He attacks corporate and government networks in total silence. “I don’t listen to any music,” the hacker said. “With music I can’t focus while hacking.” His room is sparse, adorned only with a bed next to an office desk and a computer. On the walls hang Microsoft certifications and posters of Anonymous and LulzSec, his favorite hacking teams. “Most of my methods are very easy to learn and not hard at all,” he said. “I became inspired by LulzSec for using the simple attacks like SQL [injection]. I still use those methods.”
Kapustkiy describes himself as a “penetration tester.” “I wanted to make money [with my skills], so I do bug bounties.” As evidence, he offered screenshots from seemingly happy clients. He also claims to hack governments as a form of protest. “I am now working on the Government of Venezuela in protest against Nicolas Maduro,” he said.
SEE: How risk analytics can help your organization plug security holes (Tech Pro Research)
His specialty is exploiting database bugs. “If I want to hack a website, I start to look manually for the vulnerabilities. At this moment all my methods have been SQL, LFI, XSS, and Bruteforce. I use some tools for social engineering as well,” Kapustkiy explained. “If I can’t find anything, I am trying to use web scanners to find the vulnerabilities [sic].”
After an allegedly successful strike against several high-profile embassies, Kapustkiy applied to New World Hackers, the band of young hackers who infamously claimed responsibility for the Dyn botnet attack that used over 100,000 Internet of Things (IoT) devices to cripple several major internet providers. Though NWH’s involvement with the Dyn attack is difficult to prove, the politically motivated group rose in stature dramatically in 2016 after declaring culpability for similar DDoS attacks against the BBC, Twitter, and Spotify.
Kapustkiy was attracted to NWH’s talent and track record. Other groups are good, he said, “but not as skilled as [New World Hackers]. I wanted to improve my skills and they are the best.” He continues to makes money as an above-the-board security tester but also helps the group exploit zero day bugs. “I buy them from the Dark Web, but I don’t sell,” he said.
In an interview with TechRepublic Kapustkiy explained what motivates him and his hacker colleagues, how he attacks and invades systems, and how stolen data is sold. His quotes are provided below slightly edited.
Who are you?
Hi. I’m Kapustkiy. I like to describe myself as a security pentester and researcher. (Sorry English is not my first language.)
When did you start hacking and how did you learn?
How I do it? I started with ”hacking” when I was [a teenager] and I became inspired by a hackers group called LulzSec. I was at that moment very young and I didn’t knew anything about hacking, so I decided to did some research, how LulzSec managed to break into websites. I found an article about which method they used and at that moment I started to learn all those things.
Is what you do legal? And do you worry about getting caught?
At the first time when I came into the headlines for my breach on the Indian Embassies, I was a little bit afraid that I was getting caught. Because some sources wrote that they tried to track my IP. But after the accident happened I started to help them to fix the vulnerability and I also told them that it is very important to be secured when you are managing such kind of data. I did not leak all the database only a little bit to make them aware of it. If it’s legal? In my opinion, it is legal when you only leak a little bit database to make them aware of it. Also report the vulnerable always and let them know that you try to help them.
READ: Interview with a hacker: S1ege from Ghost Squad Hackers (TechRepublic)
What motivates you?
The thing that motivates me a lot is that administrators appreciate that I try to improve their security better. I got a ”thank you” of the Indian Embassy and the Italian Government and I was very proud of myself that they have fixed the vulnerable.
Why do you consider yourself a penetration tester, rather than a hacker?
A lot people are asking me these kind of questions and the reason that I describe myself as a Security Pentester instead of a hacker is, because I like to help websites to improve their security so they are secured. I have always put my focus on Web/Network Security instead of other stuff. A ”hacker” is in my opinion someone who has knowledge with everything.
Can you detail your hacking history and explain your personal goals?
I started when I was [a teenager]. The first thing what I did was to understand a SQL Injection attack and what you could do with it. So I broke into a University of England and I started to dump their database. The website went offline for around three days and I felt that what I did was wrong so I decided not to do it anymore. I managed to broke into the Indian Embassy, Italian Government, University of Wisconsin, Hungarian Human Rights Foundation, and many more. The reason that I broke into their websites was to let them to understand the danger of a data breach. I have also helped the administrators to fix the vulnerables and those kind of things are my goals. To let them see the danger and to let them improve their security better.
READ: Interview with a hacker: Gh0s7, leader of Shad0wS3c (TechRepublic)
Are you friendly with other hacker groups?
I was a ex-member of a hackers group called Powerful Greek Army. Also I know some members of [other hacking groups]. I speak sometimes with them.
How do you make money?
I’ll try to find vulnerabilities (most of the time XSS) in websites of my country and I help the administrators to fix them or I’ll report the vulnerable so they could do it on their own. PS: I only spend time on finding vulns in big websites like banks or universities.
Can you explain your penetration tactics?
It’s very simple what I’m doing and not even difficult. The first thing what I’m doing is: I make a list of websites that might be vulnerable. When that’s done. I start to use some tools (PentestBox) to look for vulnerabilities. And last but not least. I try to get access to the database and then I’m going to report the vulnerables that I managed to found.
When you break into a system what do you hope to find?
I hope to find personal information like someone his real name, address, phone number etc… This is more important than looking for usernames and password. Because you can’t reset personal information.
Are there red lines you won’t cross or things you won’t do?
I would never leak personal information of people like their address or bank information.
What can people and companies do to protect themselves from hackers?
I think the communication is one of the important thing. Most companies don’t take mails seriously or they even don’t read it. There are a lot people who also report the vulnerables but it is very hard to get a response back of them. Also you need to test your website often with a Penetration testing to see if everything is secured. Everything is able to get hacked but we can always make it more difficult for hackers.
SEE: Russian hack almost brought the U.S. military to its knees (CBS News)
TechRepublic communicated with Kapustkiy using encrypted applications that allowed the hacker to remain anonymous. We have taken steps to validate the general nature of Kapustkiy’s statements but cannot verify his claims. As always, TechRepublic does not condone illegal or unethical activity.
- Experts predict 2017’s biggest cybersecurity threats (TechRepublic)
- Poll: What new cybersecurity trends will dominate 2017? (TechRepublic)
- 2017 cybercrime trends: Expect a fresh wave of ransomware and IoT hacks (TechRepublic)
- Gallery: The 10 biggest business hacks of 2016 (TechRepublic)
- Interview with a hacker: Gh0s7, leader of Shad0wS3c (TechRepublic)
- Five essential cybersecurity audiobooks (TechRepublic)
- Five essential cybersecurity podcasts for IT professionals (TechRepublic)
- Cyberwar: The smart person’s guide (TechRepublic)
- How to safely access and navigate the Dark Web (TechRepublic)
- IT Security in the Snowden Era (ZDNet)
- Russia’s role in political hacks: What’s the debate? (CNET)