Kapustkiy: The 17 Year Old Man, The Myth, The Motivations
December 23, 2016 • RBS
A few months ago an individual using the handle Kapustkiy kicked off a spree of data breaches focused mostly on government websites from around the world. The first incident was published close to two months ago, on November 6th, when Kapustkiy announced a leak of data coming from seven Indian embassies located in various countries. Since then there have been an additional 13 data leaks from government services (mainly embassies and related services) as well as leaks from various other targets, including universities around the world: in all, 21 breaches impacting 17 different countries.
While this isn’t the first group or researcher to do something of this nature, piecing together the history and timeline of events revealed some interesting findings. As has been noted elsewhere, this “hacker is on a roll”, affecting tens of thousands of users whose personal information has been leaked.
For the first few breaches, Kapustkiy had assistance from a hacker who uses the name Kasimierz. Kapustkiy also teamed up with the well-known figure CyberZeist for one of the incidents. CyberZeist has had a presence for many years, including links to the collective UGNAzi, several of whose members have been arrested for hacking and credit card fraud. CyberZeist recently resurfaced on a backup account reserved almost four years ago, and started attacking and leaking data from various politically oriented targets before teaming up with Kapustkiy to breach the Hungarian Human Rights Foundation on November 21st. On November 26th, Kapustkiy leaked data from the High Commissions of Ghana and Fiji in India and also announced that he had joined a group called Powerful Greek Army (PGA), which has a history of DDoS attacks.
At the beginning of August, the website Security Affairs spoke with PGA. In that interview, PGA stated that they were a new team of 7 skilled hackers and that their motivation was to go after pedophiles and ISIS supporters. Shortly after joining PGA, on the 2nd of December, Kapustkiy leaked data from the Venezuelan Army website. In the announcement for that leak, Kapustkiy stated that he was no longer a member of PGA. We at Risk Based Security have been in contact with Kapustkiy and asked him the reason for leaving PGA; he stated it was because they lacked skills and he was the only one contributing.

“I left them because they were not skilled as I thought and they were only DDoSing all the time. I did the most work.” – Kapustkiy
Not long after leaving PGA, Kapustkiy started working with another group known as New World Hackers (NWH). If that name sounds familiar, it’s because they made some very big headlines recently after claiming responsibility for the attack on Dyn DNS. The October DDoS attack against Dyn disrupted service and resulted in a major Internet outage, impacting popular services such as Twitter, Netflix and PayPal. On December 7th, NWH was the focus of an in-depth research article published by Zack Whittaker of zdnet.com. The article exposed the identities of the group’s core members, which did not include Kapustkiy. Kapustkiy explained that he only became a member of NWH a week ago, which is why his identity was not included in the research conducted by Zack.
So who is Kapustkiy? What are the motivations behind all of these breaches? In a recent interview with Motherboard, Kapustkiy states he is 17 years old. In our interactions with him, he has described himself as a security researcher who is a 17-year-old male, still at school studying IT. When asked about the motivations behind these breaches he gave the following statement:

“The main motivation about that I breach all those websites is to let them understand the consequence of a data breach and how dangerous it is when you have a bad security.” – Kapustkiy
The method used by Kapustkiy in all but one of the breaches has been SQL injection. The one exception was the Ministry of Industry of Argentina, where he explained he used brute force against the target. Looking further into the breaches, it becomes clear that the same common exploits are being reused against similar targeted systems, which is what makes it possible to pull off so many intrusions in a short amount of time. Kapustkiy disclosed to Softpedia some additional details about the breach of the Consular Department of the Embassy of the Russian Federation in the Netherlands. He explained that he was able to breach the website using a specific method, and that he was then able to hack the Russian National Visa Bureau website, hosted on the same server, using the exact same vulnerability. This is significant because the system administrator of the Consular Department’s website had already been made aware of that particular vulnerability.
The type of data leaked in each of the breaches ranges from personally identifiable information (PII) such as first and last names and home contact numbers, to login credentials and website-related information. It is important to note that in each Kapustkiy breach he has not published the entire obtained data set, making a conscious decision not to leak certain information to the general public. Kapustkiy has been actively speaking with quite a few journalists, and in an interview with Softpedia he claimed that he should by no means be considered a hacker; rather, he is exposing security vulnerabilities to allow administrators to patch them.
