That'd make sense since what I read was that the attackers didn't actually target this company and that they gained the data by just randomly scraping. It'd also explain why they sat on this data for like two years.
In addition to that, while we know data was taken, it hasn't shown up in any of the customary haunts for stolen information. Someone got access, and squirreled away the data. Just some hacker looking to make some money from identity theft would be selling that left and right.
They might have discovered the attack much earlier and be hoping nobody else will find out; after all, it was made by government agencies, so the stolen data is supposed to be in "safe hands" anyway. No proof, just a thought.
It could also be related to how they sell things. Given how commonly they redistribute this data I wouldn't be surprised if it turned out to be something like a customer portal where they can say it wasn't core because the attacker couldn't have altered data, etc.
I also believe that they actually know more than they are willing to quote in a paper. Likely Kaspersky was used to exfiltrate the data as well, but they aren't willing to say that. I don't have any evidence of this, but considering the closeness of Kaspersky to the govt, and the built in ability to directly upload files, it seems overkill to try to find a new exploit.
True, it may not have been as ultra-sophisticated as the article lets on, but the fact that there would be no obvious reason to pursue the attack on 34 different companies seems to belie the commercial-hack theory.
Doesn't add up if you look at the dates they claim the malware was injected and the dates of the most recent transactions of all the addresses swept. Some of those addresses hadn't been used in over a year.
While you can read that claim as being "we are too clueless/dumb to even realize we were hacked", an equally valid explanation is that they know that they either do not have the dataset being distributed, have sufficient canaries in said datasets that they know which ones come from them (for finding leaks, etc.), and/or know that no one person has access to a broad non-targeted list with this info.
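The "canaries in the dataset" idea in the comment above, as an added worked example that is not part of the thread or of any vendor's actual leak-detection system: each recipient of a redistributed dataset gets a few synthetic records derived from an HMAC of the recipient name under a secret key, so a later dump can be matched back to the distribution it came from. The record fields, the recipient names, the secret and the sample data are all constructed for the illustration.

```python
import hashlib
import hmac

# Assumed secret held by the data owner; in practice this lives in a KMS/HSM.
SECRET = b"assumed-canary-key-do-not-reuse"

def canary_records(recipient, secret=SECRET, count=3):
    """Deterministically derive synthetic records unique to one recipient.

    Using HMAC(secret, recipient:i) means the owner can regenerate the
    canaries later without storing them, and nobody without the secret can
    forge or predict another recipient's canaries.
    """
    records = []
    for i in range(count):
        tag = hmac.new(secret, f"{recipient}:{i}".encode(), hashlib.sha256).hexdigest()
        records.append({
            "id": f"CAN-{tag[:10]}",                      # stable field used for matching
            "name": f"Canary {tag[10:16].upper()}",       # looks like a real person
            "email": f"c-{tag[16:28]}@example.invalid",   # RFC 2606 reserved domain
        })
    return records

def seed_dataset(real_records, recipient, secret=SECRET):
    """Return the copy of the dataset handed to this recipient, canaries included."""
    return list(real_records) + canary_records(recipient, secret)

def attribute_dump(dump, recipients, secret=SECRET, count=3):
    """Count how many of each recipient's canaries appear in a leaked dump."""
    seen_ids = {r["id"] for r in dump}
    return {
        rcpt: sum(1 for c in canary_records(rcpt, secret, count) if c["id"] in seen_ids)
        for rcpt in recipients
    }

def best_match(hits):
    """Recipient with the most canary hits, or None if no canary was found at all."""
    rcpt, n = max(hits.items(), key=lambda kv: kv[1])
    return rcpt if n > 0 else None

# Constructed sample data: three "real" records and two downstream recipients.
REAL_RECORDS = [
    {"id": "R-0001", "name": "Alice Example", "email": "alice@example.org"},
    {"id": "R-0002", "name": "Bob Example", "email": "bob@example.org"},
    {"id": "R-0003", "name": "Carol Example", "email": "carol@example.org"},
]
RECIPIENTS = ["partner-a", "partner-b"]

if __name__ == "__main__":
    leaked = seed_dataset(REAL_RECORDS, "partner-b")  # partner-b's copy leaks
    print(attribute_dump(leaked, RECIPIENTS))          # partner-b gets all hits
    print(best_match(attribute_dump(REAL_RECORDS, RECIPIENTS)))  # None: no canaries
```

The matching is on the stable id field, so a dump that keeps only names and emails would need the same check run on those columns instead. A dump with zero hits against every recipient tells the owner either that it did not come from one of their seeded distributions, that it was pulled from a store that was never seeded, or that the attacker stripped or filtered the synthetic rows; it does not prove the data is not theirs.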
> We saw an unusual spike of activity that began on September 14, 2018, and we started an investigation. On September 25, we determined this was actually an attack and identified the vulnerability.
I'm unclear why it took 11-12 days to uncover this?
I wonder how they discovered they were hacked, and how they arrived at the 309,079 records number.
What logs are typically 'left behind' for forensics to analyze after the fact? It's not like they have packet captures of all network communications they can analyze, or a list of every SQL query that was run after the attacker found a way to inject...
This seems extremely far-fetched; see for example the comment on Twitter pointing out some flaws.
Reminds me of that company that received millions of dollars for their software for finding hidden messages on the internet and somehow predicting terror attacks.
Are there any signs that this data is actually out in the wild? From the article, it was found, reported and fixed within 24 hours, and they claim there's no sign of other unauthorized access.
Among other things, Shodan was showing their public facing server as vulnerable to a known exploit several weeks before the attack.
The same individual is being interviewed across multiple newspapers and constantly repeats it was a state-led attack without providing any technical details about what happened.
We have been searching for three weeks and I think a friend finally found someone whose parent's data may have been in the database. If it is confirmed, we only need to convince her to get one of her parents to file a lawsuit. There are several lawyers here who will do it pro-bono. This could be the only way to finally get the truth behind this intrusion.
It’s moot anyway, since they can always filter their stolen databases by potential methods of exfiltration, so the dump looks like it only used a certain vulnerability.