Deep dive into attribution trove of Hacking Team

Pierluigi Paganini July 22, 2015

This post was written by the security experts and colleagues at RedSocks, who explored the question of attribution for the Hacking Team data breach.

Attribution is probably one of the toughest things to deal with during a major cyber security breach, yet it is one of the most demanded skills. In the early incident response cases, attribution was based solely on the geolocation of an IP address. Even though proxy servers have existed all along, individuals, companies and researchers could easily get away with this type of attribution.

Attribution and Advanced Persistent Threats

In recent years, and especially since the community started to attribute attacks to specific hacker groups by giving them a name, the ability to attribute cyber attacks has become a spearhead for companies to showcase their skills. Often fashionable names were created; in other cases simply the abbreviation APT (Advanced Persistent Threat) followed by a number has been used to identify a specific hacker group.

Attribution is not easy; it is usually based on all sorts of circumstantial evidence. As long as one unique, specific blueprint keeps appearing throughout an attack, you can attribute that attack.
One thing most people forget is that we are living on a huge globe, with different continents, habits and completely different mindsets. Cyber attacks originating in Europe and America are completely different in nature from cyber attacks in the Asia Pacific region, let alone those from Russia.

Hacking Team

In order to help future attribution cases, we at RedSocks have decided to pinpoint as many specific details from the Hacking Team leak as possible, and to go into the smallest detail in pinpointing who is behind them.

What stands out most is the different ways in which specific parties maintain contact with Hacking Team. There are clients that don't really mind if their identity is known, clients that are in a hurry, and clients that care about their identity. A lot of Hacking Team's clients, for example, use Gmail, Yahoo and Outlook email addresses. Some clients even prefer to have contact only by phone, and others only via encrypted email.

It turns out that at least some (if not all) customers prefer to host their Collector server in their own home country.

Below we have mentioned some of these clients of whom we were able to pinpoint their Collector server:

  • 81.192.195.* – Morocco
  • 81.192.195.* – Morocco
  • 81.192.195.* – Morocco
  • 80.18.231.* – Italy
  • 202.131.234.* – Mongolia
  • 190.242.96.* – Colombia
  • 95.59.26.* – Kazakhstan
  • 175.143.78.* – Malaysia

The massive Hacking Team leak allowed us to gain insight into the client infrastructure of Hacking Team. Hacking Team used various anonymizers; you can find them in our previous post on Hacking Team.

At the bottom of this blog post is a list of associated Hacking Team Collector server anonymizers and connected email addresses. These details should give researchers the ability to gather valuable information about current and future APT groups, their tool sets, IP ranges, capabilities and motives. We have highlighted some for you:

KVANT
The Russian customer KVANT. This customer is associated with the following two email addresses:

But it is also associated with this email address:

"JohnD" here could be a reference to the placeholder name John Doe.

This specific customer connected from the Russian IP address
An IP address known to be a Bitcoin Seed node.
Below is a screenshot this customer sent to Hacking Team for debugging purposes.

Officially, Hacking Team sold its wares to a company called "Advanced Monitoring", whose corporate parent held a license to work with the FSB as recently as August 28, 2014.

The 5163 Army Division customer
This customer was one of the most active users and is associated with the email address:
[email protected]
It connected from at least 109 different IP addresses in at least 15 different countries. All of them were TOR exit nodes. It can be noted that this customer had good operational security in place to hide its real location on the internet.
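The check behind that observation, as an added example (this is not RedSocks' tooling and not Hacking Team code): take a customer's console login records, mark which source addresses are Tor exit nodes, and count the countries. The exit list and the GeoIP table are constructed stand-ins (the Tor Project publishes a real exit list, and a real GeoIP database would replace the dict), and every address is from the RFC 5737 documentation ranges, not from the leak. The field a practitioner cares about is the last one: a single login outside Tor is the lead that breaks otherwise good operational security.

```python
"""Added example: profile a customer's login addresses against a Tor exit list.

Assumptions (constructed for this example, not data from the leak):
  - TOR_EXITS is a set of exit-node IPv4 strings, as you would load from a
    downloaded exit list.
  - GEOIP maps CIDR -> ISO country code, standing in for a GeoIP database.
  - LOGINS are (timestamp, ip) records from an RCS console, using RFC 5737
    documentation addresses.
"""
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed stand-in for a downloaded Tor exit-node list.
TOR_EXITS = {"192.0.2.10", "192.0.2.11", "198.51.100.7", "203.0.113.42"}

# Constructed stand-in for a GeoIP lookup table (CIDR -> country code).
GEOIP = {
    "192.0.2.0/25": "DE",
    "192.0.2.128/25": "NL",
    "198.51.100.0/24": "CZ",
    "203.0.113.0/24": "US",
}

# Constructed console login records for one customer: (timestamp, source ip).
LOGINS = [
    ("2015-03-01T08:12:00Z", "192.0.2.10"),
    ("2015-03-02T09:40:00Z", "192.0.2.11"),
    ("2015-03-03T10:05:00Z", "198.51.100.7"),
    ("2015-03-04T11:30:00Z", "203.0.113.42"),
    ("2015-03-05T12:00:00Z", "192.0.2.130"),  # the one login that is not a Tor exit
]


def country_of(ip):
    """Longest-match is not needed here: the constructed table has no overlaps."""
    addr = ip_address(ip)
    for cidr, cc in GEOIP.items():
        if addr in ip_network(cidr):
            return cc
    return "??"


def profile_logins(logins, exits=TOR_EXITS):
    """Summarise a customer's operational security from its login addresses.

    Returns the number of distinct IPs, how many of them are Tor exits, the
    countries seen, whether every login came via Tor, and the non-Tor
    addresses, which are the ones worth following up for attribution.
    """
    ips = {ip for _, ip in logins}
    tor_ips = {ip for ip in ips if ip in exits}
    countries = Counter(country_of(ip) for ip in ips)
    return {
        "distinct_ips": len(ips),
        "tor_exit_ips": len(tor_ips),
        "all_via_tor": ips == tor_ips,
        "countries": dict(countries),
        "non_tor_ips": sorted(ips - tor_ips),
    }


if __name__ == "__main__":
    print(profile_logins(LOGINS))
```

Run against a real customer's login table, the interesting output is an empty `non_tor_ips` (the 5163 case above) versus a short list of addresses that deserve a closer look. A Tor exit list is a snapshot, so compare logins against the exit list from the same day where possible; an address that was an exit last year may be a normal host today.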

This customer was using a large variety of VPS infrastructure to infect its targets:

  • DE –
  • DE –
  • CZ –
  • CZ –
  • NL –
  • NL –
  • DE –
  • RU –
  • US –

The 5163 Army Division is thought to be a front for the National Intelligence Service of South Korea.

Kevin White
It turns out there is a customer with the abbreviation MOI. This user has used the following email addresses:

This customer also consistently connected through the TOR network. Thus far we have not been able to identify this customer. The email address belongs to a secure anonymous email provider that is only accessible through Tor.

The operational security of this customer turned out to be excellent.

This customer was infecting its targets with Word documents that mimicked documents from the "United Nations Human Rights Council" (UNHCR) and the "Revolutionary Front in Defence of the People's Rights" (RFDPD) from Brazil.


Intech Solutions
Last but not least we have the customer Intech Solutions.
Associated company domains for this customer are:


Intech Solutions appears to be a customer from Germany, but it turns out this customer is a reseller.
Intech Solutions services its customers from three different geographical locations:

  • Luxembourg –
  • Germany – 188.210.58.*
  • Lebanon –

According to several documents, we believe Intech Solutions is serving two customers:

  • The Secret Service of Luxembourg, codenamed Falcon.
  • The Iraqi Government, codenamed Condor.

The Falcon customer is mainly interested in the Network Injector capabilities of Hacking Team's RCS, while the Condor customer uses the following links to infect its targets:

  • ttp://

To sum up, below are some very specific characteristics that can be observed during an attack and that help with attribution, followed by others that easily cause tunnel vision and should therefore be given less weight.

Attribution:

  • New malware strains built from the same source code
  • Lateral movement characteristics
  • Reconnaissance characteristics
  • Persistence/backdoor characteristics
  • Connecting IP space
  • Plurality of IP series
  • Number of concurrent (active) backdoor connections
  • Routine of instructions
  • Batch/script files used and their purpose
  • Favoured tools from common open-source tool sets
  • Entry point details (hacked, bought, bought in the underground, hijacked, stolen)
  • Sophistication of the malware (single purpose, modular, ease of creation)
  • Possible motives
  • Compilation time stamps

Tunnel vision:

  • Known malware already attributed to a specific group (it could be re-used)
  • IP ranges alone
  • Strings in malware

Below is a list of customer email addresses, customer code names, user names and connecting IP addresses (shown here as country codes). Each row reads: email address, customer code name, user name, and the country code of the connecting IP address or "Failed". Researchers who want to receive the complete list are free to contact us.

[email protected] ROS rosreptc
[email protected] CNI netsec ES
[email protected] MIMY batujem balapatik MY
[email protected] MIMY Alice Felistica Failed
[email protected] MIMY Arena MY
[email protected] MIMY eagle cobra Failed
[email protected] MIMY error 007 MY
[email protected] MKIH Gábor Farkas HU
[email protected] MKIH IntDiv Failed
[email protected] PCIT INFOP Failed
[email protected] PCIT Cesare Failed
[email protected] ROS Andrea Raffaelli Failed
[email protected] SKA devilangel CH
[email protected] UZC Josef Hrabec Failed
[email protected] UZC UZC Bull CZ
[email protected] UZC Tomas Hlavsa CZ
[email protected] INTECH Simon Thewes LU
[email protected] CBA KD PL
[email protected] CBA KD PL
[email protected] PMO Megat MY
[email protected] PP Alessandro Scagnetti IT
[email protected] INSA SW ET
[email protected] INSA Walcot Woly PY
[email protected] INSA Biniam Tewolde Failed
[email protected] KATIE Joshua HOLLISTER Failed
[email protected] KATIE Jonathan Leonhard Failed
[email protected] KATIE Brett Blackham Failed
[email protected] PHOEBE John Solano US
[email protected] PHOEBE James Houck US
[email protected] GEDP UIAPuebla MX
[email protected] GNSE Mohammed EG
[email protected] GNSE Ali Hussein 2 Failed
[email protected] TCC-GID Ahmed Al Masoud SA
[email protected] TCC-GID Sultan Alrashed SA
[email protected] NSS i.eugene UZ
[email protected] ALFAHAD miloudi franck MA
[email protected] CIS CSS CY
[email protected] CIS CSS CY
[email protected] CIS cis group Failed
[email protected] RCS Simone Cazzanti IT
[email protected] RCS Antonino Bonanno IT
[email protected] RCS Duilio Bianchi Failed
[email protected] CSDN HelpTeam66 MA
[email protected] KATIE Michael P. Casey CO
[email protected] KATIE Michael P. Casey CO
[email protected] NSS Jasurbek Khujaev UZ
[email protected] MKIH Janos Dankovics Failed
[email protected] MOACA ulziibadrakh MN
[email protected] MOACA Erkhembayar MN
[email protected] MOACA Erkhembayar MN
[email protected] MOACA davaadorj MN
[email protected] UZC Richard Hiller CZ
[email protected] MIMY tzm MY
[email protected] BHR Amo BH
[email protected] TCC-GID Walled Mohammed SA
[email protected] PEMEX Oscar Israel González MX
[email protected] SSPT Keila MX
[email protected] UZC Marek Bartos CZ
[email protected] PGJEM Miguel Angel Corral Failed
[email protected] PGJEM Ing. Carlos Rdz MX
[email protected] NISS-02 Abdullah SD
[email protected] PANP Teofilo Homsany Failed
[email protected] SDUC comunicaciones mexico MX
[email protected] EDQ Felipe Romero Sánchez MX
[email protected] PANP Teofilo PA
[email protected] EDQ Jaime Calderón MX
[email protected] SSNS E. Failed
[email protected] PCIT Laura IT
[email protected] KNB Astana Team KZ
[email protected] AZNS Test Wizard 003 AZ
[email protected] SEGOB Marco Antonio MX
[email protected] MKIH Gábor Farkas HU
[email protected] KVANT Peter RU
[email protected] PHOEBE John Amirrezvani US
[email protected] PHOEBE Pradeep Lal US
[email protected] SEPYF Dan. Moreno MX
[email protected] IDA 7S39831 SG
[email protected] MOI Kevin White LU
[email protected] MOI Kevin White LU
[email protected] MOI Kevin White LU
[email protected] SEPYF Juan US
[email protected] YUKI [email protected] MX
[email protected] ARIEL Ariel IT
[email protected] DUSTIN eduvagpo74 MX
[email protected] DUSTIN jrenato melendez MX
[email protected] NISS-01 Nizar SD
[email protected] DUSTIN Dan MX
[email protected] PGJEM Rigoberto Garcia Failed
[email protected] PGJEM Luis Díaz MX
[email protected] PGJEM Luis Díaz MX
[email protected] JASMINE Support MX
[email protected] MOD Magbool Failed
[email protected] MOD User_Mod_01 SA
[email protected] MOD User_Mod_02 SA
[email protected] UAEAF Akhtar Saeed Hashmi AE
[email protected] UAEAF Syed Basar AE
[email protected] UAEAF UAEAF_user Failed
[email protected] UAEAF UAEAF_user1 AE
[email protected] UAEAF UAEAF_user2 AE
[email protected] HackingTeam Test Failed
[email protected] PHANTOM Jorge IT
[email protected] PHANTOM CC CL
[email protected] BSGO Anil Ajmani NG
[email protected] BSGO Hanan Dayan NG
[email protected] BSGO Haim Lewy Failed
[email protected] BSGO Bruegge Thor Failed
[email protected] SENAIN TRUST Failed
[email protected] SENAIN TRUST Failed
[email protected] PCIT Mauro Sorrento IT
[email protected] PP Francesco Sperandeo IT
[email protected] SIO Gruppo SIO x HT IT
[email protected] ROS Jacopo Cialli IT
[email protected] ROS Jacopo Cialli IT
[email protected] ROS Raffaele Gabrieli IT
[email protected] ROS Raffaele Gabrieli IT
[email protected] CSH Salvatore Macchiarella MT
[email protected] YUKI [email protected] MX
[email protected] VIKIS [email protected] VN
[email protected] MDNP Ricardo Periñan CO
[email protected] TNP TNP User TR
[email protected] THDOC NOC TH
[email protected] TNP-old tnp notcenter TR
[email protected] TNP-old Daniele Failed
[email protected] ZUEGG [email protected] CH
[email protected] MDNP Ricardo Periñan CO
[email protected] SCICO Pasquale D’Ambrosio IT
[email protected] SCICO Salvatore Galati IT
[email protected] SCICO Federico Speranza IT
[email protected] SCICO Giuseppe Della Cioppa IT
[email protected] SCICO Marco Bartiromo IT
[email protected] SCICO Diego Rappazzo IT
[email protected] VIKIS Support Team VN
[email protected] SEPYF SaidO MX
[email protected] DUSTIN SAIDO MX
[email protected] ORF cateringlllc OM
[email protected] PHANTOM Manuel IT
[email protected] PHANTOM Sergio CL
[email protected] GIP Nasser Asiri Failed
[email protected] HON SoporteHT.2015 HN
[email protected] HackingTeam Test Failed
[email protected] MACC Kamarul Zamani Failed
[email protected] MACC Zuriana MY
[email protected] MACC Zuriana MY
[email protected] BRENDA Suporte BR
[email protected] BRENDA gilberto BR
[email protected] CSH Salvatore Macchiarella MT
[email protected] TIKIT Takayama TH
[email protected] UZC Hrabec Josef Failed
[email protected] VIRNA Virna VN
[email protected] TREVOR ERDTECH EG
[email protected] DUSTIN Miguel Angel Renteria Failed

Author: Rickey Gevers, Chief Intelligence Officer, RedSocks BV

Pierluigi Paganini

(Security Affairs – Facebook, RedSocks)
