Cybersecurity analysis: Results of independent security investigators' research on the cyber attack in Cyprus
Following SecNews' recent revelation of cyber attacks on critical state and private systems in Cyprus by the Turkish hacker RootAyyildiz Turkish Defacer, the independent cybersecurity analysts PROMETHEUS GROUP published a whitepaper on the incident containing a thorough study based on OSINT (open-source intelligence) methodology.
SecNews presents part of the PROMETHEUS GROUP study, which you can find in its entirety here. SecNews republishes this research in the interest of society as a whole and of the investigation of the recent breaches that took place in Cyprus. PROMETHEUS GROUP, by its own description, consists of Cypriot independent cybersecurity researchers.
The following are exclusive findings and statements of the researchers. SecNews republishes part of the study, as shown below, without commenting on or altering the content of the research. The independent researchers' study can serve as a technical methodology for investigating similar cases.
Source of the translated study: https://github.com/prometheusgroup/YPAM-CyberAttack/blob/main/Cyprus%20Ministry%20of%20Defense%20Cyber%20Attack.pdf
——————————– Start Study Quote ——————————–
In the last two weeks, there has been a report of a cyber attack on the website of the Ministry of Defense by a well-known Turkish hacking group. The original news article was published by SecNews.gr (https://secnews.gr/331587/rootayyildiz-turkish-defacer-hacker-cyprus/) on 24 March 2021 and included a detailed analysis of the attack, along with photographic data of the stolen data.
On March 29, 2021, Philenews.com, among other things, published an article (https://www.philenews.com/koinonia/eidiseis/article/1157770/prospatheia-epithesis-apo-chakerstin-istoselida-toy-ypam) stating that the attack on the Ministry was successfully blocked and that the Ministry took all necessary measures to prevent similar future actions.
Some will argue that Cypriot politicians are accustomed to covering up "silently" major incidents caused by incompetence, indifference, negligence, profit, self-promotion and/or self-preservation (the Evangelos Florakis Naval Base explosion, the 2013 bank deposit haircut, the COOP and Laiki bankruptcies, etc.). Therefore, we decided to present the potential impact of the aforementioned cyber attack.
According to the SecNews article, the attacker managed to endanger one of the websites of the Ministry of Defense. But which one? What information can we disclose about the attack through Open Source Intelligence (i.e. publicly available information)? A simple query on DNSdumpster.com can give us useful information about the Ministry's public websites.
According to the image above, we can try to visit the mod.gov.cy website to check whether we can find indicators of compromise (IoCs) or information that could lead to the conclusion that the site has been breached.
The image above shows that the site was created using the MODX Content Management System (CMS). This is an indication that this is the compromised site, because in some of the images posted by the hacker the exported database tables and site filenames start with modx_ (e.g. modx_dashboard.csv). If this is the compromised website, what other government websites are using the MODX CMS and have also been, or could be, compromised in the near future?
A quick Google search shows that publications.gov.cy and www.pio.gov.cy could potentially be victims of the same attack, as they may be affected by the same vulnerability.
However, to get an idea of the number of sites that may be sharing the same server with the MOD site and have probably already been compromised during the attack, we just clicked "Find hosts sharing this IP address" on DNSdumpster.com, as shown in the image below.
A sample list of the 78 sites listed on DNSdumpster.com can be found below. Please keep in mind that the compromised data has not been released by the hacker, so the data may not have been stolen.
The full list of sites on this server is included below to inform those whose data may have been compromised and to start an investigation.
What about the site www.mod.gov.cy?
The DNSdumpster.com image indicates that it is running on a Lotus Domino webserver, but a site visit indicates that it is down / unavailable. It should be noted that the WayBackMachine website (archive.org) receives snapshots of publicly accessible Internet sites at specific intervals. WayBackMachine automatically redirects us to a snapshot of mod.gov.cy which means that both domains (mod.gov.cy and www.mod.gov.cy) lead to the same IP address and therefore webserver until very recently (i.e. it was the same website).
Thus, the last remaining website in the DNSdumpster.com list, newarmy.mod.gov.cy, was not accessible at the time of writing this analysis. However, WayBackMachine shows that the last snapshot of the site was taken on January 19, 2021 and had the following content.
At first glance, it looks like a very important site. However, given the fact that the personal data of the applicants who tried to register with the National Guard (SNC) may have been stolen, the Personal Data Protection Commissioner should investigate the incident further. In addition, if the personal data of professional soldiers has indeed been compromised, there is a question of national security, as they could be in the hands of a foreign state.
