The Qatar National Bank (QNB) has been breached and the attackers have leaked 1.4 GB of sensitive data online. The data includes transaction logs and the personal information of a wide range of customers from normal customers all the way to the Qatari royal family, Al Jazeera journalists and western intelligence agencies.
The leak was first posted at Global Files.net earlier this week before being taken down and reposted on another website, Cryptome. Appar
Some of the more sensitive files purportedly contain information on MI6, the UK Ministry of Defence as well as Polish and French intelligence agencies. Those files contain lists of social media accounts, phone numbers, names of associates, financial data as well as pictures of the owners of that data.
Similar files, numbering over 1,000 and organised in a similar fashion, were found in a folder marked Al Jazeera, the name of a Qatari global news outlet.
Trent Telford, CEO of Covata, told SCMagazineUK.com that while the size of the leak is relatively small, the significance of the names involved is large: “The leaked documents contain hundreds of thousands of customer transaction logs, information about the Qatar Royal Family and, alarmingly, records regarding British, Polish and French Intelligence agents.” The leak “raises two serious questions; why such sensitive information wasn't encrypted and why didn't the bank have the relevant access controls in place?”
International Business Times, which initially reported the leak, has yet to confirm the contemporaneity of the files, which have apparently been available since July last year, but claims that multiple sources have confirmed the veracity of the data.
In the meantime the QNB has released a response. The bank states that it is policy not “to comment on reports circulated via social media.” The bank further adds that “there is no financial impact on our client or the bank” while reassuring customers “QNB Group places the highest priority on data security and deploying the strongest measures possible to ensure the integrity of our customers' information.” The statement concludes, “QNB is further investigating this matter in coordination with all concerned parties.”
Headquartered in Doha, the QNB is the second largest bank in the Middle East and Africa. Operating in 27 countries and employing 15,300 employees, the bank is large enough to attract its share of avaricious cyber-criminals, hacktivists looking to attack the authoritarian government of Qatar, or embittered insiders.
No one seems to know for sure who exactly was behind this leak, although one social media account claimed responsibility for the leak just days after.
Cyber-security company Digital Shadows believes it might have an idea. In late 2015, a hacker by the name of Buba attempted to extort an Emirati bank into paying for a tranche of customer information that Buba had supposedly stolen from it.
In March of this year, a forum popular with cyber-criminals featured a post by a user calling itself ‘bozkurt’. The post detailed how Buba had instructed Bozkurt to release the data stolen the previous year. A short while later, a Twitter account named ‘Bozkurtlar’ posted a link to this account encouraging those so inclined to cash out money. The handle of that Twitter account was @ulkuocaklar1923, translated as Grey Wolves, a Turkish nationalist paramilitary outfit. 1923 is the year of the foundation of the Republic of Turkey and Bozkurtlar is the informal name for the group.
Coming back to present day, a Twitter account named @bozkurthackers posted a video which claimed responsibility for the QNB breach. The profile picture of this account was a picture of the hand signal which is the signature gesture of the Grey Wolves; the same hand sign that was depicted by @ulkuocaklar1923.
The Grey Wolves, often described as a Turkish fascist party, essentially performed the role of a death squad during the political turmoil of the 1970s. The organisation is known to be behind numerous massacres, terrorist attacks and attempts at political subversion, often aimed at Turkey's ethnic minorities. Perhaps the group's most famous act was the attempted assassination of Pope John Paul II in 1981.
Digital Shadows has speculated that the publication of this leak may have something to do with an assertion of Turkish nationalism over Arab nationalism, but the exact reasons remain unclear. SC learnt from a Digital Shadows spokesperson that a group calling itself Bozkurt hackers has been active since at least 2012.
The group has “typically focused on the defacement of websites – often placing the Turkish flag or an image of Ataturk on a target website. As of yet, however, there is insufficient evidence to confirm a connection between earlier uses of this name and the claimed Qatar National Bank breach.”
SC spoke to Ewan Lawson, a cyber-warfare expert at the Royal United Services Institute. Lawson told SC that the choice of a Qatari bank was an odd target for a group with strong ties to Turkey. A Russian target would have been more likely. However, the notion “that the Grey Wolves had developed a hacking capability it is not surprising and is more likely to be the result of a relationship with an existing hacker/hacktivist group.”