AKINCILAR: New (?) hacking attack on the Ministry of Foreign Affairs. A new hacking attack on the website of the Ministry of Foreign Affairs, catalogue.mfa.gr, was carried out one hour ago by the Turkish hacking team AKINCILAR.
According to information published on Twitter by the Turkish user @ynsmroztas, AKINCILAR targeted the site hosting the contact list of Foreign Ministry officials using SQL injection, a technique that in most cases ends in a data breach and data leaks. See the featured screenshot:
The hackers stated that they gained access to the website catalogue.mfa.gr by exploiting SQL injection vulnerabilities and succeeded in obtaining the contact details of Ministry employees. They also appear to have gained access to the backend database through phpMyAdmin, the add-on used to manage the website's database. Here are some screenshots of the attack posted by the Turkish hackers:
But who is the Turkish team AKINCILAR?
The AKINCILAR hacking team is said to be a small and flexible group (Akincilar Cyber Warrior) directly related to, and motivated by, the President of Turkey, Recep Tayyip Erdogan.
The Cyber Warrior group, also known as Akıncılar, was founded in 1999. Its hierarchy resembles that of an army, and the group defines itself as a fraternity, as can be seen in its conditions for recruiting new members.
The team quotes the following phrase to determine which new members will be accepted: "You must be committed to our religion, traditions and customs." Members also may not use slang when communicating with other team members: "When someone swears at one of us, he swears at all of us."
The Cyber Warrior website claims that the group was active during the preparation of the Turkish Internet Law (No. 565196), which is probably evidence that it has contacts with Turkish decision-makers or the political elite.
The group says its task is to combat satanic and pornographic content that offends the country's faith and moral values online. It also states that the following are excluded from its attacks:
- The team will support non-profit institutions, websites and groups that share the ideas of its mission
- The group will not attack sites or groups that do not oppose its values
In many online forums, the Cyber Warriors claim that they have never attacked a non-Turkish site. This behaviour seems consistent with the claim that the group has connections with the Turkish police at various levels. At the same time, the group appears to have attacked several websites in countries such as Israel, Egypt, Austria and Armenia, and France also seems to be a frequent target. All available evidence indicates that the group has strong links with the state and that its actions are motivated by Recep Tayyip Erdogan and his foreign policy. Greece, of course, is a frequent target, since the group's actions follow the developments of the country's foreign policy. So far in Greece they have carried out attacks against high-profile targets, which is why the team is particularly well known in our country.
Members of the hacker team AKINCILAR, a sub-group of Cyber Warrior, have been praised by the Turkish police for their attacks on RedHack and other entities that pose a threat to Turkish or Islamic ideals. Several AKINCILAR hackers are also part of the management team of the Bilişim Güvenliği ve Bilişim Suçlarına Karşı Mücadele Derneği (Cybercrime Information Security and Anti-Crime System), which provides free information security support to gov.tr domains.
HP's Cyber Security Research report, released in 2015, described the group as state-funded on the basis of the following data:
In April 2012, representatives of the Bilişim Güvenliği ve Bilişim Suçlarına Karşı Mücadele Derneği (Information Security and Counter Cyber Crime Association), including the group's director Gökhan Şanlı, attended a meeting on . Şanlı, who uses the pseudonym Doktoray, manages the Cyber Warrior forum. Halit Uygur, who used the pseudonym Dogukan, was also a key member of the Cyber Warrior team and an important figure in the Turkish Ministry of Education.
But what is a SQL injection attack?
SQL injection is a code injection technique that allows an attacker to "run" SQL statements against a target server. A successful SQL injection attack allows the execution of arbitrary queries on the target database, which also means the possible collection of sensitive information such as passwords, usernames, emails, credit card numbers, etc.
These attacks exploit vulnerabilities in web applications that communicate with the backend servers where the databases are stored. The abbreviation SQL stands for Structured Query Language, a language used for adding, manipulating and retrieving data in a SQL database. Attackers can easily find out, with a few simple commands, whether a page is vulnerable to SQL injection. If it is, they will be able to steal data, destroy it, and even become database server administrators.
According to research, SQL injection vulnerabilities have been among the most common application flaws in recent years. The first discussions of this attack started in 1998. From 2007 to 2010, SQL injection was one of the top 10 vulnerabilities in web applications. From 2005 to 2011, SQL injection attacks accounted for 83% of all (known) data breaches.
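The mechanism described above, shown as an added example that is not part of the original article: a small contact-directory lookup (modelled on the kind of staff contact list mentioned earlier, with constructed sample rows) implemented once by splicing user input into the query text and once with a parameterized query, both run against an in-memory SQLite database. The table, function names and sample data are assumptions made for the illustration.

```python
import sqlite3

# Constructed sample rows standing in for a staff contact list (assumption, not real data).
SAMPLE_CONTACTS = [
    ("Example Person A", "Directorate 1", "person.a@example.invalid"),
    ("Example Person B", "Directorate 2", "person.b@example.invalid"),
    ("Example Person C", "Directorate 1", "person.c@example.invalid"),
]


def make_db():
    """Create an in-memory SQLite database holding the constructed contact list."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE contacts (name TEXT, department TEXT, email TEXT)")
    conn.executemany("INSERT INTO contacts VALUES (?, ?, ?)", SAMPLE_CONTACTS)
    return conn


def search_vulnerable(conn, department):
    """Vulnerable form: the user-supplied value is spliced into the SQL text,
    so quote characters in the input change the structure of the query."""
    sql = "SELECT name, email FROM contacts WHERE department = '" + department + "'"
    return conn.execute(sql).fetchall()


def search_parameterized(conn, department):
    """Hardened form: a placeholder keeps the query structure fixed; the driver
    passes the value separately, so it can only ever be compared as data."""
    sql = "SELECT name, email FROM contacts WHERE department = ?"
    return conn.execute(sql, (department,)).fetchall()


def demo():
    """Run both forms against a normal input and a classic tautology input
    and return how many rows each call exposes."""
    conn = make_db()
    normal = "Directorate 1"
    hostile = "' OR '1'='1"  # turns the WHERE clause into a condition that is always true
    return {
        "normal_vulnerable": len(search_vulnerable(conn, normal)),
        "normal_parameterized": len(search_parameterized(conn, normal)),
        "hostile_vulnerable": len(search_vulnerable(conn, hostile)),
        "hostile_parameterized": len(search_parameterized(conn, hostile)),
    }


if __name__ == "__main__":
    for label, count in demo().items():
        print(f"{label}: {count} row(s)")
```

Run as a script, the vulnerable lookup returns every row of the table for the hostile input, while the parameterized lookup returns none, because the quote characters are compared as part of the department name rather than interpreted as SQL. A PHP/MySQL site gets the same protection from prepared statements (mysqli or PDO); the point is that the query text never contains the user's input.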
There are four subcategories of SQL injection attack:
- Classic SQL injection
- Blind SQL injection
- SQL injection based on the Database Management System
- Advanced SQL injection (SQL injection combined with inadequate authentication, with DDoS attacks, with DNS hijacking, or with XSS).
Attacking via SQL injection is a relatively simple type of attack, and no special tools are needed to carry it out. An experienced attacker can gain access to the entire system, not just the database. Companies and organizations should therefore take it seriously; after so many years of this attack, everyone should be much better prepared.
- The most basic prevention measure is perhaps proper design, good construction and constant monitoring of the database, so that it is not vulnerable to this attack.
- Restriction of server configuration elements: restricting access to the wrong parameters can reduce the chance of an attack on the target server. Although it does not offer 100% security, it is a first step towards securing databases.
- Good knowledge by administrators of all SQL Servers on the network: first, administrators need to know how many SQL servers there are on the network. This may not be as simple as it seems, as many servers run on dynamic TCP ports and usually only run when a user "needs" them, so some servers may not be active at any given time. SQL ping, SQL scan and more specialized software can be used to find all SQL Servers.
- Continuous updates. Software companies regularly release updates to fix vulnerabilities. Organizations must therefore take care to update the applications, software and, in general, the systems they use in order to remain safe.
- Prohibit access to specific server ports for unknown users: this does not offer absolute security, especially against SQL injection attacks, but it is an important security measure for the entire network of a company or organization. For example, closing UDP port 1434 [this port is used to map Microsoft SQL databases] and all the TCP ports on which SQL Server "listens" can enhance security.
- Adoption of strong admin passwords. Using a strong password can prevent brute force, SQL injection and many other attacks. It is also recommended to change them frequently.
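As an added example that is not from the original article, the "constant monitoring" point above can be made concrete with a small detection script: it parses constructed web-server access-log lines (Apache combined format), URL-decodes the query-string parameters, and flags requests carrying common SQL injection indicators, as well as direct requests to the phpMyAdmin path mentioned earlier in the article. The log lines, IP addresses, paths and indicator list are constructed assumptions, not data from the incident.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed Apache combined-format access-log lines (placeholder IPs and paths, not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [23/Sep/2020:22:41:07 +0300] "GET /search.php?dept=Directorate+1 HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.9 - - [23/Sep/2020:22:41:09 +0300] "GET /search.php?dept=1%27+OR+%271%27%3D%271 HTTP/1.1" 200 48211 "-" "Mozilla/5.0"
203.0.113.9 - - [23/Sep/2020:22:41:15 +0300] "GET /search.php?dept=1%27+UNION+SELECT+NULL%2CNULL--+ HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
203.0.113.9 - - [23/Sep/2020:22:42:01 +0300] "GET /phpmyadmin/ HTTP/1.1" 200 3300 "-" "Mozilla/5.0"
198.51.100.7 - - [23/Sep/2020:22:43:30 +0300] "GET /search.php?dept=Directorate+2 HTTP/1.1" 200 1498 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Indicator patterns applied to each decoded parameter value (an assumed, illustrative list).
INDICATORS = [
    ("tautology", re.compile(r"'\s*(or|and)\s+[^\s=]+\s*=\s*[^\s=]+", re.I)),
    ("union_select", re.compile(r"\bunion\b.*\bselect\b", re.I)),
    ("comment_terminator", re.compile(r"(--|/\*|#)\s*$")),
    ("schema_probe", re.compile(r"information_schema", re.I)),
]

# Path of the database administration tool named in the article; direct external hits deserve review.
ADMIN_CONSOLE_PREFIX = "/phpmyadmin"


def parse_line(line):
    """Split one access-log line into its fields and decode its query parameters."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["path"])
    rec["route"] = parts.path
    # parse_qsl decodes once; decoding a second time also catches double-encoded payloads.
    rec["params"] = {
        k: unquote_plus(v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
    }
    return rec


def scan_line(line):
    """Return an alert dict for a suspicious request, or None for a benign one."""
    rec = parse_line(line)
    if rec is None:
        return None
    hits = []
    for name, value in rec["params"].items():
        for label, pattern in INDICATORS:
            if pattern.search(value):
                hits.append(f"{label}:{name}")
    if rec["route"].lower().startswith(ADMIN_CONSOLE_PREFIX):
        hits.append("admin_console_access")
    if not hits:
        return None
    return {"ip": rec["ip"], "ts": rec["ts"], "route": rec["route"], "hits": hits}


def scan_log(text):
    """Scan a whole log and return the alerts in order of appearance."""
    return [alert for alert in (scan_line(line) for line in text.splitlines()) if alert]


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert["ts"], alert["ip"], alert["route"], ", ".join(alert["hits"]))
```

On the sample log the script raises three alerts, all from the same source address: a tautology in the `dept` parameter, a `UNION SELECT` with a trailing comment terminator, and a direct request to the administration console. Grouping alerts by source address and time, as the script's output allows, is what turns isolated pattern hits into the timeline an investigation needs; a pattern list like this one is a starting point for review, not a substitute for fixing the query code itself.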
SecNews continues to investigate the incident and will keep you informed of any developments. The administrators should immediately take the website offline and conduct a forensic analysis of the attack data to determine whether additional information systems of the Ministry have been affected, using the compromised server as the pivot point!
[Updated 23 Sep 2020, 23:54] For the most accurate and reliable information, we publish the remark of a friend of the website. As a friend of our website (whose name is known to us) noted on social media, the dates shown in the video posted by the Turkish hackers are earlier. This may mean:
a) that the attack took place at an earlier time (2018) and the screenshots were released today for effect (the opinion of the friend of the website);
b) that the attack took place at an earlier time, when the relevant backdoors were planted, but they were used later (in the last few days) to extract the data.
In any case, this post serves to inform those responsible, so that they can investigate which of the two scenarios applies.
Thanks to the friend of the website for the remark that improved this article.
Stay tuned for more information and related events!