URL: https://www.lowyat.net/2019/177033/over-1-million-uitm-students-and-alumni-personal-details-leaked-online/
The data in question most likely came from a Pastebin paste posted on 24 January. Titled "UiTM Student Data Leak - 11 SUPERNOVA SECURITY", its author declared it the "Biggest Malaysian Student Data Leak". An additional sample of 10,000 rows could be downloaded from a link provided in the body of the paste.
The now-removed Pastebin content
The additional sample of 10k rows
Source: https://bit.ly/2HxVh7E
This post focuses first on the hacker group "11 SUPERNOVA SECURITY", followed by a brief data analysis of the leaked sample (downloaded from Anonfile).
Disclaimer: In spite of media reports of over 1 million details being leaked, I have NO access to, have not obtained, nor am aware whether such data has been made publicly available. Hence my analysis is based purely on the sample data that was made public on 24 January.
11 Supernova Security Hacker Group Analysis
A quick search reveals that this group has a social media presence and has been active since the creation of its social media profile in September 2018.
The hacker group's logo
The first defacement message, September 2018
The defacement message left on victims from the beginning of 2019 onwards
Analysis of the content and the language used suggests that the actors in this group are:
- Highly likely based in Malaysia
- Possibly interested in Malaysian current affairs or politics (based on the defacement messages)
- Targeting mostly Malaysian government (*.gov.my) and education institution (*.edu.my) domains
- Fans of the One Piece anime, specifically the Eleven Supernovas (one member also calls himself/herself Sir Crocodile, another One Piece character)
The Eleven Supernovas from the anime One Piece
Based on their social media posts, the group has targeted almost 40 websites since 11 September 2018:
- 11 websites under the .gov.my domain
- 20 websites under the uitm.edu.my domain
- 6 other websites
It seems that this group has an "intimate" interest in UiTM. Before the leak was announced publicly, on 22 January, the group had actually posted that they had all the UiTM databases.
Claiming to have the UiTM database two days before the public leak
However, hours after Lowyat's article was published, the group made a statement denying any involvement in the leak and claiming they had been sabotaged instead.
Claiming that they have been sabotaged
The group went on to state that they were not involved in the breach reported in the news, but that "other groups" were using their name to distribute the leak. The group also added that the only data they had was the config host file from the IP that was hosting the websites.
Stressing that the group's name has been misused by "other groups"
In parallel with the claims made by the group, a Twitter account with the handle @Rob1nSecurity was identified posting two links: 1) a new Pastebin link with exactly the same content as the one previously removed by Pastebin, and 2) a link to the group's Facebook page. The profile was quickly deactivated and can no longer be seen.
The Twitter account created to share the link to the leaked content
The challenge here is attribution. Was the 11 Supernova Security hacker group responsible just because the Pastebin content said so? Or was the group really sabotaged by other individuals or groups who took this as an opportunity to leak data they had already held for a while?
Based on the activity on the group's social media page, I could say they are quite interactive: every time they hack or deface a website, they share it quickly on the page to generate attention and gather more fans. This pattern is shared by most hacker groups in South East Asia, where leaking data after defacing a website is not a common practice compared with hacker groups and hacktivists in Latin America or Europe. One has to ask why 11 Supernova Security did not share the Pastebin link on its own page with its followers, seeing how actively they share their successful hacks.
With that in mind, the creation of a Twitter account, @Rob1nSecurity, just to share a new Pastebin link to the samples is definitely questionable (especially its relation to 11 Supernova Security). Here we have a social media page that is always posting links to the group's hacks, and then we have someone who made the effort to create a Twitter profile just to share the links, with no followers? If the intention was to spread the links to a wider audience, shouldn't they have been shared on the group's other social media page, which has more followers and is more interactive?
Data Analysis
Now it is important to verify that the data is legitimate. There have been many cases where hackers who claimed to have hacked and leaked such details were eventually found to have posted either false data or data reused from old breaches.
With the samples in hand, I attempted to validate the data to check whether the dataset was reused, or whether the information could be found in other databases or on websites that may have accidentally exposed it through misconfiguration. However, taking into consideration the limited resources I had at hand, I was unable to find this dataset anywhere else.
The next step I took was to verify the contents of the data. This was done by selecting samples and verifying them manually against open-source databases or any publicly available data that could be found on the internet. In this case, I selected two to three individuals to ensure that they were legitimate individuals rather than falsified, randomly generated people.
While I was able to verify the individual I chose to fact-check via OSINT/SOCMINT methods,
Verifying the details in the sample leak
Everything matches except for the Student ID and IC no.
According to the image posted on Lowyat, the third row is the IC no. data, which I presume is the 12-digit MyKad identification number:
Image from Lowyat
Questionable values for the IC number row
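The manual spot-check above scales badly beyond two or three individuals. As an added example (not code from the original post), the script below runs the same plausibility checks over a whole sample file: it parses each IC number against the standard MyKad layout (YYMMDD birth date, two-digit place-of-birth code, four-digit serial whose last digit encodes gender), flags values that cannot be real (wrong length, impossible dates, unassigned place codes, ages that make no sense for a student or alumni population) and counts duplicate rows. A leak padded with filler or randomly generated people tends to light up on exactly these checks. The CSV rows are constructed for illustration; the column names, the age window and the 2019 reference year are assumptions, not facts about the real sample.

```python
"""Triage checks for a leaked-sample CSV: do the IC numbers look like real
MyKad numbers, or like filler / generated data?  (Added example; the sample
rows below are constructed, not taken from the leak.)"""
import csv
import io
from collections import Counter
from datetime import date

# Place-of-birth codes 01-16 are Malaysian states and federal territories.
# Codes 21 and above denote foreign countries or "other"; 00 and 17-20 are
# unassigned, so an IC carrying them cannot be genuine.
STATE_CODES = {
    "01": "Johor", "02": "Kedah", "03": "Kelantan", "04": "Melaka",
    "05": "Negeri Sembilan", "06": "Pahang", "07": "Pulau Pinang",
    "08": "Perak", "09": "Perlis", "10": "Selangor", "11": "Terengganu",
    "12": "Sabah", "13": "Sarawak", "14": "WP Kuala Lumpur",
    "15": "WP Labuan", "16": "WP Putrajaya",
}


def parse_mykad(ic, ref_year=2019):
    """Split a MyKad number (YYMMDD-PB-###G, dashes optional) into fields.

    Returns (fields, problems). fields is None when the value is not even the
    right shape; problems is a list of short labels explaining why the value
    is not plausible (empty when it passes every check).
    """
    digits = ic.replace("-", "").strip()
    if not (digits.isdigit() and len(digits) == 12):
        return None, ["not 12 digits"]
    yy, mm, dd, pb, serial = digits[:2], digits[2:4], digits[4:6], digits[6:8], digits[8:]
    problems = []
    # Two-digit year: choose the century that does not put the birth in the future.
    year = 2000 + int(yy) if 2000 + int(yy) <= ref_year else 1900 + int(yy)
    try:
        dob = date(year, int(mm), int(dd))
    except ValueError:
        dob = None
        problems.append("invalid birth date")
    if pb == "00" or "17" <= pb <= "20":
        problems.append("unassigned place-of-birth code")
    gender = "M" if int(serial[-1]) % 2 else "F"  # odd last digit = male
    fields = {
        "dob": dob,
        "place": STATE_CODES.get(pb, f"other/foreign ({pb})"),
        "gender": gender,
    }
    return fields, problems


def triage(csv_text, ref_year=2019, min_age=17, max_age=70):
    """Run the plausibility checks over a CSV with an 'ic_no' column.

    min_age/max_age are an assumed window for a student-and-alumni dataset.
    """
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    seen = Counter(r["ic_no"].replace("-", "").strip() for r in rows)
    summary = {
        "rows": len(rows),
        "invalid": 0,            # rows whose IC cannot be a real MyKad number
        "implausible_age": 0,    # well-formed IC, but age outside the window
        "duplicate_ic_rows": sum(n - 1 for n in seen.values() if n > 1),
        "problems": Counter(),   # how often each problem label occurred
        "flagged": [],           # (ic_no, [problem labels]) for manual review
    }
    for r in rows:
        fields, problems = parse_mykad(r["ic_no"], ref_year)
        if problems:
            summary["invalid"] += 1
        if fields and fields["dob"] is not None:
            age = ref_year - fields["dob"].year  # year granularity is enough here
            if not min_age <= age <= max_age:
                summary["implausible_age"] += 1
                problems.append("implausible age")
        if problems:
            summary["problems"].update(problems)
            summary["flagged"].append((r["ic_no"], problems))
    return summary


# Constructed sample: two real-looking rows, one all-zero filler row, one with
# month 13, one that is only 11 digits, one duplicate, one born in ref_year.
SAMPLE_CSV = "\n".join([
    "name,student_id,ic_no,email",
    "Ali bin Abu,2017123456,970815-10-5231,ali@example.edu.my",
    "Siti Aminah,2018234567,981130-03-6784,siti@example.edu.my",
    "Filler One,2018111111,000000-00-0000,filler1@example.edu.my",
    "Filler Two,2018222222,991332-14-1234,filler2@example.edu.my",
    "Muthu,2016345678,75123108123,muthu@example.edu.my",
    "Siti Aminah,2018234567,981130-03-6784,siti@example.edu.my",
    "Newborn,2019000001,190101-01-0001,newborn@example.edu.my",
])

if __name__ == "__main__":
    result = triage(SAMPLE_CSV)
    for key in ("rows", "invalid", "implausible_age", "duplicate_ic_rows"):
        print(f"{key}: {result[key]}")
    for ic, problems in result["flagged"]:
        print(f"  {ic}: {', '.join(problems)}")
```

Run it against the real sample by replacing `SAMPLE_CSV` with the file contents and adjusting the column name; a high `invalid` or `duplicate_ic_rows` count relative to `rows` is the signal that the IC column was padded or generated rather than dumped from a live database, which is the kind of check that makes the "questionable values" in the image quantifiable.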