servers it claimed to have hacked.

The resulting data that was copied and released by Team Ghostshell, and which largely appears to be in the form of server database tables, spans over 140 separate uploads -- all mirrored to multiple sites. Seventeen of those uploads relate to data grabs allegedly obtained from the Credit Union National Association (CUNA), which bills itself as "the premier national trade association serving credit unions." Team Ghostshell said the related data dump puts "over 85 mil. people at risk," while noting that "we've keep (sic) the leak to as little as possible." As of press time, CUNA's website was offline.

[ Read Bank Hacks: 7 Misunderstood Facts. ]

Meanwhile, 36 of Team Ghostshell's uploads appeared to involve data stolen from airport transfer firm World Airport Transfer, which is based in Ohio and owned by Tours & Co; 23 uploads are from California Manufacturers & Technology Association; 19 from Crestwood Technology Group; and eight from NASA's Center for Advanced Engineering Environments. Some of the other breached organizations appeared to include the Institute of Makers of Explosives, law firm Glaser Weil, the Defense Production Act (DPA) Title III Program, intelligence company Aquilent, the Texas Bankers Association, and the University of Texas at Austin School of Law's continuing education program.

The hackers apparently were also able to access servers that are part of ICS-CERT, the Department of Homeland Security Information Network, the FBI's Washington division in Seattle, intelligence company Flashpoint Partners, and Raytheon. It promised to warn affected organizations, via an email from deadmellox@tormail.org. "The email will also contain another 150 vulnerable servers from the Pentagon, NASA, DHS, Federal Reserve, intelligence firms, L-3 CyberSecurity, JAXA, etc. consider it an early Christmas present from us," said Team Ghostshell.

In what it has dubbed its year-end wrap up, the hacking group also detailed an identity -- "DeadMellox" -- which it said that its members had created to trace the flow of information relating to hackers. "'DeadMellox' was a ghost to begin with. Never existed. No, really. Before we created 'him,' he never exited (sic) on the internet, zero searches on google and all that jazz. Starting to get it now? We used the name afterwards to trackback all mentions of that name all over the place," said the group via Pastebin.

As part of its massive dox -- aka data dump -- Team Ghostshell included a briefing document allegedly stolen from Flashpoint Partners, the private intelligence firm that recently scored an interview with the U.S. bank attackers. The document lists the Twitter feed of DeadMellox as a source for the company's Team Ghostshell intelligence. To obtain the document, the hacking group claimed to have penetrated the Flashpoint network. "Interesting fact is that we weren't the only ones in there doing espionage," it said.

Earlier efforts by Team Ghostshell have included the release of 50,000 user accounts stolen from a jobs board that focuses on Wall Street, and the release of 120,000 records from 100 of the world's top universities, including Harvard and Oxford.

Last month, meanwhile, after "declaring war on Russia's cyberspace" as part of what it dubbed Project BlackStar, the group claimed to have leaked 2.5 million records and accounts related to a number of Russian government, law enforcement, and business organizations.

Storing and protecting data are critical components of any successful cloud solution. Join our webcast, Cloud Storage Drivers: Auto-provisioning, Virtualization, Encryption, to stay ahead of the curve on automated and self-service storage, enterprise class data protection and service level management. Watch now or bookmark for later.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, September 16, 2014
Malicious software is morphing to be more targeted, stealthy, and destructive. Are you prepared to stop it?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-5700
Published: 2014-09-22
Multiple cross-site scripting (XSS) vulnerabilities in Baby Gekko before 1.2.2f allow remote attackers to inject arbitrary web script or HTML via the (1) id parameter to admin/index.php or the (2) username or (3) password parameter in blocks/loginbox/loginbox.template.php to index.php. NOTE: some o...

CVE-2014-0484
Published: 2014-09-22
The Debian acpi-support package before 0.140-5+deb7u3 allows local users to gain privileges via vectors related to the "user's environment."

CVE-2014-2942
Published: 2014-09-22
Cobham Aviator 700D and 700E satellite terminals use an improper algorithm for PIN codes, which makes it easier for attackers to obtain a privileged terminal session by calculating the superuser code, and then leveraging physical access or terminal access to enter this code.

CVE-2014-3595
Published: 2014-09-22
Cross-site scripting (XSS) vulnerability in spacewalk-java 1.2.39, 1.7.54, and 2.0.2 in Spacewalk and Red Hat Network (RHN) Satellite 5.4 through 5.6 allows remote attackers to inject arbitrary web script or HTML via a crafted request that is not properly handled when logging.

CVE-2014-3635
Published: 2014-09-22
Off-by-one error in D-Bus 1.3.0 through 1.6.x before 1.6.24 and 1.8.x before 1.8.8, when running on a 64-bit system and the max_message_unix_fds limit is set to an odd number, allows remote attackers to cause a denial of service (dbus-daemon crash) or possibly execute arbitrary code by sending one m...

Best of the Web
Dark Reading Radio