On April 26, the site Cryptome.org published an archive of 500 MB of data from the Bank of Qatar (Qatar National Bank, QNB). In total, 1.4 GB of files containing more than 15,000 documents were published, including IDs and banking transactions.
Among the documents is a database of more than one million debit cards, including the cardholders’ names, expiration dates and withdrawal limits.
Another file from the leak is a list of notable clients, among them members of the Al Thani royal family of Qatar, employees of the Al Jazeera television channel and of the U.S. Department of Defense, and also spies from MI6 and the DGSE.
These files contain banking information as well as photographs, links to social media profiles and passwords that appear to give access to the customers’ online banking interface at QNB. Yet these intriguing files, prominently (perhaps too prominently) highlighted in the archive released by the hacker, could be a fabrication that corresponds to no real situation.
Security researchers have nevertheless begun verifying the banking information and say it is genuine, although QNB denies this in its statement and asserts “that there is no financial impact to report” for its customers.
A nearly anonymous data leak
While computer hackers do not generally shy away from publicity, the Bank of Qatar data leak has not yet been claimed.
The experts at CybelAngel, however, have found some clues that suggest that the attackers were Russian-speaking, as evidenced by a screenshot that shows access to files on the Bank of Qatar’s website via a browser whose interface is in Russian:
The IP address does indeed correspond to that of the QNB’s website:
According to the screenshots, the site was accessed over several days during the month of January 2016, here for example on the 15th:
Moreover, the files include a SQLmap report dated July 23, 2015. SQLmap is an open-source tool that tests web applications for SQL injection vulnerabilities. In this case, the report lists all of QNB’s database tables as well as passwords. In the screenshot below, one can see the vulnerable parameter in the URL (“partnercategory”) and the type of SQL injection (“UNION”).
CybelAngel has also identified traces of SQL*Plus, Oracle’s command-line client for running SQL queries, through the presence of the afiedt.buf file, the buffer in which SQL*Plus automatically saves the last statement entered.
This evidence shows that the hacker or hackers undoubtedly used SQL injection to steal the data, and that the attack may have extended over several months: the SQLmap report is dated July 2015, while the browser screenshots show access in January 2016.
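A defender reviewing web server logs for the kind of UNION-based injection the SQLmap report documents can look for the telltale UNION ... SELECT construct in query parameters. The following is an added example, not code from CybelAngel or from the leaked archive: the log lines are constructed, and the only detail taken from the case is the “partnercategory” parameter name.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Constructed sample access-log lines (not from the leaked archive). The
# "partnercategory" parameter name is the one cited in the SQLmap report.
SAMPLE_LOG = """\
203.0.113.10 - - [15/Jan/2016:10:02:11 +0000] "GET /partners?partnercategory=12 HTTP/1.1" 200 5120
203.0.113.10 - - [15/Jan/2016:10:02:13 +0000] "GET /partners?partnercategory=12%27 HTTP/1.1" 500 312
203.0.113.10 - - [15/Jan/2016:10:02:15 +0000] "GET /partners?partnercategory=12%27%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CNULL-- HTTP/1.1" 200 5310
203.0.113.10 - - [15/Jan/2016:10:02:16 +0000] "GET /partners?partnercategory=-1%20uNiOn%2F**%2FsElEcT%20table_name%20FROM%20all_tables HTTP/1.1" 200 7210
198.51.100.7 - - [15/Jan/2016:10:03:00 +0000] "GET /partners?partnercategory=credit%20union HTTP/1.1" 200 5120
"""

# Combined-log-format request line: client IP, timestamp, method, target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# A UNION-based injection needs UNION [ALL|DISTINCT] SELECT somewhere in the value.
UNION_RE = re.compile(r"\bunion\s+(?:all\s+|distinct\s+)?select\b")


def normalize(value):
    """Undo obfuscations that tamper scripts commonly apply: repeated
    URL-encoding, inline comments used as whitespace, and mixed case."""
    prev = None
    while prev != value:                       # decode until stable (%2527 -> %27 -> ')
        prev, value = value, unquote_plus(value)
    value = re.sub(r"/\*.*?\*/", " ", value)   # /**/ is whitespace to the SQL parser
    return re.sub(r"\s+", " ", value).lower()


def find_union_injections(log_text):
    """Return (ip, timestamp, status, parameter, decoded_value) for every request
    whose query string carries a UNION ... SELECT construct."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for param, raw in parse_qsl(urlsplit(m["target"]).query, keep_blank_values=True):
            decoded = normalize(raw)
            if UNION_RE.search(decoded):
                hits.append((m["ip"], m["ts"], m["status"], param, decoded))
    return hits


if __name__ == "__main__":
    for ip, ts, status, param, value in find_union_injections(SAMPLE_LOG):
        print(f"{ts} {ip} HTTP {status} {param}={value!r}")
```

The benign “credit union” request is not flagged, while both obfuscated UNION SELECT probes are, along with the status code that tells the analyst whether the injected query succeeded.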
Although the identity and motivation of the hackers remain unknown, the exposure is clearly not the result of an insider leak; on the contrary, it appears to have been a targeted external attack.