China and Russia collecting Ashley Madison data for intelligence purposes
Foreign intelligence is aiming to build profiles of people's personal lives from hacking data
Intelligence services in China and Russia are reportedly gathering and analysing the sensitive data released from major hacks such as Ashley Madison and the US Office of Personnel Management.
A US official has been quoted by CNN saying that foreign spy agencies are actively collating the information released by hackers into massive databases in order to analyse and cross-reference the data, which can then be used to "potentially compromise active operatives".
According to the official, who was not named, China and Russia are both using "non-government entities", such as hacking groups and private companies, to infiltrate US computer networks and comb through the stolen information.
Sean Sullivan, security advisor at F-Secure, told V3 that by cross-checking the OPM and Ashley Madison data, foreign intelligence will be able to build profiles of people's personal lives.
"Around 58 million users' details have been leaked between the OPM and Ashley Madison hack. However, that is not to say it is 58 million people, as some people whose details leaked in the OPM attack could be members of the Ashley Madison site."
"By cross-checking this data, a profile can start to be built. Add in all of the other major hacks that have happened and you can see how you can start building up a picture of someone's life - perhaps things about their life which they don't want people to know about."
"Every breach on this scale adds another piece to the puzzle for those adversaries who are profiling westerners in positions of influence," he added.
Sullivan also said that, as well as espionage, the collated data may eventually be used for blackmail purposes.
"Just think how many Chinese Americans had details in those data breaches which they want to keep secret, from their affair to their secret government post. Many of them are likely to still have links to mainland China through family - and this could now be held over them and used to blackmail them," he explained.
Tension between the US and China has recently escalated following the OPM cyber attack, in which 21.5 million federal records were stolen.
CEO ousted
Last month Noel Biderman, the chief executive of Avid Life Media (ALM), parent company of Ashley Madison, stepped down from his position with immediate effect, the latest in a long line of high-profile executives whose careers have been damaged by cyber breaches.
"This change is in the best interest of the company and allows us to continue to provide support to our members and dedicated employees. We are steadfast in our commitment to our customer base," said ALM in a statement at the time.
"We are actively adjusting to the attack on our business and members' privacy by criminals. We will continue to provide access to our unique platforms for our worldwide members.
"We are actively cooperating with international law enforcement in an effort to bring those responsible for the theft of proprietary member and business information to justice."
ALM also confirmed that the company will be led by the existing senior management team until the appointment of a new CEO.
Security researcher Brian Krebs revealed evidence last month suggesting that a Twitter user with the handle @deuszu was closely involved with the hack on Ashley Madison and Avid Life Media.
Piecing together clues from over five years of social media history, Krebs compiled a convincing timeline of events placing the Twitter user, who also goes by the title Thadeus Zu, at the scene of every major development in the hacking story.
Krebs reported that he first noticed the Twitter account after it started to publish tweets linking to the original 9.7GB data dump that, at the time, had not been picked up by any news outlet.
"Initially, that tweet startled me because I couldn't find any other sites online that were actually linking to that source code cache," Krebs recounted on his blog.
Krebs analysed the social accounts of Thadeus Zu, which is likely to be a false name, and found frequent references to hacking activity.
"Zu's early years on Twitter are a catalogue of simple hacks - commandeering unsecured routers, wireless cameras and printers - as well as many, many website defacements," Krebs reported.
However, it was only after the Toronto Police press conference that everything clicked into place.
Krebs said that on 4 August Thadeus Zu tweeted to KPN-CERT, an incident response team in the Netherlands, to inform them he had hacked their website. "Next time, it will be Thunderstruck," Zu tweeted at the time.
The song Thunderstruck by rock band AC/DC accompanied the original Impact Team message to Avid Life Media staff on their computers on 12 July.
This came alongside a screengrab archived by Krebs that shows the Thadeus Zu account holder listening to Thunderstruck on YouTube while setting up replication servers 12 hours before Krebs was first put in contact with Impact Team.
