Cyble_Featured-Image_SocialNet_Social-Surveillance_US

​Dissecting “SocialNet” – A Chinese Social Surveillance Operation?

As part of our routine threat hunting exercise, the Cyble Research Labs recently discovered an open ElasticSearch (ES) server with the alias ‘SocialNet’. The server is hosted in China and owned by ChinaNet Shaanxi.  

Upon further investigation, we note that the elasticssearch server has data logs and data sets collected from a variety of sources. These include but are not limited to:

  • LinkedIn profiles, Twitter and several others social media apps
  • Chat apps such as Telegram, WeChat, Voxer
  • Leaked passwords from various third parties
  • Wiki information of various activists who have protested against Chinese government
  • Data collected from various US government websites
  • Contact numbers of residents of Taiwan, India, Singapore, Hong Kong, the US and Iran
  • One-to-one communications or chat mesages from popular apps
  • Multiple databases with the keywords of popular US politicians

We noted that over 4.4 billion data sets were available on the server, with the data belonging to the following regions: 

  • U.S. 
  • India 
  • Japan
  • Taiwan 
  • Hong Kong 
  • Vietnam
  • The Middle East    
  • Iran 

Cyble researchers also noticed a number of databases / elasticsearch indices created for capturing data points and conversations of US politicians.

Figure 1 Whois information of the ES 

Based on our analysis of the elasticsearch server infrastructure, we suspect that it is associated with a malicious domain sxhaly[.]gnway[.]cc:8888. 

Analysis of SocialNet

The total size of the ES is ~7.60TB, containing a total of 402 indices (databases). As shown in the screenshot below, the name of the ES is “SocialNet”. 

Figure 2 ES Attributes to a cluster named “SocialNet” 

We suspect that the exposed elasticsearch server is backed by a politically motivated agenda targeting the U.S and other countries. The following images showcase the data indices of the exposed elasticsearch server containing sensitive data related to U.S. legislation, along with other sensitive political data. 

Figure 3 List of indices that are a part of this exposed Elasticsearch 
Figure 4 List of indices that are a part of this exposed Elasticsearch 
Figure 5 List of indices that are a part of this exposed Elasticsearch 
Figure 6 List of indices that are a part of this exposed Elasticsearch 
Figure 7 List of indices that are a part of this exposed Elasticsearch 
Figure 8 List of indices that are a part of this exposed Elasticsearch 
Figure 9 List of indices that are a part of this exposed Elasticsearch 

Our investigation led to the identification of the three private nodes that are listed below: 

  • 192.168.1.229:9300 
  • 192.168.1.230:9300 
  • 192.168.1.231:9300 

Figure 10 showcases the data of Civil servants, as seen in the elasticsearch data indices.  

Figure 10 Elasticsearch Index containing data of civil servants 

We observed that the exposed elasticsearch has U.S. White House data in separate indices as shown in Figures 11 and 12.

Figure 11 elasticsearch index containing data from the US White House members (Total records: 25) 
Figure 12 elasticsearch index containing data from the US White House members (Total records: 25) 

The following figures showcase data from the 116th and 117th U.S. State Legislation as found in the SocialNet exposed server, with a total of 14,963 related records. 

Figure 13 Data from the 116th and 117th U.S. State Legislation
Figure 14 Data from the 116th and 117th U.S. State Legislation

We also found a data index containing 455,359 records of the U.S. capital Flow Senates, as shown in figure 15. 

Figure 15 Index containing data from the US Capital Flow Senate (Total records: 4,55,359) 

Based on further investigation, we found 3,447,542 records of residents of Taiwan, as shown in figure 16.  

Figure 16 Index containing data of Taiwan Residents (Total records: 3,447,542) 

Interestingly, the exposed elasticsearch also contains details of communications by U.S. politicians, as shown in figure 17. 

Figure 17 exposed elasticsearch contains details of communications by U.S. politicians 

The attacker also scrapped finance data from the website docquery.fec.gov, and the collected data is shown in figure 18. 

Figure 18 Test Index containing data on Campaign Finance Data (scrapping was performed on docquery.fec.gov) 

Based on our investigation, appearing to be a Social Security surveillance operation, this ES server has also collected Twitter data belonging to U.S. Senators, as shown in figure 19.

Figure 19  meiguoyiyuan_tw_all Index containing twitter data of US. Senators 

One of the data sets also contains plain text usernames and passwords, with a total of 193,301,730 identified records contained in the index.  

Figure 20 bs_mail Index containing usernames and plain-text passwords (Total records: 193,301,730) 

This surveillance operation has also harvested profiles of individuals who were involved in protest activities against China, as shown in Figure 21. 

Figure 21 Wiki links containing profiles of individuals involved in some level of protest against Chinese policies. 

In China, the United States of America is colloquially known as meiguo. The presence of a particular data index named meiguo_congress makes us suspect that the social surveillance operation has harvested U.S. Congress data as well. 

Figure 22 meiguo_congress index  

Conclusion 

This incident infers a large-scale social media data collection being carried out, along with U.S. government information. While the exact source within China of these data points is still being investigated, it highlights a vested interest in monitoring the social media activities of U.S. politicians, activists who have protested against China, and other nationalities who have some level of stiffness with the Chinese authorities. Is this linked to a political influencing campaign sponsored by the Chinese state or by a privately-owned company? Time will tell us!

The Cyble Research team will continue to monitor such data leaks on the surface as well as the darkweb to shed light on such cybersecurity incidents in addition to validating their impact. We will also inform Cyble’s enterprise customers about the impact of this data leak. 

Our Recommendations 

Following are some of the essential cybersecurity best practices to create the first line of control against attackers. We recommend our readers to follow the best practices suggested below:   

  • Never share your personal information, including financial information, over the phone, email, or SMSes.     
  • Use tough-to-guess passwords besides implementing multi-factor authentication.     
  • Make it a habit to keep a watch on your financial transactions, and if you notice any suspicious activity, contact your bank immediately.     
  • Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic. 
  • Never open untrusted links and email attachments without verifying their authenticity.   

About Us 

Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the Darkweb. Its prime focus is to provide organizations with real-time visibility to their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Start-ups To Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit www.cyble.com

%d bloggers like this: