Hacker and activist Noam Rotem has come across quite a few hacked or leaked databases in his life. A security breach that revealed the flight destinations of the prime minister and senior defense officials, a leak that revealed the personal information of passengers on Israel’s Road 6, a serious breach in dozens of financial institutions that was not repaired despite warnings, Rotem has seen it all. Or, at least, this is what he thought until he came across an open database that contained hundreds of millions of login details for various services - email, social networks, banks, internal systems, and more - of millions of users from around the world, among them many Israelis, including civil servants and defense industry workers. And here comes the real twist: this database belongs to cybercriminals that have gathered login information that they stole from users all over the world.
"It takes an infrastructure to take care of it, it was not a small operation at all, there were quite a few costs, and there was evidence that they used the information," Rotem told Calcalist. “This is not some kid sitting at home, it does not look like something a bored young man would do in his spare time."
Rotem located the malicious database using a scanner that he and his colleague Ran Locar operate regularly to identify databases that are exposed. "I identified a server that collected all the stolen information, and performed information verification processes," Rotem explained. “The criminals took the passwords they stole and checked if it was possible to connect with them. There was a mark stating if the login details were correct or not."
The malicious database was revealed on both Calcalist and the "Cybercyber
podcast (Hebrew) hosted by Rotem and Ido Kenan.
Along with the passwords, “session cookies” were also stored in the database. When a user connects to a website, it creates a small file in the browser that is a reference to the fact that the identification process has been completed successfully and there is no need to enter login information again. By default, such cookies expire shortly after, unless the user clicks a Remember Me-style box when logging in. Then, it can stay active for a long time, and its theft allows hackers to connect to sites without even knowing the name and password, and bypass advanced protections such as two-step verification. The criminals also stole a list of installed and active software from victims’ computers, information that Rotem said could help characterize the user (for example, identify whether it was a gamer, a certain company employee, etc.), and deepen the hack.
It is impossible to know for sure how the information was stolen, but Rotem has some well-founded estimates. "Based on various signs we saw in the information, it was apparently stolen by malware installed on the victims' computers by impersonating a browser plugin or video call app. Users installed it themselves. They thought they were installing something legitimate, but there was malware inside. Once installed, the malware collected all the passwords users saved on their browser (i.e., the passwords saved each time the browser offers you to remember a password for the next time, etc.), took all the information, and sent it to the server."
Only managed to download 10% of the database
When Rotem identified the database at the end of May, he began downloading it to analyze its contents, however, after downloading only about 10%, his computer ran out of space. Even so, Rotem managed to download 2.5 million passwords, which provided insights into the identities of the victims. "There are victims from all over the world - Far East, North America, South America, Europe, Africa - there was no geographic targeting against Israel, and whatever the users kept as passwords, was available to me: banking, medical services, security services, porn websites, email services, and organizations’ inner systems. You can see the user and what accounts he or she has in different places. Every online service you can think of was there, even crypto exchange passwords which can help you steal cryptocurrency easily.”
Among other things, the database contained login details for 137,000 Gmail accounts, 134,000 Facebook accounts, 109,000 Microsoft accounts, 68,000 government websites in various countries, 25,000 Amazon accounts, 23,000 Twitter accounts, and 20,000 Netflix accounts.
According to Rotem, the criminals also identified their victims by country of origin, based on their IP addresses. The largest rate of victims, 11.35%, came from the U.S., followed by Brazil (10.9%), India (9.4%), Germany (6.64%), and the UK (4.89%).
Regarding Israel, Rotem identified thousands of local victims, many of which had information and passwords for governmental and defense industry networks ("it was easy to identify them because their email was with the gov.il extension or included their company name"). Rotem also identified Pentagon staff and government employees from around the world in the database.
One of Rotem's most disturbing discoveries in this database was a password for the "safe" of a well-known company in the defense industry. "This is a system in which very sensitive files are stored, and with the stolen login information it was possible, allegedly, to access them," Rotem explained. "The employee at the company kept the password on a computer to which he apparently downloaded the malware."
The database disappeared from the net in early June, not long after Rotem found it. "It is difficult to say whether it was dropped from the network or access to it was blocked," he said. "Now there is nothing on the IP address where it was available, so they may have replaced a server or blocked it well. But as far as we know, the hackers still have access to the information and we do not know who they are."
Rotem notified Israeli authorities of the database in June. "They took care of it and took it seriously. They contacted the people, tried to check if the information was used, and reset passwords. We also contacted the credit companies, banks, health providers and everyone handled it and reset the stolen passwords."
Working with Israel’s National Cyber Directorate and Facebook
Israel’s National Cyber Directorate confirmed the details stating: "The issue has been reported and addressed with the institutions that were identified by their usernames, and guidelines were provided." The directorate’s response also stated that "From our examination, the information was collected in 2019 from private sites visited by private users. We recommend that browser-users be careful and download extensions only from official sources."
Tom Alexandrovich of the Israel National Cyber Directorate added that "we have recently set up a new team whose goal is to be one step ahead of attackers - to identify vulnerabilities before malicious agents reach them. As part of this plan, we created a reporting mechanism from various sources to treat them as efficiently and quickly as possible. We apply, at the state level, early detection methods and technologies that will help deal with leaked password databases and may be used for attacks."
Rotem also worked with Facebook's global security team to assist with the stolen information. "They took the list, checked that it had real users, and verified their identity with the users’ cooperation, and asked them to change their password," he said. "One person whose information was leaked is a Facebook employee, and as soon as they received that information they reached out to him, took his computer, and dismantled it in an attempt to understand where he got the malware, and whether it was maliciously used. They did not share everything with me but did say they think they found the malware and they took care of it."