Who's Behind the Syrian Electronic Army? - An OSINT Analysis

Continuing the "FBI Most Wanted Cybercriminals" series I've decided to continue providing actionable threat intelligence on some of the most prolific and wanted cybercriminals in the World through the distribution and dissemination of actionable intelligence regarding some of the most prolific and wanted cybercriminals.

Following a series of high-profile Web site defacement and social media attack campaigns largely relying on the utilization of good-old-fashioned social engineering attack campaigns - it appears that the individuals behind the Syrian Electronic Army are now part of FBI's Most Wanted Cyber Watch List which means that I've decided to conduct an OSINT analysis further sharing actionable intelligence behind the group operators with the idea to assist law enforcement and the U.S Intelligence Community with the necessary data which could lead to a successful tracking down and prosecution of the team behind these campaigns.

In this post I'll provide actionable intelligence on the group behind the Syrian Electronic Army including actionable intelligence on the infrastructure on some of their most prolific social engineering driven campaigns.

Sample Personal Photo of Ahmad Al Agha:

Sample Personal Photo of Firas Nur Al Din Dardar:

Sample Web Site Defacement Screenshot courtesy of "The Shadow":

Sample Screenshots of the Syrian Electronic Army Web Site Defacement Activity:

Related domains known to have participated in the campaign:
hxxp://quatar-leaks.com
hxxp://net23.net
hxxp://secureids.washpost.net23.net
hxxp://mail.hrw.net84.net
hxxp://soul.websitewelcome.com
hxxp://blog.conservatives.com/wp=content/uploads/cnn.php
hxxp://ikhwansuez.net/cnn.php
hxxp://klchr-pshr.com/bo.php
hxxp://gloryshipsghana.com/wh.php
hxxp://centriplant-dev.coreware.co.uk/wp-content/blogs.dir/ob.php
hxxp://deliveryroutes.co.uk/ch.php
hxxp://sws-schulen.de/gn.php
hxxp://sws-schulen.de/ut.php
hxxp://kulalars.com/jwt.php
hxxp://karisdiscounts.com/nasa.php

Related IPs known to have participated in the campaign:
hxxp://91.144.20.76
hxxp://194.58.88.156
hxxp://88.212.209.102
hxxp://141.105.64.37
hxxp://213.178.227.152
hxxp://82.137.248.2
hxxp://82.137.200.5
hxxp://94.252.249.94
hxxp://5.149.101.187
hxxp://82.137.248.3
hxxp://76.73.101.180
hxxp://82.137.248.3
hxxp://81.137.248.4
hxxp://82.137.248.5
hxxp://82.137.248.6
hxxp://91.144.18.219
hxxp://178.52.134.163
hxxp://78.46.142.27/~WH
hxxp://78.46.142.27/~syrian
hxxp://46.17.103.125
hxxp://46.57.135.14
hxxp://188.139.245.9
hxxp://82.137.250.235

Social Media Accounts:
hxxp://twitter.com/Official_SEA
hxxp://twitter.com/ThePro_Sy
hxxp://instagram.com/official_sea3/
hxxp://pinterest.com/officialsea/
hxxp://www.facebook.com/sea.theshadow.716
hxxp://linkedin.com/pub/th3pr0-sea
hxxp://plus.google.com/116471187595315237633
hxxp://flickr.com/photos/th3pr0
hxxp://foursquare.com/user/29524714

Skype account IDs known to have participated in the campaign: 
syria.sec
koteba63
koteba
sea.shadow3
the.shadow21
tiger.white20
nana.saifo10
nana.saifo

Related emails known to have participated in the campaign:
th3pr0123-ap2@gmail.com
th3pr0123@gmail.com
whitehouse-online@hotmail.com
whitehouse_online@hotmail.com
sea.the.shadow@gmail.com
leakssyrianesorg@gmail.com
leaks.syrianes.org@gmail.com
syrian.es.sy@gmail.com
syrianessy@gmail.com
sea.wr4th@gmail.com
pr0@hotmail.nl
sy@hotmail.com
sy34@msn.com
killboy-1994@hotmail.com
jl0@hotmail.com
cf3@hotmail.com
zq9@msn.com
doom.ceasar@gmail.com
y8p@hotmail.com
rq1@hotmail.com
cf3@hotmail.com
wassemkortab@yahoo.com
sf0725zq0330@dressmall.com
adam.magdissi@hotmail.com
bf6@hotmail.es
b-6f@hotmail.com
bg_@hotmail.com
asdelylord@hotmail.com
i-8u@hotmail.com
b-8q@hotmail.com
tiger.tiger248@gmail.com
nagham_saifo@hotmail.com
edwinjouhansyah@gmail.com
sea.coders@hotmail.com

We'll continue monitoring the campaign and post updates as soon as new developments take place. Continue reading →

Exposing Bulgaria's Largest Data Leak - An OSINT Analysis

I've recently came across to a news article detailing the recently leaked Bulgaria NAP records database and I decided to take a closer look. What does this leak basically constitute? Basically the attacker managed to compromise the security of the Web Site basically leading to a successful extraction of a decent-portion of data which could basically constitute a leak.

NOTE: The data in this analysis has been obtained using public sources.



In this post I'll profile a novice Bulgaria-based cybercriminal that basically managed to obtain access to the database and shared it within several cybercrime-friendly forum communities making it publicly accessible including an in-depth overview of TAD Group which is basically a Bulgaria-based penetration testing company.




