Analysis of Aug 16th cyber attack against OBS (Olympic Broadcasting Services)
Information leakage of database associated to OBS main website:
- Uma versão deste artigo em Português também está disponível.
On August 16th, Tempest’s team identified an important hacktivism incident associated to the operation #OpOlympicHacking: Brazilian hacktivist group AnonOpsBR published on its Twitter profile (@anonopsbrazil) a supposed data dump of OBS (Olympic Broadcasting Services).
OBS is an official agency of the IOC (International Olympic Committee), which is responsible for generating images of the Olympic Games and providing them to the companies which hold broadcasting rights.
The original tweet about the leak was published by AnonOpsBR on 16:12h (Brazilian local time), corresponding to 19:12h (UTC).
A screenshot of the publication is shown next:
The tweet informed OBS had been compromised on behalf of the operation #OpOlympicHacking. It also contained a link to another message posted on Pastebin.
The text stored on Pastebin contained a short introduction to the #OpOlympicHacking (which had already been found on several other posts associated to the operation) and the following description: ‘Olympic Broadcasting Services (OBS) Database’.
In addition, this text also contained a download link to retrieve the dump associated to the supposed leaked database.
A screenshot of the first lines of the data dump is shown next:
A few hours later, other Brazilian hacktivist actors started to spread the news about the OBS data dump. The Twitter profile @YourAnonNewsBR — which has around 32,000 followers — re-tweeted the original message regarding the information leak. In addition, the AnonBRNews page on Facebook, with almost 430,000 likes, also published a message regarding the dump. This information started to draw attention on Brazilian social networks and media outlets by the evening of August 16th.
Before the dump was removed from MEGA, the file hosting service used by AnonOpsBR, Tempest's team have downloaded it and carried out an initial analysis on the information it contained.
It was possible to identify strong evidence that the dump was actually comprised of real OBS data, for instance information regarding its employees and freelancers, including (but not limited to):
- Full names;
- Mobile and landline numbers on Rio de Janeiro;
- E-mail addresses at OBS;
- Job positions.
The data dump also contained some links to potentially sensitive PDF documents supposedly stored on the company's main website (www.obs.tv).
Around 2 hours after the first Twitter message regarding the data dump was disclosed, OBS main website was taken offline — probably by the company itself and bearing no association to denial of service attacks or any other cyber offensives.
The website was online again by the end of August 16th, but it is uncertain if all of its sections and features were fully restored.
Intelligence data and unofficial information collected during August 16th and 17th point that the leak was comprised of real data, yet that it had not affected image generation and transmission of the Olympic Games, since all field operations of OBS would be segregated from its online presence on the Internet.
Given the nature of the dump, associated metadata and leaked information, it is very likely that the data was obtained as a result of a SQL Injection attack on the OBS website. However, by the time this report was published, there was no official confirmation of such hypothesis.
A likely motivation for this attack is related to the incident involving an OBS video camera that plunged off the supporting cables in the facilities of the Olympic Park in Rio de Janeiro. This incident happened in August 15th and resulted in the video camera hitting some bystanders, who needed to receive medical care.
At last, it is important to point out that the OBS compromise and associated data dump have no relation with Rio 2016’s technological infrastructure or any of its systems, which have undergone no impact on their operations and have not been affected by any means.