The recent compromise of a NATO server by “Team Inj3ct0r” has recently made the news, but, as the media usually do, they did not look any deeper than the website for Inj3ct0r and perhaps a little data as to what the team said in a text doc on the compromised server. A further examination of the group shows that Inj3ctor has been around since 2008, and has ties to Chinese hackers as well as Russia, Turkey and other countries.
This could change the paradigm on the “hacktivism” moniker that Team Inj3ctor has branded themselves with recently (post the goings on with Anonymous and LulzSec/Antisec movements) Before these movements, this site and the teams all were loosely linked and purveyors of 0day, and not so much in it for any political means. What has changed? Who might benefit here to use the hacktivism movement as a cover for hacking activities that could cause a stir?
… Maybe the PLA? Maybe the FSB?…Some other political orgs from Gaza? or Turkey?
Or, perhaps they are just a bunch of hackers who like the cause celebre of hacktivism? It’s hard to say really, but, when you get China into the mix, the lines blur very very fast.
Below I am outlining the data I collected on the main inj3ct0r site, its owner, and two of the players who are on both teams of hackers that span China and Russian hacking. This makes for a new wrinkle in the Anonymous/Lulz movement in that the NATO hack was claimed by someone using the name “Team Inj3ct0r” and this site seems to fit the bill as the source of the attack since it has been quoted by the hackers that they used 0day on the NATO server to crack it and keep access. If indeed there are connections to state sponsored hacking (as the China connection really does lead me to believe) then we have a new problem, or perhaps this has been the case all along that the state sponsored hackers have been within Anonymous, using them as cover.
Another interesting fact is the decision to attack NATO. Was it a hack of opportunity? Or was there a political motive here? As I have seen that these groups are multi-national, perhaps this attack had a overall political agenda in that NATO is supposed to be the worlds policeman. I am still unsure.
Teams and Members:
In looking at the sites and the members, it came to light that two members belong to each of the teams (inj3ct0r and DIS9) The two are “knockout” and “Kalashinkov3″ The teams are tied together in the way they present their pages and the data they mirror so it is assumed that they have a greater connection underneath. In fact, more of them may be working together without being named in the teams listed below. Each of these people have particular skills and finding 0day and posting them to this site and others for others to use.
Team Inj3ct0r: http://126.96.36.199/team
Team Inj3ct0r’s site is located in Ukraine and is registered to a Matt Farrell (email@example.com) My assumption is that the name given as well as the address and phone numbers are just bogus as you can see they like to use the netspeak word “1337″ quite a bit. A secondary tip on this is that the name “Matt Farrel” is the character name for the hacker in “Live Free or Die Hard” Someone’s a fan…
r0073r – r0073r is the founder of inj3ct0r and I believe is Russian. The site r0073r.com owned by Mr. Czeslaw Borski according to whois. However, a whois of inj3ctor.com comes up with a Anatoly Burdenko of 43 Moskow Moskovskaya Oblast RU. Email: firstname.lastname@example.org
- The domain r0073r.com owned by a Mr. Czeslaw Borski out of Gdansk Poland (another red herring name) domain hosted in Germany with a .ru name server
- The domain inj3ct0r.com created in 2008 belongs to Anatoly Burdenko and has been suspended
- The domain inject0r.com was hosted in China 188.8.131.52 – 184.108.40.206 on China net
- Another site confirms that r0073r is the founder of team inj3ct0r aka l33tday
- Another alias seems to be the screen name str0ke
- Also owned www.0xr00t.com
http://www.inj3ct0r.com domain details:
Registrant: Inj3ct0r LTD r0073r (email@example.com) Burdenko, 43 Moskow Moskovskaya oblast,119501 RU Tel. +7.4959494151 Creation Date: 13-Dec-2008 Expiration Date: 13-Dec-2013 Domain servers in listed order: ns1.suspended-domain.com ns2.suspended-domain.com Administrative Contact: Inj3ct0r LTD r0073r (firstname.lastname@example.org) Burdenko, 43 Moskow Moskovskaya oblast,119501 RU Tel. +7.4959494151
- Alleged to be Turkish and located in Istanbul
- Member of the Turkish cyber warrior site cyber-warrior.org last access July 4rth 2011
DIS9.com is a hacker group that is linked to and shares two members with Team Inj3ct0r (Kalashinkov3 and KnocKout) Both sites are very similar in design and content. DIS9.com resolves to an address in China and is registered to a YeAilin ostensibly out of Hunan Province in China. The owner/registrar of the site has a familiar email address of email@example.com also a domain registered and physically in China.
A Maltego of this data presents the following interesting bits: A connection to the site http://www.vi-xi.com a now defunct bbs which lists the yeailin225 account and other data like his QQ account. This site also lists another name attached to him: Daobanan ( 版主 ) vi-xi.com had hacking discussions that involved 0day as well. The domain of vi-xi.com was registered to jiang wen shuai with an email address of firstname.lastname@example.org and listed it out of Hunan Province.
The connections from DIS9 to other known hackers who are state actors was found within the Maltego maps and analogous Google searches. As yet, I am still collecting the data out there because there is so much of it. I have been inundated with links and user names, so once I have more detailed findings I will post them. Suffice to say though, that there is enough data here to infer that at the very least, hackers who work for the state in China are working with others on these two sites at the very least, sharing 0day and perhaps hacking together as newly branded “hactivists”
: Team Exploit :
h4x0er.org aka DIS9 Team
Another interesting fact is that a link to the site h4x0er.org itself shows that the DIS9 team is the umbrella org for Inj3ct0r and other teams. This is a common practice I have found with the Chinese hacking groups to have interconnected sites and teams working together. This looks to be the case here too, and I say this because of the Chinese connections that keep turning up in the domains, sites, and team members.
Other Teams within the DIS9 umbrella:
In the end, it seems that there is more to the inj3ct0r team than just some random hackers and all of this data bears this out. I guess we will just have to wait and see what else they hit and determine what their agenda is.
More when I have it…