Real Name: Daniel Ganchev - Email: daniel.ganchev@abv.bg

Sample URL of the cybercriminal involved in the campaign:
hxxp://instakilla.com/ - Email: wp@instakilla.com; info@instakilla.com

Instagram Account: hxxp://www.instagram.com/instakilla_/

Bitcoin address used in the campaign: 3Ex6LeHorgRjkBmws4SsRZ3FXSJDXk5FhP

Sample additional domain known to have been used by the same individual: hxxp://209.250.232.143

Related URLs known to have participated in the campaign:
https://instakilla.com/5k.txt
https://instakilla.com/teaser.txt

Sample Screenshot of the Original Letter Send to Journalists:

Let's take a closer look at the Bulgaria-based TAD-Group is basically a well-known penetration testing company currently running Bulgaria's largest and most popular hacking forum community - hxxp://www.xakep.bg which was recently blamed for Bulgaria's largest database leak in particular its founders and several employees in the context of performing an OSINT analysis basically highlighting some of the key functions of the company and its involvement in the incident.

Sample Company Logo:

Sample Hacking Forum Logo:

Sample Exploits Developed courtesy of the founder of the group:

Sample Photos of TAD Group Employees:

Sample TAD Group Photos:

Related personally identifiable information of TAD members:

Real Name: Ivan Todorov

Email: todorov_i@tadgroup.com; todorov_i@subway.bg

Related social network accounts:

hxxp://github.com/chapoblan

hxxp://www.facebook.com/chapoblan/

Sample Bulgaria Leaked Database URL:

hxxp://uploadfiles.io/s1p3gzh8

Sample Email known to have been used in the campaign:

Email: minfin_leak@yandex.ru

Sample MD5 known to have been used in the campaign:

MD5: 3125f2f04d3bac84c418ceb321959aba

It's also worth pointing out that I've managed to come across to a fraudulent proposition courtesy of the hxxp://www.xakep.bg cybercrime-friendly forum community with the cybercriminal behind it currently soliciting managed hacker-for-hire type of services.

Sample screenshots courtesy of the service:

We'll be keeping an eye on the campaign and we'll post updates as soon as new developments take place.

Continue reading →

$960M and the FBI's Art of Branding Insecurity

In previous posts "Are cyber criminals or bureaucrats the industry's top performer?", and "Insiders - insights, trends and possible solutions" I emphasized on how bureaucracy results in major insecurities, and provided further info on various issues related to insiders and risk management solutions -- ones the FBI is obviously far from implementing given the access control issues they have in place. It seems like two years ago, a Consultant Breached FBI's Computers :

"A government consultant, using computer programs easily found on the Internet, managed to crack the FBI's classified computer system and gain the passwords of 38,000 employees, including that of FBI Director Robert S. Mueller III. The break-ins, which occurred four times in 2004, gave the consultant access to records in the Witness Protection Program and details on counterespionage activity, according to documents filed in U.S. District Court in Washington. As a direct result, the bureau said it was forced to temporarily shut down its network and commit thousands of man-hours and millions of dollars to ensure no sensitive information was lost or misused."

How he did it? With access to hashes and 90 days password expiration period, he had all the time in the world, excluding the fact that according to the article a FBI agent even game him his password.

Passwords are a hot topic, and so are the insecurities posed by them. Moreover, spending near $1B for a non-existent case system, while dealing with access control issues is rather unserious for thought to be serious institution -- have you guys considered an open source alternative? You wouldn't come across lots of developers with top-secret clearances applying for the top, but obviously a top-secret clearance cannot prevent insider behavior as well. Continue reading →

In between the lines of personal and sensitive information

In a previous post, "Give it back!" I mentioned the ongoing re-classification of declassified information and featured some publicly known sources for information on government secrecy. Today I came across to a news item relating to the topic in another way, "States Removing Personal Data from Official Web Sites", more from the article :



"At least six states use redaction software, which digitally erases information. It can be tailored to excise nine-digit entries such as SSNs. Chips Shore, circuit court clerk for Florida's Manatee County, removed SSNs and bank account numbers from 3 million public records on the Web site. Another 2.5 million court records were redacted before going online."



That's an interesting way to fight the problem from the top of it, namely personal data security breaches that never stop growing, but I wish they came up with the practice either by default years ago, or understand today's dynamics of the threat. Even if they start implementing this on a wide scale, it doesn't mean identity theft would stop occuring, or that phishing attacks wouldn't trick them into giving the complete details. Having implemented a process for securely storing, accessing and trasfering such sensitive customers' bank data, often results in complexities, but using "redaction software" when you can actually take advantage of a risk management solution, isn't the smartest move here -- yet again that's the effect of today's dynamics and ever-changing attack vectors. What's the point of putting so much efforts into sanitizing the data before going online with it, when an outsourcer, or an employee whose responsibilities include working with it will somehow expose it?


Wait, forgot the naive customer who's still taking all the phishing emails received "personally". Don't think SSNs and bank accounts "redaction", but insiders and storage/database security.

In respect to removing sensitive information from the Web, I feel the unability of successfully classifying information and balancing the accountability in front of society to a certain extend, generates contradictive responses. If you try to take down a document that has been somehow listed on the Internet or available in digital format, what you're doing is actually inspiring people to disseminate it, that include news agencies as well, so make sure it doesn't appear there at the first place. Recent cases such as these :

"DOD removes missile defense system report from Web site"
"NORAD orders Web deletion of transcript"
"Air Force One data removed from Web Site revealed details of security measures on president's jets"
"Leaks of Military Files Resume"



bring more insights on the issue. It is well known that the entire Chinese information warfare doctrine is backed up by the NCW visions of U.S's military -- they still have Sun Tzu's legacy though -- and that Al Qaeda's manuals actually quote U.S military's documents. If you know what exactly you're looking for, you will find it one way or another, just make sure information-sharing doesn't end up as an information leakage event.



Going beyond achieving the balance between usability, accountability, and secrecy, I also feel that disinformation and deception are reasonably taking place as well, given the reader is actually identified and consequently influenced. Continue reading →