Attribution is probably one of the toughest things to deal with during a major cyber security breach, yet it is one of the most demanded skills. In the earliest incident response cases, attribution was based solely on IP address location. Even though proxy servers have been around all along, individuals, companies and researchers could easily get away with this type of attribution.
Author Rickey Gevers
Chief Intelligence Officer RedSocks BV
Attribution and Advanced Persistent Threats
In recent years, and especially since the community started to attribute attacks to certain hacker groups and refer to them by name, the ability to attribute cyber attacks has been a spearhead for companies to showcase their skills. Often fashionable names were created, and in other cases solely the abbreviation APT (Advanced Persistent Threat) with a connecting number has been used to identify specific hacker groups.
Attribution is not easy, and it can be based on all sorts of circumstantial evidence. As long as a unique, specific blueprint pops up throughout the whole attack, you are able to attribute an attack.
One thing most people often forget is that we are living on a huge globe, with continents, habits and completely different mindsets. Cyber attacks in Europe and America are completely different by nature from cyber attacks in the Asia Pacific region, let alone those from Russia.
Hacking Team
In order to help future attribution cases, we @RedSocks have decided to pinpoint all specific details from the Hacking Team leak as much as possible, down to the slightest detail, and to pinpoint who is behind them.
What stands out most is the different use-cases you see in how specific parties maintain contact with Hacking Team. There are clients that don’t really mind if their identity is known, clients that are in a hurry, and clients that care about their identity. A lot of Hacking Team’s clients, for example, use Gmail, Yahoo and Outlook email addresses. Some clients even prefer to only have contact by phone, and others only via encrypted email.
It turns out a few (if not all) customers prefer to have their Collector server in their own home country.
Below are some of the clients whose Collector server we were able to pinpoint:
- 81.192.195.* – Morocco
- 81.192.195.* – Morocco
- 81.192.195.* – Morocco
- 80.18.231.* – Italy
- 202.131.234.* – Mongolia
- 190.242.96.* – Colombia
- 95.59.26.* – Kazakhstan
- 175.143.78.* – Malaysia
The massive Hacking Team leak allowed us to gain insight into the client infrastructure of Hacking Team. The Hacking Team company used various anonymizers, and you can find them in our previous post on Hacking Team.
At the bottom of this blog post is a list of associated Hacking Team Collector server anonymizers and connected email addresses. These details should give researchers the ability to gather valuable information about current and future APT groups, their tool set, IP ranges, capabilities and motives.
We have highlighted some for you:
KVANT
The Russian customer KVANT. This customer is associated with the following two email addresses:
- kachalin@advancedmonitoring.ru
- kachalin@infotecs.ru
But it is also associated with this email address:
- johnd123@yandex.ru
JohnD here could be related to the placeholder name John Doe.
This specific customer connected from the Russian IP address 193.232.60.234, an IP address known to be a Bitcoin seed node.
Below is a screenshot this customer sent to Hacking Team for debugging purposes.
Officially, Hacking Team sold its wares to a company called “Advanced Monitoring“, whose corporate parent has a license to work with the FSB, as recently as August 28, 2014.
The 5163 Army Division customer
This customer was one of the most active users. It is associated with the email address:
devilangel1004@gmail.com
It has connected from at least 109 different IP addresses in at least 15 different countries. All of them were Tor exit nodes. This customer clearly had good operational security in place to hide its original location on the internet.
This customer was using a large variety of VPS infrastructure to infect its targets:
- DE – 198.105.125.107
- DE – 198.105.125.108
- CZ – 198.105.122.117
- CZ – 198.105.122.118
- NL – 131.72.137.101
- NL – 131.72.137.104
- DE – 185.72.246.46
- RU – 46.38.63.194
- US – 162.216.7.167
The 5163 Army Division is thought to be the front office of the National Intelligence Service of South Korea.
Kevin White
It turns out there is a customer going by the abbreviation MOI. This user has used the following email addresses:
- kevinwhite432@hotmail.com
- kevinwhite4456@mail.com
- kwhite@lelantos.org
This customer also consistently connected through the Tor network. Thus far we have not been able to identify this customer. The email address @lelantos.org is from a secure anonymous email provider only accessible through Tor.
The operational security of this customer turned out to be excellent.
This customer was infecting its client through Word documents that mimicked documents from the “United Nations Human Rights Council” (UNHCR) and the “Revolutionary Front in Defence of the People’s Rights” (RFDPD) from Brazil.
We have not been able to identify this customer.
Intech Solutions
Last but not least we have the customer Intech Solutions.
Associated company domains for this customer are:
- lea-consult.de
- intech-solutions.de
Intech Solutions seems to be a customer from Germany, but it turns out this customer is a reseller.
Intech Solutions services its customers from three different geographical locations:
- Luxembourg – 188.115.16.82
- Germany – 188.210.58.*
- Lebanon – 77.246.76.211
Based on several documents, we believe Intech Solutions is serving two customers:
- The Secret Service of Luxembourg, codenamed Falcon.
- The Iraqi Government, codenamed Condor.
The Falcon customer is mainly interested in the Network Injector capabilities of Hacking Team’s RCS while the Condor customer uses the following links related to the infection of its targets:
- http://www.kurdistanpost.com
- http://www.iraqinews.com/tag/mosul/
- http://www.iraq-businessnews.com/tag/sulaymaniyah/
- http://www.breakingnews.com/topic/sulaimania-as-sulaymaniyah-iq/
- http://www.iran-daily.com/News/111959.html
- http://www.iraqinews.com/iraq-war/security-forces-liberate-hamrin-mountains/
- http://www.iraqinews.com/iraq-war/exclusive-photos-army-volunteer-fighters-heading-tikrit/
- http://www.iraqinews.com/iraq-war/salahuddin-security-committee-denies-finding-survivors-camp-speicher-massacre/
- http://www.iraqinews.com/features/barzani-asks-pope-urge-international-community-provide-assistance-kurdistans-displaced/
- http://www.iraqinews.com/iraq-war/1103-iraqis-killed-2280-injured-february-says-un/
To sum up, I have written down some very specific characteristics that can be noticed during an attack and that can help you with attribution, along with others that can easily cause tunnel vision and should therefore be given less weight.
Attribution:
- New malware strains, from same source code
- Lateral movement characteristics
- Reconnaissance characteristics
- Persistence/Backdoor characteristics
- Connecting IP space
- Plurality of IP series
- Amount of concurrent (active) backdoor connections
- Routine of instructions
- Batch/Script files used and purpose of those
- Favorable tools of common open source tool sets
- Entry point details (hacked, bought, bought in underground, hijacked, stolen)
- Sophistication of malware (sole purpose, modular, ease of creation)
Helpful:
- Possible motives
- Compilation time stamps
Tunnel vision:
- Specifically attributed known malware (could be reused)
- IP ranges solely
- Strings in malware
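The checklist items "Connecting IP space" and "Plurality of IP series", and the Tor-only behaviour described for the 5163 Army Division customer, can be measured directly from connection records. The Python below is an added example, not code from the original post: the account names, the addresses (RFC 5737 documentation ranges), the Tor exit set and the choice of a /24 as one "IP series" are all assumptions made for illustration.

```python
import ipaddress

# RFC 1918 space says nothing about origin: it is reused on every internal network.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample data (RFC 5737 documentation ranges), not taken from the leak.
TOR_EXITS = {"203.0.113.10", "203.0.113.77", "198.51.100.5"}
RECORDS = [
    ("acct-a", "203.0.113.10"),
    ("acct-a", "203.0.113.77"),
    ("acct-a", "198.51.100.5"),
    ("acct-b", "192.0.2.20"),
    ("acct-b", "192.0.2.20"),
    ("acct-b", "192.0.2.21"),
    ("acct-c", "192.0.2.20"),
    ("acct-c", "172.20.20.188"),
    ("acct-d", "not-an-ip"),
]


def is_internal(ip):
    return any(ip in net for net in RFC1918)


def parse(records):
    """Map account -> set of parsed addresses; unparsable values are skipped."""
    seen = {}
    for account, raw in records:
        ips = seen.setdefault(account, set())
        try:
            ips.add(ipaddress.ip_address(raw))
        except ValueError:
            continue  # e.g. a failed lookup recorded as text
    return seen


def profile(records, tor_exits):
    """Per-account view of the connecting IP space (IPv4 assumed for /24 series)."""
    out = {}
    for account, ips in parse(records).items():
        public = {ip for ip in ips if not is_internal(ip)}
        series = {ipaddress.ip_network(f"{ip}/24", strict=False) for ip in public}
        tor = sum(1 for ip in public if str(ip) in tor_exits)
        out[account] = {
            "distinct_ips": len(public),
            "series_24": len(series),
            "internal": len(ips) - len(public),
            # 1.0 means every public address is an anonymiser: geolocation is useless
            "tor_share": tor / len(public) if public else 0.0,
        }
    return out


def shared_addresses(records):
    """Public addresses used by more than one account: a pivot, not proof of identity."""
    users = {}
    for account, ips in parse(records).items():
        for ip in ips:
            if not is_internal(ip):
                users.setdefault(str(ip), set()).add(account)
    return {ip: sorted(accts) for ip, accts in users.items() if len(accts) > 1}


if __name__ == "__main__":
    for account, stats in profile(RECORDS, TOR_EXITS).items():
        print(account, stats)
    print("shared:", shared_addresses(RECORDS))
```

An account whose `tor_share` is 1.0 matches the "IP ranges solely" tunnel-vision warning: its address space describes the anonymiser, not the operator.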
Below is a list of customer email addresses, customer code names, customer names and connecting IP addresses. Researchers willing to receive the complete list are free to contact us.