What’s happening with one of the biggest telecom hacks? Our initial report on the Netia attack and associated bitcoin addresses.

On July 6th the telecommunications company Netia was attacked by hackers who gained unauthorized access to its servers and stole the personal data of more than 2 million customers, companies and individuals. This is our initial analysis of one of the largest data leaks in Polish history.

Millions of personal data records were stolen

Files have been published in seven parts with a total size of more than 18 GB — including more than 600,000 unique email addresses. The Twitter accounts which published data from the hack and demanded a ransom from the Polish Ministry of National Defence are: pravsector, opstrinity, evstoliyakalas2 and noskovfurs1994.

The timeline of events related to the attack:

- 30/06/2016 — explosion in a server room, identified as an automatic but improper activation of the fire protection system
- 01/07/2016 — data packages were prepared by the attacker, containing the personal data of customers and of people who had filled in a contact form
- 6–7/07/2016 — attack on the internal network of Netia
- 07/07/2016 — publication of the stolen database: files with names including logger.sql, nss_new.sql and publisher.sql
- 09/07/2016 — clients first receive SMS notifications from Netia that their data has leaked
- 14/07/2016 — the Twitter account pravsektor publishes data (screenshots and other information, some of which is fake) indicating possession of files from the internal network or the computers of employees of the Ministry of National Defence
- 14–20/07/2016 — phishing attacks and attempts to impersonate clients and individuals whose data was in the stolen database. Among the e-mails sent by the hackers we have identified the names and trademarks of mBank and Netia, and the Internet domain *.pw
- 07/07/2016 – present — we analyze all the information and the bitcoin addresses published by the hackers
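The phishing wave noted in the timeline reused the Netia and mBank names while sending from a *.pw domain. A simple mail-filter check built on exactly that combination (brand name in the message, sender domain outside the brand's own) is shown below as an added example; it is not code from the original report or from Netia, mBank or Coinfirm. The sample e-mails are constructed, and the mapping of brand names to "legitimate" domains (`netia.pl`, `mbank.pl`) is an assumption to be replaced by your own allow-list.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Brand names seen in the attackers' mails, mapped to the domains we ASSUME
# are the brands' legitimate sending domains (mbank.pl is not stated in the
# report; both entries are placeholders for a real allow-list).
BRAND_DOMAINS = {
    "netia": {"netia.pl"},
    "mbank": {"mbank.pl"},
}
# Top-level domain observed in the attackers' mails (from the report).
SUSPICIOUS_TLDS = {"pw"}


def sender_domain(msg):
    """Return the lower-cased domain part of the From: address, or ''."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def message_text(msg):
    """Concatenate subject, From display name and text/plain body, lower-cased."""
    parts = [msg.get("Subject", ""), parseaddr(msg.get("From", ""))[0]]
    if msg.is_multipart():
        for part in msg.walk():
            if part.get_content_type() == "text/plain":
                payload = part.get_payload(decode=True) or b""
                parts.append(payload.decode("utf-8", "replace"))
    else:
        parts.append(msg.get_payload() or "")
    return " ".join(parts).lower()


def classify_email(raw):
    """Flag a message that name-drops a brand but is sent from elsewhere."""
    msg = message_from_string(raw)
    domain = sender_domain(msg)
    tld = domain.rsplit(".", 1)[-1] if "." in domain else domain
    text = message_text(msg)
    reasons = []

    # Which of the brands does the message mention at all?
    brands = [b for b in BRAND_DOMAINS if re.search(r"\b%s\b" % b, text)]

    # Brand mentioned, but the sender domain is not one of the brand's own.
    for brand in brands:
        allowed = BRAND_DOMAINS[brand]
        if domain and not any(domain == d or domain.endswith("." + d) for d in allowed):
            reasons.append("mentions %s but sent from %s" % (brand, domain))

    # Sender TLD matches the one used in the campaign.
    if tld in SUSPICIOUS_TLDS:
        reasons.append("sender TLD .%s" % tld)

    return {"domain": domain, "brands": brands, "reasons": reasons, "flagged": bool(reasons)}


# Constructed samples: a look-alike mail, a genuine notification, an unrelated mail.
PHISH = """From: "Netia Biuro Obslugi" <kontakt@netia-faktura.pw>
To: klient@example.invalid
Subject: Netia: zalegla faktura

Prosimy o pilne oplacenie faktury pod adresem http://netia-faktura.pw/faktura
"""

LEGIT = """From: "Netia" <powiadomienia@netia.pl>
To: klient@example.invalid
Subject: Informacja o wycieku danych

Netia informuje, ze Panstwa dane mogly zostac ujawnione.
"""

NEUTRAL = """From: "Anna" <anna@example.com>
To: klient@example.invalid
Subject: Spotkanie

Czy pasuje Ci czwartek o 10?
"""

if __name__ == "__main__":
    for name, sample in (("phish", PHISH), ("legit", LEGIT), ("neutral", NEUTRAL)):
        print(name, classify_email(sample))
```

The check is deliberately narrow: it does not try to decide whether a mail is malicious in general, only whether it trades on a brand name from a domain that brand does not use, which was the observable pattern in this campaign. Messages from `netia.pl` that mention Netia pass; the same text from a `.pw` domain is flagged twice (brand/domain mismatch and the TLD itself).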

Before the hack there was an explosion in a server room

It is worth noting that on June 30, 2016, a few days before the attack became public, the fire alarm system went off in a server room belonging to Netia; according to official information this has no connection with the hack. However, we should assume that the attack started well before the data was published.

In another investigation in which we are participating, concerning an attack on a large bitcoin-related company, the hackers spent more than three months preparing to steal funds, and the whole operation took them about 14 weeks.

Below is a copy of the data published by the attacker. It is dated July 1, 2016, one day after the incident with the fire extinguishing system.

Screenshot of the database published by the attackers (picture from their Twitter account).

In the photo above, published on Twitter, it is clearly visible that the hackers managed to install and use their own software on the server: a webshell.

The stolen data includes sensitive information such as:

- First names, middle names and surnames
- Social Security numbers
- Series and numbers of ID cards
- Addresses of residence (correspondence addresses)
- Bank account numbers
- E-mail addresses
- Phone numbers
- IP addresses

Screenshot of the Twitter account which published the stolen files.

The hackers also published the following data on the pravsektor Twitter account that is controlled by or linked to them:

1. The account number, bank name and SWIFT code of a bank account belonging to Roman Donik, a journalist and blogger documenting the Ukrainian-Russian conflict (a clear attempt at manipulation by the attackers).

2. A Bitcoin address which has received a total of 193.7 Bitcoins, worth over 130,000 USD in total.

Screenshot of Twitter account with attached bitcoin address, bank account and threat.

All people whose data was included in the leaked database received the following SMS from Netia.

SMS from Netia

Clients of Netia whose data leaked may be at risk of:

- Identity Theft

- An attempt to open a bank account using their data

- An attempt to rent a car

- An attempt to extort money or information

- Being burdened with a credit or loan that they did not take out

- Attempts to conclude agreements or contracts, or to authenticate offers, transactions or other legal acts, using this data

We hope that the data we are analyzing after the incident — mainly the Bitcoin addresses — will make it possible to identify the attacker and to stop the further distribution of the illegally acquired personal data from this leak. According to our information, on the second day after the attack the hackers began phishing attacks on individuals whose data was included in the database.

We have to admit that Netia took strong and effective action after the attack. When the first data leaked, it took the administrators only a few minutes to shut down and lock all servers. This reflects a professional approach to the situation by the administrators, but also a very fast and effective decision-making process after the “failure”.

The results of the investigation by Coinfirm — the analysis of the published data, a full report, and the results of monitoring Bitcoin transactions and addresses related to the hackers and/or people associated with them — will be sent to representatives of Netia and will be published only in censored form.

In our research we used Maltego by Paterva: www.paterva.com/web7/buy/maltego-clients/maltego.php

Authors: Coinfirm.io Team

Sources:

- daneosobowe.netia.pl
- netia.pl
- dokumentyzastrzezone.pl
- informnapalm.org/24775-departament-mo-rf-dokumenty/
- www.5.ua/suspilstvo/ukrainski-khakery-zlamaly-server-departamentu-minoborony-rf-dokumenty-119985.html
- zaufanatrzeciastrona.pl
- niebezpiecznik.pl
- https://blockexplorer.com
- blockchain.info