Anonymous has released the email addresses and encrypted passwords of around 90,000 military personnel following a series of online attacks against government consultancy Booz Allen Hamilton.
In a statement on The Pirate Bay, Anonymous said that it was turning its attention to Booz Allen Hamilton, whose core business is contractual work completed on behalf of the US federal government, primarily on defence and homeland security matters and limited engagements of foreign governments specific to US military assistance programs.
Anonymous said: “So in this line of work you'd expect them to sail the seven proxseas with a state-of-the-art battleship, right? Well you may be as surprised as we were when we found their vessel being a puny wooden barge.
“We infiltrated a server on their network that basically had no security measures in place. We were able to run our own application, which turned out to be a shell and began plundering some booty. Most shiny is probably a list of roughly 90,000 military emails and password hashes (md5, non-salted of course!). We also added the complete sqldump, compressed 50MB, for a good measure.”
It also claimed that it was able to access the Subversion (SVN) repository to take 4GB of source code, and that it found related data on different servers that it got access to, as well as ‘maps and keys for various other treasure chests buried on the islands of government agencies, federal contractors and shady white hat companies’.
Booz Allen Hamilton initially refused to comment, saying on Twitter that ‘as part of Booz Allen security policy, we generally do not comment on specific threats or actions taken against our systems’.
It later confirmed the attack, saying that 'the posting of certain data files on the internet yesterday was the result of an illegal attack'. It said that it is conducting a full review of the nature and extent of the attack but did not believe that the attack extended beyond data pertaining to a learning management system for a government agency.
"Our policy and security practice is generally not to comment on such matters; however, given the publicity about this event, we believe it is important to set out our preliminary understanding of the facts. We are communicating with our clients and analysing the nature of this attack and the data files affected. We maintain our commitment to protect our clients and our firm from illegal thefts of information," it said.
Chester Wisniewski, senior security advisor at Sophos Canada, said: “The bigger problem for Booz Allen Hamilton is that they stored passwords with these email addresses using only a SHA hash. The passwords are not salted, which will likely lead to the majority of the passwords being exposed.
“While this should certainly be embarrassing to Booz Allen Hamilton, the real impact is on the US military. These 90,000+ individuals will need to reset their passwords, and ensure any systems that they shared these passwords with are changed.”