Hackers attack Spokeo, UN Civil Aviation Org in nine-site crime spree

Adding to a list of victims that includes Comcast, NullCrew released evidence it added nine targets including Spokeo, the International Civil Aviation Organization, the University of Virginia and others to its tally of hacked victims.
Written by Violet Blue, Contributor on

Adding to a list of high profile targets that includes Comcast, NullCrew released on Sunday evidence it added a major "people finder" data broker, the UN's aviation regulation and security arm, the University of Virginia, Telco Systems and others to its growing catalog of those it has hacked and humiliated.

The hackers of NullCrew claim in its Pastebin (e-zine) called "FTS Zine 5" that it also broke into Ukraine's science center, where they claim to have discovered a database relating to individuals somehow working in "weapon code" production. 

cnet hack image

NullCrew announced on Twitter that it published the evidence of hacking into nine sites Easter Sunday. As with its previous conquests NullCrew mocked its targets while explaining the attacks -- which could have been avoided with updated security practices.

The hackers have added data dealer Spokeo, the UN's International Civil Aviation Organization, the University of Virginia, the Science and Technology Center of Ukraine, and others to its tally of victims.

The hackers provided as proof a long Pasetbin "zine" detailing the attacks, including a public URL to a compressed download of a massive data dump from the nine compromised sites.

In its 'zine NullCrew explained that its motives are "generally aimed at the government, or anything that is corrupt; and that is the reason for these attacks. Ranging from government contractors, to universities, to telecommunications compaines, to information databases, and other things."

As with previous successful attacks, NullCrew tweeted warnings at the companies it attacked. Like with almost all previous attacks, each company and organization appear to have done nothing to acknowledge the attacks or warn users.

On February 9, NullCrew hacked into Comcast's serversa break-in which became famously ignored by Comcast.

On April 3, NullCrew broke into the second largest media company in the Middle East, and rival of Al Jazeera, Al Arabiya.

The attack and public shaming of Comcast and Al Arabiya is part of NullCrew's campaign to bring pain to media megacorporations; the hackers circled in a hit on government contractor Klas Telecom, where NullCrew pulled off a successful smash and grab of accounts and passwords.

Klas Telecom openly acknowledged NullCrew's breach in a blog post and openly -- even directly, by phone -- warned its clients, interestingly earning Klas Telecom's IT guy a shout-out of mutual respect in NullCrew's Sunday announcements.

Hacked: Data brokers, alleged WMD workers, the UN's biometric passport gatekeepers

While the proof was published on April 20, Spokeo may have been hacked as early as April 5 when NullCrew tweeted its attention to the data broker giant.

Spokeo is a so-called "people search" website, which aggregates personal information about individuals without their consent, creates a database of profiles, and sells it to the public without the consent of the individuals themselves.

Spokeo is considered one of the largest and most well-known among "people finder" websites.

There are currently over 250 of these websites online; they're widely considered a privacy nightmare for unsuspecting individuals, though many allow people to "opt out" (often to be re-entered lin the database later).

Databreaches.net reports that no consumer data collected by Spokeo appears to have been exposed by NullCrew.

Thankfully, though, it appears that consumers’ personal information from Spokeo was not dumped.

NullCrew informs DataBreaches.net that they did not even attempt to access consumer personal information.

What they did dump is a WordPress blog that contains communications to and from Spokeo customers and developers, as well as approximately two dozen administrator accounts with usernames, e-mail addresses and full names and  encrypted passwords.

The UN's International Civil Aviation Organization (ICAO) is in NullCrew's list of newly knocked-over websites.

The International Civil Aviation Organization is an agency of the United Nations; its Council adopts standards and practices of air navigation, its infrastructure, prevention of unlawful interference, and security of international border-crossing procedures.

ICAO is more recently responsible for the ongoing global adoption of biometric passports (an embedded contactless chip), considered controversial among privacy and human rights activists. It is part of ICAO's "identity management regime" in its goal to implement recommendations from the 9/11 Commission Report, to track and curb the movements of suspected terrorists and criminals.

To this end, ICAO has established and maintains a Public Key Directory, which countries use to exchange keys and verify the validity of an individual traveler's identity.

It is for these reasons ICAO makes a particularly concerning victim for NullCrew, as well as raising serious questions about the security practices of the organization.

NullCrew exposed ICAO's systems data including phpMyAdmin credentials, FTP logs, SSH logs, and other system information.

The Science and Technology Center of Ukraine may not seem like anything but low-hanging fruit for NullCrew's cherry picker of security disasters, but NullCrew explained in its 'zine why cracking STCU open and pasting the spoils could be a really big problem.

NullCrew explained that the science center's stated claims of not logging users was false and wrote,

We also managed to prove that they do indeed log, and that their claims were indeed bullshit; That is included in the download, along with 40,000 Emails from their smtp.

By the way, STCU works with WMD (Weapons Of Mass Destruction workers.) Through one of the SQL Injections, we noticed a DB called PPDB2 that had tables called "WeaponCode" several of them too, didn't bother with it; but, yeah.

Enjoy reading 30k+ emails, and owning fagots who make the weapons that destroy the world.

Risk Based Security tells us that with the Science and Technology Center of Ukraine exposure,

Almost 1,000 user accounts with users emails and encrypted passwords were leaked and this represents one of the largest sections as it includes the complete inbox, spam, sent and trash mail spools of the webmaster.

Also among the nine targets is the University of Virginia (UVA), which appears to be an unfortunate regular on NullCrew's hit list.

The prestigious university is one of the oldest in the United States. UVA was founded by Thomas Jefferson; it reluctantly accepted full racial integration in 1960 and full gender integration in 1970, both at the pointy end of lawsuits. UVA is also not without more recent controversy, a bizarre coup among its pedigree leadership in 2012 ended up with major headlines and angry students painting "G-R-E-E-E-D" in large letters on the main rotunda's six columns.

This was NullCrew's second break-in on UVA's servers, and the hackers chastised the university for its failure in changing only one issue with its security practices since NullCrew's last invasion.

Let’s start with security standards taken since the last break-in:

1) Disable word-press logins assuming that hackers have ONLY taken advantage of your out of date WP versions.

2) What, no number two? Why is that, NullCrew?

Funny that you ask, the University Of Virginia, we were able to spawn a system() backdoor and skim through your files.

(...) Oh, and UVA? Secure your shit, or get owned over and over and over again; several of your subdomains are exploitable. Not to mention that where it’s all shared, every website hosted by UVA?.. Whelp, root one, get them all.

Since the publication of NullCrew's 'zine, the hackers dumped six database user tables from different subdomains, a DSA private key, public SSH-RSA keys and then dropped a second file on Twitter containing almost a million virginia.edu files. 

Databreaches.net looked at it in an update, saying "A quick skim of the 938,388 files suggests that the this listing was obtained within the past 24 hours as a referrer log for 20140419 was among the filenames."

ZDNet has reached out to Spokeo, the UN's International Civil Aviation Organization, the University of Virginia, and the Science and Technology Center of Ukraine for comment and will update this post accordingly.

Updated 1pm PT, April 21: "In mid-January," according to a Spokeo spokesperson, Spokeo’s blog was compromised by hackers and we addressed and corrected the situation immediately. We are confident that they did not infiltrate the main Spokeo site and that no customer information or people search data has been compromised. In the spirit of due diligence, we are once again reviewing all systems to ensure the proper levels of security."


Editorial standards