In a recent public disclosure via pastebin.com TeamGhostShell claimed to have stolen 1.6 million records off public websites such as NASA, FBI and more under a project named “Project White Fox.”
An open letter that TeamGhostShell published states that the campaign is more of an effort to encourage Hacktivism rather than focus on a target like other groups usually do.
By analyzing a partial sample of the data posted, it was clear that most of the data was captured from CMS systems, and that the extraction method was SQL Injection. The reason for that conclusion is the names of CMS systems within the database content that got extracted alongside well identifiable content characteristics, and the output format that is unique to the database attack tool SQLmap, and even though that was the majority, there was a portion of data in simple CSV format.
Some data that was disclosed was private information such as usernames, passwords and contact information. In some cases, financial data was disclosed.
Looking into the activity in depth, it seems that most of the database dumps that were taken came from closed or open source CMS based web sites with known vulnerabilities.
Naturally, it seems that the targets were chosen out of a list of vulnerable websites based on the mapping of a vulnerability to a CMS based. Then, they used an automated SQL Injection tool to pull out the data.