Project Hellfire: Millions of Records Taken from Hundreds of Sites

Hacking group “Team GhostShell” has claimed credit for a massive leak of data, alleged to top more than a million records. However, the breach, while exposing some sensitive information, isn’t as bad as it seems, and it was entirely preventable.

Team GhostShell, along with two other associate groups, compromised hundreds of websites in what is being called Project Hellfire. The victims of Project Hellfire cover a wide range of verticals, from financial and law enforcement to political and family-owned businesses. The records taken from the victims, however, range from sensitive to useless.

SQL Injection Attacks

Project Hellfire’s data dump contains thousands of email addresses, some of which can be paired with usernames and passwords. Moreover, there are phone numbers, home or business addresses, immigration status, and political affiliation records. However, while the headlines focus on the scope of the data leak, the reality is that a majority of the leaked data is useless to a novice criminal.

In fact, when SecurityWeek examined some of the leaked database dumps, many of them were exports of the entire website, meaning Team GhostShell leaked data that was already in the public eye. Overhyped blob of data aside, the fact remains that some sensitive information needlessly ended up in the wrong hands, and it was entirely preventable.

For example, a community association management firm, C.I.A. Services, is a consulting agency for business leaders. Clearly they wouldn’t be a target for GhostShell under any sort of activism stance, but they were targeted because a simple Google search would have pointed vulnerability seekers to their domain.

C.I.A. Services’ domain was discovered with a simple Google Dork, or – to keep things simple – a specialized search used in scouting for website vulnerabilities. In this case, the search term was obviously “index.php?id=” or a variant such as “*.php?id=” – both would enable a potential attacker to discover sites that could be vulnerable to SQL Injection or other website flaws.

Other victims of Project Hellfire showed up under the same search used to discover C.I.A. Services, including The Garret Group (financing firm for semiconductor sales), Commercial Bank of Wyoming, the GUE/NGL Group in the European Parliament (Confederal Group of the European United Left/Nordic Green Left), and Eman Travel and Tours (a family-owned travel business).

There were others discovered by using similar searches, but the point is that the compromises were avoidable. When SecurityWeek examined the list of websites targeted by Project Hellfire, some of them were running homegrown Content Management Systems (CMS) applications, while others used outdated CMS software.

In both cases, the lack of security allowed an attacker with a simple attack tool to take complete control of their domain. For many of the businesses targeted, there is no reason this simplistic attack should have worked, as they should have protected their digital assets.

Based on the data leaked, many of the attacks used SQLMap, an open source SQL Injection tool used by penetration testers and criminals alike. If a site is vulnerable, as determined by the previously mentioned Google Dork, this tool will allow an attacker to target the domain and exploit it with a few keystrokes.
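The “index.php?id=” pattern behind these compromises comes down to one coding habit: splicing the raw id parameter into a SQL string. The following is an added example, not code from any of the sites named above, using a constructed SQLite table to show why the homegrown-CMS pattern exposes even unpublished rows to a tautology payload, and how strict input validation plus a bound parameter closes it.

```python
import re
import sqlite3


def make_db():
    """Constructed sample data standing in for a small CMS 'pages' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, published INTEGER)")
    conn.executemany(
        "INSERT INTO pages VALUES (?, ?, ?)",
        [(1, "Home", 1), (2, "About", 1), (3, "Draft: board minutes", 0)],
    )
    return conn


def lookup_page_vulnerable(conn, id_param):
    """The homegrown-CMS habit: the ?id= value goes straight into the SQL text.

    With id_param = "1 OR 1=1" the WHERE clause becomes
    'published = 1 AND id = 1 OR 1=1'; AND binds tighter than OR, so the
    tautology matches every row, including the unpublished draft.
    """
    sql = "SELECT id, title FROM pages WHERE published = 1 AND id = " + id_param
    return conn.execute(sql).fetchall()


def lookup_page_hardened(conn, id_param):
    """Allow-list the parameter (ASCII digits only), then bind it.

    Binding means the value is never parsed as SQL; the digit check is a
    second layer so a crafted value is rejected before the query runs.
    """
    if not re.fullmatch(r"[0-9]+", id_param):
        return []
    return conn.execute(
        "SELECT id, title FROM pages WHERE published = 1 AND id = ?",
        (int(id_param),),
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    for value in ("2", "1 OR 1=1"):
        print(repr(value), "vulnerable:", lookup_page_vulnerable(db, value))
        print(repr(value), "hardened:  ", lookup_page_hardened(db, value))
```
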

The lesson here is that websites are a portal into the organization, and they should be protected. While none of the sites hit during Project Hellfire are what most would consider high-profile, many of them are in the SMB segment, so there is no reason for such basic attacks to have succeeded.

A basic overview of two of the most common SQL Injection tools for testing and attacking can be seen here
