Hackers that breached the Qatar National Bank (QNB) started their attack way back in July last year thanks to an SQL injection exploit, according to Trend Micro.
The vendor’s UK-based cybersecurity architect, Simon Edwards, revealed in a new blog post that on analyzing the 1.5GB of compressed data leaked online, it almost appears as if the hackers “dropped their horde as they made their escape.”
“The files are arranged into three high-level folders ‘Backup’; ‘Files’; and ‘Folders’. It is the first of these that shows that the attackers managed to obtain the data with an SQL injection attack, this gave them a large backup file containing the data they were after,” he explained.
“Using an open source SQL injection tool they were able to extract all of the customer data they needed. Interestingly, the log file points to the exploitation having started almost nine months previously.”
The data dumps into CSV files happened over the succeeding months, with many of these files created as late as April, and some data – mainly focused on foreign financial transactions paid to accounts in Jordan – converted into spreadsheets, he added.
Edwards speculated that as researchers work through this data they may find a link between the individuals profiled – including Al Jazeera staff and alleged spies – and the financial transactions.
“In a time where many data breaches cause as much embarrassment to those exposed as any direct financial loss, is this yet another example? With both the Ashley Maddison and Mossack Fonseca data breaches we have seen that the motivation was about exposing the ‘corrupt’ – financially and/or morally,” Edwards argued.
“Is this breach trying to expose something similar, or it is simply perpetrators trying to find something which may never have been there in the first place?”
As for the perpetrators themselves, researchers at Digital Shadows believe they might be connected to those who carried out an attack on the UAE-based Invest Bank.
In late 2015, an individual going by the handle ‘Hacker Buba’ tried and failed to extort Invest Bank with data stolen from the organization.
However, last month, a user named ‘bozkurt’ claimed in an underground forum post that Hacker Buba had told the user to release the entire Invest Bank data.
The post contained a link to a file containing 2.7GB of data.
What’s more, a Twitter account ‘Bozkurtlar,’ with the handle @ulkuocaklar1923 – meaning “Grey Wolves” in Turkish – posted a link to the same post, urging cyber-criminals to cash out money from the compromised accounts, Digital Shadows said.
Interestingly, at the end of the post came the ominous words: “Next arab bank soon.”
Grey Wolves could refer to the Turkish Nationalist group called Ülkü Ocaklari, which may explain the focus on these Middle Eastern banks, if true, Digital Shadows has speculated.