“I’m a Security Pentester,” he said. “People think I’m a hacker, but this is not true. I only try to help most of the time,” he continued.
When we interviewed Kapustkiy, we specifically asked him about his feelings towards the innocent people who are affected by these breaches. His reply was perhaps not what you might expect.
“I exactly feel bad for them that they can’t trust their security.” – Kapustkiy
So far, the countries affected by the data breaches include Switzerland, Italy, Romania, Mali, South Africa, Libya, Malawi, India, United States, Ghana, Fiji, Argentina, Venezuela, the Netherlands, Russia, Slovakia and China.
Coordinated Disclosure Attempts?
In several of the interviews that Kapustkiy has given, he routinely mentions that he is a security pentester or security researcher, indicating that he believes he is one of the good guys and that his intention is to help organizations improve. Many in the security industry, as well as the organizations that have been breached, would disagree that Kapustkiy’s approach is a positive one. As for referring to himself as a pentester: anyone currently employed as a professional pentester knows there are rules for such engagements that must be followed.

First and foremost among them is that the target organization must grant permission for the test to occur. From there, the scope of work should be clearly defined before testing gets underway and, most importantly, the tester should always hold the “get out of jail free” card showing that the work has been approved, so as to avoid tangling with the wrong side of the law.
Kapustkiy has not been working within these rules and structure. He does mention that he contacts organizations to ensure they are notified and can fix the vulnerabilities he finds. From the interviews he has given thus far and the timelines of the breaches, it does appear that he is in fact contacting the impacted organizations. However, the window does not seem long or reasonable: he appears to wait only a few days for a response before leaking data (and it is clear some of the contacts are occurring on a weekend). And just like that, the vulnerability disclosure debate is a topic we are covering yet again.
Even with the concerns about coordination, some are seemingly thankful for his work. One of the data breaches of an Indian embassy resulted in the government thanking Kapustkiy for discovering the vulnerability, despite the fact that he had to leak data to get their attention after all earlier communication attempts had failed. This type of complaint isn’t uncommon by any means. Security researchers and hackers alike can feel ignored, and for good reason. Anyone who has tried getting an organization to respond to an unsolicited security alert knows just how unreceptive, or even hostile, companies can be. Kapustkiy has provided Risk Based Security with three screen captures showing three different countries’ governments actually responding to his email notifications.
First, the single biggest lesson we hope will finally be learned once and for all is that security is important and every organization must take the risks seriously. Yes, security is hard and getting it “right” is complicated, but difficulty doesn’t excuse ignoring security shortcomings. Each year since Risk Based Security’s founding we have ended the year with some snippet about how “this year has been the worst year on record for breaches”. Sadly 2016 is no exception, with over 4.2B records exposed. It should be apparent that it is VERY important to clearly communicate how self-identified pentesters and researchers who are trying to “help you” should get in touch with your organization.
Here are some lessons for organizations wanting to avoid a similar data breach fate:
- Have a security contact clearly listed on your website
- Explain the process for responding to reports and the expected timeline for a response
- Understand that right or wrong, ethical or not in your view, researchers expect to be taken seriously and want a reply almost immediately
- If you do not engage or reply to a researcher, they will most likely publicly disclose the issue, pointing out not only the problem they have discovered but also the lack of response from the responsible organization
- Ensure your security contact method (email or other) is consistently monitored, even after hours, over weekends and holidays
- If you can’t staff it properly, get help or engage a service provider
- Consider implementing a Bug Bounty program as part of your security program
  - While not the holy grail of security, it goes a long way to engage researchers and help manage the disclosure process when issues are found on your systems
Here are some thoughts for aspiring pentesters who exploit live systems without permission and leak data:
- Understand that what you are doing is illegal and can result in law enforcement taking action
- Understand the reasons motivating your actions; while they may be admirable and well-intentioned, they will not make you any less vulnerable to the legal ramifications of your actions
- Consider using your skills in a more directed manner and make some money with Bug Bounties
- Watch a DEF CON video from Carsten Eiram and Jake Kouns to learn more
- Understand that there is a great career waiting for you in the security industry and you are needed! A criminal record might put an end to that career before it can truly take off.
We did not ask Kapustkiy whether he was participating in Bug Bounty programs or would consider this option. It does seem to be a good outlet given his skills and the fact that most 17-year-olds in school could use the money these programs provide. In doing a quick search, we found that Kapustkiy just might have had the same idea recently: as of December 10, 2016 he had set up an account on the HackerOne platform.
