This Bulletin is an analysis of the hacktivist group Anonsec, which claimed to have exfiltrated data from NASA servers and drones on January 31, 2016.
On January 31, 2016, Default Virusa, an administrator of the hacktivist group Anonsec, contacted journalist Mikael Thalen, claiming to have exfiltrated between 100 and 276 GB of data from NASA servers and drone systems. The group also claims to have entrusted Wikileaks and The Guardian with copies of the encrypted data. The following day, Anonsec released “samples” of the data online. The full store of data supposedly contains 631 aircraft and radar videos, 2143 flight logs, and information on 2414 employees. Official AnonSec members include: Mr.lele, AnonSec666, 3r3b0s, d3f4ult, MS08-067, Hannaichi, ap3x h4x0r, OverKiller, Cyb3r Shzz0r, Mr. Blacklist, Mr.WWW, AN0NT0XIC, Ny0g3n, and cyberhack al. Members behind the attack on NASA include: Shimo7even, pangeran, Bashtien, Sh1n0d4, d3f4ult, and TGab. Others may have been involved, but their monikers were not included in the group’s self-publication.
Along with the attack on NASA (dubbed OpNASADrones), Anonsec released its own “zine,” a self-published whitepaper of their work. The zine is a clear cry for publicity. The “breach” of NASA is less a breach and more of a minor (insignificant) attack; however, the script kiddies are trying to capitalize on the weight of NASA’s name to grab major headlines. That explains the concurrent release of the OpNASADrones zine and the decision to send breach information to Wikileaks, the Guardian, and Infowars prior to release: the group wanted articles about their work to dominate the day of release. All of Anonsec’s work, in this operation and others, capitalizes on human vulnerability. Based on the writing style and a few references (to popcorn and conspiracy theories, among other things), the zine was likely authored by members Bastien and TGab, with assistance from others. The rants and conspiracy theories in sections of the document seem to belong to TGab. Evidence in the document suggests that at least 3-7 Anonsec members participated in the NASA attack.
Humans are the weakest link in cybersecurity defense. A single compromised account (as is the case with the NASA attack) affords adversaries access to otherwise secured systems. The zine is dedicated to the “baby boomer secretaries world-wide, without [whose] lack of training and irresistible urge to open attachments in spoofed emails from the HR department, this would have never happened.” The dedication is a reference to the 2013 spread of the Gozi virus, which granted the initial foothold in a NASA system.
Disclaimer: A majority of the information reported and analyzed hereafter derives from the zine and should be treated with deserved skepticism.
Anonsec was founded in November 2011 by a member from Kurdistan (Mr.Lele) and a member from the United States (Anonsec666). Mr.Lele was an AnonGhost admin, but has allegedly been called to military service in his home region to combat ISIS. Anonsec now has members in the United States, the United Kingdom, Germany, Japan, Malaysia, Morocco, Indonesia, India, Pakistan, Iraq, Italy, Romania, and Latvia. The group is known for its “dark-grey-hat” attacks against other websites and other groups, such as OpDeathEaters (targeting online pedophile rings), OpBeast (targeting bestiality sites in Denmark), OpDetroit (ransoming the Detroit government to turn water back on), and OpISIS (targeting ISIS websites, forums, and Twitter accounts). The active members of Anonsec are young and the operating language for communication is English. Based on the language in the document, the writing style of the zine, the group slogan “hack the planet” (a reference to 1980s-1990s hackers and the movie Hackers (1995)), and the choice of targets (and lack of identifiers of less mature script kiddies), we postulate that the author of the zine and most of the members are men ages 18-26. Some of the members developed their own scripts for portions of the attack, which suggests that some members either had formal programming or information security training or have been active for long enough to learn. The epilogue confirms the suspected age range, citing that members have real jobs, families, and children. The zine is a curiosity of particular interest to this security researcher because it is formatted to resemble a formal technical white paper, complete with a table of contents, information about the threat actor, a TTP section, etc. This could indicate that members of the group have formal information security training.
The foothold into NASA’s network was purchased in 2013 by seven members of Anonsec from two hackers (presumably Chinese, based on characters in their monikers). The foothold was established after a Gozi virus infection (which was cleared from the network). Anonsec paid for the foothold with hacked BTC-E accounts. BTC-E is a cryptocurrency exchange hosted in Bulgaria. The price of the exchange and some other identifiable information was redacted from the IRC chat published in the zine.
The discussion of the NASA attack in the TTP section begins with an acknowledgement that NASA’s declassified network has been breached in the past and that the Anonsec attack is therefore utterly unsophisticated. Anonsec purchased the foothold without any particular intent. The opportunity arose and they made the exchange because exploring NASA’s network sounded fun. After the purchase, a member dubbed Bastien contacted an Italian hacker, Dr.d3v1l, who had previously attacked NASA subdomains, for information about where the network was weakest. Anonsec purchased access to a compromised user account, so the initial few days of the attack were spent trying to elevate their privileges. The foothold was on a Debian server that was updated and patched against disclosed CVEs. Further, Anonsec failed to spear phish user credentials. Further compromise was accomplished through “2014 bypasses and symlink exploits” that allowed the attacker to simulate a new Linux directory, run commands, and move malware onto the network. The attack kit consisted of downloader scripts, a vulnerability scanner, port scanners, a brute force password cracker, packet sniffers (Wireshark, tcpdump, dsniff, mimikatz, egrep), 0-day exploits (2014/symlink, CVE-2013-5065, CVE-2014-0038), and an exploit for Western Digital My Book World Edition (allowing SSH, root access, and remote enable). Next, the attackers mapped the network using their tools and IP/reverse-IP lookups. They fingerprinted detected systems in an attempt to target known vulnerabilities with publicly available CVEs. The attackers left a packet sniffer running on each compromised box (mostly unpatched Win XP and Ubuntu systems) in an attempt to capture FTP traffic. Systems running RDP, VNC, SSH, or MySQL were targeted with the brute force credential tool because poorly trained system administrators leave credentials at default. A root/root credential combination was discovered in 0.32 seconds.
From the initial compromise, the attackers pivoted to other systems through vulnerable ports. The initial attack lasted a few weeks. By their own admission, the attackers realized that they had only compromised a portion of a subnet on a well-segmented system.
Anonsec eventually compromised an Ubuntu 3.8.0-29 server (27workstation 239) belonging to administrator Eric Jensen, which had not been updated in a few months and was vulnerable to CVE-2014-0038. Throughout the document, the group credits Jensen with their successes because every time they were stonewalled, his credentials or neglected systems allowed them to push further into the network. It is not clear if this information is accurate or just a targeted attack against a NASA system administrator. After gaining access, the attackers mapped the server, installed malware and rootkits, and then deleted traces of their activities. The majority of the activity was done through Linux commands, but some processes, such as hooking onto the system, were accomplished through prewritten scripts. From workstation 239, the group was able to detect intranet systems (192.168.-.-, 172.16.-.-, and 10.0.-.-) on their network scans. The group located an identical Ubuntu server (possibly named Dryden 78) that was allegedly accessible through Jensen’s credentials via SSH. CVE-2014-0038 was then executed on the system and rootkits were installed. Security on the system was bypassed through a Squid proxy and socat port forwarding. From this vantage point, the attackers detected three 2TB WD My Book World Edition network storage devices that were labeled DRONE_BACKUPS, DRONE_Backups2, and DRONE_BACKUPS3. The exfiltrated information comes from these devices. It is worth noting that NASA issued a public statement that the information “exposed” was already publicly available. As such, these devices were probably not heavily secured because the information contained within was open source. This is further demonstrated by the observation that the compromised systems and the NAS devices were connected to the internet. The attackers could not gain access to the devices through ports 21 or 80 because the weak “Jensen” credentials did not work and because SSH was not enabled.
Instead, they found a (publicly disclosed) vulnerability in the firmware update process that allowed for the redirection of the Perl update script to a malicious URL that executes arbitrary commands, such as granting root access. Even after the exploit, it took the attackers a significant amount of time (at least a week) to actually gain access to the devices and a web portal. In the meantime, members compromised unsecured security cameras within the base. After another 2-3 weeks, the actors (allegedly) caught Jensen’s credentials over an HTTP login in a tcpdump capture. Allegedly, Jensen’s credentials for all three devices this time were jensen/jensen123. Files were copied, renamed, and sent back to the Dryden78 system over port 80 via a series of cronjobs and then on to 27workstation239 via SSH. The data was then sent outside of NASA’s network to an overseas VPS.
The group’s big headline, “seizing control of a drone,” is a gross exaggeration meant to seize headlines and bring NASA bad publicity. The actors admit in their document that, at best, they only could have achieved “semi-partial control of a NASA drone during one flight.” NASA comments that at no time did their operators lose any amount of control over the drone. Anonsec attempted to hack the drone after Wikileaks and the Guardian ignored their attempts to publish the data that was finally released over the internet on February 1, 2016. In fact, some of the members attacking NASA opposed the attempt because the group’s objective was not destruction or terrorism. They wanted to check whether NASA was honest about chem-trail data relevant to Global Warming models. Anonsec claims that after they attempted to alter the drone flight path file, NASA discovered the compromised systems and removed every single infection and attack vector on the network.
The group ends the document with an acknowledgement that at least 90% of the data released (they claim to have more) was publicly available. They further clarify that the information appearing on their page accusing NASA of alien cover-ups is a mistranslation from a Japanese member who was using Google Translate to describe conspiracy theories about NASA. They did not find any information about aliens.
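A defender's check for two weaknesses the account above turns on, a device login sent over plain HTTP and username-derived passwords such as root/root and jensen/jensen123, is sketched below as an added example (it is not from the zine or from this bulletin). The form field names, function names and sample hosts are assumptions, and the traffic is constructed.

```python
import base64
import re
from urllib.parse import parse_qs

# Form field names treated as credentials (assumed; extend for your devices).
USER_FIELDS, PASS_FIELDS = ("username", "user", "login"), ("password", "passwd", "pwd")

def is_username_derived(user, password):
    """True for root/root or jensen/jensen123 style passwords."""
    return bool(user) and bool(re.fullmatch(re.escape(user) + r"\d{0,4}", password, re.I))

def extract_login(raw):
    """Return (kind, user, password) for a cleartext HTTP login, else None."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {k.strip().lower(): v.strip()
               for k, sep, v in (l.partition(":") for l in lines[1:]) if sep}
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        try:
            user, _, pw = base64.b64decode(auth[6:]).decode("latin-1").partition(":")
        except ValueError:  # malformed base64
            return None
        return ("basic-auth", user, pw)
    if lines[0].startswith("POST ") and "urlencoded" in headers.get("content-type", ""):
        form = parse_qs(body.decode("latin-1"))
        user = next((form[f][0] for f in USER_FIELDS if f in form), None)
        pw = next((form[f][0] for f in PASS_FIELDS if f in form), None)
        if user is not None and pw is not None:
            return ("form-login", user, pw)
    return None

def audit(requests):
    """requests: (dst_host, raw_request_bytes) pairs captured on plain HTTP."""
    findings = []
    for host, raw in requests:
        login = extract_login(raw)
        if login:  # report the weakness only; the password is never stored
            findings.append({"host": host, "kind": login[0], "user": login[1],
                             "username_derived": is_username_derived(*login[1:])})
    return findings

# Constructed sample traffic (not from the incident); TEST-NET-1 addresses.
SAMPLE = [
    ("192.0.2.10", b"POST /login HTTP/1.1\r\nContent-Type: application/x-www-form-urlencoded"
     b"\r\n\r\nusername=jensen&password=jensen123"),
    ("192.0.2.11", b"GET /admin HTTP/1.1\r\nAuthorization: Basic cm9vdDpyb290\r\n\r\n"),  # root:root
    ("192.0.2.12", b"GET /index.html HTTP/1.1\r\nHost: nas3\r\n\r\n"),
]
print(audit(SAMPLE))
```

Any finding means the device accepts logins without TLS; a finding with `username_derived` set also marks an account whose password should be rotated first.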