Sunday, July 28, 2019

Who's Behind the Syrian Electronic Army? - An OSINT Analysis

Continuing the "FBI Most Wanted Cybercriminals" series, I've decided to keep providing actionable threat intelligence on some of the most prolific and wanted cybercriminals in the world.

Following a series of high-profile Web site defacement and social media attack campaigns that relied largely on good-old-fashioned social engineering, the individuals behind the Syrian Electronic Army are now on the FBI's Most Wanted Cyber Watch List. I've therefore decided to conduct an OSINT analysis and share actionable intelligence on the group's operators, with the aim of assisting law enforcement and the U.S Intelligence Community with data that could lead to the successful tracking down and prosecution of the team behind these campaigns.

In this post I'll provide actionable intelligence on the group behind the Syrian Electronic Army, including the infrastructure behind some of their most prolific social engineering driven campaigns.

Sample Personal Photo of Ahmad Al Agha:

Sample Personal Photo of Firas Nur Al Din Dardar:

Sample Web Site Defacement Screenshot courtesy of "The Shadow":

Sample Screenshots of the Syrian Electronic Army Web Site Defacement Activity:

Related domains known to have participated in the campaign:
hxxp://quatar-leaks.com
hxxp://net23.net
hxxp://secureids.washpost.net23.net
hxxp://mail.hrw.net84.net
hxxp://soul.websitewelcome.com
hxxp://blog.conservatives.com/wp=content/uploads/cnn.php
hxxp://ikhwansuez.net/cnn.php
hxxp://klchr-pshr.com/bo.php
hxxp://gloryshipsghana.com/wh.php
hxxp://centriplant-dev.coreware.co.uk/wp-content/blogs.dir/ob.php
hxxp://deliveryroutes.co.uk/ch.php
hxxp://sws-schulen.de/gn.php
hxxp://sws-schulen.de/ut.php
hxxp://kulalars.com/jwt.php
hxxp://karisdiscounts.com/nasa.php

Related IPs known to have participated in the campaign:
hxxp://91.144.20.76
hxxp://194.58.88.156
hxxp://88.212.209.102
hxxp://141.105.64.37
hxxp://213.178.227.152
hxxp://82.137.248.2
hxxp://82.137.200.5
hxxp://94.252.249.94
hxxp://5.149.101.187
hxxp://82.137.248.3
hxxp://76.73.101.180
hxxp://82.137.248.3
hxxp://81.137.248.4
hxxp://82.137.248.5
hxxp://82.137.248.6
hxxp://91.144.18.219
hxxp://178.52.134.163
hxxp://78.46.142.27/~WH
hxxp://78.46.142.27/~syrian
hxxp://46.17.103.125
hxxp://46.57.135.14
hxxp://188.139.245.9
hxxp://82.137.250.235

Social Media Accounts:
hxxp://twitter.com/Official_SEA
hxxp://twitter.com/ThePro_Sy
hxxp://instagram.com/official_sea3/
hxxp://pinterest.com/officialsea/
hxxp://www.facebook.com/sea.theshadow.716
hxxp://linkedin.com/pub/th3pr0-sea
hxxp://plus.google.com/116471187595315237633
hxxp://flickr.com/photos/th3pr0
hxxp://foursquare.com/user/29524714

Skype account IDs known to have participated in the campaign: 
syria.sec
koteba63
koteba
sea.shadow3
the.shadow21
tiger.white20
nana.saifo10
nana.saifo

Related emails known to have participated in the campaign:
th3pr0123-ap2@gmail.com
th3pr0123@gmail.com
whitehouse-online@hotmail.com
whitehouse_online@hotmail.com
sea.the.shadow@gmail.com
leakssyrianesorg@gmail.com
leaks.syrianes.org@gmail.com
syrian.es.sy@gmail.com
syrianessy@gmail.com
sea.wr4th@gmail.com
pr0@hotmail.nl
sy@hotmail.com
sy34@msn.com
killboy-1994@hotmail.com
jl0@hotmail.com
cf3@hotmail.com
zq9@msn.com
doom.ceasar@gmail.com
y8p@hotmail.com
rq1@hotmail.com
cf3@hotmail.com
wassemkortab@yahoo.com
sf0725zq0330@dressmall.com
adam.magdissi@hotmail.com
bf6@hotmail.es
b-6f@hotmail.com
bg_@hotmail.com
asdelylord@hotmail.com
i-8u@hotmail.com
b-8q@hotmail.com
tiger.tiger248@gmail.com
nagham_saifo@hotmail.com
edwinjouhansyah@gmail.com
sea.coders@hotmail.com
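The indicator lists above are defanged with the hxxp:// convention and mix bare hosts, full URLs, e-mail addresses and a few duplicate entries. As an added example that is not part of the original post, the following Python script normalizes such a list so it can be loaded into a blocklist or a SIEM watchlist without hand editing: it refangs each entry, classifies it as an IPv4 address, URL, domain or e-mail address, validates it, and drops duplicates. The sample input reuses a handful of entries from the lists above plus one constructed junk line; the function names are my own.

```python
"""Normalize a defanged indicator list of the kind published in the post above.

Added example (not the author's own code): refang hxxp:// prefixes, classify
each entry, validate it, and drop duplicates so the list can be consumed by
a blocklist or watchlist loader.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Sample input: a few entries copied from the indicator lists in the post
# above, two of them repeated, plus one constructed line that is not an
# indicator at all.
SAMPLE_INDICATORS = """
hxxp://quatar-leaks.com
hxxp://blog.conservatives.com/wp=content/uploads/cnn.php
hxxp://91.144.20.76
hxxp://78.46.142.27/~WH
hxxp://82.137.248.3
hxxp://82.137.248.3
th3pr0123@gmail.com
cf3@hotmail.com
cf3@hotmail.com
not an indicator
"""

EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([A-Za-z0-9-]{1,63}\.)+[A-Za-z]{2,63}$")


def refang(value: str) -> str:
    """Undo the common defanging substitutions: hxxp://, [.] and (.)."""
    value = value.strip()
    value = re.sub(r"^hxxp(s?)://", r"http\1://", value, flags=re.IGNORECASE)
    return value.replace("[.]", ".").replace("(.)", ".")


def classify(value: str):
    """Return (kind, normalized_value); kind is None if nothing matches."""
    v = refang(value)
    if EMAIL_RE.match(v):
        return "email", v.lower()
    if v.lower().startswith(("http://", "https://")):
        parts = urlsplit(v)
        # A bare scheme plus host with no path is really a host indicator,
        # which is how the post lists its IP addresses.
        if parts.path in ("", "/") and not parts.query:
            v = parts.hostname or ""
        else:
            return "url", v
    try:
        ipaddress.IPv4Address(v)  # raises ValueError on anything else
        return "ipv4", v
    except ValueError:
        pass
    if DOMAIN_RE.match(v):
        return "domain", v.lower()
    return None, value.strip()


def normalize_indicators(text: str) -> dict:
    """Parse a newline-separated list into {kind: sorted unique values}.

    Lines that don't validate are collected under 'unrecognized' rather than
    silently dropped, so a typo in a feed is noticed instead of ignored.
    """
    buckets = {}
    seen = set()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        kind, val = classify(line)
        key = kind or "unrecognized"
        if (key, val) in seen:
            continue
        seen.add((key, val))
        buckets.setdefault(key, []).append(val)
    return {k: sorted(v) for k, v in buckets.items()}


if __name__ == "__main__":
    for kind, values in normalize_indicators(SAMPLE_INDICATORS).items():
        print(kind)
        for v in values:
            print("   ", v)
```

Unrecognized lines are kept in their own bucket on purpose: an indicator that fails validation usually means a transcription error in the feed, and the analyst should see it rather than have it vanish from the blocklist.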

We'll continue monitoring the campaign and post updates as soon as new developments take place.

Saturday, July 27, 2019

Exposing Bulgaria's Largest Data Leak - An OSINT Analysis

I recently came across a news article detailing the leaked Bulgaria NAP records database and decided to take a closer look. What does this leak constitute? The attacker managed to compromise the security of the Web site, leading to the successful extraction of a sizeable portion of its data, which is what constitutes the leak.

NOTE: The data in this analysis has been obtained using public sources.



In this post I'll profile a novice Bulgaria-based cybercriminal who managed to obtain access to the database and shared it within several cybercrime-friendly forum communities, making it publicly accessible, and I'll include an in-depth overview of TAD Group, a Bulgaria-based penetration testing company.




Real Name: Daniel Ganchev - Email: daniel.ganchev@abv.bg

Sample URL of the cybercriminal involved in the campaign:
hxxp://instakilla.com/ - Email: wp@instakilla.com; info@instakilla.com

Instagram Account: hxxp://www.instagram.com/instakilla_/

Bitcoin address used in the campaign: 3Ex6LeHorgRjkBmws4SsRZ3FXSJDXk5FhP

Sample additional domain known to have been used by the same individual: hxxp://209.250.232.143

Related URLs known to have participated in the campaign:
https://instakilla.com/5k.txt
https://instakilla.com/teaser.txt

Sample Screenshot of the Original Letter Sent to Journalists:


Let's take a closer look at the Bulgaria-based TAD Group, a well-known penetration testing company that currently runs Bulgaria's largest and most popular hacking forum community, hxxp://www.xakep.bg, and which was recently blamed for Bulgaria's largest database leak, in particular its founders and several employees. The OSINT analysis below highlights some of the key functions of the company and its involvement in the incident.

Sample Company Logo:

Sample Hacking Forum Logo:

Sample Exploits Developed courtesy of the founder of the group:

Sample Photos of TAD Group Employees:

Sample TAD Group Photos:

Related personally identifiable information of TAD members:
Real Name: Ivan Todorov
Email: todorov_i@tadgroup.com; todorov_i@subway.bg

Related social network accounts:
hxxp://github.com/chapoblan
hxxp://www.facebook.com/chapoblan/

Sample Bulgaria Leaked Database URL:
hxxp://uploadfiles.io/s1p3gzh8

Sample Email known to have been used in the campaign:
Email: minfin_leak@yandex.ru

Sample MD5 known to have been used in the campaign:
MD5: 3125f2f04d3bac84c418ceb321959aba

It's also worth pointing out that I've come across a fraudulent proposition on the hxxp://www.xakep.bg cybercrime-friendly forum community, where the cybercriminal behind it is currently soliciting managed hacker-for-hire type services.

Sample screenshots courtesy of the service:

We'll be keeping an eye on the campaign and we'll post updates as soon as new developments take place.

Tuesday, July 02, 2019

Upcoming Offensive Warfare 2.0 Cyber Security and Hacking Community YouTube Livestream Broadcast - RSVP Today!

Dear blog readers,

I wanted to let everyone know that I'll be doing a Live YouTube Broadcast this Friday, 05/07/2019, at 20:30 Eastern European Summer Time (EEST, UTC+3), about my newly launched Offensive Warfare 2.0 - Cyber Security and Hacking Community. Are you interested in attending and learning more about the project? RSVP today and consider registering to get the conversation going!

Feel free to approach me dancho.danchev@hush.com

Stay tuned!

Thursday, May 30, 2019

Upcoming Security Project - Accepting Donations and Feedback!

Dear blog readers, I wanted to let everyone know that I've recently added a "Donate Today!" button, including a pop-up banner, to my blog with the idea of seeking your donations and feedback to raise the necessary capital for an upcoming Security Project.

How can you contribute, in case you're a long-time reader of this blog and want to see more high-quality Security and Cybercrime research? Consider making a modest $500 donation, which will help me scale the project and eventually launch it.

Feel free to approach me at dancho.danchev@hush.com

Stay tuned!

Dancho Danchev's Blog - Audio Version Available - Listen to Every Post!

Dear blog readers,

I wanted to let everyone know that I've recently introduced an audio-listening feature that lets you listen to every post on this blog. What do you think?

It allows you to simply plug in your headset and listen to current, historical and upcoming posts. Stay tuned for an updated set of features to be implemented soon.

Consider going through the following high-profile Security Interviews which I managed to produce throughout 2003-2006 while working for Astalavista Security Group.

- Security Interviews 2004/2005 - Part 1
- Security Interviews 2004/2005 - Part 2
- Security Interviews 2004/2005 - Part 3

including the following commentary and Open Letter to the U.S Intelligence Community:

- The Threat Intelligence Market Segment - A Complete Mockery and IP Theft Compromise - An Open Letter to the U.S Intelligence Community

Enjoy and stay tuned!

Wednesday, May 29, 2019

Dancho Danchev's Blog - Public Search Now Open!