Team GhostShell's Project WhiteFox logo.

Team GhostShell published their "last project" Monday, "Project WhiteFox." The hacking crew again used their signature method of announcing the large-scale hack, hijacking numerous Twitter  profiles to link to their Pastebin page and notify tech blogs and writers who have covered them in the past.

On the page linking to data taken as part of Project WhiteFox, Team GhostShell explained some of their actions over the past year or so. They also revealed that "DeadMellox" was a ploy, writing that he "was a ghost to begin with."

"We used the name afterwards to trackback all mentions of that name all over the place," the hackers wrote, adding, "Well, the whole plan is a bit more complicated than that, part of a bigger story, but let's leave it at that for now."

The organizations hit by Project WhiteFox include The European Space Agency, NASA's Center For Advanced Engineering, the Credit Union National Association (CUNA), a defense contractor for the Pentagon and Aquilent, an intelligence firm that states on its website that it makes "technology work for you."

In a survey of some of the data Team GhostShell posted to various paste-up sites, Betabeat noted login information including emails and passwords as well as the texts of what appear to be internal communications.

Team GhostShell ended the long list of links to hacked data with a rundown of its ops from 2012. These included #ProjectDragonFly, which Team GhostShell termed "a real cyberwar upon China" in the name of freedom of speech and #ProjectWestWind, which famously hacked top-shelf educational institutions around the world to protest "school policies that had spiked tuition fees, outdated reforms and unprepared school faculty."

While Project WhiteFox is supposedly the team's final exploit for this year, Team GhostShell signed off with a hint they'd return, writing, "who knows, maybe we'll see each other again next year."

Hundreds of systems administrators and IT security staff around the world probably hope Team GhostShell is done for good.

In your networks, downloading your databases.

Hacking group Team GhostShell, which recently hacked records from major universities around the world, has materialized again to announce a declaration of war against Russia. It calls the operation Project BlackStar and claims it already has "access to more russian files than the FSB (Russia's answer to the CIA)."

Team GhostShell has a novel approach to promoting its ops--it uses mulitple hacked Twitter accounts, posting the same message directed at various tech blogs and writers on each one:

#ProjectBlackStar - GhostShell declares war on Russia pastebin.com/yXN7uc6r @breakthesec @stevehuff @betabeat @arstechnica @wired @johnedunn

— Susie Hargreaves (@SusieHargreaves) November 2, 2012

The user whose account was used to post the preceding blurb later tweeted, "Any GhostShell or Project Blackstar tweets are not mine. Account compromised."

In the Pastebin post linked from the hacked accounts, Team GhostShell's DeadMellox explained why it is targeting Russia:

For far too long Russia has been a state of tyranny and regret. The average citizen is forced to live an isolated life from the rest of the world imposed by it's [sic] politicians and leaders. A way of thinking outdated for well over 100 years now. The still present communism feeling has fused with todays capitalism and bred together a level of corruption and lack of decency of which we've never seen before.

Later in the post, DeadMellox writes that even while the Russian people are having a hard time, "the Russian Government has enough resources to spend on it's [sic] spies." That's why, the hacker writes, "GhostShell is declaring war on Russia's cyberspace, in "Project BlackStar."

Aimed directly at the Russian government, Project BlackStar has begun with what DeadMellox calls "a nice greeting of 2.5 million accounts/records leaked, from governmental, educational, academical, political, law enforcement, telecom, research institutes, medical facilities, large corporations (both national and international branches) in such fields as energy, petroleum, banks, dealerships and many more."

Betabeat reviewed some files with assistance from Google translations and our rusty college Russian, and Team GhostShell appears to be true to its word. Example: a large database dump from the Russian Academy of Sciences Institute of Scientific Development. It's hard to say whether this or other files contain vital information--we'll leave that to the Russians.

screengrab

Team GhostShell returned late Monday with Project WestWind: a leak of 120,000 records from 100 major universities around the world.

Team GhostShell is the hacking group behind Project Hellfire, which launched in August this year. Project Hellfire lifted 1 million accounts from 100 websites around the world, compromising data from the CIA and from Wall Street.

The hacked data leaked in Project WestWind does indeed appear to come from a who's who of major learning institutions. They include Harvard, Cambridge, Princeton, Tokyo University, Cornell and New York University.

In their Pastebin announcement, Team GhostShell said Project WestWind was a serious effort to jump-start a dialogue on the state of higher education today. Apparently this hack wasn't pranksterism for the lulz, but hacktivism for the greater good:

We wanted to bring to your attention different examples from Europe, how the laws change so often that even the teachers have a hard time adjusting to them, let alone, the students, to the US, where tuition fees have spiked up so much that by the time you finish any sort of degree, you will be in more debt than you can handle and with no certainty that you will get a job, to Asia, where strict & limited teachings still persist and never seem to catch up with the times and most of the time fail to prep you up for a world where foreign affairs are crucial in this day and age.

The hackers ask that others use the information as a conversation starter, team member DeadMellox writing:

You don't have to talk about it with us, what's important is that you bring up the subject 'today's education' in day-to-day conversations with your family, friends, people close to you and try to understand the system better, together. How it works, how a certain type of diploma can or cannot help you in your road to the career you want to pursue.

Though Team GhostShell's data dump contains user screen names and mostly hashed passwords (Betabeat examined one file in which some of the passwords were apparently cracked), they claim they've kept the leaked records to a minimum.

Team GhostShell issued a warning to the targeted institutions regarding the states of their networks: "When we got there, we found out that a lot of them have malware injected. No surprise there since some have credit card information stored."

Betabeat has reached out to a web network administrator at one of the hacked universities for comment and will update this post if we receive a response.

People need to start expecting this.

This weekend, a group of hackers claiming solidarity with Anonymous performed a huge data dump of 1 million records. Speaking for Team GhostShell, black hat hacker DeadMellox evoked a metal vibe, writing, “All aboard the Smoke & Flames Train,” before listing targets of the dump.

Wall Street, the CIA., political advisers, internet hosting services, banks and police departments appeared to be among the fallen, as well as hedge funds, estate agencies and "Robotics, etc.”

DeadMellox explained that the leak was "Team GhostShell's final form of protest this summer against the banks, politicians and for all the fallen hackers this year."

As The Register noted, some databases contain over 30,000 records.

Imperva Data Security analyzed Team GhostShell's attack and concluded the hackers used SQL injection to cull admin logins, usernames, passwords, files and documents. However, Imperva concluded "a lot of the stolen content did NOT include any sensitive information."

Team GhostShell works with MidasBank and OphiusLab. They're not done yet:

To conclude this summer's hacking spree, I will be giving away to anyone who's up for the challenge three different access points to three different groups/crews out there. It's our way of saying how great it's been raiding with you and let's hope that it isn't over just yet. The access-points are the following: 1. Six billion databases from a chinese mainframe full of chinese & japanese technology. It's very possible that it has from other countries as well, we haven't checked them all for obvious reasons. 2. Over 105 billion databases to a US stockexchange mainframe/s. It's very possible that the actual number is over 1 trillion, I wasn't prepared the first time and it gave me a memory error after 105 when it tried to add another digit. This job will require you to have at least 1TB available. 3. Access-points to 3-4 different servers belonging to the Department of Homeland Security. The sensitive information isn't that great but it may be good for street cred.

Network World points out Team GhostShell hacked a ton of Chinese sites last spring in Operation ProjectDragonFly. The hackers appeared to blow through vaunted Chinese security measures to obtain usernames, passwords, even passport information.

The fun is just beginning for government and Wall Street security experts.