
How was Stolen Chinese Data Sold?

  • Writer: Selina Tariq
  • Jul 9, 2022
  • 2 min read

Cybersecurity may seem advanced today, but this attack is proof that there is always room for improvement.





In recent days, a hacker going by the handle ChinaDan has put up for sale data stolen from the Shanghai National Police. Names, home addresses, national ID numbers and mobile phone numbers are all included in the stolen material.


Cybersecurity professionals have confirmed that at least part of a small sample of the data is genuine. The 23 terabytes of data were sold for $200,000 (£166,000), in what is believed to be the largest data sale in history. DarkTracer, a company that tracks online criminal activity, reports that on Tuesday a different hacker advertised 90 million Chinese citizen records that he claimed to have stolen from the Henan National Police (HNGA). This second hacker may have been motivated by the publicity surrounding ChinaDan's offer.


Binance CEO Changpeng Zhao, who claimed on Twitter that the data had been stolen, suggested that a government developer had unintentionally included the credentials needed to access the data in a blog post on the Chinese Software Developer Network (CSDN). Cybersecurity experts, however, say this may not be the case: the information was instead exposed through an unprotected web dashboard. LeakIX, a service that records exposed online databases, found that the public-facing Kibana-powered site had been reachable since the end of 2020.

Kibana is open-source software used around the world to visualize and manage Elasticsearch clusters. LeakIX stated that the service responsible for the breach was an unsecured Kibana instance listening on port 5601, Kibana's default port. If so, anyone scanning the internet for public-facing Kibana deployments would eventually have found this one, with no credentials required to reach the data behind it.


Bob Diachenko, owner of the infosec research company SecurityDiscovery, said his findings corroborated LeakIX's. In April, Diachenko's systems automatically discovered the cluster on the public internet and recorded the names of its database indices, but did not review the content. Diachenko was later able to match references to indices in the free samples of the stolen data to Elasticsearch indices his systems had previously documented.
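The two paragraphs above describe the same exposure from two sides: an unauthenticated Kibana on its default port 5601, and a scanner that records the index names of an open Elasticsearch cluster without reading its documents. The script below is an added example for this post, not code from LeakIX, SecurityDiscovery or the author, showing how a defender can check their own hosts for exactly that condition. It classifies the response to Kibana's /api/status endpoint and Elasticsearch's /_cat/indices endpoint (both real paths, on the real default ports 5601 and 9200), and summarizes the index listing the way an inventory scanner would. The sample responses embedded in the block are constructed so the logic runs offline; probe() performs the live, credential-free request against a host you own.

```python
"""Check whether a Kibana (5601) or Elasticsearch (9200) endpoint answers
without credentials. Added example for this post; sample responses below
are constructed, not captured from any real host."""
import json
import urllib.error
import urllib.request

KIBANA_PORT = 5601                         # Kibana default, as noted in the post
ES_PORT = 9200                             # Elasticsearch default HTTP port
KIBANA_STATUS = "/api/status"              # answers on any reachable Kibana
ES_INDICES = "/_cat/indices?format=json"   # lists indices on an open cluster


def classify(status, headers, body):
    """Classify an HTTP response to one of the two paths above.

    Returns 'open-kibana', 'open-elasticsearch', 'auth-required',
    'login-required' or 'unknown'. A 200 with parseable JSON, reached
    with no credentials, is the exposure LeakIX described.
    """
    h = {k.lower(): v for k, v in headers.items()}
    if status == 401:
        return "auth-required"           # basic/API-key auth is enforced
    if status in (302, 303) and "login" in h.get("location", ""):
        return "login-required"          # Kibana redirecting to its login page
    if status != 200:
        return "unknown"
    try:
        data = json.loads(body)
    except ValueError:
        return "unknown"                 # HTML or other non-API content
    # Kibana adds a kbn-name response header; /api/status carries version+status.
    if "kbn-name" in h or (isinstance(data, dict)
                           and "version" in data and "status" in data):
        return "open-kibana"
    # _cat/indices?format=json returns a list of per-index records.
    if isinstance(data, list) and data and "index" in data[0]:
        return "open-elasticsearch"
    return "unknown"


def summarize_indices(body):
    """Turn _cat/indices JSON into (index, doc_count, size), largest first.

    This is the metadata a scanner 'noting the indices' of an open cluster
    sees without reading a single document.
    """
    out = [(r["index"], int(r.get("docs.count") or 0), r.get("store.size", "?"))
           for r in json.loads(body)]
    return sorted(out, key=lambda r: r[1], reverse=True)


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx as HTTPError so a login redirect is not silently followed."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


_OPENER = urllib.request.build_opener(_NoRedirect)


def probe(host, port, path, timeout=5):
    """Live, unauthenticated request; returns classify()'s verdict, or None
    when the port does not answer at all. Not used by the offline samples."""
    req = urllib.request.Request("http://%s:%d%s" % (host, port, path),
                                 headers={"User-Agent": "exposure-check"})
    try:
        with _OPENER.open(req, timeout=timeout) as resp:
            return classify(resp.getcode(), dict(resp.headers.items()),
                            resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as e:     # 3xx/4xx still carry a verdict
        return classify(e.code, dict(e.headers.items()),
                        e.read().decode("utf-8", "replace"))
    except (urllib.error.URLError, OSError):
        return None


# Constructed sample responses (hypothetical, not from any real host).
SAMPLE_KIBANA = (200, {"kbn-name": "kibana", "Content-Type": "application/json"},
                 json.dumps({"name": "kibana", "version": {"number": "7.10.2"},
                             "status": {"overall": {"state": "green"}}}))
SAMPLE_ES = (200, {"Content-Type": "application/json"},
             json.dumps([{"health": "yellow", "status": "open", "index": "sample_records",
                          "docs.count": "1000000", "store.size": "2.1gb"},
                         {"health": "green", "status": "open", "index": ".kibana_1",
                          "docs.count": "42", "store.size": "100kb"}]))
SAMPLE_AUTH = (401, {"WWW-Authenticate": 'Basic realm="security"'}, "")
SAMPLE_LOGIN = (302, {"Location": "/login?next=%2Fapi%2Fstatus"}, "")

if __name__ == "__main__":
    for name, sample in [("kibana", SAMPLE_KIBANA), ("elasticsearch", SAMPLE_ES),
                         ("auth", SAMPLE_AUTH), ("login", SAMPLE_LOGIN)]:
        print(name, "->", classify(*sample))
    print(summarize_indices(SAMPLE_ES[2]))
    # Live use against your own host: probe("kibana.internal", KIBANA_PORT, KIBANA_STATUS)
```

Run it against hosts you are authorized to test; any 'open-kibana' or 'open-elasticsearch' verdict from outside your network is the same condition LeakIX reported here, and the index summary shows how much can be learned (index names, document counts, sizes) before a single record is read. The redirect handler matters: urllib follows 302s by default, which would turn a Kibana login redirect into an HTML 200 and hide the fact that authentication is actually in place.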

According to Diachenko, in the middle of June someone broke into the cluster, erased the data, and left a ransom note demanding 10 BTC in its place. The note is shown below:




Beijing has yet to address one of the nation's biggest leaks. In the meantime, stronger regulation and better-secured software should help prevent further attacks, and the incident should serve as a lesson for other nations to keep improving.




©Copyright 2022 Merizuban.  All Rights Reserved.
