The prominent hacker Aubrey Cottle is accused of hacking into a third-party hosting company for the websites for the Texas Republican Party and the Texas Right to Life anti-abortion group.
# Incident Report: Alleged Hacking of Texas Republican Party via Third-Party Host Epik
## Executive Summary
Aubrey Cottle, a Canadian national and known hacker, was charged by the U.S. Justice Department for allegedly breaching the systems of Epik, a third-party hosting provider for the Texas Republican Party (TRP). The incident involved defacing the TRP website and stealing a backup of their web server, which contained personal identifying information (PII). Cottle subsequently shared the data online before being arrested in Canada following the unsealing of a September 2024 criminal complaint.
## Incident Details
- **Discovery Date:** Not explicitly stated, but related events date back to previous breaches in 2021, while the specific charges relate to a September 2024 criminal complaint.
- **Incident Date:** The specific alleged intrusion behind the charges is not precisely dated; it comprises the actions underpinning the September 2024 criminal complaint. (Note: Earlier related activity involving Epik occurred in 2021.)
- **Affected Organization:** Texas Republican Party (TRP) and Texas Right to Life (hosted by Epik).
- **Sector:** Political Organization/Hosting Services.
- **Geography:** United States (Texas) and Canada.
## Timeline of Events
### Initial Access
- **Date/Time:** Not stated; the actions charged are implied to have occurred before, or around the time of, the September 2024 complaint. (An earlier related breach of Epik occurred in 2021.)
- **Vector:** Targeting Epik, the third-party hosting company for the TRP website.
- **Details:** Gaining unauthorized access to Epik’s systems.
### Lateral Movement
- **Details:** Once in Epik’s infrastructure, the attacker downloaded a backup of the Texas Republican Party’s web server.
### Data Exfiltration/Impact
- **Data Stolen:** Personal Identifying Information (PII) contained within the TRP web server backup.
- **Disclosure:** The attacker allegedly shared the stolen data online, making it publicly downloadable.
- **Scale:** Police searches of Cottle’s home allegedly uncovered 20 terabytes of stolen data.
### Detection & Response
- **Detection:** How the intrusion was first detected is not stated; the investigation resulted in a criminal complaint unsealed in September 2024. The attacker publicly took credit on social media (Discord, TikTok), which aided attribution.
- **Response Actions:** The U.S. Justice Department unsealed an arrest warrant. Cottle was arrested last Wednesday in Canada. Canadian police had previously raided Cottle’s home in 2022 concerning other hacks. Authorities searched Cottle’s devices, allegedly finding stolen data.
## Attack Methodology
- **Initial Access:** Breach of a third-party hosting provider (Epik).
- **Persistence:** Not detailed, but access was maintained long enough to download server backups.
- **Privilege Escalation:** Not detailed, but access to sensitive server backups suggests elevated privileges were obtained.
- **Defense Evasion:** Not detailed, though prior attacks against Epik suggest an ability to bypass known controls.
- **Credential Access:** Not detailed.
- **Discovery:** Not detailed.
- **Lateral Movement:** Moving from the host provider infrastructure to the specific client data (TRP backup).
- **Collection:** Downloading a backup of the web server containing PII.
- **Exfiltration:** Downloading the TRP web server backup out of Epik's infrastructure; the stolen data was subsequently shared publicly online, allowing anyone to download it.
- **Impact:** Defacement of the TRP website and massive data theft/leak.
## Impact Assessment
- **Financial:** Not specified, though criminal investigation and prosecution costs likely apply.
- **Data Breach:** Personal Identifying Information (PII) belonging to TRP affiliates or constituents. Approximately 20 terabytes of stolen data were reportedly found on the suspect's devices.
- **Operational:** The TRP website was defaced.
- **Reputational:** Significant negative attention due to the data leak and the publicly claimed nature of the attack by a known hacker associated with Anonymous.
## Indicators of Compromise
- **Network Indicators:** (None provided)
- **File Indicators:** (None provided)
- **Behavioral Indicators:** Public declarations of responsibility on social media platforms (Discord, TikTok) referencing the hack. Evidence recovered from devices matching the leaked data set.
## Response Actions
- **Containment:** Not detailed; it would involve removing public access to the leaked data and closing the access path used against Epik once discovered.
- **Eradication:** Not detailed, implied through the arrest and seizure of evidence.
- **Recovery Actions:** Unspecified, likely involving notifying affected parties about the PII compromise.
## Lessons Learned
- Reliance on a single, third-party hosting provider (Epik) creates a significant single point of failure for multiple organizations.
- The suspect openly boasted about the attack online, highlighting the importance of monitoring social media and forums for attacker attribution.
- Past activity and known association with extremist hacking groups (Anonymous) should inform proactive security monitoring.
## Recommendations
- Organizations relying on third-party hosts must rigorously vet the security posture of those vendors.
- Isolate sensitive data stores from web server backups or implement stricter access controls on backups.
- Enhance monitoring for public disclosures or boasts made by known threat actors regarding specific organization assets.
- Review and minimize the amount of PII stored directly on public-facing web servers or easily accessible staging/backup environments.