Anonymous continued its "AntiSec" activities, this time disclosing log-in credentials for 90,000 military employees, dumping the database and stealing source code.
The hacking collective
Anonymous released documents it claims were stolen from government contractor
Booz Allen Hamilton as part of its anti-government AntiSec campaign.
The documents Anonymous
released July 11 on The Pirate Bay contained personal and official email
addresses and passwords of an estimated 90,000 United States military employees.
Anonymous announced the massive data dump on its Twitter feed as part of
"Military Meltdown Monday."
The approximately 190MB data
torrent included log-in information of personnel from US CENTCOM, SOCOM, the
Marine Corps, Air Force facilities, Department of Homeland Security, Department
of State and other private-sector contractors. The passwords were unsalted SHA1
hashes stored as a text string, making them vulnerable to being cracked using
brute-force methods, Alex Rothacker, director of security research for
Application Security's TeamSHATTER, told eWEEK.
"It's slightly better
than MD5, but still considered easily crackable with the tools available
today," Rothacker said.
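Why unsalted SHA-1 storage is weak, shown from the defender's side as an added example (not code from the article or from any system it describes): identical passwords produce identical digests, so the rows can be grouped and checked in bulk, while a per-user salt and a slow key-derivation function remove that shortcut. The iteration count, the record format and the sample accounts are assumptions constructed for the illustration.

```python
import hashlib
import hmac
import os
import re

ITERATIONS = 600_000  # assumed work factor for this example
LEGACY_RE = re.compile(r"^[0-9a-fA-F]{40}$")  # bare SHA-1 hex string

def legacy_hash(password):
    """Unsalted SHA-1 stored as text, the format the article describes."""
    return hashlib.sha1(password.encode()).hexdigest()

def strong_hash(password, salt=None):
    """Per-user random salt plus PBKDF2-HMAC-SHA256 (slow by design)."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "pbkdf2_sha256${}${}${}".format(ITERATIONS, salt.hex(), dk.hex())

def verify(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    _scheme, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)

def audit(records):
    """Flag legacy rows and accounts whose digests collide (same password)."""
    legacy = sorted(u for u, h in records.items() if LEGACY_RE.match(h))
    by_digest = {}
    for user in legacy:
        by_digest.setdefault(records[user].lower(), []).append(user)
    shared = [users for users in by_digest.values() if len(users) > 1]
    return {"legacy": legacy, "shared": shared}

# Constructed sample credential table (hypothetical accounts and passwords).
SAMPLE = {
    "alice": legacy_hash("Summer2011!"),
    "bob": legacy_hash("Summer2011!"),   # same password, same digest
    "carol": legacy_hash("x9#Lq-unique"),
    "dave": strong_hash("Summer2011!"),  # already migrated
}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Rows flagged as legacy can be rehashed with strong_hash at each user's next successful log-in, since the plaintext is only available at that moment.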
The group also claimed to
have uncovered "maps and keys for various other treasure chests buried on the
islands of government agencies, federal contractors and shady whitehat
companies." Anonymous also stole 4GB of source code from the company's
Subversion code repository and erased it from the servers.
Despite working with the
federal government on "defense and homeland security matters," Booz
Allen Hamilton was more like a "puny wooden barge" and not a
"state-of-the-art battleship" when it came to network security,
Anonymous said in its statement posted on Pirate Bay.
The server it compromised
"had no security measures in place," allowing the attackers to run
their own application on the box and dump the SQL database. During the four-hour-long
intrusion, Anonymous gained access to other unspecified servers, uncovering
credentials.
"As part of @BoozAllen
security policy, we generally do not comment on specific threats or actions
taken against our systems," the consulting giant posted on Twitter.
The group claimed to have
targeted Booz Allen Hamilton partially for its participation in government
surveillance and intelligence-gathering programs as well as for potential
illegal activities.
Anonymous linked Booz Allen
Hamilton with HBGary Federal, and claimed both companies were working on a project to
"manipulate social media." The hacker collective uncovered HBGary
Federal's activities after breaching the company's systems and stealing all its
emails in February, when the company's CEO claimed to have unmasked the group's
top members.
The Booz Allen data release
followed the data dump on July 8 from IRC Federal, a contractor that works with
the Army, Navy, NASA, the Department of Justice and other government agencies.
Anonymous found emails with information about various contracts, development
schematics, internal proposals and various log-in credentials.
Snippets were posted on
text-sharing site Pastebin, and a complete 107MB torrent file was posted onto
Pirate Bay. Anonymous said it obtained an administrator's log-in credentials
via a SQL injection attack on the Website to first gain a foothold in the
network. It used other techniques to grab database information and emails. The
attack was helped along by the fact that some administrators reused
their passwords across various systems.
"So we laid nuclear
waste to their systems, owning their pathetic Windows box, dropping their
databases and private emails, and defaced their professional-looking Website,"
Anonymous wrote on Pastebin.
Anonymous is doing exactly
what many security experts have warned about: By compromising one server, the
attackers transform themselves from intruders to trusted insiders.
Attackers often go after "softer, easier
targets" to gain a foothold in the network, Josh Shaul, CTO of Application
Security, told eWEEK. Once the
attackers are inside the network, they can look for other user accounts to gain
access to more critical and valuable systems, Shaul said.
The group LulzSec
launched the AntiSec campaign with Anonymous against private-sector firms and
government agencies, with the stated purpose of exposing their alleged
corruption. LulzSec disbanded in late June after 50 days of data-breach
mayhem. But Anonymous has continued the attacks. It appears that some of
the LulzSec members have just switched names and are continuing their
activities under the Anonymous banner.