Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

The DNC Hack: SVR? KGB? GRU? Lone Hacker?

with 2 comments


Attribution Games:

I grow more and more weary of the attribution games being played in INFOSEC, and the DNC hack is just another in a cavalcade of epic missing-the-point parades. Since the “scoop” given to WaPo by Crowdstrike, there has been a flurry of allegations, revelations, and throwing of attribution dice akin to a basement game of Magic The Gathering, replete with summoning!

“I summon the Russian GRU!”

“I summon the LONE ACTOR!”

“I summon the KGB!”

*slaps down cards on table* TAKE THAT!

The reality here is that there are more than a few games going on here. Think about it, Crowdstrike gets a media coup by selling this story to WaPo, who just happens to have been banned by the Orange Julius of our time, presidential candidate Donald Trump! WaPo jumps on this like a child on a fresh tit and runs with the attribution story and sets the world on fire for Donny boy with the release that the DNC not only was hacked but that his dirty laundry may be in the hands of Kommisar Putin!

“Whoa”

So, first let’s set aside the whole issue of marketing, which for me is akin to choking on a hairball left by that chick in “Ringu”, and move on to the veracity of the attribution as well as the real need to name and shame here. I for one can believe that the two nation state actors’ software and activities were found by Crowdstrike on the DNC systems. The fact that there are two disparate groups from the same nation state is interesting in itself. I guess they are not really talking to each other, and given the state of affairs there in Russia I can see this as being a true accounting. However, I can also see my way to there being third, fourth, fifth, sixtieth actors also in the network, or having been in it in the past. Face it, these are government systems that usually go to the lowest bidder, right? This was likely the Diagon Alley of Democratic networks.

So, to say that it was only these two actors might be a stretch. There is room for doubt, and after the dump by “Guccifer2”, as they are calling themselves, it is easier to think that perhaps there is more to the story than what we have been given by the media, the DNC, and Crowdstrike. Given that the documents on Gucci’s wordpress site are legit and that they seem to be pretty well stamped down on metadata, one can’t make too many assumptions.. Oh, yeah, but everyone is! At the end of the day for me, even though I will play the game a little bit below the fold here, the real issues should be how the hackers did it, and fixing the behaviors of the DNC to stop it from happening for a year or two at a time in the future. Not so much pointing at Russia and yelling; “YOU TOOK OUR SHIT! BAD POOTY! BAD!”

Put another way… I eagerly await the FBI warrants and 10 most wanted cyber listings for the Russian actors they have all this attribution on … I suspect I will be waiting the rest of my life for that one kids… Just sayin. This was mostly about marketing as far as I am concerned and I have to give them props for working that one. Sales must be up in the government area now because of this caper right?

Metadata and Cyrillic:

Meanwhile, after the WaPo story hit the wires the “lone hacker” created his wordpress site and dropped dox, as we say on the intertubes. Shortly after the drop people were inspecting, detecting, infecting, and making circles and arrows with captions on the back to describe what you were seeing! … And the conspiracy theory machine went into overdrive. Pwnallthethings made some good comments on the metadata in the dropped dox but really, concluding that this is a Russian disinformation operation from metadata-stripped documents on the idea that the machine name was cyrillic for Felix Dzerzhinsky (Феликс Эдмундович)? Really? Now that is fucking SOLID work man! Stellar! FUCK LET’S GO BOMB RUSSIA NOW!

[image: Dr. Strangelove]

NAILED IT!

You know at least Crowdstrike has like actual data, ya know, C2’s, malware, and shit like that. Anything else is totally speculative, I mean even more speculative than most attribution that these companies make with real data! Anyway, I took a look at the metadata on the documents and here is what I have found…

  • Much of the data was stamped out in saving from format to format
  • Emails of users though were still embedded in the excel files
  • The word docs have no more metadata than the Iron Felix machine name save, which, gee, kinda leads one to wonder…
  • The image files have no metadata.. none.. niente clean.
  • Grizzli777 is just someone who pirates

Yep, not a lot to see there, and people are hanging their collective hats on the deliberate placement of Феликс Эдмундович as the machine name, to the point of it quite OBVIOUSLY being Mother Russia’s exclusive secret services.
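The findings above are the kind of thing you get from opening the document packages by hand. Here is an added example, not code from the original post, that automates the same survey for Word and Excel files: OOXML documents are zip archives, so the script reads docProps/core.xml and docProps/app.xml for the author, last-editor, application and company fields, then scans every XML part for e-mail addresses that survive a property scrub. The two packages it inspects are constructed in memory (the names, e-mail address and file layout are made up here; the Cyrillic last-editor value mirrors the post’s observation) so it runs offline.

```python
"""Survey the metadata that survives in an OOXML (docx/xlsx) package.

Added example, not code from the original post. The sample packages are
built in memory so the script runs without any real documents.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}
CORE_FIELDS = {"creator": "dc:creator", "lastModifiedBy": "cp:lastModifiedBy"}
APP_FIELDS = {"application": "ep:Application", "company": "ep:Company"}
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def _part(zf, name):
    """Parse one XML part of the package, or return None if it is absent."""
    try:
        return ET.fromstring(zf.read(name))
    except KeyError:
        return None


def _fields(root, wanted):
    out = {}
    for key, path in wanted.items():
        el = root.find(path, NS) if root is not None else None
        text = (el.text or "").strip() if el is not None else ""
        out[key] = text or None          # blank and missing both report as None
    return out


def extract_ooxml_metadata(data: bytes) -> dict:
    """Return the identifying property fields and whether each still carries a value."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        found = _fields(_part(zf, "docProps/core.xml"), CORE_FIELDS)
        found.update(_fields(_part(zf, "docProps/app.xml"), APP_FIELDS))
    return found


def find_embedded_emails(data: bytes) -> set:
    """Scan every XML part for e-mail addresses a property scrub does not touch."""
    hits = set()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.endswith(".xml"):
                hits.update(m.decode() for m in EMAIL_RE.findall(zf.read(name)))
    return hits


CORE_TMPL = (
    '<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}">'
    "<dc:creator>{creator}</dc:creator>"
    "<cp:lastModifiedBy>{editor}</cp:lastModifiedBy></cp:coreProperties>"
)
APP_TMPL = ('<Properties xmlns="{ep}"><Application>{app}</Application>'
            "<Company>{company}</Company></Properties>")


def sample_package(creator, editor, app, company, extra):
    """Assemble a minimal OOXML-style zip from constructed XML parts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docProps/core.xml",
                    CORE_TMPL.format(cp=NS["cp"], dc=NS["dc"], creator=creator, editor=editor))
        zf.writestr("docProps/app.xml", APP_TMPL.format(ep=NS["ep"], app=app, company=company))
        for name, body in extra.items():
            zf.writestr(name, body)
    return buf.getvalue()


# Constructed sample 1: a spreadsheet whose property fields were blanked on
# re-save, but whose shared strings still carry a user's address.
STRIPPED_XLSX = sample_package("", "", "Microsoft Excel", "", {
    "xl/sharedStrings.xml": '<sst xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">'
                            "<si><t>contact: jane.doe@example.org</t></si></sst>",
})

# Constructed sample 2: a document that kept only a last-editor name.
TAGGED_DOCX = sample_package("", "Феликс Эдмундович", "Microsoft Office Word", "", {
    "word/document.xml": '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
                         "<w:body/></w:document>",
})


def report(data: bytes) -> list:
    """Human-readable lines: which fields survived and which addresses leaked."""
    lines = [f"{k}: {v}" for k, v in extract_ooxml_metadata(data).items() if v]
    lines += [f"embedded e-mail: {e}" for e in sorted(find_embedded_emails(data))]
    return lines or ["no identifying metadata found"]


if __name__ == "__main__":
    for label, pkg in (("stripped.xlsx", STRIPPED_XLSX), ("tagged.docx", TAGGED_DOCX)):
        print(f"== {label}")
        print("\n".join(report(pkg)))
```

Point it at real files by reading them as bytes and passing them to `report`. The e-mail scan is the part the property fields miss: blanking creator and company does nothing about addresses sitting in cell text, which is exactly the gap the findings above describe for the Excel files.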

*squint.. takes drag of cigarette*

So here’s my assessment…. Maybe Russia did it… OR maybe this actor is the real thing and happens to want to take credit. The fact that this person(s) reads, writes, and has cyrillic on their machine and names it after the founder of the KGB is as reliable a means of saying it was Russia as it is to say that aliens built the pyramids because people were just fucking too stupid back then!

All of this hoo ha really means nothing. The fact of the matter is that now Donny’s dirty dirt is open source!

YAAAAY!

Wait.. I read it.. What the shit people? REALLY? THAT’S ALL YOU HAD HILLARY? COME ON!

It doesn’t matter who did it really.. Horse is out of the barn and the barn is on fire kids. So please, stop with all the wankery and move on to the next hack ok?

DATA:

[12 screenshots of the document metadata, captured 2016-06-17]

Motivation Analysis and Hypothesis

RIGHT! Well now I want to play the attribution/motivation/game of clue too! So here goes…

Imagine if you will that Russia did do it. Imagine also that Gucci2 is still Russia’s services performing a disinfo campaign against Crowdstrike. Now imagine why they would be doing that. Why would they drop Donny’s dox AND all the other fun stuff for the Clinton campaign, which is in trouble already over the cybers? What effects would this have? Let’s list it out for you…

  • Dropped dox of the dirt -> Blows all Hill had on him unless there is a double secret probation file somewhere
  • Dropped dox yet to be released on Wikileaks -> Let’s say, as Gucci2 alluded, they were also in Hill’s mail server, ya know, the one that wasn’t supposed to be? Oh yeah…
    • If that server was popped by the Russians and Gucci1, those criminal charges could be much more deleterious, right? *waves at FBI*
  • Dropping of dox and general hackery causes the DNC and the election process to be even more fractious than they already are
  • Dropping dox makes Hill’s candidacy potentially weaker (hint hint server -> Russians -> PWN wink wink nudge nudge!)

So all those effects would do what possibly? Why would they want to do this? WHO WOULD WANT A TRUMP PRESIDENCY?????

Why Pooty of course!

Think about it kids. Given your knowledge of Teeny Tiny Baby Hands Trump, do you think he could stand up to a bearish Putin?  *sorry had to use that one*  Do you think that perhaps Donald is easily.. Shall we say.. Distracted or led? Come on, I know you can all reason this out. A Trump presidency would be sweet sweet love for Putin. He would have a friend, and someone he can sit on his knee to play ventriloquist with! … Well, until he has to polonium enema him that is.

That’s my theory and I am sticking with it… For all the fucks that it is worth.

I will say though.. I am waiting on those documents to show up in Wikileaks. That’s when the shit is really gonna hit the fan.

See you all in INFOSEC attribution Hell.

K.

Written by Krypt3ia

2016/06/17 at 18:34

The Irrational Actor and Asymmetric Propaganda Jihads


The Irrational Actor:

EVERYONE has lost their shit over the attack on Pulse in Orlando. The media is in a feeding frenzy, Twitter is lit up with rhetoric and those flogging their points of view, and even I had a moment of “SOMEONE ON THE INTERNET IS WRONG!” which some of you probably will say is just par for the course with me. I am trying to stay out of it as much as possible after yesterday and it has even led me to look at the Twitter feed much less because it just drags you into the collective mass hysteria when you do, but I thought it appropriate to have a moment of clarity and maybe introspection here and leave the arena altogether.

Many of the reports on the news and the tweets in the feeds are verbally gesticulating about how this attacker was inspired by, or a lone wolf for, Da’esh, and arguing about this fact or that which really have yet to be categorically proven. I would like you all to just take what is known as of today, step back a moment from the whole jihad angle, and look at the actor as one might in a profiling situation that the FBI might carry out. What motivated this guy? How did he carry things out? What are his past actions?

  1. The FBI looked into him three times because he was pegged by others as being a potential terrorist from comments he made
  2. The FBI talked to him and found out that he did not know about the groups in any real in depth way and that he seemed to be attention seeking or perhaps a bit unbalanced
  3. As of late yesterday reports have surfaced that this man was a closeted individual (wife and others reporting this)

Now, if you removed all of the surface content of jihad and Da’esh, all you have is that this guy seemed to have some internal struggles from his upbringing and his proclivities. He was raised in a household that may have adhered to a stricter interpretation of right and wrong (in their minds, perhaps about sexuality), and by indications today that may have caused a fair bit of self loathing for his own desires. Suffice to say this guy had issues, and that perhaps was the stressor that led to this incident. What I want you all to consider here is that without the jihad angle, this guy is what is termed a “Spree Killer”. What has everyone bent is the fear of terrorism on American soil, but they are failing to see the forest for the trees in this case.

Now this brings me to the irrational actor part of the title to this post. Everyone and their brother is going on and on about terrorism, lone wolves, and planning while I would suggest that we consider that this guy was an irrational actor with an organized personality. What this in fact means is that he was stressed, he was unbalanced, perhaps delusional, but he was also an organized killer. He planned this attack out and carried it off, but he was not what I would consider a rational actor motivated by an ethos of Radical Islam. I would instead really like to say he was a troubled individual who used Da’esh as much as they used him after he carried out this heinous crime. Each served their purpose for rationalizing their irrational and malevolent behaviour.

So, please take a step back and consider that this spree killer did what he did and blamed it all on an ethos that he may not have wholly understood nor believed in. Had he really been a true believer then he might have gone to Syria or been under more prevalent scrutiny by the authorities. Instead he was taken off the watch list because he wasn’t seen as a real threat in the sense of being a true jihadi. Of course perhaps he should have been considered a threat under the rubric of being an unbalanced individual who may act out.. But we really do not have that option here do we?

The Asymmetric Propaganda Jihad:

On the other side of this issue we have much being bandied about by the media and the bevy of former CT/Security darlings who get air time about how the paradigm has changed since this attack was carried out. Has it really? How long has “Open Source Jihad” been around anyway? Oh yeah, years. Inspire was the first magazine to coin the term and since its inception there have been more than a few attacks in various places around the world that I would equate with the teachings of OSJ as being a source of inspiration. So now that someone has killed 49 people on US soil it is suddenly a paradigm change?

Come on!

The fact of the matter is this: this asymmetric propaganda war has been waged for years, first by AQ/AQAP and perfected with Da’esh’s tweaks that made it more appealing to the unbalanced amongst us. As we have seen over the last few years, the government finally started to understand the problem, and so too have companies like Twitter, which is trying to fight it with account banishments. Of course nothing has worked so far and the message keeps getting through over a medium that is the internet as a whole. Communication at the speed of light is the medium and there is no putting that genie back in the bottle. We must come up with more thoughtful and meaningful approaches on how to fight it, but so far the US government has only half heartedly attempted a counter propaganda campaign, “Think again look away”, that frankly seems to have been written by advertising reps from the 50’s.

The reality is this: since January first 2016 there have been one hundred and thirty three mass shootings in the US. Two of these to my knowledge have been at all related to jihad. When are we going to look at the larger issue of the spree killings and the psychology of irrational actors perpetrating them instead of focusing on the jihadi aspect of only two? This is the crux of the issue, and I have to tell you all here that like psychological profiling, it is an art, not a science. What I am trying to really say here is that there is no way to really stop these things from happening. In the case of Omar Mateen, he said things and was investigated, but unless he was put under complete surveillance 24/7 there were no solid ways to determine his actions to come. Hell, for that matter, the stressor of being under scrutiny could have been the straw that breaks the camel’s back and caused an attack!

Everyone needs to understand that life is random. The universe is random, and there is no sure way to stop these attacks.

No guns… Sure, someone will get a katana and hack people to death

Surveillance of everything in drift-net unstructured data…. Still won’t help if you aren’t analysing it all and even then you miss things.

Investigations like the FBI carried out and being put on watch lists… Nope as we can see it did not work.

All of you need to understand that you could die slipping in your shower just as much as being killed by a spree killer with an AR-15. It’s just the roll of the cosmic dice. I am of course not saying that we don’t need to try, but let’s not react the way I have been seeing in the media, the net, and the everywhere after this attack. It does no one any good. Was what Omar did terrorism? Yes, it was because his goal was achieved, just look around you now.

K.

Written by Krypt3ia

2016/06/14 at 13:20

Posted in Terrorism

GREAT LEADER’S FACEBOOK LITE!


Screenshot from 2016-06-03 08:56:40

This is what happens when I don’t pay attention. I TOTALLY missed this story about Andrew McKean logging into an ersatz DPRK facebook clone! Welp, I have gone back in time with Mr. Peabody and have found more goodies on this site that is no more. One has to wonder just who in Pyongyang thought this was a good idea. I kind of wonder if it was anyone there in Pyongyang at all, or instead someone found a vulnerability and decided to fuck with Un. Either way, MUCH derp and schadenfreude ensued!

The site is a standard php version of a Facebook clone by phpdolphin:

<div class="footer-languages"> Copyright &copy; 2016 Our social network. All rights reserved. Powered by <a href="/web/20160527183053/http://phpdolphin.com/" target="_blank">phpDolphin</a>.

I have to also wonder about the standard use of English as the primary language on the site and not Korean at all. Perhaps it was just the default for phpdolphin, but I would assume it’d be easy enough to change that. Anyway, the site went up May 27th but the domain has been registered since 2009. A look with Mr. Peabody showed nothing there before, all the way back to the beginning of time.

Screenshot from 2016-06-03 10:06:51

Screenshot from 2016-06-03 10:36:18

So either this was a big joke or it was a real honest to god thing that Un was allowing? Was it some hipster in Pyongyang with nothing to do at the local internet cafe? Was it someone in the hacking community laying a savage burn on Un and the DPRK? We may never really know but I for one wonder just how Un is reacting. I mean, shit, look what they allegedly did to Sony over a shitty movie right? Is there some kid in a DPRK gulag now because he decided to Punk Un?

Screenshot from 2016-06-03 10:07:28

Using the wayback I was able to see all the users on there and get shots of their pages. I gotta say I really wish I had been in the know because I would have set up a ROCKIN Team America page!

Can you imagine it?

[image: America, fuck yeah t-shirt]

My god what peals of laughter would have been maniacally coming from my office. Oh well.. Missed my chance… For now… Anyway here are the other users I found.

Screenshot from 2016-06-03 10:09:36

Crotch grabber!

Screenshot from 2016-06-03 10:09:22

Iran got in on that action right quick!

Screenshot from 2016-06-03 10:09:06

LOVE that photo

Screenshot from 2016-06-03 10:08:45

BAAAAAAHAHAHAHAHAHAHA random marketing script guy!

Screenshot from 2016-06-03 10:08:20

WAIT.. PRIMORIS ERA IS THAT YOU? WAIT. NO. IT’S ROBIN SAGE!

Screenshot from 2016-06-03 10:06:24

Rando Muslim guy… wait.. Is that you Packetknife?

Screenshot from 2016-06-03 10:06:14

Dis guy..

Screenshot from 2016-06-03 10:47:11

Screenshot from 2016-06-03 10:06:04

Roberta, you vixen you. LOOK YOU GOT KIM TO SAY HI!!!!

Screenshot from 2016-06-03 10:05:49

jkoebler I SALUTE YOU!

You have the most epic of the profiles other than Un himself man. The flag and Star Spangled Banner!!! DUDE you planted the flag on the digital Everest here man!

Screenshot from 2016-06-03 10:05:37

Yet another rando Middle Eastern guy it seems…

Screenshot from 2016-06-03 10:53:15

Last but certainly not least is Kim Jong Un himself! Who evidently studied at the Zoolander School for Kids Who Can’t Read So Good!

I am going to lean toward this being an EPIC troll or a troll of opportunity. I honestly can see that maybe something was left open on the box, someone sussed it out, and decided to go all @DPRKNEWS on this. To those who did this I salute you. For all you Anon’s out there, JESUS FUCK YOU MISSED OUT! This is the kind of merciless motherfuckery you should be pulling!

Ps.. If any of you out there did this and wanna say hey feel free to drop me a line here anonymously and gimme more details.

EPIC!!!!

Your move Un.

K.

Written by Krypt3ia

2016/06/03 at 14:58

Posted in DPRK

The Rise of The Middle Eastern Patriot Hacker


Screenshot from 2016-06-02 13:56:48

A news story posted today got my attention if for nothing else than the lulz. The post was about how a team of Saudi hackers had popped and defaced a bunch of Iranian sites and how in return the Iranian authorities had tapped INTERPOL to clap the irons on those cyber terrorists! Now, usually I am not so much interested in these types of defacements being that they are just tit for tat political posturing by derpy kids online but this reminded me of China in the 90’s so here I am.

That’s right, you read me right there, China, remember the Green Army? Remember all those posts I did back in the day about the patriot hackers there? Well, now we have the same kind of thing happening in the Kingdom of Saud and since I am a bit of an Arabist, I thought it interesting enough to pontificate on here. Hell, I might even thought lead here! Well, ugh, no, I will not thought lead, there is just no coming back from that. Anyway, back to the matter at hand.

Screenshot from 2016-06-02 14:02:13

The “team” in question is the new-ish group calling themselves “Team Bad Dream” and ermegerd they are as derpy as they come. When you start to pull at the threads of their digital tangled skein you quickly come to some real profiles and real names. I will not post them here because I don’t want the Iranians whacking anyone and I certainly don’t want INTERPOL on them just yet. Suffice to say, guys, ummm, you may want to pay attention to your old nicks and re-use. Oh, and don’t forget to not use your SKYPE addresses and shit like that that you have not created good backstops and cutouts for!

Screenshot from 2016-06-02 13:50:05

Screenshot from 2016-06-02 13:49:39

Screenshot from 2016-06-02 11:39:49

Screenshot from 2016-06-02 11:35:26

*Oh, maybe that was a little OPSEC/INTEL slip I just pulled there huh? Oops*

Anywho… Aside from the derpy defacements that really mean nothing in the scheme of things as hot “cyber” wars go, there is this notion of a shift in politics/warfare/statecraft that I just have to mention. It is claimed that the KSA government has been supporting these guys in their defacement spree and if this is the case, then it’s a bit of a different kettle of fish no? It is one thing to have a bunch of guys who just do this shit for giggles but these guys are now hitting Iran, the mortal enemy of Saudi with *gasp* DEFACEMENTS!

Ok, ok, ok, you all probably have the same opinion that I do about defacements:

Screenshot from 2016-06-02 14:22:16

That XKCD pretty much sums it up for me. However, you are now dealing with the governments of two rather shall we say touchy countries. Just look at the rhetoric between the two to see. In fact, hell, just look at the rhetoric and crazy that comes out of Iran on a regular basis and you might see where I am going here. I can imagine here an all out, full scale, cyber defacement war soon enough. However, what if that also turns into a full on “cyber” war between the two now too? What if they really start hacking the shit out of each other’s infrastructure?

What if they start stuxnet-ing all the things! My god man.. it will be 9/11 x 1000


Ok on a more serious note though. This may in fact be the start of something bigger and we could be seeing more hacking and net-centric warfare between these players in the near future. I eagerly await the next salvo with popcorn in hand and a nice big scotch. Everyone get comfortable because soon there will be attribution marketing and cutesy pseudo Arabic code names for all the actors!

K.

Written by Krypt3ia

2016/06/02 at 18:35

All Those Derpy APT Code Names Got You Confused?

with 2 comments

Screenshot from 2016-06-01 13:16:58

THANK THE FUCKING GODS someone took the time to get these all collated into a spread sheet! After all, WHO KNOWS what derpily named actor is attacking you!! YOU COULD //HAVE HELSING HURRCAINE DRAGON PANDA// and you would be unable to respond unless you have a primer!

My. God.

While this may be helpful to many of you out there it is for me just another symptom of a larger malaise that is attribution fever. Yes, attribution fever, much like a good Malarial bout gives one chills and flop sweat when you are looking at your SIEM/IDS/IPS/LOGS and you see… Well something happening. Something you really don’t understand but you know it’s OBVIOUSLY some bad actor from a foreign land trying to steal your IP!

NOW YOU TOO CAN PLAY THE NAME THAT ACTOR GAME!

With this handy sheet you can attempt to maybe sorta kinda know who may be exfil’ing your data and laughing in some obviously Mandarin tinted accent! Seriously though, ummm fuck if I care really. If you don’t have the infrastructure and the defenses in depth to handle even understanding your traffic this really means fuck all to you. Well, unless you are a marketing wanker or an upper echelon exec amiright?

On a more serious note though, if you are playing the game and you have some sense of what is going on, then perhaps this excel sheet will help you some. I am really really really * a googolplex unimpressed with all the secret sauce attribution fuckery we see in all the marketing bullshit blasts from the vendors out there on this shit. Know what? I remember when I saw BaitLick say that basically his company would come in, do their thing, and then six months later they’d be back again because they could not keep the APT out. So what the fuck with all the super secret code names and IP fuckery that you guys pull on “actors”, huh?

Cut it the fuck out.

Share the intel with EVERYONE

STOP THE FUCKERY

That will be the only way that we can make a unified effort here.

I will say it again… It’s not about the who… It’s about the how.

Link to excel

K.

Written by Krypt3ia

2016/06/01 at 17:53

Posted in APT, CYBER CYBER CYBER

The QNB Hack: Cui Bono?


Screenshot from 2016-05-02 11:14:51

The Dump

The recent dump of data from the Qatari National Bank was of interest to me and many others because it purported to have the accounts and identities of spies within its csv and text files. I downloaded the files from Cryptome thanks to someone pointing me in their direction and took a nice long look. As the story has unfolded it has come to light that the bank itself says the data is real and that they are now “completely secure”, which is amusing given that this was an old SQLi attack that netted this Turkish hacker group the jewels of QNB.

The dump consists of the oracle database files, the passwords, and the banking information of all the users therein. I have to say that most of it is really quite pedestrian, but then the hackers, or the bank management, created file folders (as seen above) that marked people as spies, Mukhabarat, Security, Gov, and other tantalizing names. I first thought that the file folders and their speculative names had been created by the hackers to sex up their dump, but it has come to light that if you look within the database dump itself you see the directories and names have headings like intelligence and defence. So it seems that the bank itself may in point of fact have created these tags in the belief, or with inside knowledge, that the people in the data were in fact what they were claimed to be, or at least were thought to be.

The Spies

I looked at all the interesting folders and the data, all the while wondering about the validity of the idea that these names were in fact corresponding to real assets, NOCs or just functionaries in Qatari space that had just been quite well blown by this hack and subsequent data dump. On the whole I would call into question all of the names being linked directly to espionage organs. I really have to wonder if the bank would in fact be that “in the know” about spooks in their country, and really have to be circumspect about their putting that in the users’ bank records. I mean even the Mukhabarat would at least demand that it be obfuscated, one would hope by a code of some sort, and not just in the headers/directories themselves.

It really kind of feels like the natural tendencies of the Arab nature got the best of the database admin and the managers of the bank, and they believed that these people were spies without there being any real proof. In any case, these people, especially those who are FORN and in country, may now have some trouble with people thinking that they are really spies, and be subject to attacks. Imagine if you will any jihadi types who might take this data as gospel and go after these people for Da’esh or AQ. This could be bad. I have yet to hear of anyone leaving their positions or the country. If I were one of them I would at least be looking over my shoulder henceforth.

[8 screenshots of the dump’s folder headings and records, captured 2016-05-02]

The other data I can see perhaps being totally on the money is the military accounts and names, because they are their own Ministry of Defence and really, that is not top secret stuff. Likely the bank sees where these people get their pay from (Qatari funds from the gov), but even these people could now be targets because this hack was motivated by political means it seems, after all.

Cui Bono?

Screenshot from 2016-05-02 16:10:09

It seems that the Bozkurtlar (Grey Wolves) a Turkish political group and their hackers were the perpetrators of this hack. There is a long history between Turkey and Qatar and most of it seems kind of benign but when you scratch the surface a bit you can see that there are some issues between them as well as some synergies in their support of certain terrorist groups like da’esh. (click linked image below)

Screenshot from 2016-05-02 16:13:47

Screenshot from 2016-05-02 16:12:09

So, “Cui Bono?” Well, certainly the Grey Wolves, to what end I am not completely sure. They did post their video before the hack hit the pastebins out on the net, so it was pretty much their gig, but I still don’t quite understand why. Perhaps these hackers are quasi wolves and/or it is some other entity using the wolves as a cover for their activities. Given that there has been no real perceived fire coming out of Qatar over this, nor in other areas of the world that we are aware of, I kind of doubt all these people were in fact assets of foreign powers.

At the end of the day, this just turns out to be yet another derpy easy hack using SQLi on an entity that wasn’t performing any due diligence, but it had the sexy sexy for the masses with the idea that some great hack exposing spies had occurred. In my opinion not so much really. So hey Grey Wolves, gimme some more context in the future than some poor British shmuck’s MySpace page, would you?
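The root cause named above, SQL injection, comes down to one coding habit. Here is an added example (not code from the post, from QNB or from the Grey Wolves) that shows the same account lookup written twice against a constructed in-memory SQLite table: once with the caller’s input spliced into the SQL text, once with a bound parameter. The table, the usernames and the probe string are all made up here.

```python
"""Vulnerable vs. parameterized account lookup.

Added example, not code from the post or from any bank. A constructed
account table in an in-memory SQLite database, queried once by splicing
the caller's input into the SQL text and once with a bound parameter.
"""
import sqlite3

# Constructed sample rows; nothing here comes from the dump.
ACCOUNTS = [
    ("a.ahmed", "acct-1001", "retail"),
    ("b.smith", "acct-1002", "corporate"),
    ("c.jones", "acct-1003", "retail"),
]


def make_db() -> sqlite3.Connection:
    """Fresh in-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, account_no TEXT, tier TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", ACCOUNTS)
    return conn


def lookup_vulnerable(conn, username: str) -> list:
    """Input becomes part of the SQL text, so a quote in it rewrites the query."""
    sql = "SELECT username, account_no FROM accounts WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username: str) -> list:
    """Input travels as a bound value; the SQL parser never sees it as SQL."""
    sql = "SELECT username, account_no FROM accounts WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Constructed test input: a stray quote followed by an always-true clause.
# The vulnerable lookup returns every row for it; the safe one returns none.
PROBE = "x' OR '1'='1"


def compare(username: str) -> dict:
    """Row counts each lookup returns for the same input."""
    return {
        "vulnerable": len(lookup_vulnerable(make_db(), username)),
        "safe": len(lookup_safe(make_db(), username)),
    }


if __name__ == "__main__":
    print("normal input :", compare("b.smith"))
    print("probe input  :", compare(PROBE))
```

Bound parameters close the hole the post describes, but a dump that includes the database files and passwords also says the application account could read far more than a lookup needs; a read-scoped account for the web tier limits what a query bug can reach even when one slips through.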

K.

Written by Krypt3ia

2016/05/03 at 00:08

Two More Da’eshbag Darknet Sites Popped Up


Screenshot from 2016-04-29 08:48:34

The Cyber Kahilafah

A couple more daring Da’eshbags have decided that the darknet is the place for them to spread their propaganda. The sites just popped up and aren’t quite finished. The Cyber “Khahilafah” خِلافة “Caliphate” has a total of 5 main pages with links off of those to other internal and external pages. The main page has the following text:

Screenshot from 2016-04-29 10:54:27

Fight in the cause of God those who fight you not transgress Allah loveth not aggressors} Al-Baqarah: 190}

————————————————– ———-

The books you dislike it, and it may be that you dislike a thing which is good for you, and that ye love a thing which is bad for you. Allah knows and you do not know the cow} 216}

————————————————– ———-

Very soon will be open all sections

We hope to collect the largest number of individual wolves

Cyber kahilafah

!Beware no joking here!

Overall this page is really quite simple and reminds me of just about every other page on the darknet (some remnant from Geocities got loose in the darknet and multiplied!); it’s kinda ugly and simple. As the site is not finished there isn’t much to look at right now, but I thought I would archive it and pass it along before the kids hear about it and DD0S the crap out of it or hack the node and take it down. Of course if someone hacks it and somehow gets a raw IP that would be interesting huh? *hint hint NSA*

Anywho, this site is different from the last one because it is not really pulling a whole lot from the clearnet and it is certainly not at this time like any of the other jihadi boards out there but it seems to me that is what they may be aiming at later on down the line. I am sure it won’t be around that long anyway but it’s amusing to see them try.. Ok on to the data and further below the second site!

DATA

The sub pages consist of the following headings:

/bomb/

Screenshot from 2016-04-29 10:27:03

with sub categories of /bomb/ for redundancy?

/kafia/

which seems to be a version of Keffiyeh, which is a scarf or head dress common to the region.

Screenshot from 2016-04-29 10:29:21

Both of the downloads fail, and the domains they point to are:

Now the 00-up domain is interesting because it has a long storied WHOIS history, and the present owner is a Mohammed Ezz out of Egypt according to the data.

Screenshot from 2016-04-29 10:32:08

Screenshot from 2016-04-29 10:33:00

/army/

Screenshot from 2016-04-29 10:44:15

/army/ only has “coming soon” in Arabic on it at the moment

/armyb/

has the following single page with a link (Infantry Mechanisms In Desert Operations)

Screenshot from 2016-04-29 10:45:15

Screenshot from 2016-04-29 10:45:54

The desert operations piece is pretty much a re-hash of the desert war tactics from WWII. It’s an interesting read if you are in to desert warfare but I am not sure why they have put this up there because it is specific to the Sahara.

/isdarat/

Isdarat we saw the last time and refers to isdarat.tv so maybe these are the same guys?

Screenshot from 2016-04-29 10:44:15

Another “coming soon” image

/gun/

Screenshot from 2016-04-29 10:51:59

“Kalashnikov Weapon” which links to some videos that don’t work

Screenshot from 2016-04-29 10:53:11

That’s all she wrote for this site. The next one though is a stand-alone with the same name as this one, but really is just a shingle for the Da’esh Cyber Kahilafah Al Bayan (popular newspaper in the region) radio link. This link is not working, but there were some interesting links that were offshoots to this.

Screenshot from 2016-04-29 09:52:20

Cyber Khaliafa Radio (non functional)

Now Al Bayan is the radio station that the da’eshbags started when they took over a station in the region. It is on FM and cannot be heard here unless you get it online. Thus this page and links. As they are not working it may be that they only post things or make the link live at certain times. In any case, the links on this page led to the clearnet and some interesting people and places (see below)

Screenshot from 2016-04-29 11:25:43

Screenshot from 2016-04-29 10:10:54

Screenshot from 2016-04-29 10:11:18

Screenshot from 2016-04-29 10:19:22

Screenshot from 2016-04-29 10:21:29

I have yet to try and give a listen but when I get a working link I will. Until then, you kids have fun with these guys in the darknets! Once again they show that they have some sophistication in being able to set up a tor site but then they completely lack the ability to really program it or keep it online. These are not the cyber warriors the media would like you to think they are.

Dr. K.

EDIT: There is a THIRD site evidently. I have found the “creator” of the site and located yet another page he/she/they are looking to link from. This one will eventually have the bomb making tutorials for making phone bombs.

Screenshot from 2016-04-29 13:12:15

Written by Krypt3ia

2016/04/29 at 15:28

Posted in Da'esh, DARKNET
