Tuesday 18 December 2018

Operation Icarus - 2018: An Independent Research and Analysis

On 12 December 2018, while I was checking for some security news on Twitter, I stumbled upon a post with the hashtag #OpIcarus. The post was made by a Twitter user using the handle @LorianSynaro on 11 December, calling for others to join the cause and, naturally, target financial organizations (FOs) worldwide.


A list of targets called "World Banking Cartel Master Target List" was shared in the form of a Ghostbin link. In this list, over 150 FOs were listed as targets.


The list however bears striking similarities to the list posted on Pastebin in 2016.
https://pastebin.com/dVyqyJi5 (posted 22 March 2016)
https://pastebin.com/QcqqEdKw (posted 10 October 2016)

These lists were used in the first #OpIcarus campaign back in 2016. The only addition to the 'new' list in Ghostbin is 11 FOs under the heading "The Biggest Banks of the Globe (from the Internet):". Everything else from the "Federal Reserve of America" downwards is recycled from the 2016 Pastebin lists.

As of 18 December 2018, since the posting of that Tweet and the target list, the following FOs' websites have been claimed to have been successfully "brought down" by the campaign's participants, using the hashtag #tangodown accompanied by screenshots from check-host.net as evidence.

An example of a Tweet showcasing a successful attack with the #Tangodown hashtag

The Victims

By @LorianSynaro:
  • http://www.bkam.ma/
  • http://www.banxico.org.mx/
  • https://www.bankofalbania.org/
  • http://www.centralbankbahamas.com/
  • https://www.bancaditalia.it/
  • https://www.rba.gov.au/
  • http://www.cbiraq.org/
  • https://www.bcu.gub.uy
  • https://www.bis.org/

By @Pryzraky
  • https://www.centralbankofindia.co.in/english/home.aspx

By @__sh1z3n
  • http://www.centralbank.org.bb/

References:
https://twitter.com/__sh1z3n/status/1074909637395267589
https://twitter.com/Pryzraky/status/1073711856513093632
https://twitter.com/LorianSynaro/status/1074342005852004353
https://twitter.com/LorianSynaro/status/1073960930025893889
https://twitter.com/LorianSynaro/status/1073317278786162688
https://twitter.com/LorianSynaro/status/1072596945259114497

Initial Findings:

One of the things I found was that out of the 11 FOs attacked, 4 of them were not in the target list. They were:
  • https://www.centralbankofindia.co.in/english/home.aspx
  • http://www.centralbank.org.bb/
  • https://www.bis.org/
  • http://www.cbiraq.org/

Out of the 11 FOs, 10 are not deemed critical websites. This means that these 10 websites are simply banking organization information, help sites and client references, rather than banking websites that customers visit to log in and perform digital monetary transactions. Also, I observed no complaints raised on social media about the inaccessibility of these affected websites.

DDoS or DoS?

One of the things I was interested to know was the participants' technical capabilities and the tools used to perform the attacks. To do this, I had to look at past #OpIcarus campaigns and identify which tools were used.

One of the handful posts found to be sharing tools for #OpIcarus
Interestingly, most of the tools shared by past #OpIcarus participants were similar to the list of tools recommended above. Tools like TorsHammer, Xerxes and Slowloris are "web stressing tools" designed to test the response of a web server, and each can be run from a single machine. These are publicly available tools and are technically classified as denial of service (DoS) testing tools, NOT DDoS tools. Of course, one man's testing tool is another man's attacking tool.

TorsHammer, for example, is one of the most common tools used by participants to conduct DoS attacks. Even the description sounds promising.

A fave tool with 187 downloads this week!

As a matter of fact, TorsHammer has been 'recommended' for use against unprotected web servers running Apache.

TorsHammer used against Apache or IIS

The question now is: were TorsHammer and similar DoS tools used by the current #OpIcarus campaign's participants? To find this out, I used several open source databases such as IPV4info.com and Shodan to find the IP addresses of these websites and the web server software they ran.

Without naming the specific FOs:
  • 5 were running on Apache
  • 1 was running on nginx
  • 3 were running on IIS 7.5-8.5
  • 2 were undetermined

There is a possibility that a DoS tool was used to bring down these systems (based on the majority of affected servers being Apache-based) rather than a massive number of distributed computers targeting these web servers. BUT I need corroboration to confirm my theory. The only way to do that is to chat with the participants themselves!


Not only did I get confirmation that one of the participants was using DoS tools like Hammer and Goldeneye, I was also given a link to all the other tools used by the group, mostly DoS/web stresser tools.

Tools used by Anonymous members

While tools like TorsHammer, Xerxes and Slowloris have been reported to work well against Apache and IIS web servers, Goldeneye has been reported to work successfully against nginx.

nginx not able to withstand Goldeneye

At this point, I am pretty confident that most of the targeted websites that were successfully brought down were most likely attacked with web stresser tools rather than a full-fledged DDoS attack. However, one of the participants, @Pryzraky, who claimed to have successfully brought down the only FO website that customers rely on to perform digital transactions, seemed to use a different technique from the others.
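The DoS-versus-DDoS distinction drawn above can also be checked from the victim's side, in the web server's own logs. The following is an added example, not code from the original post: it reads constructed Apache-style access log lines with the request duration appended, and reports whether the slow, timed-out requests that single-machine stresser tools produce come from one source or from many. The log format, the thresholds and the sample addresses are assumptions.

```python
"""Log-side triage: single-source slow-HTTP DoS or a distributed attack?

Added example, not from the original post.  Assumes a constructed
Apache-style combined log with request duration in microseconds (%D)
appended as the last field; the sample lines are made up.
"""
import re
from collections import Counter

# host ident user [time] "request" status bytes "referer" "agent" duration_us
LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" (\d{3}|-) (?:\d+|-) "[^"]*" "[^"]*" (\d+)$'
)


def make_sample_log():
    """Constructed sample: one host tying up workers with slow requests
    that the server eventually times out (408), plus normal visitors."""
    lines = []
    for i in range(40):
        lines.append(f'203.0.113.5 - - [12/Dec/2018:10:00:{i % 60:02d} +0000] '
                     f'"GET / HTTP/1.1" 408 0 "-" "Mozilla/5.0" 30000000')
    for i, ip in enumerate(["198.51.100.7", "198.51.100.8", "192.0.2.44"]):
        lines.append(f'{ip} - - [12/Dec/2018:10:00:{i:02d} +0000] '
                     f'"GET /about HTTP/1.1" 200 5120 "-" "Mozilla/5.0" 1200')
    return "\n".join(lines)


def triage(log_text, slow_us=10_000_000, single_source_share=0.8):
    """Count requests per source and flag slow or timed-out ones.

    A slow-HTTP stresser run from one machine shows up as a single source
    holding most of the slow requests; a distributed attack spreads the
    same signature over many sources."""
    total = Counter()
    slow = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        ip, status, duration_us = m.group(1), m.group(2), int(m.group(3))
        total[ip] += 1
        if status == "408" or duration_us >= slow_us:
            slow[ip] += 1
    n_slow = sum(slow.values())
    if n_slow == 0:
        return {"verdict": "no slow-HTTP signature", "sources": len(total)}
    top_ip, top_slow = slow.most_common(1)[0]
    share = top_slow / n_slow  # fraction of slow requests from the top source
    verdict = ("single-source slow-HTTP DoS" if share >= single_source_share
               else "distributed slow-HTTP attack")
    return {"verdict": verdict, "sources": len(total), "slow_sources": len(slow),
            "top_source": top_ip, "top_share": round(share, 2)}


if __name__ == "__main__":
    print(triage(make_sample_log()))
```

On a real server the same counting can be done on the connection table (established but idle connections per source) rather than on completed log lines, which catches the attack before requests time out.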

@Pryzraky not only has Twitter and Facebook profiles but also a YouTube channel. One of the videos posted was a live demonstration of him targeting the website of NASA. The method used? An IRC botnet! This is the only participant I've researched so far who actually used a DDoS attack technique.

Taking down NASA using an IRC botnet

Conclusion:
Seeing how some of the FOs targeted were not listed in the 'Target List' shows that the list is there to promote fear rather than to define the actual targets. At the same time, seeing that most of the affected FO websites are simply static sites conveying information about the FO, rather than sites used for login or digital transactions, highlights the possibility that the participants are relying on low-hanging fruit (stressing everything and posting those that were successful).

Hence, it is possible to see malicious traffic/activities in some FOs' networks, but as long as the FO has introduced proper and adequate security protection technologies and processes (WAF, firewall rules, patching), learning from past hacktivist campaigns, I would see this campaign having little to no substantial impact on the major or mature FOs.

It is also important to note that the number of participants involved in this campaign is much smaller than it used to be (in the hundreds) in 2016. Most of the Twitter accounts, Facebook pages and groups dedicated to Operation Icarus have had little to no activity since mid 2017.

Tuesday 4 December 2018

Threat Actor Hunting: Investigation Into The Vietnam Airport Hack

In 2016, after the news that airports in Vietnam had been hacked, I got very interested in the incident and decided to follow it closely... albeit too closely. This was a research/investigation done back in 2016/2017 and I only presented it once in a closed forum. Today I finally have the courage to blog about my findings.

In this blog post, I will share the findings of my personal investigation into this incident, conducted solely using OSINT and Cyber-HUMINT, to verify some of the things said about 1937CN in the news, and how, in the midst of trying to find out how the systems were hacked, I was able to pivot my motivation and "expose" at least one of the members of 1937CN.

Sometime in July 2016, passengers waiting at Noi Bai airport in Vietnam were greeted with an unusual announcement. The announcement was broadcast in Chinese by a male voice that started with the words "Hacked by 1937cn team...". A few hours before, check-in systems at another Vietnamese airport, Tan Son Nhat International Airport, had stopped working. According to the Civil Aviation Administration of Vietnam, at 1.46PM on 29 July the IT systems of VietJet were attacked, forcing employees to switch to manual procedures, which led to flight delays. A few hours after the speaker systems at Noi Bai airport were taken over, the official website of Vietnam Airlines was also hacked. Soon after, details of the airline's customers were stolen and published online, allowing anyone who knew where to find them to download them.

Link: https://vietnamnews.vn/society/300416/chinese-hackers-attack-vns-airports-and-vietnam-airlines-website.html#iKZqM07Fpb4ziLVs.97

Link: https://www.bbc.com/news/world-asia-36927674

The video of the announcement made on the compromised speakers.


“Hacked by 1937cn team. Fuck Vietnam Philippines Joint Action. OP CHINA Action is ignorance. Vietnam the Philippines Only the US, Japan, restrict China's pawn. South China Sea is China's territory. This is a warning from 1937CN team.”

Initially I thought that the message was broadcast through a speaker controlled manually (spoken by an actual person), but upon listening to the 'announcement', these words came straight from the text on the defaced Vietnam Airlines website:


So what is 1937CN?

Based on information gathered from open sources and defacement messages left on victims' websites:

  • Believed to be established as early as 2012 / 2013
  • Patriotic hackers (Hacktivists)
  • Attack based on political and territorial issues
  • Well known ‘hacks’ include collaborating with Huaxia Hacker Alliance, Panda & Aqi Dog – to bring down South Korea’s Lotte Group website.

Defacement page left on a victim's website suggesting cooperation between 1937CN and Sky-Eye

Defacement message suggesting a political and territorial motivation

An article on 1937CN described the group as the most famous hacker group in China, having hacked over 40,000 websites and ranked no. 1 in the Chinese hacking underground community.

1937CN listed as number 1 in the Chinese underground hacking community
But here's the interesting part: when I looked at the numbers in detail, I realized the following:

AlfabetoVirtual contributed over 13,000 of the hacks in the name of 1937CN

So who was AlfabetoVirtual?

Looking at his "TTPs", one of the things I realized is that he consistently left the following message on his victims' websites: "Hacked by AlfabetoVirtual", and a mini Brazil flag can be seen in the top left-hand corner of the Chrome tab.



Social media research on this 'handle' shows that he took part in a number of Anonymous-related operations and claimed to be a member of the High Tech Brazil Hack Team.


High Tech Brazil Hack Team??? That sounds familiar!!!

In December 2012, the People's Association of Singapore website was hacked by the HighTech Brazil HackTeam. 17 other PA-linked websites were also affected by the Brazilian group.

Link: https://www.hackread.com/peoples-association-of-singapore-website-hacked-by-hightech-brazil-hackteam/

Who was Jack Riderr?

Now, speaking on the topic of Singapore, I also noticed the following handle on the Chinese underground: Jack Riderr.

Screenshot taken as of May 2017

In November 2013, 13 Singapore school websites were hacked and defaced by a hacker using the handle Jack Riderr.

The defacement message suggests he was a Muslim hacker from the Johor Hacking Crew, giving shoutouts to other, presumably Malaysian, hacking groups.

The defacement left on Jack Riderr's victims' websites

The handle Jack Riderr being found in the Chinese underground hacking community, and listed as number 3 in May 2017, begs the question: what is a Malaysian hacker doing in a Chinese underground forum?

Now let's get back to AlfabetoVirtual. Out of curiosity, and trying to find out more about the Vietnam airport hack, I sent a direct message (using an alternative profile) to the inbox of a 1937CN social media account in the hope that I could get a reply. I was really keen to know whether AlfabetoVirtual was a member of 1937CN.


My conversation with a 1937CN member revealed that AlfabetoVirtual was nothing more than a 1937CN fan who was hacking and submitting his defacements as representing the 1937CN group. This actually made sense because, upon researching the hacker group further, I found over 30 handles being posted under the banner of 1937CN team. However, based on their defacement messages, there were 9 official team members:

  1. Allen Reese
  2. BonEs
  3. Webr0bot
  4. SiLing
  5. Learner
  6. 4n0wGZ
  7. Any9aby
  8. Rascal
  9. Vietnam's Prime Minister (Team Leader)

This finding highlights the fact that if we were to remove the website hacking contributions made by unofficial 'team members', the numbers would drop to almost 30% - 40%, which would not make 1937CN number 1 in the Chinese underground.

In May 2018, a California man named BILLY RIBEIRO ANDERSON was arrested for hacking the websites of The Combating Terrorism Center at West Point and The New York City Comptroller. He was also convicted of more than 11,000 website defacements worldwide. His handle was "AlfabetoVirtual".

Link: https://www.justice.gov/usao-sdny/pr/california-man-arrested-hacking-websites-combating-terrorism-center-west-point-and-new

Too Curious to Ignore

Now back to the hunt... when I first read about this hack, my first question was: how did the hack happen? There were quite a number of vendors out there offering their thoughts and analysis based on malware engineering, TTPs, etc., but none of the reports/articles explained how the speaker system was taken over and used to announce the hacker group's message.

So after days and weeks of trying to figure it out, I decided to just go straight to the source and ask them directly.

Asking them hoping they would be willing to share how the speaker system was hacked

But nothing comes for free

Initially I was planning to pay, with the intention to really learn and understand how the speaker system was compromised, especially when there were no reports out there that explained it. That all changed when I was provided with an email address that the actor used for PayPal.

SCORE!

At the same time, I was doubtful about paying, especially when I came across an article in which the group provided a statement that they neither admitted nor accepted the media's reports attributing the attacks to them.


An Email Address That Changes Everything

Now, with an email address, my motivation changed from trying to find out how the hack happened to attempting to find out who was behind the email address; in other words, who is the member of 1937CN that I had been communicating with. In order to ensure that the email address I received was legitimate, I sent an email hoping that it would be replied to.

And he replied!

I then did a quick check to see if the email address had been used to register a Facebook account, trying my luck to see if there was a picture or if any name came up. And yes! There was a name, but no face or picture on the account.

Facebook account associated with the email address

Another interesting finding is that the email address was found in a buyer/seller forum as early as 2014! This was accompanied by several other pieces of juicy information, including a contact number, address and even bank accounts.

Juicy information tied to the email address

The next thing I tried was to see if I could find any picture associated with the email address. In order to do this I used the 'Forgot Password' option and, instead of a picture, I was told to key in the full contact number in order to verify the email account. The result? The last two digits of the contact number. I was confident that the number found in the forum was most likely the same number used on Gmail for his account verification process.

Last 2 digits - same as the last 2 digits found in the forum

Additionally, I also found that the email address was used to register a domain, and the whois details were interesting! Note that the contact number here also ends with 22, further confirming that this number belongs to the person who uses this email address.

Same number used here as the one found in the forum.

So what have I gathered so far...


Both addresses are valid addresses that can be located on Google Maps, but the challenge I faced was to determine which address was the right one and which name was the right one. Using several combinations of name, address and contact number, I found an address directory that managed to piece all three together:

The name, the address and the contact number

And when I searched for the address on Google Maps:

Possible residence of a 1937CN member

The reason I circled the Chinese lantern decoration is that Malaysia's population is predominantly Malay, followed by Chinese. If the result of the location search had been a Malay residence, then most likely it would be a false positive. However, since the residence seemed to have Chinese-related decorations, it is most likely that the person living there is Chinese. The real question is: could this really be the residence of one of the members of the Chinese hacking group 1937CN?

From Hacking Group to Security Companies

Weeks after the Vietnam airports' hacking, I came across an article in which the hacking group's leader mentioned that the group had ventured into security technology, with some of the members working at cyber security companies.

Link: http://www.globaltimes.cn/content/997588.shtml

Using a 'community edition' tool, I found five domains that had been registered using the email address since 2015. One of the domains was reported by Google Chrome as a phishing domain, while another, ending with .org.my, led me to an interesting website!

List of domains registered with the email address

Accessing the domain led me to a website that sells electronic technology and security systems. Recall the 1937CN leader stating that they are now in security technology? Could this be one of those companies?

Malaysia-based company selling security products and technologies

Conclusion

While threat intelligence vendors have associated 1937CN with being a China-based group, my findings indicate that this might not be the case. Yes, perhaps the group is a hacktivist group with capabilities similar to APT groups, hacking in the name of China, but is it possible that not all of its members are from China? The use of the 1937CN name by unofficial members to represent themselves, hacking in the name of the group without the group members' acknowledgement, could have given the public the impression that they are a notorious group with thousands of hacks under their belt, when only a handful were possibly their own.

Nevertheless, the intention of this post is not to name or shame (hence the covering of PII in this post) but to showcase the possibility of conducting an investigation and finding out the personal details of at least one member using OSINT and Cyber-HUMINT.