It’s been some time since Team GhostShell was active, but the hacker group kicked into high gear, referenced “dark hacktivism” and started tweeting about hundreds of hacked sites and linking to dumps with plundered data. The group should sound familiar as back in 2012 the hacktivists pounded on government agencies such as the Pentagon, NASA, ESA, the Federal Reserve and Interpol before dumping 1.6 million records.
Who knows precisely why, but Team GhostShell tweeted numerous potential reasons for a new season of hacking such as:
GhostShell allegedly hopes hacks will raise awareness.
In other words, Team GhostShell is proving that the cybersecurity of many sites still stinks.
Reports say that the data dumps reveal compromised account details numbering in the thousands at the lower estimate; however, this number is probably much higher. Information contained in the dumps supposedly includes emails, user names, addresses, telephone numbers, Skype names, dates of birth, and other personally identifiable information. Reports also say that some passwords were salted and hashed, while others were just hashed. Some passwords, however, were apparently stored in plain text. Unsurprisingly, there were several examples of the infamously weak “123456” password found in the data dumps.
Some of the hacks seem hard to explain, other than that the group was just looking for any vulnerable site that could be exploited; take the Smithsonian photo contest as an example. Other “why-in-the-world-hack-it” sites included Socialblade, which was big into Digg by ranking the top 1,000 users, The Church of Jesus Christ of Latter-day Saints scripture citation and the Exploratorium in San Francisco. Symantec suggested the group previously liked to compromise “databases by way of SQL injection attacks and poorly configured PHP scripts.” The reason to dump the data from other sites might be for spite as Team GhostShell taunted @TrendMicro and @BoozAllen.
The dumps are not focused on one country as the hacktivists tweeted “picking countries at random since you’re most likely not gonna find a single one well-protected.” Many tweets about hacked sites were from education institutions, but that is supposedly because the group “didn’t feel like copy/pasting gov databases all day.”
Hacked by Team GhostShell
I’m not linking to the dumps as you can find them yourselves by scanning @TeamGhostShell’s tweets; you might not even want to click on the educational institutions listed as several of the specific URLs are down, result in a 403 forbidden access denied error, or display a warning such as the one on the University of Texas at San Antonio Office of Information Technology, which states “Access to the Web page you were attempting to visit has been blocked due to the reported presence of malware on the website.”
The hacks are not exclusive to the US, but the following are a few US universities and colleges Team GhostShell claimed to have hacked and for which it tweeted links to data dumps.
Universities and colleges:
Princeton University; University of Southern California; UCLA Electrical Engineering Department; University of Maryland “outlook” and its Department of Visual Arts in Baltimore; Texas A&M University’s science division; University of North Dakota; University of California with a weird URL starting with senate; Wittenberg University in Springfield, Ohio; Clemson University in Clemson, South Carolina; University of Wisconsin UWMilwaukee; Columbus State University (Georgia) Financial Aid site; California State University at Sacramento Engineering and Computer Science Department; University of Texas at San Antonio Office of Information Technology; Clarkson University Potsdam in New York; University of Miami College of Engineering; Portland State University in Oregon; University of Indianapolis Department of Music; Northern Arizona University in Flagstaff; University of South Carolina School of Medicine in Greenville; Idaho State University College of Pharmacy; Rice University Alumni at Houston, Texas; Old Dominion University in Norfolk, Virginia; the admission page for Bradley University in Peoria, Illinois; California Lutheran University; Deaf Studies Digital Journal Department of Gallaudet University in Washington, DC; Drury University in Springfield, Missouri; Florida International University Health Department; Saint Mary's University of Minnesota "Graduate Professional Development for Educators;" Valdosta State University in Georgia and its Herbarium; another link led to a site asking users to pick either Southern University or A&M College in Baton Rouge, Louisiana; University of West Georgia in Carrollton; University of Nevada, Las Vegas, photo services; and Webster University in St. Louis, Missouri.
Links leading to hacks of the University of Michigan go to several different pages such as the University of Michigan initiative, its Surveys of Consumers, Michigan Channel and the University of Michigan's Center for Education Outreach. A couple other links led to media servers for the University of Alabama in Huntsville and the media server for the Florida Institute of Technology in Melbourne.
Math departments: The hackers have been pwning math departments, tweeting links that lead to the University of Massachusetts' Math Department; the University of Wisconsin Whitewater's Department of Mathematics; and Montclair State University's Teaching Information System for its Department of Mathematical Sciences Montclair in New Jersey.
Other colleges: Team GhostShell also said it hacked the New York Academy of Art; Illinois Institute of Technology; Chaffey College in Rancho Cucamonga, CA; Lanier Technical College in Oakwood, Georgia; The Scripps Research Institute which has campuses in California and Florida; Bevill State Community College in Alabama; Del Mar College; Metropolitan Community College in Omaha, Nebraska; and Mott Community College in Flint, Michigan.
Libraries: US college libraries thus far mentioned include Cornell University Library; the Mercer College of Medicine Library; Vassar College Library in Poughkeepsie, NY; the Moody Bible Institute’s Moody Library; and the Paul V. Galvin Library at the Illinois Institute of Technology in Chicago.
Other: Here are a few others linked to as hacked by GhostShell. State of New Jersey Department of Education; The Oregonian "your government" site; Minnesota State Colleges & Universities Academic & Student Affairs; and Arianna Huffington at The Huffington Post.
So far the hacks have been from all over the world, spanning numerous industries. The Fidelity Group is mentioned as is the Alliance for Coastal Technologies; another potential big ouchie the group claimed to have hacked is Los Alamos National Laboratory. But when looking at the link tweeted, it takes you to a page that suggests visiting another site “if you are looking for the Supercomputing Challenge.”
I can’t guarantee those sites have been hacked, but Team GhostShell links to them as well as to dumps allegedly from those US sites. As mentioned previously, the hacktivists mentioned governments, taunted FireEye and sneered at security products the group must not respect.
Team GhostShell’s Twitter account is on fire as the dumps continue on poorly secured sites; for Americans about to celebrate July Fourth, the bang of fireworks may not just be in the sky but also in the cloud as GhostShell claims it will bring the pain to cloud providers too.