Confessions of a Professional Hacker: How Hackers Obtained the Secrets of the Panama Papers that Roc


Welcome back, my novice hackers!

A few years back (2016 precisely) a major hack took place that had significant repercussions around the world. This was a hack of the servers at Mossack Fonseca, a major law firm in Panama, and it became known as the Panama Papers hack. This law firm specializes in assisting the rich and powerful to hide their wealth from taxes and scrutiny by creating tax havens overseas.

The hack included over 4.8 million emails, 3 million database files, and 2.1 million PDFs. At the time, this was the largest data leak in history—over 20 times the scale of the WikiLeaks data leak of 2010. These emails and documents detailed the inner workings of a law firm that specializes in assisting wealthy individuals from around the world that were using shell corporations to hide wealth and income. Besides the very wealthy and well-connected, many political leaders were implicated in this data leak including Vladimir Putin, UK Prime Minister David Cameron, Argentina’s Prime Minister, Iceland’s Prime Minister, and many others.

Former Icelandic PM Sigmundur David Gunnlaugsson. Image by Control Arms/Flickr

Repercussions of the Panama Papers

This hack and the information leak was a political earthquake with reverberations and aftershocks rumbling around the world. Its revelations impacted and began to crack some of the status quo power structures worldwide.

First, it has led to the resignation of Iceland’s Prime Minister, who was found to be using Mossack Fonseca to hide assets and profit from his own country’s financial crisis from 2008 to 2010.

Second, it has led to an apology by the Prime Minister of the UK, David Cameron, placing pressure on him to resign. Eventually, he did resign later that year, presumably over the Brexit vote, although his involvement in the Panama Papers did not help.

Third, it is pressuring political leaders spanning the globe to explain why they had accounts in Panama to hide their wealth.

Lastly, and maybe most importantly, it is leading to efforts in several countries to tighten laws on these types of tax dodges that the rich and powerful use to hide their wealth and keep from paying taxes. It’s important to note that in most cases these individuals did not break any laws. Tax laws are written by each nation’s legislators who are heavily “influenced” by the rich and powerful. They purposely enable these people to avoid paying taxes that ordinary citizens cannot.

In a world where nearly every nation on earth is facing a budget crisis and piling up huge amounts of debt because tax revenues are not keeping pace with spending, this is critical. Recent estimates put the quantity of unpaid taxes on the assets hidden by Mossack Fonseca at $200B per year!

Protesters in London calling for David Cameron’s resignation. Image via Dan Kitwood

How They Hacked Mossack Fonseca

Although no one knows for certain how the attackers gained access to Mossack Fonseca’s servers (with the exception, of course, of the attackers themselves), a few key details are known. Probably most importantly, this super secretive law firm failed to take even the most basic security measures in protecting their clients’ information on their servers.

It appears that the law firm’s Outlook webmail access had not been updated since 2009, leaving it vulnerable to attacks on its insecure and obsolete SSLv2. This is likely how the attackers were able to obtain access to the emails.

In addition, the firm’s website was built on the content management system Drupal and had not been updated since 2013 (we know this from the website’s changelogs). As you can see in the screenshot below, of the known vulnerabilities listed on SecurityFocus, Drupal has had over 25 vulnerabilities discovered since that 2013 update.

Although there is no way to be certain what exploit was used to gain access to the Panama Papers, knowing that the website used Drupal, we can scan the known vulnerabilities that would give the attackers access to the firm’s database.

Notice in the screenshot above the “Drupal SQL Comment Filtering System SQL Injection Vulnerability.” This vulnerability applies to Drupal versions prior to 7.39. Drupal version 7.39 was released August 19th, 2015. Since the Drupal installation that Mossack Fonseca was using had not been updated since 2013, this vulnerability was available to the attackers.

If we click on and expand that vulnerability, we can see under the discussion tab that the exploit of this vulnerability “could allow an attacker to execute arbitrary code, to gain elevated privileges and to compromise the application, access or modify data or exploit latent vulnerabilities in the underlying database.”

All of which these attackers did. This is probably how the attackers were able to access the database, the PDFs, and gain root privileges on the database server.
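The version reasoning above can be turned into a patch-level check that a site owner runs against their own install. This is an added example, not code from the original article or from Drupal; the sample changelog text and the audit date are constructed, and it assumes the `Drupal X.Y, YYYY-MM-DD` release headers used in Drupal 7's CHANGELOG.txt.

```python
import re
from datetime import date

# Fixed release named in the article: the issue affects Drupal before 7.39.
FIXED = (7, 39)

# Release headers look like "Drupal 7.39, 2015-08-19". Undated development
# headers ("Drupal 7.xx, xxxx-xx-xx") do not match and are skipped.
HEADER = re.compile(r"^Drupal (\d+)\.(\d+), (\d{4})-(\d{2})-(\d{2})\s*$", re.M)

# Constructed sample for illustration; not Mossack Fonseca's actual file.
SAMPLE_CHANGELOG = """\
Drupal 7.23, 2013-08-07
-----------------------
- Fixed security issues (sample entry).

Drupal 7.22, 2013-04-03
-----------------------
- Sample maintenance entry.
"""

def newest_release(changelog_text):
    """Return ((major, minor), release_date) of the highest version listed."""
    releases = [
        ((int(m[1]), int(m[2])), date(int(m[3]), int(m[4]), int(m[5])))
        for m in HEADER.finditer(changelog_text)
    ]
    if not releases:
        raise ValueError("no dated 'Drupal X.Y, YYYY-MM-DD' header found")
    return max(releases)

def audit(changelog_text, today, fixed=FIXED):
    """Compare the installed release with the fixed one on the same branch."""
    version, released = newest_release(changelog_text)
    if version[0] != fixed[0]:
        status = "different-branch"  # 7.39 says nothing about other majors
    elif version < fixed:
        status = "missing-fix"
    else:
        status = "has-fix"
    return {
        "version": "%d.%d" % version,
        "status": status,
        "days_since_release": (today - released).days,
    }

if __name__ == "__main__":
    # Constructed audit date.
    print(audit(SAMPLE_CHANGELOG, today=date(2016, 1, 1)))
```

A publicly readable CHANGELOG.txt discloses the same patch level to anyone, which is how the article's dating of the firm's last update was possible.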

In addition, in the years since this attack took place, the Drupal CMS has had numerous vulnerabilities and exploits discovered, including the infamous “Drupalgeddon” SQL injection attack of 2018. Clearly this attack was not known to the public at the time of the attack in 2016, but it was circulating among black hat hackers on the dark web at about this same time.

The Most Important Skill Set of the 21st Century

Nearly every day a new security breach takes place. Many of them are cybercrime, accounting for over $400 billion in losses worldwide every year. Some are cyber espionage and cyber warfare, changing the landscape of international relations and warfare in the 21st century. Some, like the Panama Papers hack, rock the world as we know it.

Whatever the nature of the hack, one thing is clear: hacking is the most important skill set of the 21st century and Hackers-Arise is the place to learn it!