Aubrey Cottle allegedly gained access to the Texas GOP’s website through a breach of its hosting provider. The post DOJ charges hacker for 2021 Texas GOP website defacement appeared first on CyberScoop.
# Incident Report: 2021 Texas GOP Website Defacement and Data Theft by "Kirtaner"
## Executive Summary
In September 2021, the Texas Republican Party's website was defaced, and a 180GB file of personal data, obtained through a breach of the party's hosting provider, Epik, was exfiltrated. The alleged perpetrator, Canadian citizen Aubrey Cottle (aka "Kirtaner"), gained access via vulnerabilities in the hosting provider's infrastructure and later bragged about the actions on social media. Cottle subsequently released the stolen data via BitTorrent.
## Incident Details
- **Discovery Date:** The defacement was publicly visible in **September 2021**. (The precise breach date and the full extent of the data exfiltration are not detailed, but claims of root access to the provider date to earlier in 2021.)
- **Incident Date:** **September 2021** (for public defacement and data release).
- **Affected Organization:** Republican Party of Texas (RPT).
- **Sector:** Political Organization / Government Affiliate.
- **Geography:** Texas, USA (Target); Perpetrator based in Canada.
## Timeline of Events
### Initial Access
- **Date/Time:** Prior to September 2021; emails cited in the report show Cottle claiming root access to Epik in **February 2021**.
- **Vector:** Breach of the Texas GOP's hosting provider, **Epik**, likely via SQL Injection (SQLi) vulnerability exploitation.
- **Details:** Cottle allegedly acquired root access to Epik’s network, virtual machines, web domains, and customer data.
### Lateral Movement
- **Details:** The attacker leveraged access to the hosting provider (Epik) to compromise the Texas GOP's web assets, and also allegedly downloaded the contents of an **Apache backup web server** owned by the Texas GOP.
### Data Exfiltration/Impact
- **Details:** A **180-gigabyte file** of stolen personal information was downloaded and subsequently released publicly via **BitTorrent**. The RPT website was **defaced** with messages including "JET FUEL DOESN’T MELT STEEL," "BUSH LIED, PEOPLE DIED," and "Trans demon hackers are coming to get you."
### Detection & Response
- **Details:** The defacement was immediately visible on the public website. Investigations, potentially by the FBI, tracked the data exfiltration via BitTorrent to a Bell Canada customer identified as Cottle. Evidence was gathered through Cottle's public social media bragging (TikTok user "kirtaner") and subsequent seizure of data following an Ontario Provincial Police warrant.
## Attack Methodology
- **Initial Access:** Exploitation of a vulnerability (**SQLi exploit**) against the hosting provider, Epik.
- **Persistence:** Evidence suggests persistence via root access to Epik’s network and virtual machines (**February 2021** email claim).
- **Privilege Escalation:** Not explicitly detailed, but securing root access on the provider level implies successful privilege escalation against Epik's infrastructure.
- **Defense Evasion:** Claims of successful evasion were made: "when it hits you’ll never see it attributed to me." (Actual defense evasion techniques are not specified beyond this claim).
- **Credential Access:** Not explicitly detailed, but likely involved accessing credentials associated with the web server or backup server during the root access stage.
- **Discovery:** Internal reconnaissance achieved via root access to Epik's network.
- **Lateral Movement:** Movement from the hosting provider's infrastructure to the target data/web servers.
- **Collection:** Collection of personal data stored on the Texas GOP's Apache backup web server, totaling 180GB.
- **Exfiltration:** Release of the 180GB file publicly via **BitTorrent**.
- **Impact:** Website defacement and public release of stolen personal data.
## Impact Assessment
- **Financial:** Not specified, but legal defense and data remediation costs likely incurred. Cottle faces potential prison time.
- **Data Breach:** **180 Gigabytes** of **personal information** stolen from the Texas GOP via the hosting provider.
- **Operational:** Operational disruption due to website defacement and the need to address the compromised data integrity.
- **Reputational:** Negative publicity for the Republican Party of Texas due to the defacement messages and data leak.
## Indicators of Compromise
- **Network indicators:** Torrent download activity from Cottle's IP address (Bell Canada customer). (Note: Specific C2 IPs or domains other than Epik are not provided).
- **File indicators:** A seized file folder named **"EpikFailYouLostTheGame"** on a solid-state drive.
- **Behavioral indicators:** Social media bragging (TikTok posts by "kirtaner," Discord messages acknowledging the SQLi exploit).
## Response Actions
- **Containment:** Not detailed, but implied that Epik's compromised services were eventually secured.
- **Eradication:** Law enforcement actions, including a search warrant executed by the Ontario Provincial Police, resulted in the seizure of 20 terabytes of data from Cottle's residence.
- **Recovery:** Not detailed, focusing primarily on the legal pursuit of the actor.
## Lessons Learned
- Reliance on third-party hosting providers (Epik) introduces significant third-party risk, as a compromise at the provider level grants access to multiple clients.
- Over-reliance on public-facing social media for communication can inadvertently serve as crucial evidence for law enforcement investigations.
- Storing sensitive data on accessible backup servers creates a high-value target.
## Recommendations
- Conduct thorough third-party risk assessments, especially for critical infrastructure providers like web hosts.
- Implement strict access controls and comprehensive segmentation between production content and backup storage environments.
- Monitor public and dark web forums and social media channels for unauthorized claims of breach activity related to organizational assets. Such monitoring aids *detection*; organizations should also review their own and their providers' IT practices for weaknesses that could enable similar exploitation.