Deep dive into attribution trove of Hacking Team

Pierluigi Paganini July 22, 2015

This post was written by the security experts and colleagues at RedSocks, who explored the question of attribution for the Hacking Team data breach.

Attribution is probably one of the toughest things to deal with during a major cyber security breach, yet it is one of the most demanded skills. In the earliest incident response cases, attribution was based solely on the geolocation of IP addresses. Even though proxy servers have existed all along, individuals, companies and researchers could easily get away with this type of attribution.

Attribution and Advanced Persistent Threats

In recent years, and especially since the community started naming specific hacker groups, the ability to attribute cyber attacks has become a spearhead for companies to showcase their skills. Often fashionable names were created; in other cases just the abbreviation APT (Advanced Persistent Threat) followed by a number has been used to identify a specific group.

Attribution is not easy; it can be based on all sorts of circumstantial evidence. As long as a unique, specific fingerprint keeps showing up throughout the attack, you may be able to attribute it.
One thing most people forget is that we live on a huge globe, with different continents, habits and completely different mindsets. Cyber attacks in Europe and America are completely different in nature from cyber attacks in the Asia Pacific region, let alone from Russia.

Hacking Team

To help future attribution cases, we @RedSocks decided to pin down as many specific details from the Hacking Team leak as possible, down to the slightest detail that points to who is behind them.

What stands out most is the difference in how the various parties maintained contact with Hacking Team. There are clients that don’t really mind if their identity is known, clients that are in a hurry, and clients that care about their identity. Many of Hacking Team’s clients, for example, use Gmail, Yahoo and Outlook email addresses. Some clients even prefer to be contacted only by phone, and others only via encrypted email.

It turns out that several, if not all, customers prefer to have their Collector server in their own home country.

Below we list some of these clients whose Collector server we were able to pinpoint:

  • 81.192.195.* – Morocco
  • 81.192.195.* – Morocco
  • 81.192.195.* – Morocco
  • 80.18.231.* – Italy
  • 202.131.234.* – Mongolia
  • 190.242.96.* – Colombia
  • 95.59.26.* – Kazakhstan
  • 175.143.78.* – Malaysia

The massive Hacking Team leak allowed us to gain insight into the client infrastructure of Hacking Team. Hacking Team used various anonymizers; you can find them in our previous post on Hacking Team.
At the bottom of this blog post is a list of associated Hacking Team Collector server anonymizers and connected email addresses. These details should give researchers the ability to gather valuable information about current and future APT groups, their tool sets, IP ranges, capabilities and motives. We have highlighted some for you:

KVANT

The Russian customer KVANT is associated with the following two email addresses:

But it is also associated with this email address:

JohnD here could be related to the placeholder name John Doe.

This specific customer connected from the Russian IP address 193.232.60.234, an IP address known to be a Bitcoin seed node.
Below is a screenshot this customer sent to Hacking Team for debugging purposes.

Officially, Hacking Team sold its wares to a company called “Advanced Monitoring“, whose corporate parent has a license to work with the FSB, as recently as August 28, 2014.

The 5163 Army Division customer
This customer was one of the most active users. It is associated with the email address:
[email protected]
It connected from at least 109 different IP addresses in at least 15 different countries, all of them Tor exit nodes. This customer clearly had good operational security in place to hide its real location on the internet.

This customer used a wide variety of VPS infrastructure to infect its targets:

  • DE – 198.105.125.107
  • DE – 198.105.125.108
  • CZ – 198.105.122.117
  • CZ – 198.105.122.118
  • NL – 131.72.137.101
  • NL – 131.72.137.104
  • DE – 185.72.246.46
  • RU – 46.38.63.194
  • US – 162.216.7.167

The 5163 Army Division is thought to be a front for the National Intelligence Service of South Korea.

Kevin White
It turns out there is a customer known by the abbreviation MOI. This user used the following email addresses:

This customer also consistently connected through the Tor network. Thus far we have not been able to identify this customer. The @lelantos.org email address belongs to a secure anonymous email provider that is only accessible through Tor.

The operational security of this customer turned out to be excellent.

This customer infected its targets through Word documents that mimicked documents from the “United Nations Human Rights Council” (UNHCR) and the “Revolutionary Front in Defence of the People’s Rights” (RFDPD) from Brazil.

Intech Solutions
Last but not least there is the customer Intech Solutions.
Associated company domains for this customer are:

  • lea-consult.de
  • intech-solutions.de

Intech Solutions appears to be a German customer, but it turns out to be a reseller.
Intech Solutions serves its customers from three different geographical locations:

  • Luxembourg – 188.115.16.82
  • Germany – 188.210.58.*
  • Lebanon – 77.246.76.211

According to several documents, we believe Intech Solutions is serving two customers:

  • The Secret Service of Luxembourg, codenamed Falcon.
  • The Iraqi Government, codenamed Condor.

The Falcon customer is mainly interested in the Network Injector capabilities of Hacking Team’s RCS, while the Condor customer uses the following links to infect its targets:

  • http://www.kurdistanpost.com
  • http://www.iraqinews.com/tag/mosul/
  • http://www.iraq-businessnews.com/tag/sulaymaniyah/
  • http://www.breakingnews.com/topic/sulaimania-as-sulaymaniyah-iq/
  • http://www.iran-daily.com/News/111959.html
  • http://www.iraqinews.com/iraq-war/security-forces-liberate-hamrin-mountains/
  • http://www.iraqinews.com/iraq-war/exclusive-photos-army-volunteer-fighters-heading-tikrit/
  • http://www.iraqinews.com/iraq-war/salahuddin-security-committee-denies-finding-survivors-camp-speicher-massacre/
  • http://www.iraqinews.com/features/barzani-asks-pope-urge-international-community-provide-assistance-kurdistans-displaced/
  • http://www.iraqinews.com/iraq-war/1103-iraqis-killed-2280-injured-february-says-un/
To sum up, below are some very specific characteristics that can be observed during an attack and that help with attribution, followed by others that can easily cause tunnel vision and should therefore be given less weight.

Attribution:

  • New malware strains, from same source code
  • Lateral movement characteristics
  • Reconnaissance characteristics
  • Persistence/Backdoor characteristics
  • Connecting IP space
  • Number of distinct IP ranges used
  • Amount of concurrent (active) backdoor connections
  • Routine (order) of commands issued
  • Batch/Script files used and purpose of those
  • Favourite tools from common open source tool sets
  • Entry point details (hacked, bought, bought in underground, hijacked, stolen)
  • Sophistication of malware (sole purpose, modular, ease of creation)

Helpful:

  • Possible motives
  • Compilation time stamps

Tunnel vision:

  • Known malware previously attributed to a group (it could have been re-used)
  • IP ranges alone
  • Strings in malware
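Compilation time stamps are listed above as a helpful signal, and the reason they are only "helpful" and not an "Attribution" item is that the value is trivially forged or stripped. The following is an added example, not code from the RedSocks post: it reads the COFF TimeDateStamp out of a PE image and checks it against the time the sample was first seen. The three images are constructed minimal headers (DOS stub plus COFF header only), the first-seen time is a constructed observation, and the 1996 lower bound is an assumption.

```python
"""Extract a PE compile time stamp and sanity-check it against first-seen time.
Added example; the images below are constructed headers, not real samples."""
import struct
from datetime import datetime, timezone


def build_minimal_pe(timestamp):
    """Construct just enough of a PE file to carry a COFF TimeDateStamp."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (i386, EXECUTABLE|32BIT)
    coff = struct.pack("<HHIIIHH", 0x014C, 1, timestamp, 0, 0, 0, 0x0102)
    return dos + b"PE\0\0" + coff


def pe_timestamp(data):
    """Return the COFF TimeDateStamp (seconds since epoch) of a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # TimeDateStamp follows signature(4) + Machine(2) + NumberOfSections(2)
    return struct.unpack_from("<I", data, e_lfanew + 8)[0]


def assess_timestamp(ts, first_seen):
    """first_seen: epoch seconds when the sample was first observed in the wild."""
    if ts == 0:
        return "zeroed: stripped by the linker or wiped by the author; no signal"
    if ts > first_seen:
        return "future: 'built' after it was first seen, so the stamp is forged or the build clock is wrong"
    if ts < 820454400:  # 1996-01-01 UTC; assumed lower bound for a realistic build date
        return "implausibly old: treat as forged"
    built = datetime.fromtimestamp(ts, timezone.utc)
    return f"plausible: built {(first_seen - ts) // 86400} day(s) before first seen ({built:%Y-%m-%d %H:%M} UTC)"


def demo():
    first_seen = 1404000000  # constructed: sample first observed 2014-06-29 UTC
    images = {
        "sane": build_minimal_pe(1400000000),    # 2014-05-13, before first_seen
        "zeroed": build_minimal_pe(0),
        "forged": build_minimal_pe(1410000000),  # 2014-09-06, after first_seen
    }
    return {name: assess_timestamp(pe_timestamp(img), first_seen) for name, img in images.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:7} {verdict}")
```

The stamp is worth recording when several samples from the same actor cluster into a consistent working-hours pattern, which is why it sits under "Helpful"; on its own, a single value proves nothing, because anyone can set it with a hex editor.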

Below is a list of customer email addresses, customer code names, customer names and connecting IP addresses. Researchers wishing to receive the complete list are free to contact us.

[email protected] ROS rosreptc
[email protected] CNI netsec 81.171.69.48 ES
[email protected] MIMY batujem balapatik 203.121.55.92 MY
[email protected] MIMY Alice Felistica 172.20.20.182 Failed
[email protected] MIMY Arena 120.141.162.116 MY
[email protected] MIMY eagle cobra Failed
[email protected] MIMY error 007 118.101.201.251 MY
[email protected] MKIH Gábor Farkas 86.59.137.94 HU
[email protected] MKIH IntDiv Failed
[email protected] PCIT INFOP Failed
[email protected] PCIT Cesare 192.168.1.159 Failed
[email protected] ROS Andrea Raffaelli Failed
[email protected] SKA devilangel 176.10.99.202 CH
[email protected] UZC Josef Hrabec 172.20.20.188 Failed
[email protected] UZC UZC Bull 89.24.101.39 CZ
[email protected] UZC Tomas Hlavsa 195.39.62.66 CZ
[email protected] INTECH Simon Thewes 188.115.16.82 LU
[email protected] CBA KD 46.113.149.31 PL
[email protected] CBA KD 46.113.149.31 PL
[email protected] PMO Megat 210.186.148.113 MY
[email protected] PP Alessandro Scagnetti 80.19.234.18 IT
[email protected] INSA SW 213.55.96.10 ET
[email protected] INSA Walcot Woly 216.118.233.253 PY
[email protected] INSA Biniam Tewolde 172.20.20.188 Failed
[email protected] KATIE Joshua HOLLISTER Failed
[email protected] KATIE Jonathan Leonhard Failed
[email protected] KATIE Brett Blackham Failed
[email protected] PHOEBE John Solano 63.119.193.1 US
[email protected] PHOEBE James Houck 63.119.193.1 US
[email protected] GEDP UIAPuebla 200.57.119.167 MX
[email protected] GNSE Mohammed 41.33.151.149 EG
[email protected] GNSE Ali Hussein 2 172.20.20.188 Failed
[email protected] TCC-GID Ahmed Al Masoud 84.235.48.113 SA
[email protected] TCC-GID Sultan Alrashed 46.240.36.82 SA
[email protected] NSS i.eugene 195.69.188.250 UZ
[email protected] ALFAHAD miloudi franck 105.158.160.130 MA
[email protected] CIS CSS 81.4.182.50 CY
[email protected] CIS CSS 81.4.182.50 CY
[email protected] CIS cis group Failed
[email protected] RCS Simone Cazzanti 83.103.117.82 IT
[email protected] RCS Antonino Bonanno 83.103.117.82 IT
[email protected] RCS Duilio Bianchi 172.20.20.188 Failed
[email protected] CSDN HelpTeam66 41.248.191.71 MA
[email protected] KATIE Michael P. Casey 190.27.195.19 CO
[email protected] KATIE Michael P. Casey 190.27.195.19 CO
[email protected] NSS Jasurbek Khujaev 62.209.142.186 UZ
[email protected] MKIH Janos Dankovics Failed
[email protected] MOACA ulziibadrakh 202.131.234.114 MN
[email protected] MOACA Erkhembayar 202.131.234.114 MN
[email protected] MOACA Erkhembayar 202.131.234.114 MN
[email protected] MOACA davaadorj 202.131.235.214 MN
[email protected] UZC Richard Hiller 94.113.250.3 CZ
[email protected] MIMY tzm 175.143.78.14 MY
[email protected] BHR Amo 82.194.55.211 BH
[email protected] TCC-GID Walled Mohammed 84.235.48.113 SA
[email protected] PEMEX Oscar Israel González 189.204.10.202 MX
[email protected] SSPT Keila 201.144.150.206 MX
[email protected] UZC Marek Bartos 94.113.250.0 CZ
[email protected] PGJEM Miguel Angel Corral 187.188.106.19 Failed
[email protected] PGJEM Ing. Carlos Rdz 187.208.68.151 MX
[email protected] NISS-02 Abdullah 41.78.109.92 SD
[email protected] PANP Teofilo Homsany Failed
[email protected] SDUC comunicaciones mexico 187.134.90.81 MX
[email protected] EDQ Felipe Romero Sánchez 187.144.53.252 MX
[email protected] PANP Teofilo 190.32.195.84 PA
[email protected] EDQ Jaime Calderón 189.178.19.160 MX
[email protected] SSNS E. 37.220.245.170 Failed
[email protected] PCIT Laura 2.114.21.82 IT
[email protected] KNB Astana Team 89.218.64.46 KZ
[email protected] AZNS Test Wizard 003 109.235.193.83 AZ
[email protected] SEGOB Marco Antonio 187.217.80.174 MX
[email protected] MKIH Gábor Farkas 86.59.137.94 HU
[email protected] KVANT Peter 193.232.60.234 RU
[email protected] PHOEBE John Amirrezvani 63.119.193.1 US
[email protected] PHOEBE Pradeep Lal 65.211.76.176 US
[email protected] SEPYF Dan. Moreno 201.160.129.133 MX
[email protected] IDA 7S39831 180.255.20.96 SG
[email protected] MOI Kevin White 94.242.246.24 LU
[email protected] MOI Kevin White 94.242.246.24 LU
[email protected] MOI Kevin White 94.242.246.24 LU
[email protected] SEPYF Juan 167.160.116.219 US
[email protected] YUKI [email protected] 189.202.92.197 MX
[email protected] ARIEL Ariel 94.90.124.2 IT
[email protected] DUSTIN eduvagpo74 201.148.31.115 MX
[email protected] DUSTIN jrenato melendez 201.148.31.115 MX
[email protected] NISS-01 Nizar 41.78.111.67 SD
[email protected] DUSTIN Dan 200.77.198.212 MX
[email protected] PGJEM Rigoberto Garcia 172.16.1.5 Failed
[email protected] PGJEM Luis Díaz 189.253.103.167 MX
[email protected] PGJEM Luis Díaz 189.253.103.167 MX
[email protected] JASMINE Support 189.211.186.199 MX
[email protected] MOD Magbool 37.242.13.10 Failed
[email protected] MOD User_Mod_01 94.99.41.221 SA
[email protected] MOD User_Mod_02 185.23.124.138 SA
[email protected] UAEAF Akhtar Saeed Hashmi 86.96.99.238 AE
[email protected] UAEAF Syed Basar 176.205.10.181 AE
[email protected] UAEAF UAEAF_user Failed
[email protected] UAEAF UAEAF_user1 92.96.11.43 AE
[email protected] UAEAF UAEAF_user2 2.50.248.150 AE
[email protected] HackingTeam Test 192.168.100.239 Failed
[email protected] PHANTOM Jorge 151.48.150.70 IT
[email protected] PHANTOM CC 190.8.83.154 CL
[email protected] BSGO Anil Ajmani 41.206.1.5 NG
[email protected] BSGO Hanan Dayan 41.206.1.8 NG
[email protected] BSGO Haim Lewy 172.20.20.178 Failed
[email protected] BSGO Bruegge Thor 192.168.1.155 Failed
[email protected] SENAIN TRUST 181.198.76.18 Failed
[email protected] SENAIN TRUST 181.198.76.18 Failed
[email protected] PCIT Mauro Sorrento 2.114.21.82 IT
[email protected] PP Francesco Sperandeo 80.19.234.18 IT
[email protected] SIO Gruppo SIO x HT 2.228.15.130 IT
[email protected] ROS Jacopo Cialli 93.40.111.230 IT
[email protected] ROS Jacopo Cialli 93.40.111.230 IT
[email protected] ROS Raffaele Gabrieli 2.195.134.126 IT
[email protected] ROS Raffaele Gabrieli 2.195.134.126 IT
[email protected] CSH Salvatore Macchiarella 77.71.162.131 MT
[email protected] YUKI [email protected] 189.202.88.249 MX
[email protected] VIKIS [email protected] 183.91.15.102 VN
[email protected] MDNP Ricardo Periñan 190.255.40.77 CO
[email protected] TNP TNP User 84.51.32.10 TR
[email protected] THDOC NOC 203.149.47.18 TH
[email protected] TNP-old tnp notcenter 95.9.71.180 TR
[email protected] TNP-old Daniele 192.168.1.200 Failed
[email protected] ZUEGG [email protected] 195.162.166.11 CH
[email protected] MDNP Ricardo Periñan 190.255.40.77 CO
[email protected] SCICO Pasquale D’Ambrosio 2.228.110.165 IT
[email protected] SCICO Salvatore Galati 88.50.246.138 IT
[email protected] SCICO Federico Speranza 88.50.246.138 IT
[email protected] SCICO Giuseppe Della Cioppa 88.50.246.138 IT
[email protected] SCICO Marco Bartiromo 88.50.246.138 IT
[email protected] SCICO Diego Rappazzo 88.50.246.138 IT
[email protected] VIKIS Support Team 171.224.130.48 VN
[email protected] SEPYF SaidO 189.202.77.133 MX
[email protected] DUSTIN SAIDO 189.202.71.133 MX
[email protected] ORF cateringlllc 82.178.83.157 OM
[email protected] PHANTOM Manuel 151.48.150.70 IT
[email protected] PHANTOM Sergio 190.8.83.154 CL
[email protected] GIP Nasser Asiri 37.104.60.96 Failed
[email protected] HON SoporteHT.2015 190.109.192.194 HN
[email protected] HackingTeam Test 192.168.100.239 Failed
[email protected] MACC Kamarul Zamani Failed
[email protected] MACC Zuriana 110.159.6.122 MY
[email protected] MACC Zuriana 110.159.6.122 MY
[email protected] BRENDA Suporte 189.68.89.175 BR
[email protected] BRENDA gilberto 177.7.84.199 BR
[email protected] CSH Salvatore Macchiarella 77.71.162.131 MT
[email protected] TIKIT Takayama 110.78.165.114 TH
[email protected] UZC Hrabec Josef Failed
[email protected] VIRNA Virna 203.162.252.158 VN
[email protected] TREVOR ERDTECH 41.237.238.52 EG
[email protected] DUSTIN Miguel Angel Renteria Failed

Author: Rickey Gevers, Chief Intelligence Officer, RedSocks BV

Pierluigi Paganini

(Security Affairs – Facebook, RedSocks)


