As part of our routine threat hunting exercise, the Cyble Research Labs recently discovered an open ElasticSearch (ES) server with the alias ‘SocialNet’. The server is hosted in China and owned by ChinaNet Shaanxi.
Upon further investigation, we note that the elasticssearch server has data logs and data sets collected from a variety of sources. These include but are not limited to:
- LinkedIn profiles, Twitter and several others social media apps
- Chat apps such as Telegram, WeChat, Voxer
- Leaked passwords from various third parties
- Wiki information of various activists who have protested against Chinese government
- Data collected from various US government websites
- Contact numbers of residents of Taiwan, India, Singapore, Hong Kong, the US and Iran
- One-to-one communications or chat mesages from popular apps
- Multiple databases with the keywords of popular US politicians
We noted that over 4.4 billion data sets were available on the server, with the data belonging to the following regions:
- U.S.
- India
- Japan
- Taiwan
- Hong Kong
- Vietnam
- The Middle East
- Iran
Cyble researchers also noticed a number of databases / elasticsearch indices created for capturing data points and conversations of US politicians.
Based on our analysis of the elasticsearch server infrastructure, we suspect that it is associated with a malicious domain sxhaly[.]gnway[.]cc:8888.
Analysis of SocialNet
The total size of the ES is ~7.60TB, containing a total of 402 indices (databases). As shown in the screenshot below, the name of the ES is “SocialNet”.
We suspect that the exposed elasticsearch server is backed by a politically motivated agenda targeting the U.S and other countries. The following images showcase the data indices of the exposed elasticsearch server containing sensitive data related to U.S. legislation, along with other sensitive political data.
Our investigation led to the identification of the three private nodes that are listed below:
- 192.168.1.229:9300
- 192.168.1.230:9300
- 192.168.1.231:9300
Figure 10 showcases the data of Civil servants, as seen in the elasticsearch data indices.
We observed that the exposed elasticsearch has U.S. White House data in separate indices as shown in Figures 11 and 12.
The following figures showcase data from the 116th and 117th U.S. State Legislation as found in the SocialNet exposed server, with a total of 14,963 related records.
We also found a data index containing 455,359 records of the U.S. capital Flow Senates, as shown in figure 15.
Based on further investigation, we found 3,447,542 records of residents of Taiwan, as shown in figure 16.
Interestingly, the exposed elasticsearch also contains details of communications by U.S. politicians, as shown in figure 17.
The attacker also scrapped finance data from the website docquery.fec.gov, and the collected data is shown in figure 18.
Based on our investigation, appearing to be a Social Security surveillance operation, this ES server has also collected Twitter data belonging to U.S. Senators, as shown in figure 19.
One of the data sets also contains plain text usernames and passwords, with a total of 193,301,730 identified records contained in the index.
This surveillance operation has also harvested profiles of individuals who were involved in protest activities against China, as shown in Figure 21.
In China, the United States of America is colloquially known as meiguo. The presence of a particular data index named meiguo_congress makes us suspect that the social surveillance operation has harvested U.S. Congress data as well.
Conclusion
This incident infers a large-scale social media data collection being carried out, along with U.S. government information. While the exact source within China of these data points is still being investigated, it highlights a vested interest in monitoring the social media activities of U.S. politicians, activists who have protested against China, and other nationalities who have some level of stiffness with the Chinese authorities. Is this linked to a political influencing campaign sponsored by the Chinese state or by a privately-owned company? Time will tell us!
The Cyble Research team will continue to monitor such data leaks on the surface as well as the darkweb to shed light on such cybersecurity incidents in addition to validating their impact. We will also inform Cyble’s enterprise customers about the impact of this data leak.
Our Recommendations
Following are some of the essential cybersecurity best practices to create the first line of control against attackers. We recommend our readers to follow the best practices suggested below:
- Never share your personal information, including financial information, over the phone, email, or SMSes.
- Use tough-to-guess passwords besides implementing multi-factor authentication.
- Make it a habit to keep a watch on your financial transactions, and if you notice any suspicious activity, contact your bank immediately.
- Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic.
- Never open untrusted links and email attachments without verifying their authenticity.
About Us
Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the Darkweb. Its prime focus is to provide organizations with real-time visibility to their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Start-ups To Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit www.cyble.com.
