Wednesday 22 July 2015

Deep dive into attribution trove of Hacking Team

Attribution is probably one of the toughest things to deal with during a major cyber security breach, yet it is one of the most demanded skills. In the earliest incident response cases, attribution was based solely on IP address location. Even though proxy servers have existed all along, individuals, companies and researchers could easily get away with this type of attribution.

Attribution and Advanced Persistent Threats

In recent years, and especially since the community started to attribute attacks to specific hacker groups by giving them a name, the ability to attribute cyber attacks has become a spearpoint for companies to showcase their skills. Often fashionable names were created; in other cases simply the abbreviation APT (Advanced Persistent Threat) with a number attached has been used to identify a specific hacker group.

Attribution is not easy; it can be based on all sorts of circumstantial evidence. As long as a unique, specific blueprint keeps popping up throughout the attack, you may be able to attribute it.
One thing most people tend to forget is that we live on a huge globe, with different continents, habits and completely different mindsets. Cyber attacks in Europe and America are completely different by nature from cyber attacks in the Asia Pacific region, let alone those from Russia.

Hacking Team

In order to help future attribution cases, we @RedSocks have decided to pinpoint as many specific details from the Hacking Team leak as possible, down to the slightest detail, in order to work out who is behind them.
What stands out most are the different ways in which specific parties maintain contact with Hacking Team. There are clients that do not really mind if their identity is known, clients that are in a hurry, and clients that care about their identity. A lot of Hacking Team's clients, for example, use Gmail, Yahoo and Outlook email addresses. Some clients even prefer to have contact only by phone, and others only via encrypted email.
It turns out a few (if not all) customers prefer to have their Collector server in their own home country.
Below we list some of these clients for whom we were able to pinpoint their Collector server:

  • 81.192.195.* – Morocco
  • 81.192.195.* – Morocco
  • 81.192.195.* – Morocco
  • 80.18.231.* – Italy
  • 202.131.234.* – Mongolia
  • 190.242.96.* – Colombia
  • 95.59.26.* – Kazakhstan
  • 175.143.78.* – Malaysia

The massive Hacking Team leak allowed us to gain insight into the client infrastructure of Hacking Team. The Hacking Team company used various anonymizers; you can find them in our previous post on Hacking Team.

At the bottom of this blog post is a list of associated Hacking Team Collector server anonymizers and connected email addresses. These details should give researchers the ability to gather valuable information about current and future APT groups, their tool sets, IP ranges, capabilities and motives.
We have highlighted some for you:

The Russian customer KVANT. This customer is associated with the following two email addresses:

  • kachalin@advancedmonitoring.ru
  • kachalin@infotecs.ru

But it is also associated with this email address:

  • johnd123@yandex.ru

JohnD here could be a reference to the placeholder name John Doe.
This specific customer connected from the Russian IP address
An IP address known to be a Bitcoin seed node.
Below is a screenshot this customer sent to Hacking Team for debugging purposes.

Officially, Hacking Team sold its wares to a company called “Advanced Monitoring”, whose corporate parent has a license to work with the FSB, as recently as August 28, 2014.

The 5163 Army Division customer
This customer was one of the most active users. It is associated with the email address:
It has connected from at least 109 different IP addresses in at least 15 different countries, all of them Tor exit nodes. This customer clearly had good operational security in place to hide its true location on the internet.
This customer used a large variety of VPS infrastructure to infect its targets:

  • DE –
  • DE –
  • CZ –
  • CZ –
  • NL –
  • NL –
  • DE –
  • RU –
  • US –

The 5163 Army Division is thought to be a front office of the National Intelligence Service of South Korea.

Kevin White
It turns out there is a customer known by the abbreviation MOI. This user has used the following email addresses:

  • kevinwhite432@hotmail.com
  • kevinwhite4456@mail.com
  • kwhite@lelantos.org

This customer also consistently connected through the Tor network. The @lelantos.org email address belongs to a secure anonymous email provider that is only accessible through Tor.
The operational security of this customer turned out to be excellent.
This customer infected its targets through Word documents that mimicked documents from the “United Nations Human Rights Council” (UNHCR) and the “Revolutionary Front in Defence of the People’s Rights” (RFDPD) from Brazil.

Thus far we have not been able to identify this customer.

Intech Solutions
Last but not least, we have the customer Intech Solutions.
Associated company domains for this customer are:

  • lea-consult.de
  • intech-solutions.de

Intech Solutions appears to be a customer from Germany, but it turns out this customer is a reseller.
Intech Solutions services its customers from three different geographical locations:

  • Luxembourg –
  • Germany – 188.210.58.*
  • Lebanon –

Based on several documents, we believe Intech Solutions is serving two customers.

  • The Secret Service of Luxembourg, codenamed Falcon.
  • The Iraqi Government, codenamed Condor.

The Falcon customer is mainly interested in the Network Injector capabilities of Hacking Team’s RCS while the Condor customer uses the following links related to the infection of its targets:

  • http://www.kurdistanpost.com
  • http://www.iraqinews.com/tag/mosul/
  • http://www.iraq-businessnews.com/tag/sulaymaniyah/
  • http://www.breakingnews.com/topic/sulaimania-as-sulaymaniyah-iq/
  • http://www.iran-daily.com/News/111959.html
  • http://www.iraqinews.com/iraq-war/security-forces-liberate-hamrin-mountains/
  • http://www.iraqinews.com/iraq-war/exclusive-photos-army-volunteer-fighters-heading-tikrit/
  • http://www.iraqinews.com/iraq-war/salahuddin-security-committee-denies-finding-survivors-camp-speicher-massacre/
  • http://www.iraqinews.com/features/barzani-asks-pope-urge-international-community-provide-assistance-kurdistans-displaced/
  • http://www.iraqinews.com/iraq-war/1103-iraqis-killed-2280-injured-february-says-un/

To sum up, some very specific characteristics can be noticed during an attack. I have written down those that can help you, and others that can easily cause tunnel vision and should therefore be given less weight.

Helpful characteristics:

  • New malware strains, from the same source code
  • Lateral movement characteristics
  • Reconnaissance characteristics
  • Persistence/Backdoor characteristics
  • Connecting IP space
  • Plurality of IP series
  • Amount of concurrent (active) backdoor connections
  • Routine of instructions
  • Batch/Script files used and purpose of those
  • Favorite tools from common open source tool sets
  • Entry point details (hacked, bought, bought in underground, hijacked, stolen)
  • Sophistication of malware (sole purpose, modular, ease of creation)
  • Possible motives
  • Compilation time stamps

Tunnel vision:

  • Specifically attributed known malware (could be re-used)
  • IP ranges alone
  • Strings in malware
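As an added illustration (not part of the original post), the following Python script applies three of the helpful characteristics above, connecting IP space, plurality of IP series and the use of webmail addresses, to customer login records in the way the customer profiles in this post were built, with the all-Tor case of the 5163 Army Division as one extreme. All code names, addresses, IPs and the Tor exit list are constructed placeholders, not values from the leak.

```python
from collections import defaultdict

# Webmail providers the post singles out (Gmail, Yahoo, Outlook) plus two other free ones.
WEBMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "mail.com"}

# Constructed sample data, NOT records from the leak:
# (customer code name, contact e-mail, source IP, country of that IP).
LOGINS = [
    ("ALPHA", "ops@alpha.example", "198.51.100.7", "DE"),
    ("ALPHA", "ops@alpha.example", "198.51.100.9", "DE"),
    ("BRAVO", "bravo9921@gmail.com", "203.0.113.5", "NL"),
    ("BRAVO", "bravo9921@gmail.com", "203.0.113.77", "CZ"),
    ("BRAVO", "bravo9921@gmail.com", "192.0.2.44", "US"),
    ("CHARLIE", "c@charlie.example", "192.0.2.10", "IT"),
    ("CHARLIE", "charlie@tutanota.example", "203.0.113.5", "NL"),
]
# Constructed stand-in for a real Tor exit-node feed.
TOR_EXITS = {"203.0.113.5", "203.0.113.77", "192.0.2.44"}


def classify(profile):
    """Coarse operational-security label derived from one customer's profile."""
    if profile["tor_share"] == 1.0:
        return "hidden"    # every login via a Tor exit: origin not recoverable from IPs
    if profile["tor_share"] == 0.0 and profile["distinct_countries"] == 1:
        return "exposed"   # stable, non-anonymised IP space in a single country
    return "mixed"


def profile_customers(logins, tor_exits):
    """Per customer: connecting IP space, country spread, Tor share, webmail use."""
    ips, countries, mails = defaultdict(set), defaultdict(set), defaultdict(set)
    for code, mail, ip, cc in logins:
        ips[code].add(ip)
        countries[code].add(cc)
        mails[code].add(mail.rsplit("@", 1)[1].lower())
    profiles = {}
    for code, addrs in ips.items():
        tor_hits = sum(1 for ip in addrs if ip in tor_exits)
        profiles[code] = {
            "distinct_ips": len(addrs),
            "distinct_countries": len(countries[code]),
            "tor_share": tor_hits / len(addrs),
            "webmail": bool(mails[code] & WEBMAIL_DOMAINS),
        }
        profiles[code]["opsec"] = classify(profiles[code])
    return profiles


if __name__ == "__main__":
    for code, profile in sorted(profile_customers(LOGINS, TOR_EXITS).items()):
        print(code, profile)
```

The "hidden" label is the situation described for the 5163 Army Division and MOI customers: many IPs, many countries, nothing but Tor exits, so the IP space alone says nothing about the true origin.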

Below is a list of customer email addresses, customer code names, customer names and connecting IP addresses. Researchers wishing to receive the complete list are free to contact us.


Author Rickey Gevers

Chief Intelligence Officer RedSocks BV