Wednesday 22 July 2015

Deep dive into attribution trove of Hacking Team

Attribution is probably one of the toughest things to deal with during a major cyber security breach, yet it is one of the most demanded skills. In the earliest incident response cases, attribution was based solely on the geolocation of an IP address. Even though proxy servers have existed all along, individuals, companies and researchers could easily get away with this type of attribution.

Attribution and Advanced Persistent Threats

In recent years, and especially since the community started to attribute attacks to specific hacker groups by giving them names, the ability to attribute cyber attacks has become a spearhead for companies to showcase their skills. Often fashionable names were created; in other cases only the abbreviation APT (Advanced Persistent Threat) followed by a number has been used to identify a specific hacker group.

Attribution is not easy; it can be based on all sorts of circumstantial evidence. As long as a unique, specific blueprint keeps showing up throughout the attack, you may be able to attribute it.
One thing most people forget is that we live on a huge globe with different continents, habits and completely different mindsets. Cyber attacks in Europe and America are completely different in nature from cyber attacks in the Asia-Pacific region, let alone those from Russia.


Hacking Team

In order to help future attribution cases, we @RedSocks have decided to pinpoint as many specific details from the Hacking Team leak as possible, down to the slightest detail, in order to identify who is behind them.
What stands out most are the different ways in which specific parties maintain contact with Hacking Team. There are clients that don’t really mind if their identity is known, clients that are in a hurry, and clients that care about their identity. A lot of Hacking Team’s clients, for example, use Gmail, Yahoo and Outlook email addresses. Some clients even prefer to have contact only by phone, and others only via encrypted email.
It turns out a few (if not all) customers prefer to host their Collector server in their own home country.
Below are some of the clients whose Collector server we were able to pinpoint:

  • 81.192.195.* – Morocco
  • 81.192.195.* – Morocco
  • 81.192.195.* – Morocco
  • 80.18.231.* – Italy
  • 202.131.234.* – Mongolia
  • 190.242.96.* – Colombia
  • 95.59.26.* – Kazakhstan
  • 175.143.78.* – Malaysia

The massive Hacking Team leak allowed us to gain insight into the client infrastructure of Hacking Team. Hacking Team used various anonymizers; you can find them in our previous post on Hacking Team.

At the bottom of this blog post is a list of associated Hacking Team Collector server anonymizers and connected email addresses. These details should give researchers the ability to gather valuable information about current and future APT groups: their tool sets, IP ranges, capabilities and motives.
We have highlighted some for you:

KVANT
The Russian customer KVANT is associated with the following two email addresses:

  • kachalin@advancedmonitoring.ru
  • kachalin@infotecs.ru

But it is also associated with this email address:

  • johnd123@yandex.ru

JohnD here could be a reference to the placeholder name John Doe.
This specific customer connected from the Russian IP address 193.232.60.234, an IP address known to be a Bitcoin seed node.
Below is a screenshot this customer sent to Hacking Team for debugging purposes.



Officially, Hacking Team sold its wares to a company called “Advanced Monitoring”, whose corporate parent has a license to work with the FSB, as recently as August 28, 2014.


The 5163 Army Division customer
This customer was one of the most active users. It is associated with the email address:
devilangel1004@gmail.com
It connected from at least 109 different IP addresses in at least 15 different countries, all of them Tor exit nodes. It can be noted that this customer had good operational security in place to hide its original location on the internet.
This customer was using a large variety of VPS infrastructure to infect its targets:

  • DE – 198.105.125.107
  • DE – 198.105.125.108
  • CZ – 198.105.122.117
  • CZ – 198.105.122.118
  • NL – 131.72.137.101
  • NL – 131.72.137.104
  • DE – 185.72.246.46
  • RU – 46.38.63.194
  • US – 162.216.7.167

The 5163 Army Division is thought to be a front office of the National Intelligence Service of South Korea.


Kevin White
It turns out there is a customer with the abbreviation MOI. This user has used the following email addresses:

  • kevinwhite432@hotmail.com
  • kevinwhite4456@mail.com
  • kwhite@lelantos.org

This customer also consistently connected through the Tor network. Thus far we have not been able to identify this customer. The email address at lelantos.org belongs to a secure anonymous email provider that is only accessible through Tor.
The operational security of this customer turned out to be excellent.
This customer was infecting its targets through Word documents that mimicked documents from the “United Nations Human Rights Council” (UNHCR) and the “Revolutionary Front in Defence of the People’s Rights” (RFDPD) from Brazil.



We have not been able to identify this customer.


Intech Solutions
Last but not least, we have the customer Intech Solutions.
The associated company domains for this customer are:

  • lea-consult.de
  • intech-solutions.de

Intech Solutions seems to be a customer from Germany, but it turns out this customer is a reseller.
Intech Solutions services its customers from three different geographical locations:

  • Luxembourg – 188.115.16.82
  • Germany – 188.210.58.*
  • Lebanon – 77.246.76.211

Based on several documents, we believe Intech Solutions is serving two customers:

  • The Secret Service of Luxembourg, codenamed Falcon.
  • The Iraqi Government, codenamed Condor.

The Falcon customer is mainly interested in the Network Injector capabilities of Hacking Team’s RCS, while the Condor customer uses the following links related to the infection of its targets:

  • http://www.kurdistanpost.com
  • http://www.iraqinews.com/tag/mosul/
  • http://www.iraq-businessnews.com/tag/sulaymaniyah/
  • http://www.breakingnews.com/topic/sulaimania-as-sulaymaniyah-iq/
  • http://www.iran-daily.com/News/111959.html
  • http://www.iraqinews.com/iraq-war/security-forces-liberate-hamrin-mountains/
  • http://www.iraqinews.com/iraq-war/exclusive-photos-army-volunteer-fighters-heading-tikrit/
  • http://www.iraqinews.com/iraq-war/salahuddin-security-committee-denies-finding-survivors-camp-speicher-massacre/
  • http://www.iraqinews.com/features/barzani-asks-pope-urge-international-community-provide-assistance-kurdistans-displaced/
  • http://www.iraqinews.com/iraq-war/1103-iraqis-killed-2280-injured-february-says-un/

To sum up some very specific characteristics that can be noticed during an attack, I have written down those that can help you, and others that can easily cause tunnel vision and should therefore be given less weight.

Attribution:

  • New malware strains, from same source code
  • Lateral movement characteristics
  • Reconnaissance characteristics
  • Persistence/Backdoor characteristics
  • Connecting IP space
  • Plurality of IP series
  • Amount of concurrent (active) backdoor connections
  • Routine of instructions
  • Batch/Script files used and purpose of those
  • Favorable tools of common open source tool sets
  • Entry point details (hacked, bought, bought in underground, hijacked, stolen)
  • Sophistication of malware (sole purpose, modular, ease of creation)

Helpful:

  • Possible motives
  • Compilation time stamps

Tunnel vision:

  • Specifically attributed known malware (could be re-used)
  • IP ranges alone
  • Strings in malware

Below is a list of customer email addresses, customer code names, customer names and connecting IP addresses. Each line gives the email address, the customer code name, the display name, the connecting IP address where one was recorded, and a two-letter country code (or Failed). Researchers willing to receive the complete list are free to contact us.


rosreptc@carabinieri.it ROS rosreptc
netsec@areatec.com CNI netsec 81.171.69.48 ES
batujembalapatik@gmail.com MIMY batujem balapatik 203.121.55.92 MY
alicefelistica@gmail.com MIMY Alice Felistica 172.20.20.182 Failed
arenamy8@gmail.com MIMY Arena 120.141.162.116 MY
eaglecobra23@gmail.com MIMY eagle cobra Failed
errorr.007@gmail.com MIMY error 007 118.101.201.251 MY
farkasgabor68@gmail.com MKIH Gábor Farkas 86.59.137.94 HU
intdiv@mkih.hu MKIH IntDiv Failed
infop@sutor.it PCIT INFOP Failed
srs@sutor.it PCIT Cesare 192.168.1.159 Failed
andrea.raffaelli@carabinieri.it ROS Andrea Raffaelli Failed
devilangel1004@gmail.com SKA devilangel 176.10.99.202 CH
josef.hrabec@bull.cz UZC Josef Hrabec 172.20.20.188 Failed
janus@bull.cz UZC UZC Bull 89.24.101.39 CZ
tomas.hlavsa@bull.cz UZC Tomas Hlavsa 195.39.62.66 CZ
service@intech-solutions.de INTECH Simon Thewes 188.115.16.82 LU
k.dobrzynski@cba.gov.pl CBA KD 46.113.149.31 PL
robinj.newsletter@gmail.com CBA KD 46.113.149.31 PL
unifi_abc@yahoo.com PMO Megat 210.186.148.113 MY
alessandro.scagnetti@interno.it PP Alessandro Scagnetti 80.19.234.18 IT
woints@yahoo.com INSA SW 213.55.96.10 ET
walcot.woly@gmail.com INSA Walcot Woly 216.118.233.253 PY
biniamtewolde@yahoo.com INSA Biniam Tewolde 172.20.20.188 Failed
joshua.a.hollister@usdoj.gov KATIE Joshua HOLLISTER Failed
jonathan.g.leonhard@usdoj.gov KATIE Jonathan Leonhard Failed
brett.blackham@gmail.com KATIE Brett Blackham Failed
jmsolano2k@yahoo.com PHOEBE John Solano 63.119.193.1 US
james.houck@ic.fbi.gov PHOEBE James Houck 63.119.193.1 US
soporteuiamx@gmail.com GEDP UIAPuebla 200.57.119.167 MX
g23@mod.gov.eg GNSE Mohammed 41.33.151.149 EG
del@afmic.com GNSE Ali Hussein 2 172.20.20.188 Failed
a.almasoud@moisp.gov.sa TCC-GID Ahmed Al Masoud 84.235.48.113 SA
sfrashed@tcc-ict.com TCC-GID Sultan Alrashed 46.240.36.82 SA
i.eugene@itt.uz NSS i.eugene 195.69.188.250 UZ
miloudifranck@yahoo.fr ALFAHAD miloudi franck 105.158.160.130 MA
pristospristou@gmail.com CIS CSS 81.4.182.50 CY
sgeorgakis@cis.gov.cy CIS CSS 81.4.182.50 CY
pristoupristos@gmail.com CIS cis group Failed
simone.cazzanti@rcslab.it RCS Simone Cazzanti 83.103.117.82 IT
antonino.bonanno@rcslab.it RCS Antonino Bonanno 83.103.117.82 IT
duilio.bianchi@rcslab.it RCS Duilio Bianchi 172.20.20.188 Failed
helpteam66@gmail.com CSDN HelpTeam66 41.248.191.71 MA
michael.p.casey@usdoj.gov KATIE Michael P. Casey 190.27.195.19 CO
mcasey6@gmail.com KATIE Michael P. Casey 190.27.195.19 CO
jasur@itt.uz NSS Jasurbek Khujaev 62.209.142.186 UZ
dankovicsjanos@gmail.com MKIH Janos Dankovics Failed
ulziibadrakh@iaac.mn MOACA ulziibadrakh 202.131.234.114 MN
erkhembayar@iaac.mn MOACA Erkhembayar 202.131.234.114 MN
erkhemee.iooii@gmail.com MOACA Erkhembayar 202.131.234.114 MN
davaa.shurik@gmail.com MOACA davaadorj 202.131.235.214 MN
uzc.v3.data@pcr.cz UZC Richard Hiller 94.113.250.3 CZ
yasdy.ardy@gmail.com MIMY tzm 175.143.78.14 MY
amo@gcctalk.com BHR Amo 82.194.55.211 BH
altherwi@moisp.gov.sa TCC-GID Walled Mohammed 84.235.48.113 SA
oscarg@symservicios.com PEMEX Oscar Israel González 189.204.10.202 MX
ocasitamaulipas@gmail.com SSPT Keila 201.144.150.206 MX
marek.bartos@ppcr.cz UZC Marek Bartos 94.113.250.0 CZ
miguelangel.corral@dtxtcorp.com PGJEM Miguel Angel Corral 187.188.106.19 Failed
rcs.cia@gmail.com PGJEM Ing. Carlos Rdz 187.208.68.151 MX
kraka1970@yahoo.com NISS-02 Abdullah 41.78.109.92 SD
teofilo@solucionesdetecnologia.com PANP Teofilo Homsany Failed
comunicacionesmx2013@gmail.com SDUC comunicaciones mexico 187.134.90.81 MX
infonetqro@gmail.com EDQ Felipe Romero Sánchez 187.144.53.252 MX
soprcs@gmail.com PANP Teofilo 190.32.195.84 PA
jaime@tevatec.com EDQ Jaime Calderón 189.178.19.160 MX
aliaheric@gmail.com SSNS E. 37.220.245.170 Failed
laurap@sutor.it PCIT Laura 2.114.21.82 IT
eojust@gmail.com KNB Astana Team 89.218.64.46 KZ
testwizard003@gmail.com AZNS Test Wizard 003 109.235.193.83 AZ
alan.zarza1980@gmail.com SEGOB Marco Antonio 187.217.80.174 MX
dzsunk2014@gmail.com MKIH Gábor Farkas 86.59.137.94 HU
johnd123@yandex.ru KVANT Peter 193.232.60.234 RU
__disabled_john.amirrezvani@parsons.com PHOEBE John Amirrezvani 63.119.193.1 US
__disabled__one.lal2010@gmail.com PHOEBE Pradeep Lal 65.211.76.176 US
dmoreno@elitetactical.net SEPYF Dan. Moreno 201.160.129.133 MX
7s39831@gmail.com IDA 7S39831 180.255.20.96 SG
kevinwhite432@hotmail.com MOI Kevin White 94.242.246.24 LU
kevinwhite4456@mail.com MOI Kevin White 94.242.246.24 LU
kwhite@lelantos.org MOI Kevin White 94.242.246.24 LU
octubre723@gmail.com SEPYF Juan 167.160.116.219 US
tulum@tutanota.de YUKI tulum@tutanota.de 189.202.92.197 MX
supporto-ht@area.it ARIEL Ariel 94.90.124.2 IT
eduvagpo74@tutanota.de DUSTIN eduvagpo74 201.148.31.115 MX
jrenato.melendez@gmail.com DUSTIN jrenato melendez 201.148.31.115 MX
kambal456@gmail.com NISS-01 Nizar 41.78.111.67 SD
dan@pymetek.net DUSTIN Dan 200.77.198.212 MX
garciarigoberto@prodigy.net.mx PGJEM Rigoberto Garcia 172.16.1.5 Failed
ldiaz@neolinx.mx PGJEM Luis Díaz 189.253.103.167 MX
luis_diazydiaz@hotmail.com PGJEM Luis Díaz 189.253.103.167 MX
esgar_1_38@hotmail.com JASMINE Support 189.211.186.199 MX
team14355@gmail.com MOD Magbool 37.242.13.10 Failed
tango2014@mail.com MOD User_Mod_01 94.99.41.221 SA
roy2014@post.com MOD User_Mod_02 185.23.124.138 SA
akhtar@mauqah.com UAEAF Akhtar Saeed Hashmi 86.96.99.238 AE
basar@palgroup.com UAEAF Syed Basar 176.205.10.181 AE
ht@mauqah.com UAEAF UAEAF_user Failed
falneyadi@eim.ae UAEAF UAEAF_user1 92.96.11.43 AE
salmuhrezi@eim.ae UAEAF UAEAF_user2 2.50.248.150 AE
fabio@hackingteam.com HackingTeam Test 192.168.100.239 Failed
user008181@gmail.com PHANTOM Jorge 151.48.150.70 IT
ccaceresh@investigaciones.cl PHANTOM CC 190.8.83.154 CL
ajmani.aa@gmail.com BSGO Anil Ajmani 41.206.1.5 NG
hanan@skylinksltd.com BSGO Hanan Dayan 41.206.1.8 NG
haim@skylinksltd.com BSGO Haim Lewy 172.20.20.178 Failed
thorbruegge@yahoo.com BSGO Bruegge Thor 192.168.1.155 Failed
elmarcopoloh@yahoo.com SENAIN TRUST 181.198.76.18 Failed
luis.solis@sin.gob.ec SENAIN TRUST 181.198.76.18 Failed
mauro.sorrento@gmail.com PCIT Mauro Sorrento 2.114.21.82 IT
francesco.sperandeo@interno.it PP Francesco Sperandeo 80.19.234.18 IT
sioht@siospa.it SIO Gruppo SIO x HT 2.228.15.130 IT
jacopo.cialli@carabinieri.it ROS Jacopo Cialli 93.40.111.230 IT
crijajo@gmail.com ROS Jacopo Cialli 93.40.111.230 IT
gabrieliraf@gmail.com ROS Raffaele Gabrieli 2.195.134.126 IT
raffaele.gabrieli@carabinieri.it ROS Raffaele Gabrieli 2.195.134.126 IT
cshmps@hotmail.it CSH Salvatore Macchiarella 77.71.162.131 MT
sortiz@cargatechnology.com YUKI sortiz@cargatechnology.com 189.202.88.249 MX
satthubongdem123456789@gmail.com VIKIS satthubongdem123456789@gmail.com 183.91.15.102 VN
ricardo.perinan@correo.policia.gov.co MDNP Ricardo Periñan 190.255.40.77 CO
tnpticket@gmail.com TNP TNP User 84.51.32.10 TR
noc@samtel.samartcorp.com THDOC NOC 203.149.47.18 TH
tnpnotcenter2@gmail.com TNP-old tnp notcenter 95.9.71.180 TR
milan.daniele@gmail.com TNP-old Daniele 192.168.1.200 Failed
wirbelwind79@outlook.com ZUEGG wirbelwind79@outlook.com 195.162.166.11 CH
edilberto.tangarife@correo.policia.gov.co MDNP Ricardo Periñan 190.255.40.77 CO
j972584@gdf.it SCICO Pasquale D’Ambrosio 2.228.110.165 IT
w105553@gdf.it SCICO Salvatore Galati 88.50.246.138 IT
h973958@gdf.it SCICO Federico Speranza 88.50.246.138 IT
l085038@gdf.it SCICO Giuseppe Della Cioppa 88.50.246.138 IT
v095168@gdf.it SCICO Marco Bartiromo 88.50.246.138 IT
rappazzo.diego@gdf.it SCICO Diego Rappazzo 88.50.246.138 IT
support@dhag.com.vn VIKIS Support Team 171.224.130.48 VN
cimarron1@tutanota.de SEPYF SaidO 189.202.77.133 MX
dungi1@tutanota.de DUSTIN SAIDO 189.202.71.133 MX
cateringlllc@gmail.com ORF cateringlllc 82.178.83.157 OM
user008282@gmail.com PHANTOM Manuel 151.48.150.70 IT
user008383@gmail.com PHANTOM Sergio 190.8.83.154 CL
nasser.asiri@gmail.com GIP Nasser Asiri 37.104.60.96 Failed
soporteht.2015@gmail.com HON SoporteHT.2015 190.109.192.194 HN
test@hackingteam.com HackingTeam Test 192.168.100.239 Failed
kamarulzamani@miliserv.com.my MACC Kamarul Zamani Failed
zuriana@miliserv.com.my MACC Zuriana 110.159.6.122 MY
ariff@miliserv.com.my MACC Zuriana 110.159.6.122 MY
suporte@yasnitech.com.br BRENDA Suporte 189.68.89.175 BR
gilberto.gbcj@dpf.gov.br BRENDA gilberto 177.7.84.199 BR
macsal@me.com CSH Salvatore Macchiarella 77.71.162.131 MT
takayama.tko@gmail.com TIKIT Takayama 110.78.165.114 TH
josef.hrabec@atos.net UZC Hrabec Josef Failed
skylock224@gmail.com VIRNA Virna 203.162.252.158 VN
erdtec@mcit.gov.eg TREVOR ERDTECH 41.237.238.52 EG
maremu2015@tutanota.com DUSTIN Miguel Angel Renteria Failed
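The list above is flat text, so as an added example (not part of the original RedSocks post) here is a small parser that turns lines in that format into records, groups them by customer code name, and separates what the connecting address can tell you from what it cannot: RFC 1918 addresses such as 172.20.20.188 are the operator’s LAN side and say nothing about location, while the distinct /24 networks per customer are a rough stand-in for the “Connecting IP space” and “Plurality of IP series” items in the attribution checklist. The sample input is a handful of lines copied from the list; the line layout (email, code name, free-text name, optional IP, country code or Failed) is assumed from inspection of the list.

```python
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample input: lines copied from the list in this post, chosen to
# cover every shape a line can take (no IP, private IP, "Failed" with a public
# IP, several addresses under one customer code name).
SAMPLE_LINES = """\
rosreptc@carabinieri.it ROS rosreptc
joshua.a.hollister@usdoj.gov KATIE Joshua HOLLISTER Failed
michael.p.casey@usdoj.gov KATIE Michael P. Casey 190.27.195.19 CO
mcasey6@gmail.com KATIE Michael P. Casey 190.27.195.19 CO
kevinwhite432@hotmail.com MOI Kevin White 94.242.246.24 LU
kevinwhite4456@mail.com MOI Kevin White 94.242.246.24 LU
kwhite@lelantos.org MOI Kevin White 94.242.246.24 LU
garciarigoberto@prodigy.net.mx PGJEM Rigoberto Garcia 172.16.1.5 Failed
ldiaz@neolinx.mx PGJEM Luis Díaz 189.253.103.167 MX
miguelangel.corral@dtxtcorp.com PGJEM Miguel Angel Corral 187.188.106.19 Failed
ulziibadrakh@iaac.mn MOACA ulziibadrakh 202.131.234.114 MN
davaa.shurik@gmail.com MOACA davaadorj 202.131.235.214 MN
"""

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
COUNTRY = re.compile(r"^[A-Z]{2}$")


@dataclass
class Record:
    email: str
    customer: str           # Hacking Team's code name for the customer
    name: str               # free-text display name, may contain spaces
    ip: Optional[str]       # last connecting address, if the line has one
    country: Optional[str]  # two-letter code; None where the list says "Failed"


def parse_line(line: str) -> Record:
    """Split one whitespace-separated line into its fields.

    Assumed layout: <email> <code name> <display name...> [<ip>] [<country>|Failed]
    Only the first two tokens are fixed; the display name absorbs whatever is
    left after the optional country and IP are peeled off the end.
    """
    tokens = line.split()
    if len(tokens) < 3:
        raise ValueError(f"too few fields: {line!r}")
    email, customer, rest = tokens[0], tokens[1], tokens[2:]
    country = None
    if rest[-1] == "Failed":
        rest.pop()
    elif COUNTRY.match(rest[-1]) and len(rest) > 1:
        country = rest.pop()
    ip = rest.pop() if rest and IPV4.match(rest[-1]) else None
    return Record(email, customer, " ".join(rest), ip, country)


def parse_lines(text: str):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


@dataclass
class CustomerSummary:
    emails: set = field(default_factory=set)
    public_ips: set = field(default_factory=set)
    private_ips: set = field(default_factory=set)  # RFC 1918: no location value
    prefixes: set = field(default_factory=set)     # distinct /24s, the "IP series"
    countries: set = field(default_factory=set)


def summarize(records):
    """Group records by customer code name and sort the connecting addresses
    into those that carry attribution signal and those that do not."""
    out = defaultdict(CustomerSummary)
    for r in records:
        s = out[r.customer]
        s.emails.add(r.email)
        if r.country:
            s.countries.add(r.country)
        if r.ip:
            addr = ipaddress.ip_address(r.ip)
            if addr.is_private:
                s.private_ips.add(r.ip)
            else:
                s.public_ips.add(r.ip)
                net = ipaddress.ip_network(f"{r.ip}/24", strict=False)
                s.prefixes.add(str(net))
    return dict(out)


if __name__ == "__main__":
    for code, s in sorted(summarize(parse_lines(SAMPLE_LINES)).items()):
        print(f"{code}: {len(s.emails)} mailbox(es), {len(s.public_ips)} public IP(s) "
              f"in {len(s.prefixes)} /24(s), countries={sorted(s.countries) or '-'}, "
              f"private={sorted(s.private_ips) or '-'}")
```

Running it on the full list is a matter of pasting the lines into SAMPLE_LINES. The point of keeping private addresses in a separate bucket is that a Failed entry is not always an internal address (187.188.106.19 is public and still Failed), so a country column alone is not a reliable filter; the /24 count per customer is where the checklist's “plurality of IP series” starts to become measurable.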

Author Rickey Gevers

Chief Intelligence Officer RedSocks BV