What we can learn from the APT34 leak
The Iranian hacking group known as APT34/Oilrig/HelixKitten have had a breach of their own: a dump of the breach has now been made available on the web. The leak includes sets of tools, including Glimpse, PoisonFrog, Hypershell, HighShell, FoxPanel and WebMask and also included a bunch of breached passwords gained via these tools and others.
We speak at hundreds of events, c-suite workshops and general awareness sessions for clients and one of the most common questions that we've been asked over the last couple of years is "how can we stop Nation State attackers?".
We always tell people that whilst Nation State groups generally have incredible skills, people and resources as well as the drive to perform, they will always start with the easiest vulnerabilities. Why waste an expensive zero-day exploit when someone has a terrible password?
This post is not about the APT34/Oilrig/HelixKitten tools, where they came from or what they could potentially be used to access. This post is purely looking at what the passwords gathered tell us about the security culture of the organisations and government departments that were breached.
Within the breach data is roughly 12,500 passwords, which range from domain accounts through to webmail passwords.
Some of the passwords contain information which would identify the organisation from which they were taken. This highlights a common security issue with passwords: people sometimes use the company name as part of the password they use within that company, which obviously makes that password much easier to crack. To prevent revealing the organisations involved in the breach in this blog post, we will not print the top ten used passwords as eight of them contain identifying information. The top two do not and they are:
eysb@123 123456 Almost 1000 accounts use either one of the above passwords and only 5,715 passwords out of the 12,500 are unique. It is clear that password reuse is still a major problem in all of the organisations breached.
We can also analyse the length of passwords, with most passwords not exceeding 11 characters, implying a lack of awareness regarding the fact that short passwords are incredibly easy to crack. A shocking 5% of passwords were 6 or less characters! It would be easy at this point to blame individuals for poor password choice and management, but that would not be fair. Most people now have to manage a mind-boggling number of passwords and they are just not able to remember a large number of complicated, unique passwords. This breach, like so many, shows why we need to provide people with access to, and training in, password managers.
Some other interesting statistics can be drawn from the passwords, such as 5,189 passwords started with a capital letter and ended with a number, almost 4,000 ended with 3 numbers, with obviously the most popular ending being 123 (as in password123).
Whilst nearly 5,000 passwords were mixed case and included a special character and number, which shows that people are using complex password structures, we can see from other stats that they are not creating complicated passwords. Thus proving that complexity of characters can be usurped by poor length and easy to guess words/structure.
So let this stand as proof to those that are worried about Nation State attackers: whether you are being targeted by a script kiddie, an organised criminal gang or a Nation State, they all start by attacking the easiest route in. Start with the security foundations, because that's where they will start, too.
Many thanks to DigiNinja for his excellent tool Pipal (a password analysis tool by DigiNinja https://digi.ninja/projects/pipal.php )