Close

April 8, 2016 • RBS

On April 6th, a twitter account using the name Cyber Justice Team posted a tweet suggesting a major hack of a Syrian governmental server had taken place and 10GB of data had been leaked as a result. The leak includes the password file from the breached server, along with MySQL host permissions, admin passwords, and a link to the 10GB compressed file, uploaded to the file sharing site MEGA.  

CyberJustice Tweet1

Analysis of the leaked data was a challenging task, thanks to both the amount of information and lack of organization for the database files. That said, our analysis shows the data appears to originate from nans.gov.sy, the Nation Agency for Network Services, and contains data from 55 Syrian domains, 25 of which being .gov.sy: 2 .org.sy; 1 com.sy and the remainder with the generic .sy. Most of the domains affected in the breach are either inactive or older domains that are no longer in use. Very few of the domains appear to be of some importance to the people of Syria. 

The first pass at reviewing the data sparked a sense of some more deja vu, as many of the files appeared to include domains from previous, smaller defacements and leaks. Further analysis confirmed our initial suspicions. The leak included many older shell files and database entries showing prior injection attempts. After extracting all packages, there are a total of 134 files, 57 of them being .tar.gz files. After extracting data from these 57 files, the total for the leak comes in at:

43.1GB, 274,477 files; over 38,768 folders.

The data leaked is mainly default Plesk files, Joomla! setups, and Cportal (phpnuke-cms) setups from each of the below hosts. Each host also contains the file structure of a default vhost setup. In an interesting twist to the story, the main CPortal community website is currently throwing out database errors, disclosing the full path.

CyberJustice - Cpanel Errors

One can’t help but wonder why governments around the world continue to use these types of web portals. Clearly they have become very easy targets for anyone looking to test their hacking skills. These sites are known to be vulnerable and make for fertile ground for budding hackers that want to try their luck against an easy target, particular if an organization is not staying up to date on vulnerabilities disclosed. It appears that the Nation Agency for Network Services is running Joomla!, which is no stranger to its own vulnerabilities.  While there have been no vulnerabilities discussed in 2016 yet (just third-party modules for it), in VulnDB we tracked a total of 127 vulnerabilities historically, with 20 of them in 2015. On average we see that Joomla! has vulnerabilities disclosed about every 60 days.

Joomla-vulns over time

More suspicious minds might wonder if these insecure websites that keep resurfacing are used as honeypots by the Syrian government as a method to gather intelligence on those who are attempting to breach their networks. After reaching out to cyber Justice Team we are able to confirm they are the party behind this latest hack and leak of data. Analysis of the leak is ongoing. To date, we can share the following summary of the 55 impacted domains known to be implicated in the breach:

agri-idlb.syalbasselfair.gov.sy Al Bassel Seventeenth Fair For Invention and Innovationalepelec.syaleppochamber.sy Aleppo Chamber of Commercealfalahen.org.syalmouwasat.sy Al-Mouasat University Hospital arabic-ti.sy arabunionre.sy ARAB UNION REINSURANCE.COaryan.sy Primer Establishment for Chemical and Detergent Industriesbaathparty.sy Arab Socialist Baath Party baniashosp.sybirrsociety.org.sy Ber Society and social services brc.syBanias Refinery Companycompetition.gov.sy Syria competition commissiondamasdh.sy Damascus Health Directoratedcip.gov.sy Commercial and Industrial Property Protection Directoratedeirezzor.gov.sy The official site of the General Secretariat of the province of deirezzor dz-water.gov.syGeneral Organization for Potable Water and Sanitation Dezhou City edpa.gov.syDevelopment and Export Promotion Authority egov.sySyrian eGovernment portalgcb.gov.sy gcbc.sy General Company for the construction and reconstruction geci.gov.syGeneral Establishment for Chemical Industries gppc-aleppo.sy hama.org.sy Hama City Council hamaelc.gov.syThe official site of the General Company for Electricity Hama hamagsc.gov.sy hec.gov.syHoms Electric Company ic-homs.sy Industrial and residential city in Hsia icit.syindustrialbank.gov.syIndustrial Bank itradecp-sweida.gov.sy Itradecp-Sweida jablehsy.com.sy AL SAHEL SPINNING COMPANYjpic.gov.sy SPECIAL judicial investigation latwater.syGeneral Organization for Potable Water and Sanitation in latwater Mashroue.symitcp.gov.sy Ministry of Domestic Trade and Consumer Protectiomoaar.gov.sy The Ministry of Agriculture and Agrarian Reform mofsyr.gov.sy Syrian Ministry of Higher Educationmopmr.gov.sy Ministry of Oil and Mineral Resources – Home mopw.gov.sy Ministry of Public Works mot.gov.syThe Ministry of Transportnans.gov.sy Nation Agency for Network Servicesnans1.nans.gov.sy Nation Agency for Network Servicesncbt.gov.sy General Authority for Biotechnologynerc.gov.sy National Energy Research Center nmc.syNMC • Home nnhas.syomayad.sy Omayad Paints – Paints illiteracy oti.syOrganization of Technological Industriesoumc.gov.sy Middle State Company for internal Clothing peeg.gov.sy PEEG public institution to generate electricity pministry.gov.sy  the cabinet of syria rand.syRand Service Provider

Our products
VulnDB
Vulnerability Intelligence
Learn more
Cyber Risk Analytics
Threat Intelligence
Learn more
YourCISO
Risk Management
Learn more
Request Demo