Krebs said the intelligence didn't mean that the account was definitely involved, but could well be in some way linked to the hack.
"As with the social networking profiles of others who've been tied to high-profile cyber crimes, Zu's online utterings appear to be filled with kernels of truth surrounded by complete malarkey, thus making it challenging to separate fact from fiction," said Krebs.
"One thing is clear: If Zu wasn't involved in the hack, he almost certainly knows who was."
Zu has denied any involvement and has posted repeated tweets distancing himself from the story.
I have NO contact with Impact Team and I am NOT the 'Ashley Madison' hacker.
— Thadeus Zu (@deuszu) August 27, 2015
However, he and Krebs are also engaged in an interesting back-and-forth on Twitter.
@deuszu ah, the royal "we" again. Is that, "we, the impact team" or "we, the multiple voices inside my head?"
— briankrebs (@briankrebs) August 27, 2015
Following the second 30GB data dump by Impact Team, leaked internal emails from Ashley Madison indicated that a former high-level executive had hacked into the database of a rival, as also reported by Brian Krebs.
Emails between former chief technical officer Raja Bhatia and Biderman show that security flaws in competitor website Nerve.com were exploited.
"They did a very lousy job building their platform. I got their entire user base," Bhatia told Biderman via email in 2012, before posting a sample of the database to open source software website GitHub.
"I can turn any non-paying user into a paying user, vice versa, compose messages between users, check unread stats," he wrote.
The leaked emails also indicated that a number of months before the hack Avid Life Media was approached with an offer to partner or invest in Nerve.com.
This was declined, but roughly six months after Bhatia allegedly hacked the database Biderman was set to attend a meeting with representatives of Nerve. "Should I tell them of their security hole?" Biderman wrote to Bhatia at the time.
The emails also include conversations about the apparent security flaws in Ashley Madison's own website.
In response to the news that 100,000 users of Grindr had been exposed by hackers in 2012, Bhatia wrote: "I am pretty sure we stored passwords without any cryptography so a database leak would expose all account credentials.
"What separates the companies that get skinned alive from those that quickly recover is how you handle the communication publicly and, even more importantly, to your users. Silence is the worst possible answer."
V3 contacted Avid Life Media for comment on the contents of the emails, but received no reply.
Meanwhile, multiple torrent downloads surfaced online featuring a 'dox archive' of sensitive company data such as files, documents and images from Biderman's email inbox, a 100-page film script titled In Bed with Ashley Madison and sensitive information such as passport scans and bank account numbers.
Police investigation ongoing
These revelations came after Canadian police said that they were investigating reports that two people had committed suicide as a result of the Ashley Madison hack and subsequent data leak.
The news was announced by Toronto Police Service acting staff superintendent Bryce Evans during a media conference on 24 August to discuss the case.
“[We] have two unconfirmed reports of suicides associated because of the leaks of Ashley Madison customer profiles,” he said.
Evans revealed that Ashley Madison is offering a $500,000 reward for information that leads to the arrests of those responsible for the data theft.
He warned that criminals have already begun using the Ashley Madison hack to launch scams against the public, and urged people to be wary.
"The public needs to be aware that by clicking on these links you are exposing your computers to malware, spyware, adware and viruses," he said.
Evans also issued a warning to Impact Team, promising that justice would be done: "I want to make it very clear to you that your actions are illegal and we will not be tolerating them. This is your wake-up call."
He issued a plea to the hacking community to help catch the hackers, claiming that a "line had been crossed" and Impact Team had gone too far.
These updates come after two Canadian law firms issued a joint $576m (£360m) lawsuit against Avid Life Media after data on 37 million customers was posted online.
The firms, Strosberg LLP and Charney Lawyers and Sutts, filed national class proceedings against Toronto-based companies Avid Life Media and Avid Dating Life "on behalf of all Canadians" who subscribed to Ashley Madison and whose personal information was disclosed to the public.
