Cyber-attack: the Stratfor case
Date : February 08, 2012
On December 24, 2011, a massive attack hit Stratfor, a US intelligence company, closing a year already rich in cyberattacks (see, on this topic, the Cert-IST annual review of computer attacks of the year 2011). This article goes through that attack.
Introduction
Stratfor (Strategic Forecasting) is an American private intelligence company (think tank), founded in 1996 and located in Austin (Texas). Because of its status and its reputation, it holds a large database, in particular in the US intelligence area. It provides its subscribers with analyses and forecasts in the political, military and security domains (as newsletters).
The Stratfor client list is confidential and includes among its members administration and government agency employees and US army personnel (some of them belonging to the US State Department or working for international banks). The list contains names like Bank of America and JP Morgan Chase, as well as well-known names such as IBM and Microsoft.
Stratfor is regularly cited as an intelligence expert for strategic and tactical matters and has even been called "The Shadow CIA", in particular by the US weekly Barron's.
The attack
On Christmas day, a group of hackers claimed (under the Anonymous banner) to have attacked Stratfor's web site and collected not only the agency's client list, but also banking data of thousands of clients (stored in clear text). Altogether, around 860 000 e-mail addresses, as well as postal addresses, phone numbers and credit card numbers, were stolen. The data gathered also included passwords stored as MD5 hashes.
Regarding the attack itself, the Exploitability blog gives some leads. The hackers compromised the web site through a flaw in an Apache server and are then said to have used other flaws to gain "root" access. According to the analysis performed by the blog's author, the gathered logs show weaknesses that go against security good practices (presence of source files and various folders in the "/root" directory, presence of SSH keys without passphrases, use of the server for development…). The attackers also seem to have been able to access all the servers hosted in the DMZ thanks to a single key.
The hackers, like modern Robin Hoods, declared that they had used the stolen data to make a one-million-dollar gift to charity associations.
Some Anonymous members later denied this information and declared on "pastebin.com" that they were not responsible for the attack. It would more likely be the work of a dissident branch (coming from the dissolution of the LulzSec group) named "LulzXmas" (a contraction of LulzSec and Christmas), but the question of who claims the attack remains open.
As soon as the attack was announced on the Internet, Stratfor launched an investigation and took its site offline. According to a video released by the agency's founder and CEO, George Friedman, the attack is said to date back to early December, and the FBI is said to have started investigating at that date (the FBI reportedly recommended that the agency not make the attack public as long as the hackers had not disclosed it). Friedman apologised to his clients for having stored banking data in clear text and has since outsourced this task to a third party.
Regarding password security
With the stolen hashed passwords, several researchers ran programs using dictionaries or rainbow tables (tables containing lists of passwords associated with their hashes) to see what kind of passwords had been used, in order to study their complexity. The results speak for themselves and show that some passwords were very weak.
Note that the Stratfor registration form gives no recommendations on password robustness and does not prevent the use of weak passwords (which is surprising for this kind of organisation). Moreover, the passwords had been stored directly as MD5 hashes, without a salt (a per-user salt makes recovering passwords from the hashes more difficult, because a single precomputed table no longer covers every user).
This shows how important it is to choose complex passwords, with sequences of at least 8 or 9 characters mixing lowercase and capital letters, numbers and special characters (many recommendations on password security are available on the Internet; we can mention, for example, the US-CERT ST04-002 Cyber Security Tip).
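The two weaknesses discussed above (unsalted MD5 storage and the absence of any robustness check at registration) can be illustrated side by side. The following is an added example written for this article, not code from Stratfor or from the cited blogs; the sample passwords are constructed, and the policy function encodes the 8-character, four-class rule recommended above.

```python
import hashlib
import hmac
import os
import string
from typing import Optional


def md5_unsalted(password: str) -> str:
    """Storage as found in the Stratfor database: a bare MD5 of the password.
    Two users with the same password get the same hash, so one precomputed
    (dictionary or rainbow) table recovers the password for every user at once."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_salted(password: str, salt: Optional[bytes] = None, iterations: int = 200_000) -> str:
    """Hardened storage: a random per-user salt plus a slow KDF (PBKDF2-HMAC-SHA256).
    The record stores everything needed to verify later: kdf$iterations$salt$digest."""
    if salt is None:
        salt = os.urandom(16)  # fresh salt per user, so identical passwords differ on disk
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    _, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def meets_policy(password: str, min_len: int = 8) -> bool:
    """Registration-time check the Stratfor form lacked: minimum length and
    at least one lowercase letter, one capital, one digit and one special character."""
    return (len(password) >= min_len
            and any(c.islower() for c in password)
            and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password)
            and any(c in string.punctuation for c in password))


def same_password_two_users(password: str) -> tuple:
    """Returns (unsalted hashes equal, salted records equal) for two users sharing a password."""
    return (md5_unsalted(password) == md5_unsalted(password),
            hash_salted(password) == hash_salted(password))


if __name__ == "__main__":
    for pw in ("stratfor", "Tr0ub4dor&3"):  # constructed samples
        print(pw, "policy ok" if meets_policy(pw) else "rejected", same_password_two_users(pw))
```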
Conclusions
In the case of Stratfor, we may wonder what the attackers' objectives were. Without debating the ethics of this hacktivist movement (already largely debated since the attacks that followed the shutdown of the Megaupload site), previous attacks had motives that could be seen as rational: Visa had been hacked after suspending WikiLeaks payments, HBGary after participating in an operation aimed at identifying Anonymous members, etc. For Stratfor, the intent of the attack is more difficult to determine.
Friedman, for his part, describes the attack as an "act of censorship" and points to the destruction of the servers: "this attack had been clearly built to silence us by destroying our records and our web site, unlike other attacks of this group". Some sources think that, beyond Stratfor itself, it was rather Stratfor team members who were targeted. These sources link the Stratfor attack with the attack on "SpecialForces.com" (a company specialised in military equipment supply).
Friedman apologised, recognising his responsibility in this attack. Its success underlines the weakness of the agency's security, even though it is an actor in the information and security domain. And it is not the first time such an observation can be made; we remember DigiNotar, a Dutch certification authority that was the victim (in July 2011) of an intrusion during which several hundred certificates were stolen.
For more information:
"Security Week" article dated December 27, 2011:
http://www.securityweek.com/analysis-data-exposed-stratfor-cyber-attack
"Troy Hunt" blog dated December 29, 2011:
http://www.troyhunt.com/2011/12/5-website-security-lessons-courtesy-of.html
"IdentityFinder" article dated December 30, 2011:
"Tech Herald" article dated January 2, 2012:
http://www.thetechherald.com/articles/Report-Analysis-of-the-Stratfor-Password-List
"Le Monde" article dated January 9, 2012:
http://www.lemonde.fr/technologies/article/2012/01/09/des-responsables-americains-et-britanniques-pieges-par-des-hackers_1627211_651865.html