[BreachExchange] Kapustkiy: The 17 Year Old Man, The Myth, The Motivations

Inga Goddijn inga at riskbasedsecurity.com
Tue Dec 27 09:35:47 EST 2016


https://www.riskbasedsecurity.com/2016/12/kapustkiy-the-17-year-old-man-the-myth-the-motivations/

A few months ago an individual using the handle Kapustkiy
<https://twitter.com/Kapustkiy> kicked off a spree of data breaches focused
mostly on government websites from around the world.  The first incident
was published close to two months ago, on November 6th, when Kapustkiy
announced a leak of data coming from seven Indian embassies located in
various countries.  Since that time, there have been an additional 13 data
leaks from government services – mainly embassies and related services –
as well as leaks from various other targets including universities located
around the world; in all, 17 different countries have been impacted by 21
different breaches.

While this isn’t the first group or researcher to do something of this
nature, piecing together the history and timeline of events revealed some
interesting findings. As was mentioned on Twitter
<https://twitter.com/BiellaColeman/status/808375193794060288>, this “hacker
is on a roll”, affecting tens of thousands of users whose personal
information has been leaked.

*The Breaches*

For the first few breaches, Kapustkiy had assistance from a hacker who uses
the name Kasimierz <https://twitter.com/Kasimierz_>.  Kapustkiy also teamed
up with the well-known figure CyberZeist for one of the incidents.
CyberZeist has had a presence for many years, including links to the
collective UGNazi <https://en.wikipedia.org/wiki/UGNazi>, which has had
various members arrested for hacking and credit card fraud
<https://arresttracker.com/>. CyberZeist recently resurfaced on a backup
account they had reserved almost four years ago, only to start attacking and
leaking data from various politically oriented targets before teaming up
with Kapustkiy to breach the Hungarian Human Rights Foundation
<https://www.cyberwarnews.info/2016/11/21/hackers-team-up-hungarian-human-rights-foundation-gets-hacked/>
on November 21st.

On November 26th, Kapustkiy leaked data from the High Commissions of Ghana
and Fiji in India and also announced that he had joined
<http://securityaffairs.co/wordpress/53783/hacking/kapustkiy-pga.html> a
group called Powerful Greek Army (PGA) <https://twitter.com/powerfularmygr>,
which has a history of DDoS attacks. At the beginning of August, the
website Security Affairs spoke with PGA
<http://securityaffairs.co/wordpress/49901/hacking/hacker-interviews-pga.html>.
In that interview, PGA stated that they were a new team of 7 skilled
hackers and that their motivations were to go after pedophiles and ISIS
supporters. Shortly after joining up with PGA, on the 2nd of December,
Kapustkiy leaked data from the Venezuelan Army website. In the announcement
for that leak, Kapustkiy stated that he was no longer a member of PGA. We
at Risk Based Security have been in contact with Kapustkiy and asked him
the reason behind leaving PGA; he stated that it was because they lacked
skills and he was the only one contributing.

I left them because they were not as skilled as I thought and they were only
DDoSing all the time. I did the most work.

Not long after leaving PGA, Kapustkiy started working with another group
known as New World Hackers (NWH) <https://twitter.com/newworldhacking>. If
that name sounds familiar, it’s because they made some very big headlines
recently
<http://www.cbsnews.com/news/new-world-hackers-claims-responsibility-internet-disruption-cyberattack/>
after claiming responsibility for the attack on Dyn DNS
<http://dyn.com/blog/dyn-statement-on-10212016-ddos-attack/>. The October
DDoS attack against Dyn disrupted service and resulted in a major Internet
outage, impacting popular services such as Twitter, Netflix and PayPal. On
December 7th, NWH was the focus of an in-depth research article published
by Zack Whittaker
<http://www.zdnet.com/article/these-college-students-were-behind-bbc-trump-cyberattacks/>
of zdnet.com. The article exposed the identities of the group’s core
members, which did not include Kapustkiy.  Kapustkiy explained that he had
only become a member of NWH a week earlier, which is why his identity was
not included in Zack’s research.

So who is Kapustkiy?  What are the motivations behind all of these breaches?

In a recent interview with Motherboard
<http://motherboard.vice.com/read/hacker-claims-theft-of-thousands-of-passport-numbers-from-russian-consulate>,
Kapustkiy states he is 17 years old. In our interactions with him, he has
described himself as a security researcher who is a 17 year old male and
still at school studying IT. When asked about the motivations behind these
breaches, he gave the following statement:

“The main motivation about that I breach all those websites is to let them
understand the consequence of a databreach and how dangerous it is when you
have a bad security.”

*Breach Methods*

The method used by Kapustkiy in all but one of the breaches has been SQL
Injection. The one exception was the Argentinian Ministry of Industry, where
he explained he used brute force against the target.  Looking further into
the breaches, it becomes clear that a handful of common exploits are being
used against similar target systems, which is what makes it possible to pull
off so many intrusions in a short amount of time.
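Added example (not part of the original article, and not code from any of the sites it names): the defect class behind all but one of these breaches, SQL injection, shown the way a defender would show it to a developer. One lookup builds the SQL text by string concatenation; the other binds the value as a parameter. The `users` table, the rows in it and the function names are constructed for this illustration.

```python
import sqlite3


def make_db():
    """Constructed sample data: a tiny in-memory 'users' table standing in
    for a website login database. Nothing here comes from a real breach."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [
            ("alice", "hunter2", "alice@example.invalid"),
            ("bob", "letmein", "bob@example.invalid"),
        ],
    )
    return conn


def lookup_vulnerable(conn, username):
    """Concatenates caller input into the SQL text, so the input becomes part
    of the statement's grammar. This is the pattern SQL injection exploits."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """Same query with a bound parameter: the driver passes the value
    separately from the statement, so input can never alter its structure."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    """Runs both lookups with a normal username and with the textbook
    tautology input, returning the four result sets for comparison."""
    conn = make_db()
    benign = "alice"
    hostile = "x' OR '1'='1"  # classic test string used in code review / WAF rules
    results = {
        "vuln_benign": lookup_vulnerable(conn, benign),
        "vuln_hostile": lookup_vulnerable(conn, hostile),      # returns every row
        "param_benign": lookup_parameterized(conn, benign),
        "param_hostile": lookup_parameterized(conn, hostile),  # matches nothing
    }
    conn.close()
    return results


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:14s} -> {rows}")
```

The point for the administrators in this story is the second function: the remediation is not filtering quotes or adding a WAF rule but changing the query construction, and because the same code base is often deployed on several sites (as the Russian consulate and visa bureau cases show), the fix has to be rolled out to every copy.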

Kapustkiy disclosed to Softpedia some additional details
<http://news.softpedia.com/news/russian-consulate-hacked-passport-numbers-and-personal-information-stolen-510928.shtml>
about the breach of the Consular Department of the Embassy of the Russian
Federation in the Netherlands.  He explained that he was able to breach the
website using a specific method, and that he was then able to hack the
Russian National Visa Bureau website, hosted on the same server, using the
exact same vulnerability.  This is a significant finding, as the system
administrator of the Consular Department’s website had already been made
aware of that particular vulnerability.

*Leaked Data*

The type of data leaked in each of the breaches ranges from personally
identifiable information (PII), such as first and last names and home
contact numbers, to login credentials and website-related information. It is
important to note that in each Kapustkiy breach he has not provided the
entire obtained data set, making a conscious decision not to leak certain
information to the general public.

Kapustkiy has been actively speaking with quite a few journalists, and in
an interview with Softpedia he claimed that he should by no means be
considered a hacker
<http://news.softpedia.com/news/kapustkiy-breaks-into-indian-regional-council-server-17-000-users-exposed-510355.shtml>.
Rather, he is exposing security vulnerabilities to allow administrators to
patch them.

“I’m a Security Pentester,” he said. “People think I’m a hacker, but this
is not true. I only try to help most of the time,” he continued.

When we interviewed Kapustkiy, we specifically asked him about his feelings
towards the innocent people who are affected by these breaches.  His reply
was perhaps not what you might expect.

“I exactly feel bad for them that they can’t trust their security”

So far the countries affected by the data breaches include Switzerland,
Italy, Romania, Mali, South Africa, Libya, Malawi, India, United States,
Ghana, Fiji, Argentina, Venezuela, the Netherlands, Russia, Slovakia and
China.

*Coordinated Disclosure Attempts?*

In several of the interviews that Kapustkiy has conducted, he routinely
mentions that he is a security pentester or security researcher, indicating
that he believes that he is one of the good guys and that his intention is
to help companies improve. Many in the security industry as well as the
organizations that have been breached would disagree that Kapustkiy’s
approach is a positive one.

As for referring to himself as a pentester – anyone that is currently
employed as a professional pentester knows there are rules for such
engagements that must be followed. First and foremost among them, the
target organization must grant permission for the test to occur. From
there, the scope of work should be clearly defined before testing gets
underway and, most importantly, the tester should always have the “get out
of jail free” card showing that the work has been approved, so as to avoid
tangling with the wrong side of the law.  Kapustkiy has not been working
within these rules and structure.

He also mentions that he contacts companies in order to ensure they are
notified and can fix the vulnerabilities that he finds. From the interviews
he has conducted thus far and the timelines of the breaches, it does appear
that he is in fact contacting the impacted organizations. However, the
window does not seem long or reasonable: it appears he waits only a few days
for a response before leaking the data (and it is clear some of the
contacts are occurring on a weekend).

And just like that, the vulnerability disclosure
<https://www.riskbasedsecurity.com/2016/08/uncoordinated-vulnerability-disclosure-causing-heart-palpitations-for-st-jude-medical-shareholders/>
debate
<https://www.riskbasedsecurity.com/2016/10/help-us-tell-telly-that-they-have-exposed-8m-subscribers/>
is a topic that we are covering yet again.

Even with the concerns around coordination, there are some who are seemingly
thankful for his work.  One of the data breaches of an Indian embassy
resulted in the government thanking Kapustkiy for discovering the breach –
despite the fact he had to leak data to get their attention since all
earlier communication attempts had failed. This type of complaint isn’t an
uncommon one by any means. Security researchers and hackers alike can feel
ignored, and for good reason. Anyone that has tried getting an organization
to respond to an unsolicited security alert knows just how unreceptive – or
even hostile – companies can be. Kapustkiy has provided Risk Based Security
with three screen captures that show three different countries’ governments
actually responding to his email notifications.

*Lessons Learned*

First, the single biggest lesson we hope will finally be learned once and
for all is that security is important and every organization must take the
risks seriously. Yes, security is hard and getting it “right” is
complicated, but difficulty doesn’t excuse ignoring security shortcomings.
Each year since Risk Based Security’s founding we have ended the year with
some snippet about how “this year has been the worst year on record for
breaches”. Sadly 2016 is no exception, with over 4.2B records exposed.
<https://www.cyberriskanalytics.com/>

It should be apparent that it is VERY important to clearly communicate how
self-identified pentesters and researchers who are trying to “help you”
should communicate with your organization.  Here are some lessons for
organizations wanting to avoid a similar data breach fate:

   - Have a security contact clearly listed on your website
   - Explain the process for responding to reports and the expected
   timeline for a response
   - Understand that, right or wrong, ethical or not in your view,
   researchers expect to be taken seriously and want a reply almost
   immediately
   - If you do not engage or reply to a researcher, they will most likely
   publicly disclose the issue, pointing out not only the problem they have
   discovered but also the lack of response from the responsible
   organization
   - Ensure your security contact method (email or other) is consistently
   monitored, even after hours, over weekends and holidays
      - If you can’t staff it properly, get help or engage a service
      provider
   - Consider implementing a Bug Bounty program as part of your security
   program
      - While not the holy grail of security, it goes a long way to engage
      and help manage the disclosure process when issues are found on your
      systems

Here are some thoughts for aspiring pentesters who exploit live systems
without permission and leak data:

   - Understand that what you are doing is illegal and can result in law
   enforcement taking action
   - Understand the reasons motivating your actions; while they may be
   admirable and well-intentioned, they will not make you any less
   vulnerable to the legal ramifications of your actions
   - Consider using your skills in a more directed manner and make some
   money with Bug Bounties
      - Watch a DEF CON video
      <https://www.youtube.com/watch?v=759ZalgD1vg> from Carsten Eiram
      and Jake Kouns to learn more
   - Understand that there is a great career waiting for you in the
   security industry and *you are needed*! A criminal record might put
   an end to that career before it can truly take off.

We did not ask Kapustkiy whether he was participating in Bug Bounty
programs or would consider this option. It does seem to be a good outlet
given his skills and the fact that most 17 year olds in school could use
the money these programs provide. In doing a quick search, we found that
Kapustkiy just might have had the same idea recently: as of December 10,
2016 he had set up an account on the HackerOne platform
<https://hackerone.com/kapustkiy/badges>.

While he doesn’t have any badges or results to show yet through the
platform, we plan on following his work here as well. HackerOne is either
going to make him a lot of money at the rate he is going, or get him busted
if he provided any personal details that can be tracked.

At the time of interviewing Kapustkiy, he posted on Twitter another breach
<https://twitter.com/Kapustkiy/status/811897146018566144>, this time of the
Costa Rica Embassy in China, and provided a screen capture showing that the
website was offline.

Following breach activity from actors such as Kapustkiy can be extremely
tricky. Many times leaks that are published are quickly removed or the
content is made private shortly after the original announcements. But we at
Risk Based Security continue to keep our eyes open and our ears to the
ground, tracking everything that we can to better understand how breaches
are occurring, predict their likelihood and ensure they can be avoided!

Based on a recent Tweet, we might not have to wait too long before we have
more breaches to analyze from Kapustkiy.

*Breach Timeline*

Each entry lists: Date, Source, Description, Data Impacted, Countries
Affected, Motivation (Kapustkiy’s own words where given), Method.

November 06, 2016
<http://thehackernews.com/2016/11/indian-embassy-hacked.html>
Description: Indian embassy websites in seven different countries
Data Impacted: full name, residential address, email address, passport
number and phone number of Indian citizens living abroad
Countries Affected: Switzerland, Italy, Romania, Mali, South Africa, Libya,
and Malawi
Motivation: “We did it because their security was poor, and several domains
related to the Indian Embassy had the same vulnerability. This proves that
a lot of people can not trust the “Embassy.” We hope that this problem will
be fixed in the future.”
Method: SQLi

November 11, 2016
<http://securityaffairs.co/wordpress/53329/data-breach/paraguay-embassy.html>
Description: Paraguay Embassy of Taiwan (www.embapartwroc.com.tw)
Data Impacted: real names, phone numbers, and emails of the users; emails of
employees
Countries Affected: ?
Motivation: poor security
Method: SQLi

November 11, 2016
<http://www.ehackingnews.com/2016/11/indian-embassy-website-in-new-york.html>
Description: Indian Embassy in New York
Data Impacted: over 7,000 individuals (not all published, due to personally
identifiable information): first name, last name, email-id, and mobile
number
Countries Affected: USA
Motivation: “I’m tired to report all the errors that I find in a there
website that I decided to breach them, NOW FIX YOUR SECURITY F***** ADMINS!”
Method: SQLi

November 12, 2016
<http://www.ehackingnews.com/2016/11/virgina-and-wisconsin-universitys.html>
Description: Virginia and Wisconsin universities: ECE Engineering department
(www.ece.virginia.edu), MEMS laboratory (www.mems.ece.vt.edu), Wisconsin
University’s e-library
Data Impacted: first name, last name, phone number, city, and zip code;
students’ unique identification number, login number, password, email-id,
access, and name
Countries Affected: USA
Motivation: “For ignoring me they don’t reply to my emails”
Method: SQLi

November 18, 2016
<http://news.softpedia.com/news/hacker-breaks-into-italian-government-website-45-000-users-exposed-510332.shtml>
Description: Italian government
Data Impacted: 45,000 total, with 9,000 leaked login credentials
Countries Affected: Italy
Motivation: “I did not get any response from them. I hope that they will
look in the database now after this breach and make their security better,”
Method: SQLi

November 20, 2016
<http://news.softpedia.com/news/kapustkiy-breaks-into-indian-regional-council-server-17-000-users-exposed-510355.shtml>
Description: Eastern Indian Regional Council
Data Impacted: 17,000 total but only 2,000 leaked: membership numbers,
names, passwords, and email addresses
Countries Affected: India
Motivation: ?
Method: SQLi

November 21, 2016
<http://news.softpedia.com/news/human-rights-foundation-website-hacked-thousands-of-accounts-exposed-510384.shtml>
Description: Hungarian Human Rights Foundation
Data Impacted: personal information, including phone numbers and home
addresses; count: 20,000
Countries Affected: Hungary
Motivation: ?
Method: SQLi

November 26, 2016
<http://news.softpedia.com/news/powerful-greek-army-hacker-breaches-high-commission-websites-in-india-510519.shtml>
Description: High Commission of Ghana; High Commission of Fiji
Data Impacted: 200 credentials
Countries Affected: India, Fiji, Ghana
Motivation: “after local authorities failed to boost security and address
the vulnerabilities that he previously discovered and which he used to
access credentials of thousands of users.”
Method: SQLi

December 2, 2016
<http://news.softpedia.com/news/venezuelan-army-website-hacked-details-of-3-000-accounts-exposed-510676.shtml>
Description: Venezuelan army CATROPAEJ
Data Impacted: 3,000 full names, email addresses, and telephone numbers
Countries Affected: Venezuela
Motivation: “to help authorities find out about their security issues and
address them.”
Method: SQLi

December 5, 2016
<http://securityaffairs.co/wordpress/54068/data-breach/national-assembly-of-ecuador-hacked.html>
Description: National Assembly of Ecuador
Data Impacted: 930 credentials
Countries Affected: Ecuador
Motivation: ?
Method: SQLi

December 7, 2016
<http://news.softpedia.com/news/argentinian-government-site-suffers-major-breach-personal-information-exposed-510780.shtml>
Description: Argentinian Ministry of Industry (produccion.gob.ar)
Data Impacted: 18,000 credentials and private documents
Countries Affected: Argentina
Motivation: ?
Method: SQLi

December 12, 2016
<http://motherboard.vice.com/read/hacker-claims-theft-of-thousands-of-passport-numbers-from-russian-consulate>
Description: Consular Department of the Embassy of the Russian Federation in
the Netherlands (ambru.nl)
Data Impacted: 30,000 records: email address, phone number, passport number
and IP address
Countries Affected: Netherlands, Russia
Motivation: ?
Method: SQLi

December 15, 2016
<http://news.softpedia.com/news/russian-visa-website-hack-exposes-data-of-thousands-of-users-510996.shtml>
Description: Russian National Visa Bureau in the Netherlands
Data Impacted: 13,000 records: email address, phone number, passport number
and IP address
Countries Affected: Netherlands, Russia
Motivation: ?
Method: SQLi

December 19, 2016
<http://news.softpedia.com/news/slovak-chamber-of-commerce-and-industry-hacked-511094.shtml>
Description: Slovak Chamber of Commerce and Industry (scci.sk)
Data Impacted: 8,000 total but only 4,000 leaked: names, phone numbers,
hashed passwords, emails, and user logins
Countries Affected: Slovakia
Motivation: ?
Method: SQLi

December 22, 2016
<http://www.mediafire.com/file/nr524euy3dz42zg/costa_rica_embassy_in_china_-_hacked.txt>
Description: Costa Rica Embassy in China
Data Impacted: ?
Countries Affected: China
Motivation: ?
Method: SQLi