Attacks/Breaches
12/10/2012
12:41 PM
50%
50%

Team Ghostshell Hackers Claim NASA, Interpol, Pentagon Breaches

Group boasts "juicy release" of 1.6 million records and accounts drawn from defense contractors, government agencies, trade organizations and more.

Who Is Hacking U.S. Banks? 8 Facts
Who Is Hacking U.S. Banks? 8 Facts
(click image for larger view and for slideshow)
Hacking group Team Ghostshell Monday announced its latest string of exploits, as well as the release of 1.6 million accounts and records gathered as part of what it has dubbed Project WhiteFox. The hacked organizations allegedly include everyone from the European Space Agency (ESA) and the Japan Aerospace Exploration Agency (JAXA), to the Department of Defense and defense contractor L-3 Communications.

"'Kay, let's get this party started! ESA, NASA, Pentagon, Federal Reserve, Interpol, FBI try to keep up from here on out because it's about to get interesting," said the group in a Pastebin post, making reference to some of the organizations with servers it claimed to have hacked.

The resulting data that was copied and released by Team Ghostshell, and which largely appears to be in the form of server database tables, spans over 140 separate uploads -- all mirrored to multiple sites. Seventeen of those uploads relate to data grabs allegedly obtained from the Credit Union National Association (CUNA), which bills itself as "the premier national trade association serving credit unions." Team Ghostshell said the related data dump puts "over 85 mil. people at risk," while noting that "we've keep (sic) the leak to as little as possible." As of press time, CUNA's website was offline.

[ Read Bank Hacks: 7 Misunderstood Facts. ]

Meanwhile, 36 of Team Ghostshell's uploads appeared to involve data stolen from airport transfer firm World Airport Transfer, which is based in Ohio and owned by Tours & Co; 23 uploads are from California Manufacturers & Technology Association; 19 from Crestwood Technology Group; and eight from NASA's Center for Advanced Engineering Environments. Some of the other breached organizations appeared to include the Institute of Makers of Explosives, law firm Glaser Weil, the Defense Production Act (DPA) Title III Program, intelligence company Aquilent, the Texas Bankers Association, and the University of Texas at Austin School of Law's continuing education program.

The hackers apparently were also able to access servers that are part of ICS-CERT, the Department of Homeland Security Information Network, the FBI's Washington division in Seattle, intelligence company Flashpoint Partners, and Raytheon. It promised to warn affected organizations, via an email from deadmellox@tormail.org. "The email will also contain another 150 vulnerable servers from the Pentagon, NASA, DHS, Federal Reserve, intelligence firms, L-3 CyberSecurity, JAXA, etc. consider it an early Christmas present from us," said Team Ghostshell.

In what it has dubbed its year-end wrap up, the hacking group also detailed an identity -- "DeadMellox" -- which it said that its members had created to trace the flow of information relating to hackers. "'DeadMellox' was a ghost to begin with. Never existed. No, really. Before we created 'him,' he never exited (sic) on the internet, zero searches on google and all that jazz. Starting to get it now? We used the name afterwards to trackback all mentions of that name all over the place," said the group via Pastebin.

As part of its massive dox -- aka data dump -- Team Ghostshell included a briefing document allegedly stolen from Flashpoint Partners, the private intelligence firm that recently scored an interview with the U.S. bank attackers. The document lists the Twitter feed of DeadMellox as a source for the company's Team Ghostshell intelligence. To obtain the document, the hacking group claimed to have penetrated the Flashpoint network. "Interesting fact is that we weren't the only ones in there doing espionage," it said.

Earlier efforts by Team Ghostshell have included the release of 50,000 user accounts stolen from a jobs board that focuses on Wall Street, and the release of 120,000 records from 100 of the world's top universities, including Harvard and Oxford.

Last month, meanwhile, after "declaring war on Russia's cyberspace" as part of what it dubbed Project BlackStar, the group claimed to have leaked 2.5 million records and accounts related to a number of Russian government, law enforcement, and business organizations.

Storing and protecting data are critical components of any successful cloud solution. Join our webcast, Cloud Storage Drivers: Auto-provisioning, Virtualization, Encryption, to stay ahead of the curve on automated and self-service storage, enterprise class data protection and service level management. Watch now or bookmark for later.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-1750
Published: 2015-07-01
Open redirect vulnerability in nokia-mapsplaces.php in the Nokia Maps & Places plugin 1.6.6 for WordPress allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the href parameter to page/place.html. NOTE: this was originally reported as cross-sit...

CVE-2014-1836
Published: 2015-07-01
Absolute path traversal vulnerability in htdocs/libraries/image-editor/image-edit.php in ImpressCMS before 1.3.6 allows remote attackers to delete arbitrary files via a full pathname in the image_path parameter in a cancel action.

CVE-2015-0848
Published: 2015-07-01
Heap-based buffer overflow in libwmf 0.2.8.4 allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted BMP image.

CVE-2015-1330
Published: 2015-07-01
unattended-upgrades before 0.86.1 does not properly authenticate packages when the (1) force-confold or (2) force-confnew dpkg options are enabled in the DPkg::Options::* apt configuration, which allows remote man-in-the-middle attackers to upload and execute arbitrary packages via unspecified vecto...

CVE-2015-1950
Published: 2015-07-01
IBM PowerVC Standard Edition 1.2.2.1 through 1.2.2.2 does not require authentication for access to the Python interpreter with nova credentials, which allows KVM guest OS users to discover certain PowerVC credentials and bypass intended access restrictions via unspecified Python code.

Dark Reading Radio
Archived Dark Reading Radio
Marc Spitler, co-author of the Verizon DBIR will share some of the lesser-known but most intriguing tidbits from the massive report