Wednesday, July 1, 2015

Anatomy of ISIS hack of the JIS Website - How and Why Hacktivists couldn't access sensitive GOJ Databases

Monday June 22nd, 2015 was a sensational day for IT Security peeps in Jamaica. Clearly ISIS doesn't like Jamaica!

I guess the GOJ's (Government of Jamaica's) claim to have begun securing their Websites against attack, as reported in my blog article entitled “GOJ securing Government Websites against Hackers - Linux-based GovNET to remove Windows vulnerabilities and change Human Behaviour”, was not actually true, based on what transpired.

The JIS (Jamaica Information Service) Website got hacked Monday June 22nd, 2015 as reported in the article “UPDATE: JIS Website Hacked, Sensitive Data Not Lost – Management”, published Monday June 22, 2015, The Jamaica Gleaner.

But it wasn't just the JIS Website alone that was hacked. Five (5) other Websites hosted on the same Server as the JIS were also hacked:

1. CHASE (Culture, Health, Arts, Sports and Education) Fund
2. GC Foster College
3. SDC (Social Development Commission)
4. Houses of Parliament
5. Jamaica National Commission for UNESCO (United Nations Educational, Scientific and Cultural Organization)

When the Jamaica Observer checked the Website up to 10:00pm on Monday June 22nd, 2015, as noted in the article “5 Websites hosted by JIS defaced”, published Tuesday, June 23, 2015, The Jamaica Observer, the Hackers had left their mark.

The following message had been posted on the JIS Website: “Hacked by Team System Dz: I am Muslim & I love jihad. I love Islamic state (heart). Message to all the peoples of the world and especially to governments, Islamic State List to restore the rights of Muslims who have been killed by your governments savage and unjust, Islamic state will restore dignity for Muslims. Will purge the land of the Muslims from the hypocrites infidels. It intervenes you will equip you to dwell in cemeteries. Op USA & Israel. Hackers Islamic State/.2015” Facebook”.

Based on the poor subject-verb agreement, it's fair to say that English isn’t the attackers' first language, lending credibility to the idea that the hack was carried out by Muslim fundamentalists, possibly “hacktivist” supporters of the IS (Islamic State).

JIS Websites hacked – Hours after Hacktivists hacked the GOJ Website, it was back up

A few hours after 10:00pm, the Website landing page had gone blank, except for the words “hacked by Holako”, possibly the Hacker's call sign as used in Chatrooms online.

Apparently what was happening behind the scenes was that the Website administrators had gone to work at around 9:02 pm and 9:38 pm, setting about the task of restoring the Website, a procedure which involved first deleting the old setup files and then replacing them with an image of the backup copy taken a few days before.

Within four (4) hours, the JIS Website was restored as the investigators began their investigation of the hacking attempt. Preliminary conclusions thus far indicate that the attackers only managed to change the main page of the Website but had not gotten to any of the connected Databases or services that can be accessed via the JIS or other Websites.

According to JIS CEO Donna-Marie Rowe, the hackers merely defaced the JIS Website and did not get access to sensitive information, and they would have the site back up and running shortly, which fits with what was observed, quote: “The aggressor's attempts at breaching our system did not result in access to sensitive data but was constrained to 'surface defacement'. Our security team is undertaking recovery and reinforcement procedures as we speak and the JIS Website will resume normal function in short order”.
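The restoration described above (wipe the web root, redeploy the backup image) is exactly what a file-integrity baseline makes detectable in minutes rather than hours. As an added example, not code from the original post or from the JIS, the script below hashes a web root against a baseline taken from the known-good backup and reports what a “surface defacement” changed; the directory layout, file names and contents are constructed for the demonstration.

```python
"""Detect web-root defacement by comparing file hashes against a known-good baseline."""
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path


def build_manifest(root: Path) -> dict[str, str]:
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    manifest: dict[str, str] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            manifest[path.relative_to(root).as_posix()] = digest
    return manifest


def diff_manifests(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Report files added, removed or modified since the baseline was taken."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def demo_defacement_check() -> dict[str, list[str]]:
    """Constructed scenario: baseline a tiny web root, then alter it like a defacement would."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.html").write_text("<h1>Landing page (constructed sample)</h1>")
        (root / "css").mkdir()
        (root / "css" / "site.css").write_text("body { margin: 0; }")
        baseline = build_manifest(root)  # in practice: computed from the backup image

        # Simulated defacement: landing page overwritten, one unexpected file dropped in.
        (root / "index.html").write_text("<h1>placeholder defacement text</h1>")
        (root / "readme.txt").write_text("placeholder")
        return diff_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    for kind, paths in demo_defacement_check().items():
        print(f"{kind}: {paths}")
```

Run on a schedule against the live web root, any non-empty "added" or "modified" list on a site that should only change through a deployment is the alert; the baseline must be regenerated after every legitimate deploy.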

So how did this hack occur?

Anatomy of the JIS Website hack - Hackers tied up Strong Man using Keyloggers

Well, in order for anyone to deface a Website, they'd have to have the login and password for your Website. In order to obtain your login and password without your permission, they'd have to steal it from you, most likely via a phishing attack as explained in my blog article entitled “Russian Gang steals 1.2 billion Logins and Passwords - Defense Against the Dark Arts on How to protect yourself against Hacking and Phishing”.

So what most likely happened was that the hackers, after scraping the Website to find the login page as well as email addresses for JIS employees, bombarded them with an email offer to encourage them to click on a link to receive something free.

That appears to be the case, as two (2) weeks earlier on Wednesday June 10th 2015, an email with the subject “Problems with invoices” was found to have contained a virus in an attachment labeled “New.zip”.

GOJ employees had apparently been receiving the mysterious email and, after opening its contents, it began crippling the Computer Networks of the PIOJ (Planning Institute of Jamaica), as confirmed by a JCF (Jamaica Constabulary Force) report in the article “Computer Virus Attacking Government Networks, PIOJ Affected”, published Wednesday June 10, 2015, The Jamaica Gleaner.

The Ministry of Science, Technology, Energy and Mining soon took action that very same day, issuing an advisory to all GOJ (Government of Jamaica) employees not to open this or any suspicious email as detailed in the article “Ministry issues e-mail virus alert”, published Friday, June 12, 2015, The Jamaica Observer.

Unfortunately, the email must have been forwarded to others within the various Ministries and Executive Agencies of Government, including the JIS. At that point, someone ignored this warning, clicked on the email and opened the attachment.
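An advisory telling staff not to open “New.zip” only works if everyone reads it; a mail-gateway check that opens archive attachments and flags executable content inside them does not depend on that. As an added example, not code from the original post or from any GOJ system, the script below screens a message for zip attachments hiding executables; the sample message, sender addresses and file names are constructed to resemble the lure described, and the “executable” inside is an inert placeholder.

```python
"""Screen a mail message for zip attachments that contain executable members."""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions that should not arrive inside an archive from an unsolicited sender.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".ps1", ".jar")


def suspicious_zip_members(payload: bytes) -> list[str]:
    """Return zip member names whose extension marks them as executable."""
    try:
        with zipfile.ZipFile(io.BytesIO(payload)) as archive:
            return [n for n in archive.namelist() if n.lower().endswith(EXECUTABLE_SUFFIXES)]
    except zipfile.BadZipFile:
        return ["<unreadable archive>"]  # a corrupt or obfuscated archive is worth a look too


def screen_message(raw: bytes) -> list[str]:
    """List one finding per flagged zip member; an empty list means nothing was flagged."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings: list[str] = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        data = part.get_payload(decode=True) or b""
        # Check the content, not just the name: a renamed zip still starts with "PK\x03\x04".
        if name.lower().endswith(".zip") or data.startswith(b"PK\x03\x04"):
            for member in suspicious_zip_members(data):
                findings.append(f"{name}: contains executable member {member}")
    return findings


def build_sample_message() -> bytes:
    """Constructed lure: the subject line from the advisory and a zip holding an .exe."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("invoice_2015.exe", b"MZ placeholder bytes, not a real program")
    msg = EmailMessage()
    msg["From"] = "billing@sender.example"      # constructed address
    msg["To"] = "staff@ministry.example"        # constructed address
    msg["Subject"] = "Problems with invoices"
    msg.set_content("Please see the attached invoice details.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="New.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(screen_message(build_sample_message()))
```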

The virus, most likely containing a keylogger as described in my blog article entitled “Professor Marco Gercke warns of Scammers using Keyloggers for Spear Phishing - How to use Keyloggers and how to Protect yourself from Scammer's American Hustle for Fast Cash”, sprang to life, installing itself on the various computers.

The virus also began to spread itself within the GOJ’s Intranet and the Intranet of the various Ministries and Executive Agencies of Government without the help of hitchin’ a ride as an email attachment. It spread itself to other computers via the JIS Intranet and its connection to the Internet, installing itself and using its keylogger functionality to record keystrokes on the infected machines.

As explained in my blog article above, the hackers most likely got updates from their virus keylogger function, which emailed them copies of keystrokes from various computers infected with the virus, possibly via a *.bin or *.txt email attachment or upload to a designated location on a Cloud Server.

Eventually, one of those infected computers belonged to the Website Administrator, who entered his password while doing routine maintenance on one of the Websites that got hacked.

The keylogger captured it along with possibly hundreds of other passwords and sent it to the hackers, who, after patient trial and error, succeeded in gaining access to the web server for the JIS, which also happened to host the five (5) other Websites, and thus proceeded to deface those Websites.

Why the JIS hack wasn’t worse – Hacktivists failed Validation to access sensitive GOJ Databases

The reason they couldn't get access to any critical Databases was possibly because those Databases required validation, i.e. comparison against another Database for verification. That is, the individual gaining access would possibly have had to enter a GOJ ID, i.e. a TRN (Tax Registration Number), Passport Number or Driver's License, in order to be allowed to view any information.

Even then, if they had gotten such access, they would have needed higher-level access, such as that of a Database Administrator, in order to gain actual access to ALL Database entries and execute read/write commands or delete the Database. Such Databases include:

1. TRN (Tax Registration Number)
2. Passport Number
3. Driver's License
4. Credit Card Payment

Thanks to verification using a GOJ ID, effectively a form of TSV (Two Step Verification) similar to that described in my blog article entitled “How to enable Apple iCloud TSV using Apple ID – Apple iCloud Fappening created Hipster Trend of Flip Cellphones, Vinyl Records and Polaroids”, the Hackers did not get very far.

Some may speculate that they were “hacktivists” out to prove a point. But it could have been much worse.

They could have hacked the JIS Websites and NOT made such a big fuss about it, silently gathering an army of hacked email and Database logins and passwords until they eventually got access to one that gave them read/write access to a Database.

This hack is therefore a wake-up call for the GOJ to implement GovNET based on Linux Servers and re-train staff on how to recognize hacking attempts, the weakest link in their security. Otherwise, the next time, hackers may make a bigger statement by not only defacing the Website, but hacking the GOJ's Databases and publishing their contents online.
