Anonymous continued its "AntiSec" activities, this time disclosing log-in credentials for 90,000 military employees, dumping the database and stealing source code.
The hacking collective
Anonymous released documents it claims were stolen from government contractor
Booz Allen Hamilton as part of its anti-government AntiSec campaign.
The documents Anonymous
released July 11 on The Pirate Bay contained personal and official email
addresses and passwords of an estimated 90,000 United States military employees.
Anonymous announced the massive data dump on its Twitter feed as part of
"Military Meltdown Monday."
The approximately 190MB data
torrent included log-in information of personnel from US CENTCOM, SOCOM, the
Marine Corps, Air Force facilities, Department of Homeland Security, Department
of State and other private-sector contractors. The passwords were unsalted SHA1
hashes stored as a text string, making them vulnerable to being cracked using
brute-force methods, Alex Rothacker, director of security research for
Application Security's TeamSHATTER, told eWEEK.
"It's slightly better
than MD5, but still considered easily crackable with the tools available
today," Rothacker said.
The group also claimed to
have uncovered "maps and keys for various other treasure chests buried on the
islands of government agencies, federal contractors and shady whitehat
companies." Anonymous also stole 4GB of source code from its Subversion code
repository and erased it from the servers.
Despite working with the
federal government on "defense and homeland security matters," Booz
Allen Hamilton was more like a "puny wooden barge" and not a
"state-of-the-art battleship" when it came to network security,
Anonymous said in its statement posted on Pirate Bay.
The server it compromised
"had no security measures in place," allowing the attackers to run
its own application on the box and dump the SQL database. During the four-hour-long
intrusion, Anonymous gained access to other unspecified servers uncovering
"As part of @BoozAllen
security policy, we generally do not comment on specific threats or actions
taken against our systems," the consulting giant posted on Twitter.
The group claimed to have
targeted Booz Allen Hamilton partially for its participation in government
surveillance and intelligence-gathering programs as well as for potential
Anonymous linked Booz Allen
Hamilton with HB
, and claimed both companies were working on a project to
"manipulate social media." The hacker collective uncovered HB Gary
Federal's activities after breaching the company's systems and stealing all its
emails in February, when the company's CEO claimed to have unmasked the group's
The Booz Allen data release
followed the data dump on July 8 from IRC Federal, a contractor that works with
the Army, Navy, NASA, the Department of Justice and other government agencies.
Anonymous found emails with information about various contracts, development
schematics, internal proposals and various log-in credentials.
Snippets were posted on
text-sharing site Pastebin, and a complete 107MB torrent file was posted onto
Pirate Bay. Anonymous said it obtained an administrator's log-in credentials
via a SQL injection attack on the Website to first gain a foothold in the
network. It used other techniques to grab database information and emails. The
attack was helped along by the fact that some administrators reused
across various systems.
"So we laid nuclear
waste to their systems, owning their pathetic Windows box, dropping their
databases and private emails, and defaced their professional-looking Website,"
Anonymous wrote on Pastebin.
Anonymous is doing exactly
what many security experts have warned: By compromising one server, the
attackers transform themselves from intruders
to trusted insiders
. Attackers often go after "softer, easier
targets" to gain a foothold in the network, Josh Shaul, CTO of Application
Security, told eWEEK.
attackers are inside the network, they can look for other user accounts to gain
access to more critical and valuable systems, Shaul said.
The group LulzSec
launched the AntiSec campaign with Anonymous against private-sector firms and
government agencies, with the stated purpose of exposing their alleged
corruption. LulzSec disbanded in late June after 50 days of data-breach
. But Anonymous has continued the attacks. It appears that some of
the LulzSec members have just switched names and are continuing their
activities under the Anonymous banner.