There has been no shortage of media coverage on the recent TalkTalk cyber attack. The full implications of the attack are not yet known, but reports suggest it could affect a significant number of TalkTalk’s 4 million customers.
But what does this mean for organizations? It is important not to get swept up in the media storm, and instead to gain an understanding of what the attack actually means for them. This blog provides an example of how we help our clients to achieve this.
On 22 October, TalkTalk announced that its website had been hit by a cyber attack on 21 October. Shortly afterwards, Digital Shadows detected a post on Pastebin titled “Message from TalkTalk Hackers.” The post included a statement addressed to “Th3 W3b 0f H4r4m” and claimed responsibility for the attack, supposedly demonstrating success by publishing sample TalkTalk user data.
The post contained a statement that used Islamic phrases, although the relevance of this was unclear. Furthermore, the actor was unknown and there was little to corroborate the claims. Despite this, the media jumped on the story, quick to paint a sensationalist picture of jihadists targeting the West. The reality was far more complex and required a more nuanced analysis.
The next few days saw a flurry of activity as the data appeared and re-appeared on Pastebin, as well as being offered up on online marketplaces. A host of previously unknown actors surfaced in relation to this growing list of incidents (see our timeline below for an idea).
Digital Shadows SearchLight™ portal demonstrating the timeline of incidents for the TalkTalk attack.
On 24 October, a further Pastebin post appeared, titled “New message from TalkTalk Hackers”, that bore similarities to the previous paste made on 22 October addressing “Th3 W3b 0f H4r4m”. This time, however, the actor listed “another English Telecom” as the next target and claimed that they would “soon control Europe”. What is more, the post also claimed a link to a Twitter account belonging to an actor known as JM511. While it is difficult to verify that this actor was responsible, it is possible to look back across their history to understand more about this individual.
In many instances, it is difficult to ascertain the reliability of the claims that arise in such high-profile attacks. It is, however, possible to look back over time at the past form of these actors in order to understand their tactics, techniques and procedures (TTPs), motivations and threat level.
JM511 joined Twitter on 14 October 2010 and has since posted content related to both hacking and hacktivist activity – including operations run by affiliates of the Anonymous collective (although there is no evidence to show that they participate in cyber activity relevant to these operations).
So what do we know about this actor? On 10 August 2015, The Employment Agents Movement (TEAM) was reportedly breached by an actor using the same identifiers as JM511. In this case, the actor stated that they were a “Saudi Arabian Hacker” based in Chicago, and on 8 August 2015 tweeted a link to a Pastebin post of the reportedly compromised data and named the targeted site. In this incident, there were indications that the likely attack vector was SQL injection.
Bringing these snippets of information together helps to give organizations greater situational awareness and allows them to assess the threat posed by actors purported to be involved with the TalkTalk attack.
Understanding the Implications
Such large events attract plenty of media attention, claims and counter-claims. Our job is to cut through the hype and evaluate and assess these claims in order to help our clients understand what this means for them.
The recent TalkTalk attack is just one example of this: an attack that involved many different claims. At the time of writing, it is still unclear whether one or multiple actors are involved.
The ostensible tie to JM511, who has been linked with the use of SQL injection in the past, gives us some insight into what may be happening and helps organizations gain the situational awareness they need to pick out the signal from the noise.