Let's try to calculate the likelihood of a breach of this site. Opening the snapshot of newarmy.mod.gov.cy taken on August 20, 2019, we see the following redirect message.
[More in the study here.]
But have they been breached? The images released by the hacker include a list of MS SQL Server database instance names. This can be easily deduced from the default MS SQL database names "master", "msdb" and "model", which are clearly shown in the image below.
[More in the study here.]
The list of private and public companies as well as government entities that shared the same server with newarmy.mod.gov.cy is:
There is a very high probability that the aforementioned sites were breached, as they belong to the same server.
Most worrying of all is that two of the potentially compromised databases belong to the Office of the Commissioner for Electronic Communications & Postal Regulations, under the control and management of the National Computer Security Response Team (CY-CSIRT) and the Digital Security Authority (DSA). According to national law, the DSA is the competent authority for the security of digital networks and information systems in Cyprus and the coordinator for the implementation of the national security strategy. In simple terms, it is responsible for the protection of the country's critical infrastructure (e.g. Electricity Authority, Water Boards, Sewerage Authorities, Banks, etc.) and collects information on security, vulnerabilities and defense mechanisms, while it has the power to impose penalties (fines and imprisonment of up to 3 years) on companies and individuals under the control of the Authority.
The following questions arise regarding the incident:
1. Have the Ministry of Defense and the Deputy Ministry of Research, Innovation and Digital Policy taken the necessary measures to inform the competent authorities about the incident (e.g. the Commissioner for Personal Data Protection)? If not, why not?
2. Why was the incident downplayed in the public announcement issued by the Ministry of Defense to the media?
3. What is the actual extent of the leak of personal information, taking into account all the customers from the above list?
4. This is not the first time a cyber security incident has occurred, or been reported, that has affected government systems. Why did the government not take the necessary measures for the secure development of the site (e.g. penetration testing, avoidance of a shared hosting environment for sensitive information, etc.)?
5. Who are the people responsible for government cyber security procedures?
6. What information on critical infrastructure in Cyprus was leaked from the OCECPR website? Why was the leak not detected by them, and what measures have they taken to prevent the breach of such data?
We believe that covering up cyber attacks is a common practice in Cyprus. This has a detrimental effect on companies, as they cannot see the real risk of attacks, so they are skeptical about the need to take precautionary measures to protect themselves, until of course it is too late (as we have seen from our experience over and over again).
At the time of writing this whitepaper, SecNews.gr (secnews.gr/339663/hacked-larnaca-airporthermesairports-rootayyil/) published an article about an attack on the Hermes Airports website.
[More in the study here.]
We would therefore like to make the following recommendations to the government regarding systems, policies and procedures:
1. With regard to any and all government information systems, security must be taken seriously by all stakeholders and not left as an afterthought.
2. The government should conduct security reviews and penetration tests to identify and correct critical security vulnerabilities. It should also constantly monitor its systems for hacking attacks and have a plan for any such possibility.
3. Define one contact person so that anyone who discovers a security vulnerability associated with a government system can report it responsibly.
4. Implement a bug bounty program, so that Cypriot hackers (security experts) can legally test and report vulnerabilities in government systems and receive a financial reward for doing so.
5. Openly accept and report security incidents affecting government systems. We recommend that representatives be appointed to communicate such incidents to the public.
[More in the study here.]
All of the above recommendations also apply to all private sector companies, which need to take the necessary steps for their applications. What was mentioned above is based exclusively on information that we have managed to collect from public resources (using our combined techniques and experience), and an appropriate investigation should be carried out by the competent authorities to confirm it.
We apologize in advance to the affected companies if we have damaged their reputation, but our intention was to responsibly inform the public and those whose personal information may have been compromised, as it was obvious that no one else would do so.
Prometheus Group cybersecurity experts / analysts
"We are a group of Cypriot cyber security professionals who prefer to remain anonymous (at least for now). This is the first time we are researching and publishing our work. We created this group to raise public awareness about the cyber security situation in Cyprus.
Because of our work, we have become aware of several attacks on critical organizations and the government. Unfortunately, these events remain unpublished or downplayed. We have seen a shift to a more security-oriented mentality for organizations in the private sector, but the public sector is completely missing."
------------ [End of Study Citation] -----------
[SECNEWS UPDATE 13.04.2021]
Note that the stakeholders were informed about the existence of the relevant research on GitHub. We have not been given an official response to the publication, and at their request their names have been removed.