The law firms said in a joint statement that they were approached by numerous former users of Ashley Madison to inquire about their privacy rights under Canadian law.
"They are outraged that AshleyMadison.com failed to protect its users' information. In many cases, the users paid an additional fee for the website to remove all of their data, only to discover that the information was left intact and exposed," the statement said.
"The allegations in the class action include that the privacy of many thousands of Canadians was breached in July 2015 when hackers infiltrated AshleyMadison.com and downloaded private information. The data breach includes users' personal names, emails, home addresses and message history."
This is not the first lawsuit filed by Canadian lawyers against Ashley Madison. A plaintiff sought over $20m in 2013 after alleging that she sustained injuries from typing "hundreds of fake profiles".
The joint statement reveals that Impact Team, the hacking collective responsible for the data breach, is not listed in the lawsuit.
Impact Team has released roughly 30GB of data to the dark web, and claimed that it has 300GB of employee emails and documents from the website's internal network including "tens of thousands of Ashley Madison user pictures" and "some Ashley Madison user chats and messages".
Impact Team gave insights into its tactics and the vulnerable nature of Ashley Madison's security in an interview with Motherboard.
"Nobody was watching. No security. Only thing was segmented network. You could use Pass1234 from the internet to VPN to root on all servers."
Impact Team attacked the initial reaction by Noel Biderman, and denied the suggestion that the group is blackmailing Ashley Madison customers.
"They sound like politicians, cannot stop lying. They said they don't store [credit card information]. Sure, they don't store email either; they just log in every day to server and read. They have payment processors. The payment processors store most of the credit card number and billing address. Like how Gmail stores their email. They can log in and look up transactions," the group said.
"Everyone is saying 37 million! Blackmail users! We didn't blackmail users. Avid Life Media blackmailed them. But any hacking team could have. We did it to stop the next 60 million."
The hacking collective initially uploaded a 19GB file that contained source code to the website and Biderman's personal emails.
The release, roughly double the size of the original 9.7GB file, was in response to an interview between Avid Life Media and security researcher Brian Krebs in which former Ashley Madison chief technical officer Raja Bhatia claimed that the initial data dump was fake.
The release was signed by Impact Team: 'Hey Noel, you can admit it's real now.'
One researcher analysing the release said that the leak contained website source code, 73 Git repositories and a 13GB compressed file marked as Biderman's emails.
Dave Kennedy, chief executive of security firm TrustedSec, analysed the files and said they appear to be real.
"The dump appears to contain all of the CEO's business/corporate emails, source code for all of their websites, mobile applications, and more. Note that we do not plan on performing analysis on the actual files due to the sensitivity of the dump. However, it does appear to be legitimate like the other dump," he wrote in a blog post.
"If this turns out to be legitimate, which it in all aspects appears to be, having full source code to these websites means that other hacker groups now have the ability to find new flaws in Avid Life's websites, and compromise them more."
This came after sensitive data on millions of users of Ashley Madison was leaked online in a 9.7GB data dump by Impact Team.
The data contained millions of names, home addresses, email addresses and transaction records of users that were posted online via the untraceable Tor network and to peer-to-peer torrent websites. However, the file did not appear to include full credit card numbers.
The hackers said in July that they would release the customer data into the wild if the Ashley Madison and Established Men websites were not taken down. Avid Life Media doubled down and said that it had bulked up security following the hack.
Avid Life Media said it is conducting a full investigation of the hack to find those responsible.
"This event is not an act of hacktivism, it is an act of criminality," it said. "It is an illegal action against the individual members of AshleyMadison.com, as well as any freethinking people who choose to engage in fully lawful online activities.
"The criminal, or criminals, involved in this act have appointed themselves as the moral judge, juror, and executioner, seeing fit to impose a personal notion of virtue on all of society."
Impact Team, which took issue with a pay-to-delete function offered by Ashley Madison, rejected the claim that it is at fault.
