
Feb 20, 2022

Page 1

Mission: The primary mission of HIM is independence from the Federal Government.

HIM-Cyber is executing a two-phase campaign against both the State and Federal Governments. These phases are executed simultaneously.

1) Information Operations (IO) Campaign to gain the sympathy and support of the public.

2) Demonstrate that State and Federal Governments are incapable of supporting the local community during the humanitarian disaster and outbreak.

Page 2

1) Information Operations (IO) Campaign to gain the sympathy and support of the public.

Desired Effects: Deface/manipulate websites

Exfiltrate PII in order to reduce the citizens’ confidence in the government

Exfiltrate data that would reflect badly on the government and release it to the media

Page 3

2) Demonstrate that State and Federal Governments are incapable of supporting the local community during the humanitarian disaster and outbreak.

Desired Effects: Manipulate industry data to force them to ask for assistance from State/Federal agencies

Desynchronize recovery efforts

Desynchronize communications

Page 4

Red Team Organization

Red Team        Enclave 1    Enclave 2
HI ANG          CIC 4        Kumu 4
USA Reserves    CIC 3        Kumu 3
Team 1          Kumu 1       HECO
Team 2          CIC 2        Kumu 2
Team 3          CIC 1        HECO

Page 5

“The Federal Government of the United States continues to oppress the lifestyle, economy, and culture of our citizens and population. Recovery efforts and medical care are being withheld in order to oppress the islands and its people. Support independence, support your future, and our future generations.”

Page 6

Page 7

All Shelters are CLOSED

“The Federal Government of the United States continues to oppress the lifestyle, economy, and culture of our citizens and population. Recovery efforts and medical care are being withheld in order to oppress the islands and its people. Support independence, support your future, and our future generations.”

Page 8

Page 9

Page 10

PII publicly accessible through the website:/wordpress/index.php/vicitim-list/cicnamesstcatherineschoolelementary

Page 11

Page 12

INSERT INTO `tblcontainer` VALUES
('KUMU2000816','outgate','motorcycle',279,140,'hazard'),
('KUMU2000998','outgate','onions',467,404,'ventilated'),
('KUMU2002254','in_yard','bicycles',4,344,'dry'),
('KUMU2002778','in_yard','car parts',449,490,'dry'),
('KUMU2003532','in_yard','car parts',146,289,'dry'),
('KUMU2003920','in_yard','cows',106,350,'livestock'),
('KUMU2004772','on_vessal','radar system',355,250,'flatrack'),
('KUMU2007385','outgate','car',192,205,'hazard'),
('KUMU2008415','on_vessal','car',45,217,'hazard'),
('KUMU2008915','outgate','chippers',289,276,'flatrack'),
('KUMU2010103','outgate','pigs',108,447,'livestock')

Page 13

Team 1 - Target HECO & Kumu 1

Day 1:

8:28AM : popped the domain controller 132.160.190.226 using WordPress Asset Manager upload vulnerability, uploaded a PHP reverse meterpreter shell.

9:10AM : popped the 132.160.190.228 centos box, using WordPress Asset Manager upload vulnerability, uploaded a PHP reverse meterpreter shell.

9:17AM : popped the 132.160.190.229 ubuntu box, using WordPress Asset Manager upload vulnerability, uploaded a PHP reverse meterpreter shell.

9:22AM : Accessed WordPress site on 132.160.190.228 using default credentials (admin, “password”)

9:25AM : Installed backdoor on 132.160.190.229 @ 132.160.190.229/photos/gallery

9:28AM : Installed backdoor on 132.160.190.228 @ 132.160.190.228/photos/gallery

10:41AM : Effected access to 132.160.190.132 & Installed backdoor on 132.160.190.132 @ 132.160.190.132/photos/gallery

10:44AM : Effected access to 132.160.190.133 & Installed backdoor on 132.160.190.133 @ 132.160.190.133/photos/gallery

12:10PM : Lost shell to Kumu Admin1 account from 132.160.190.89, re-established connection at 12:14PM

2:05PM : Defaced website @ 132.160.190.227, using default wordpress admin credentials.

2:15PM : Changed Kumu MySQL database values for all chlorine containers, to random substances, using default MySQL credentials.

3:50PM : Effected access to Windows Server 2012 on 132.160.190.226 using created credentials ChrisF, “PAssword1234##”

Page 14

Team 1 - Target HECO & Kumu 1

Day 2:

8:55AM : Noticed that we were kicked out of the domain controller (132.160.190.226) that we previously accessed with user 'ChrisF'

9:30AM : Obtained access to 132.160.190.228 wordpress site using default admin credentials, and defaced website.

10:13AM : Accessed 132.160.190.50 using netcat (ThinLinc.exe), established secondary backdoor using port 1354, and created user 'IIS7Admin'

10:32AM : Created netcat session on port 1577 wincom.exe on Kumu1 (132.160.190.227)

10:34AM : Created netcat session on port 12856 windll.exe on Kumu1 (132.160.190.227)

11:35AM : Accessed 132.160.191.56 on user Admin1, using default credentials (Password7!)

12:50AM : Created new user on 132.160.112.15 named admin1

Page 15

Overall Thoughts:

Determine the objectives and desired effects of the adversary

Actively monitor public facing products

Seek to understand the root cause of any particular compromise

Restructure for least privilege

Passwords, Win/Linux users, DB accounts, vulnerability testing
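The "actively monitor" and "understand the root cause" points above apply directly to the page 13 event where the Kumu MySQL values for chlorine containers were rewritten to random substances. The following is an added example, not part of the exercise deck, of a baseline-versus-snapshot integrity check for a table laid out like the `tblcontainer` rows on page 12 (container id, status, contents, x, y, handling class); both snapshots below are constructed sample data and the container ids are reused only as illustrative keys.

```python
"""Integrity check for a container-inventory table (added example, not the exercise's own code).

Compares a trusted baseline export of tblcontainer against a fresh snapshot and
escalates any change to the cargo description of a container whose baseline
handling class is 'hazard'. Both row sets below are constructed sample data.
"""

FIELDS = ("status", "contents", "x", "y", "handling")

# Constructed baseline: what the table looked like before the exercise day.
BASELINE = [
    ("KUMU2000816", "outgate", "chlorine", 279, 140, "hazard"),
    ("KUMU2000998", "outgate", "onions", 467, 404, "ventilated"),
    ("KUMU2007385", "outgate", "chlorine", 192, 205, "hazard"),
    ("KUMU2010103", "outgate", "pigs", 108, 447, "livestock"),
]

# Constructed later snapshot: the two chlorine containers were relabelled
# while their handling class stayed 'hazard' (the page 13 manipulation pattern).
SNAPSHOT = [
    ("KUMU2000816", "outgate", "motorcycle", 279, 140, "hazard"),
    ("KUMU2000998", "outgate", "onions", 467, 404, "ventilated"),
    ("KUMU2007385", "outgate", "car", 192, 205, "hazard"),
    ("KUMU2010103", "outgate", "pigs", 108, 447, "livestock"),
]


def index_rows(rows):
    """Key each row by container id so rows can be compared field by field."""
    return {r[0]: dict(zip(FIELDS, r[1:])) for r in rows}


def diff_snapshots(baseline, snapshot):
    """Return (container_id, field, old, new) for every changed field; a row that
    vanished or appeared is reported with field='row' and None on the missing side."""
    base, cur = index_rows(baseline), index_rows(snapshot)
    changes = []
    for cid in sorted(base.keys() | cur.keys()):
        if cid not in cur:
            changes.append((cid, "row", base[cid], None))
        elif cid not in base:
            changes.append((cid, "row", None, cur[cid]))
        else:
            changes.extend((cid, f, base[cid][f], cur[cid][f])
                           for f in FIELDS if base[cid][f] != cur[cid][f])
    return changes


def hazmat_alerts(changes, baseline):
    """Keep only changes to 'contents' or 'handling' on containers the baseline marks hazardous."""
    base = index_rows(baseline)
    return [c for c in changes
            if c[1] in ("contents", "handling") and base.get(c[0], {}).get("handling") == "hazard"]
```

Run on a real export by replacing the two constructed lists with rows read from the baseline dump and a live `SELECT`; any non-empty alert list is the signal to pull the database audit log and find who authenticated, which is where the default MySQL credentials in the timeline would surface.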