Attacks/Breaches
12/10/2012
12:41 PM
Connect Directly
RSS
E-Mail
50%
50%

Team Ghostshell Hackers Claim NASA, Interpol, Pentagon Breaches

Group boasts "juicy release" of 1.6 million records and accounts drawn from defense contractors, government agencies, trade organizations and more.

Who Is Hacking U.S. Banks? 8 Facts
Who Is Hacking U.S. Banks? 8 Facts
(click image for larger view and for slideshow)
Hacking group Team Ghostshell Monday announced its latest string of exploits, as well as the release of 1.6 million accounts and records gathered as part of what it has dubbed Project WhiteFox. The hacked organizations allegedly include everyone from the European Space Agency (ESA) and the Japan Aerospace Exploration Agency (JAXA), to the Department of Defense and defense contractor L-3 Communications.

"'Kay, let's get this party started! ESA, NASA, Pentagon, Federal Reserve, Interpol, FBI try to keep up from here on out because it's about to get interesting," said the group in a Pastebin post, making reference to some of the organizations with servers it claimed to have hacked.

The resulting data that was copied and released by Team Ghostshell, and which largely appears to be in the form of server database tables, spans over 140 separate uploads -- all mirrored to multiple sites. Seventeen of those uploads relate to data grabs allegedly obtained from the Credit Union National Association (CUNA), which bills itself as "the premier national trade association serving credit unions." Team Ghostshell said the related data dump puts "over 85 mil. people at risk," while noting that "we've keep (sic) the leak to as little as possible." As of press time, CUNA's website was offline.

[ Read Bank Hacks: 7 Misunderstood Facts. ]

Meanwhile, 36 of Team Ghostshell's uploads appeared to involve data stolen from airport transfer firm World Airport Transfer, which is based in Ohio and owned by Tours & Co; 23 uploads are from California Manufacturers & Technology Association; 19 from Crestwood Technology Group; and eight from NASA's Center for Advanced Engineering Environments. Some of the other breached organizations appeared to include the Institute of Makers of Explosives, law firm Glaser Weil, the Defense Production Act (DPA) Title III Program, intelligence company Aquilent, the Texas Bankers Association, and the University of Texas at Austin School of Law's continuing education program.

The hackers apparently were also able to access servers that are part of ICS-CERT, the Department of Homeland Security Information Network, the FBI's Washington division in Seattle, intelligence company Flashpoint Partners, and Raytheon. It promised to warn affected organizations, via an email from deadmellox@tormail.org. "The email will also contain another 150 vulnerable servers from the Pentagon, NASA, DHS, Federal Reserve, intelligence firms, L-3 CyberSecurity, JAXA, etc. consider it an early Christmas present from us," said Team Ghostshell.

In what it has dubbed its year-end wrap up, the hacking group also detailed an identity -- "DeadMellox" -- which it said that its members had created to trace the flow of information relating to hackers. "'DeadMellox' was a ghost to begin with. Never existed. No, really. Before we created 'him,' he never exited (sic) on the internet, zero searches on google and all that jazz. Starting to get it now? We used the name afterwards to trackback all mentions of that name all over the place," said the group via Pastebin.

As part of its massive dox -- aka data dump -- Team Ghostshell included a briefing document allegedly stolen from Flashpoint Partners, the private intelligence firm that recently scored an interview with the U.S. bank attackers. The document lists the Twitter feed of DeadMellox as a source for the company's Team Ghostshell intelligence. To obtain the document, the hacking group claimed to have penetrated the Flashpoint network. "Interesting fact is that we weren't the only ones in there doing espionage," it said.

Earlier efforts by Team Ghostshell have included the release of 50,000 user accounts stolen from a jobs board that focuses on Wall Street, and the release of 120,000 records from 100 of the world's top universities, including Harvard and Oxford.

Last month, meanwhile, after "declaring war on Russia's cyberspace" as part of what it dubbed Project BlackStar, the group claimed to have leaked 2.5 million records and accounts related to a number of Russian government, law enforcement, and business organizations.

Storing and protecting data are critical components of any successful cloud solution. Join our webcast, Cloud Storage Drivers: Auto-provisioning, Virtualization, Encryption, to stay ahead of the curve on automated and self-service storage, enterprise class data protection and service level management. Watch now or bookmark for later.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0103
Published: 2014-07-29
WebAccess in Zarafa before 7.1.10 and WebApp before 1.6 stores credentials in cleartext, which allows local Apache users to obtain sensitive information by reading the PHP session files.

CVE-2014-0475
Published: 2014-07-29
Multiple directory traversal vulnerabilities in GNU C Library (aka glibc or libc6) before 2.20 allow context-dependent attackers to bypass ForceCommand restrictions and possibly have other unspecified impact via a .. (dot dot) in a (1) LC_*, (2) LANG, or other locale environment variable.

CVE-2014-0889
Published: 2014-07-29
Multiple cross-site scripting (XSS) vulnerabilities in IBM Atlas Suite (aka Atlas Policy Suite), as used in Atlas eDiscovery Process Management through 6.0.3, Disposal and Governance Management for IT through 6.0.3, and Global Retention Policy and Schedule Management through 6.0.3, allow remote atta...

CVE-2014-2226
Published: 2014-07-29
Ubiquiti UniFi Controller before 3.2.1 logs the administrative password hash in syslog messages, which allows man-in-the-middle attackers to obtains sensitive information via unspecified vectors.

CVE-2014-3020
Published: 2014-07-29
install.sh in the Embedded WebSphere Application Server (eWAS) 7.0 before FP33 in IBM Tivoli Integrated Portal (TIP) 2.1 and 2.2 sets world-writable permissions for the installRoot directory tree, which allows local users to gain privileges via a Trojan horse program.

Best of the Web
Dark Reading Radio