"Ashley Madison has failed to take down Ashley Madison and Established Men. We have explained the fraud, deceit and stupidity of ALM and their members. Now everyone gets to see their data," it said in a bulletin issued alongside the data leak.
"Find yourself in here? It was ALM that failed you and lied to you. Prosecute them and claim damages. Then move on with your life. Learn your lesson and make amends. Embarrassing now, but you'll get over it."
A financial consequence
Following the hack in July, Ashley Madison found that it could face fines of up to £500,000 if it failed to delete user data as agreed with customers.
Mahisha Rupan, senior associate at technology and digital media law firm Kemp Little, warned that keeping customer data longer than advertised can result in fines by the Information Commissioner's Office (ICO).
The ICO can enforce fines of up to £500,000 on businesses found to have breached privacy law.
"Legally, Ashley Madison has to ensure that its users' information is protected using security measures that are in proportion to the sensitivity of the personal information being protected," said Rupan.
"Given that the hackers accessed information about users who have stopped using the service and requested the 'paid delete' functionality, Ashley Madison will need to have a strong and justifiable reason as to why it still held these users' information.
"A key cornerstone of data protection laws is that companies should not be keeping data that they no longer require."
An ICO spokesperson told V3 it is "liaising with their international counterparts" to learn more about what is being done in response to the Ashley Madison data breach.
"If personal data is hacked from websites and posted online, there can be a risk of identity theft," said the ICO at the time.
Avid Life Media initially played down reports that it had wrongly retained user data.
"Contrary to current media reports, and based on accusations posted online by a cyber criminal, the paid-delete option offered by AshleyMadison.com does in fact remove all information related to a member’s profile and communications activity," the firm said in a statement posted online.
"The process involves a hard-delete of a requesting user’s profile, including the removal of posted pictures and all messages sent to other system users’ email boxes."
ALM also said it managed to close the holes in its website that the hackers used: "At this time, we have been able to secure our sites and close the unauthorised access points."
ALM now offers free profile deletion to users of its services as it reacts to a hack of its site that was claimed to have affected 37 million users. The profile deletion service, which usually costs £15, will now be offered for free, as the firm hits back at the hackers' claims that the feature does not work.
The July hack
Despite ALM's claim that Ashley Madison had “stringent security measures” in place before the data breach, the Impact Team hackers said they stole customer records, maps of internal company servers, employee network account information and company bank account details.
“We apologise for this unprovoked and criminal intrusion into our customers’ information. We have always had the confidentiality of our customers’ information foremost in our minds,” said ALM at the time.
Impact Team quickly claimed credit for the breach and initially released 40MB of data, including user account details and financial information.
"Users almost always pay with credit card; their purchase details are not removed as promised, and include real name and address, which is of course the most important information the users want removed," warned Impact Team in a 'manifesto'.
"We will release all customer records, profiles with all the customers' secret sexual fantasies, nude pictures and conversations and matching credit card transactions, real names and addresses, and employee documents and emails."
"The current business world has proven to be one in which no company's online assets are safe from cyber vandalism, with ALM being only the latest among many companies to have been attacked, despite investing in the latest privacy and security technologies," the firm said.
"As other companies have experienced, these security measures have unfortunately not prevented this attack to our system."
Following the hack ALM told V3 that it used the Digital Millennium Copyright Act (DMCA) to remove all posts relating to the incident as well as "all personally identifiable information about our users published online".
"We have always had the confidentiality of our customers' information foremost in our minds and are pleased that the provisions included in the DMCA have been effective in addressing this matter," the firm said.
Former ALM chief executive Noel Biderman said at the time that he believed he knew the identity of the culprit, claiming it was someone who had inside access to its networks, according to Brian Krebs.
"I've got their profile right in front of me, all their work credentials. It was definitely a person here that was not an employee but certainly had touched our technical services," Biderman explained.