Qatar Bank Breach Lifts the Veil on Targeted Attack Strategies

by Simon Edwards

News emerged this week of an alleged data breach at the Qatar National Bank. On the face of it, it’s yet another large multi-national with inadequate security getting hacked and exposing the details of its customers. But on closer inspection the details revealed in the data dump tell us more – that the hacker was using the breached bank data to build up profiles on specific individuals in order to launch follow-on attacks.

It’s another fascinating insight into the shadowy world of cybercrime which should remind us all, businesses and individuals, that personal information is a valuable online commodity that should be protected at all times.

An unusual breach
The 1.4GB trove of documents at first sight appeared to consist mainly of financial documents lifted from the bank. These included customer transaction logs, personal identification numbers and credit card data. But closer inspection revealed dozens of separate folders containing detailed profiles on specific individuals. These include what appear to be files on members of the Qatari royal family; Al Jazeera employees; and others listed as working for MI6, Polish, French and Qatari intelligence agencies.

But what is most interesting is that when the news first broke, when a large zip file was seen briefly on the file sharing site, it was originally thought to be a data breach in a similar mould to those at Ashley Madison and Mossack Fonseca. However, when the file re-appeared shortly afterwards on another whistle-blower clearing house, our investigation showed something rather different.

The 1.5GB of compressed data turned out to be a ‘hacker’s cache’, showing not only what they had managed to exfiltrate, but also how they did it. It is almost as though, in the process of exfiltrating the data, the perpetrators dropped their ‘hoard’ as they made their escape.

The files are arranged into three high-level folders: ‘Backup’, ‘Files’ and ‘Folders’. It is the first of these that shows that the attackers managed to obtain the data with an SQL injection attack, which gave them a large backup file containing the data they were after. Using an open source SQL injection tool they were able to extract all of the customer data they needed. Interestingly, the log file points to the exploitation having started almost 9 months previously (July ‘15).

The resulting dumps of data into CSV files took place over the following months, with many of the files being created as late as April ‘16. Most of the files point to bank account and transaction data pulled from the bank’s databases. But more interestingly there is also a large amount of data surrounding transactional information on the bank’s customers, detailing payments moving in and out of accounts. Most are held in their original CSV format, but others have been converted into spreadsheets with the name ‘Ahmad’ appended to them. These almost exclusively point to foreign financial transactions, for the most part paid to accounts in Jordan.

What does all this mean?
Let’s start with the motive, and that would seem not to be the obvious treasure trove of financial and personal data – although the attackers could certainly have made money selling these details. More interesting is the amount of transactional data and how certain foreign financial transactions to Jordan seem to have been of most interest to the hackers.

Then there are the profiles focusing on Al Jazeera staff and people working for the Defence, Government and Intelligence services, as well as a Muslim scholar. As the transactional data is worked through, will we find a connection between those being profiled and the highlighted financial transactions?

At a time when many data breaches cause as much embarrassment to those exposed as any direct financial loss, is this yet another example? With both the Ashley Madison and Mossack Fonseca data breaches we have seen that the motivation was about exposing the ‘corrupt’ – financially and/or morally. Is this breach trying to expose something similar, or is it simply perpetrators trying to find something which may never have been there in the first place?

Reducing risk
Targeted attacks are no longer the preserve of nation states and spy movies. The truth is that we could all theoretically be targeted. And cyber criminals often go after those individuals they expect to be easier to compromise. Vigilance is important, as is installing modern cyber security tools on your PCs and mobiles, and ensuring your machines are patched and up-to-date to reduce the risk of exploitable flaws.

For organisations, the risk of a breach is higher, especially in high-profile sectors like banking. The above advice needs to be applied on an enterprise-wide scale. But so should the following steps:

  • Restrict the number of privileged accounts, operate a policy of “least privilege access” and enforce 2FA on accounts
  • Install advanced threat detection and prevention solutions with customised sandboxing for extra effectiveness in spotting targeted attacks
  • Log inspection and integrity monitoring to detect unusual behaviour that may indicate an intrusion
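
To make the log inspection step concrete, here is an added example (not code from this article or from the investigation) that scans web access logs for common SQL injection markers and reports how long each flagged client has been active, the kind of months-long span described above. The log lines, client addresses and the `sqltool/1.0` user agent are constructed for illustration, and the pattern list is a small assumed starting set rather than a complete signature base.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote_plus

# Constructed sample lines in combined log format; not data from the breach.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Jul/2015:02:11:09 +0000] "GET /search?q=1%27+UNION+SELECT+NULL%2CNULL-- HTTP/1.1" 200 512 "-" "sqltool/1.0"
198.51.100.4 - - [14/Jul/2015:09:30:00 +0000] "GET /search?q=union+street+branch HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Apr/2016:23:40:51 +0000] "GET /acct?id=5+AND+SLEEP(5) HTTP/1.1" 200 128 "-" "sqltool/1.0"
198.51.100.9 - - [03/Apr/2016:10:00:00 +0000] "GET /acct?id=42 HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" (\d{3})')

# Common SQL injection markers, checked against the URL-decoded request target.
SQLI_RE = re.compile(
    r"union\s+(?:all\s+)?select|information_schema|\b(?:sleep|benchmark)\s*\("
    r"|'\s*or\s+'?\d+'?\s*=\s*'?\d+",
    re.IGNORECASE,
)

def suspicious_requests(log_text):
    """Yield (client_ip, timestamp, decoded_target) for requests matching SQLI_RE."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the scan
        ip, ts, target, _status = m.groups()
        decoded = unquote_plus(target)  # attackers usually URL-encode payloads
        if SQLI_RE.search(decoded):
            yield ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), decoded

def dwell_report(log_text):
    """Map each flagged client to hit count, first/last seen and days between them."""
    hits = defaultdict(list)
    for ip, when, _ in suspicious_requests(log_text):
        hits[ip].append(when)
    return {
        ip: {"hits": len(t), "first": min(t), "last": max(t),
             "days": (max(t) - min(t)).days}
        for ip, t in hits.items()
    }

if __name__ == "__main__":
    for ip, r in dwell_report(SAMPLE_LOG).items():
        print(f"{ip}: {r['hits']} hits over {r['days']} days "
              f"({r['first']:%Y-%m-%d} to {r['last']:%Y-%m-%d})")
```

A client whose flagged requests span weeks or months deserves attention even when each individual request returned an ordinary status code.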

