Pierluigi Paganini July 22, 2015

Thi post was written by the security experts and colleagues at RedSocks, they explored the argument of the “Attribution” for the Hacking Team data Breach.

Attribution is probably one of the toughest things to deal with during a major Cyber Security breach, yet it is one of the most demanded skills.Earlier in the first incident response cases, attribution was based solely on IP address location. Even though proxy servers have been there all along, individuals, companies and researchers could easily get away with this type of attribution.

Attribution and Advanced Persistent Threats

Since recent years, and especially since the community has started to attribute and specifically mention certain hacker groups by giving them a name, this ability to attribute cyber attacks has been a spear point for companies to showcase their skills. Often were fashionable names created and in other cases solely the abbreviation APT (Advance Persistent Threat), with a connecting number has been used to identify specific hacker groups.

Attribution is not easy, attribution can be based on all sorts of circumstantial evidence. As long as that unique specific blueprint pops up during the whole attack, you can be able to attribute an attack.
One thing most people often forget is that we are living on huge globe, with continents, habits and completely different mindsets. Cyber attacks in Europe and America are completely different by nature than cyber attacks in the Asia Pacific region and let alone from Russia.

Hacking Team

In order to help future attribution cases, we @RedSocks have decided to pinpoint all specific details from the Hacking Team leak as much as possible, and get to the slightest detail into pinpointing who is behind them.

What stands out most is the different use-cases you see in how specific parties are maintaining contact with hacking team. There are clients that don’t really mind if their identity is known, clients that are in a hurry, and clients that care about their identity. A lot of Hacking Teams clients for example use Gmail, Yahoo and Outlook email addresses. Some clients even prefer to only have contact by phone, and others only via encrypted email.

It turns out a few (if not all) customers prefer to have their Collector server in their own home country.

Below we have mentioned some of these clients of whom we were able to pinpoint their Collector server:

• 81.192.195.* – Morocco
• 81.192.195.* – Morocco
• 81.192.195.* – Morocco
• 80.18.231.* – Italy
• 202.131.234.* – Mongolia
• 190.242.96.* – Colombia
• 95.59.26.* – Kazakhstan
• 175.143.78.* – Malaysia

The massive Hacking Team leak allowed us to gain insight in the client infrastructure of Hacking Team. The Hacking Team company used various anonymizers and you can find them in our previous post on Hacking Team.

On the bottom of this blog post is a list of associated Hacking Team Collector server anonymizers and connected email addresses. These details should give researchers the ability to gather valuable information about current and future APT groups, their tool set, IP ranges, capabilities and motives.We have highlighted some for you:KVANT
The Russian customer KVANT. This customer is associated with the following two email addresses:

• [email protected]
• [email protected]

But it is also associated with this email address:

• [email protected]

JohnD here could be related to placeholder name John Doe.

This specific customer connected from the Russian IP address 193.232.60.234
An IP address known to be a Bitcoin Seed node.
Below is a screenshot this customer send to Hacking Team for debugging purpose.

Officially, Hacking Team sold its wares to a company called “Advanced Monitoring“, whose corporate parent has a license to work with the FSB, as recently as August 28, 2014.

The 5163 Army Division customer
This customer was one of the most active users, it is associated with the email address:
[email protected]
It has connected with at least 109 different IP addresses from at least 15 different countries. All of them where TOR exit nodes. It can be noted that this customer had good operational security in place in order to hide its original location on the internet.

This customer was using a large variety of VPS infrastructure to infect its targets:

• DE – 198.105.125.107
• DE – 198.105.125.108
• CZ – 198.105.122.117
• CZ – 198.105.122.118
• NL – 131.72.137.101
• NL – 131.72.137.104
• DE – 185.72.246.46
• RU – 46.38.63.194
• US – 162.216.7.167

The 5163 Army Division is thought to be the front office of National Intelligence Service of South Korea.

Kevin White
It turns out there is a customer by the abbreviation of MOI. This user has used the following email addresses:

• [email protected]
• [email protected]
• [email protected]

This customer also consequently connected through the TOR network. Thus far we have not been able to identify this customer. The email address @lelantos.org is from a secure anonymous email provider only accessible through Tor.

The operational security of this customer turned out to be excellent.

This customer was infecting its client through Word documents that mimicked documents from the “United Nations Human Rights Council” (UNHCR) and the “Revoltionary Front in Defence of the People’s Rights” (RFDPD) from Brasil.

We have not been able to identify this customer.

Intech Solutions
Last but not least we have the customer Intech Solutions.
Associated company domains for this customer are:

• lea-consult.de
• intech-solutions.de

Intech Solutions seems to be a customer from Germany but it turns out this customer is a reseller.
Intech Solutions is servicing its customers from three different geographical locations:

• Luxembourg – 188.115.16.82
• Germany – 188.210.58.*
• Lebanon – 77.246.76.211

According to several documents we believe Intech Solutions is serving two customers.

• The Secret Service of Luxembourg, codenamed Falcon.
• The Iraqi Government, codenamed Condor.

The Falcon customer is mainly interested in the Network Injector capabilities of Hacking Team’s RCS while the Condor customer uses the following links related to the infection of its targets:

• http://www.kurdistanpost.com
• http://www.iraqinews.com/tag/mosul/
• http://www.iraq-businessnews.com/tag/sulaymaniyah/
• http://www.breakingnews.com/topic/sulaimania-as-sulaymaniyah-iq/
• http://www.iran-daily.com/News/111959.html
• http://www.iraqinews.com/iraq-war/security-forces-liberate-hamrin-mountains/
• ttp://www.iraqinews.com/iraq-war/exclusive-photos-army-volunteer-fighters-heading-tikrit/
• http://www.iraqinews.com/iraq-war/salahuddin-security-committee-denies-finding-survivors-camp-speicher-massacre/
• http://www.iraqinews.com/features/barzani-asks-pope-urge-international-community-provide-assistance-kurdistans-displaced/
• http://www.iraqinews.com/iraq-war/1103-iraqis-killed-2280-injured-february-says-un/

Chief Intelligence Officer RedSocks BV