While he doesn’t have any badges or results to show yet on the platform, we plan on following his work there as well. HackerOne is either going to make him a lot of money at the rate he is going, or get him busted if he provided any personal details that can be traced. At the time of our interview with Kapustkiy, he posted on Twitter yet another breach, this time of the Costa Rica Embassy in China, and provided a screen capture showing that the website was offline. Following breach activity from actors such as Kapustkiy can be extremely tricky.

Many times the leaks that are published are quickly removed or the content is made private shortly after the original announcements. But we at Risk Based Security continue to keep our eyes open and our ears to the ground, tracking everything that we can to better understand how breaches are occurring, predict their likelihood and ensure they can be avoided! Based on a recent Tweet, we might not have to wait too long before we have more breaches to analyze from Kapustkiy.
| Date | Description | Data Impacted | Countries Affected | Motivation | Method |
|---|---|---|---|---|---|
| November 06, 2016 | Indian embassy websites in seven different countries | Data includes full name, residential address, email address, passport number and phone number of Indian citizens living abroad | Affected countries: Switzerland, Italy, Romania, Mali, South Africa, Libya, and Malawi | “We did it because their security was poor, and several domains related to the Indian Embassy had the same vulnerability. This proves that a lot of people can not trust the “Embassy.” We hope that this problem will be fixed in the future.” | SQLi |
| November 11, 2016 | Paraguay Embassy of Taiwan (www.embapartwroc.com.tw) | Real names, phone numbers, and emails of the users; emails of employees | ? | Poor Security | SQLi |
| November 11, 2016 | Indian Embassy in New York | Over 7,000 individuals (but not all published due to personally identifiable information): first name, last name, email-id, and mobile number | USA | “I’m tired to report all the errors that I find in a there website that I decided to breach them, NOW FIX YOUR SECURITY F***** ADMINS!” | SQLi |
| November 12, 2016 | Virginia and Wisconsin University’s ECE Engineering department (www.ece.virginia.edu); MEMS laboratory (www.mems.ece.vt.edu); Wisconsin University’s e-library | First name, last name, phone number, city, and zip code, unique identification number of the students, their login number, password, email-id, access, and name | USA | “For ignoring me they don’t reply to my emails” | SQLi |
| November 18, 2016 | Italian government | 45,000 total with 9,000 leaked login credentials | Italy | “I did not get any response from them. I hope that they will look in the database now after this breach and make their security better,” | SQLi |
| November 20, 2016 | Eastern Indian Regional Council | 17,000 total but only 2,000 leaked; membership numbers, names, passwords, and email addresses | India | ? | SQLi |
| November 21, 2016 | Hungarian Human Rights Foundation | Personal information, including phone numbers and home addresses; count: 20,000 | Hungary | ? | SQLi |
| November 26, 2016 | High Commission of Ghana; High Commission of Fiji | 200 credentials | India, Fiji, Ghana | “after local authorities failed to boost security and address the vulnerabilities that he previously discovered and which he used to access credentials of thousands of users.” | SQLi |
| December 2, 2016 | Venezuelan army CATROPAEJ | 3,000 full names, email addresses, and telephone numbers | Venezuela | “to help authorities find out about their security issues and address them.” | SQLi |
| December 5, 2016 | National Assembly of Ecuador | 930 credentials | Ecuador | ? | SQLi |
| December 7, 2016 | Argentinian Ministry of Industry (produccion.gob.ar) | 18,000 credentials and private documents | Argentina | ? | SQLi |
| December 12, 2016 | Consular Department of the Embassy of the Russian Federation in the Netherlands (ambru.nl) | 30,000 email addresses, phone numbers, passport numbers and IP addresses | Netherlands, Russia | ? | SQLi |
| December 15, 2016 | Russian National Visa Bureau in the Netherlands | 13,000 email addresses, phone numbers, passport numbers and IP addresses | Netherlands, Russia | ? | SQLi |
| December 19, 2016 | Slovak Chamber of Commerce and Industry (scci.sk) | 8,000 total but only 4,000 leaked: names, phone numbers, hashed passwords, emails, and user logins | Slovakia | ? | SQLi |
| December 22, 2016 | Costa Rica Embassy in China | ? | China | ? | SQLi |