Sqrrl Blog

Sep 4, 2015 1:32:00 PM

Cyber Incident Matrix: Ashley Madison

Complexity Score: 4
Severity Score: 6
How did we get these numbers?

Incident Summary

  • What was breached: User Data from Avid Life Media websites, specifically targeting the Ashley Madison infidelity website

  • Delivery: Announced July 2015,

  • The Attackers: A hacking group known as "The Impact Team"

Overview:

Ashley Madison is a famous (or perhaps infamous) website connecting married people who wish to have affairs. Over at least the last 6 months a hacker group going by the name of “Impact Team” infiltrated what was described as “weak security systems,” threatening to leak email addresses, credit card numbers, private messages, and other sensitive information of Avid Life Media users (the parent company of Ashley Madison) if ALM did not shut down Ashley Madison immediately. The Impact Team claimed in its threat statement that it had taken over and had been exfiltrating AM information “over the past few years.” How long it had access to AM’s sensitive files is unknown, but on August 18th, the group made good on its threat and released over 25GB of sensitive information.

[Figure: Sqrrl Cyber Incident Matrix. Incidents shown: OPM Breach, IRS Breach, Anthem Breach, ATM hacks, Kaspersky hack, Insider Trading hacks, Ashley Madison Breach]

Complexity Score:

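| Plan Time | Indirect Attack | Cyber/Human Coordinated | Zero-Days Used | Time Undetected | TTPs Used | Total |
|-----------|-----------------|-------------------------|----------------|-----------------|-----------|-------|
| 1         | 0               | 1                       | 0              | 2               | 0         | 4     |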

Not much is known about the methods the Impact Team used to breach Ashley Madison. According to a release by ALM, it’s likely that the breach was perpetrated by an insider. They state: “We’re on the doorstep of [confirming] who we believe is the culprit, and unfortunately that may have triggered this mass publication. I’ve got their profile right in front of me, all their work credentials. It was definitely a person here that was not an employee but certainly had touched our technical services.” Based on these comments, it seems likely that the operation coordinated a cyber intrusion with a human insider, possibly one with physical access to AM infrastructure. This brings our coordinated score to 1.

According to an interview with alleged members of Impact Team conducted by VICE News, Ashley Madison’s security was described as “Bad. Nobody was watching. No security. Only thing was segmented network. You could use Pass1234 from the internet to VPN to root on all servers.” Based on this description, it does not seem like the Impact Team needed to use any particularly advanced TTPs (Tactics, Techniques, and Procedures) to infiltrate the site. In that same interview, the Impact Team revealed they had been collecting data for years prior to the dump, bringing our time undetected score to 2. Given the scope of the attack, the plan time was likely less than a year but may have taken a number of months given the attack’s premeditated nature, bringing that score also to 1.

While details on the AM breach are still vague, we will be updating this post as further information on TTPs and potential 0-days is revealed.

Severity Score:

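| Incident Costs | Physical Damage | Lives Lost | Nat. Sec. Impact | Total |
|----------------|-----------------|------------|------------------|-------|
| 4              | 0               | 2          | 0                | 6     |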

Ashley Madison’s business model is based on trust between the company and the user. With something as sensitive as extramarital affairs, it makes sense that one would want their information kept private. In the aftermath, it is not hard to see why. Already, there have been thousands of publicly and privately reported cases of blackmail. Sites have been set up to send threatening letters to people whose emails match those in the leaked data. Sadly, we’ve also had to add our first points to the “Lives Lost” category (albeit in an indirect fashion), as at least one suicide has been reported to be allegedly connected to the data leaks. This is not to mention the emotional toll a revealed affair takes on a family.

It is important to note that Ashley Madison had no verification of email validity. Anyone could input any email and use it as their own account. However, several high-profile people have admitted to using the site (like reality star Josh Duggar).

As for monetary losses, it seems that if the bad PR doesn’t damage Ashley Madison into closure, the lawsuits might. Already a $500 million lawsuit is being leveled against the company.
