Tuesday 4 December 2018

Threat Actor Hunting: Investigation Into The Vietnam Airport Hack

In 2016, after the news that airports in Vietnam had been hacked, I got very interested in the incident and decided to follow it closely... albeit too closely. This was research and investigation I did back in 2016/2017, and I had only presented it once, in a closed forum. Today I finally have the courage to blog about my findings.

In this blog, I will share the findings of my personal investigation into this incident, using nothing but OSINT and Cyber-HUMINT to verify some of the claims made about 1937CN in the news. I will also show how, while trying to find out how the systems were hacked, my motivation pivoted and I was able to "expose" at least one of the members of 1937CN.

Sometime in July 2016, passengers waiting at Noi Bai airport in Vietnam were greeted with an unusual announcement. The announcement was broadcast in Chinese by a male voice that started with the words "Hacked by 1937cn team...". A few hours before, check-in systems at another Vietnam airport, Tan Son Nhat International Airport, had stopped working. According to the Civil Aviation Administration of Vietnam, at 1.46PM on 29 July the IT systems of VietJet were attacked, forcing employees to switch to manual procedures, which led to flight delays. A few hours after the speaker system at Noi Bai airport was taken over, the official website of Vietnam Airlines was also hacked. Soon after, details of the airline's customers were stolen and published online, allowing anyone who knew where to find them to download them.

Link: https://vietnamnews.vn/society/300416/chinese-hackers-attack-vns-airports-and-vietnam-airlines-website.html#iKZqM07Fpb4ziLVs.97

Link: https://www.bbc.com/news/world-asia-36927674

The video of the announcement made on the compromised speakers.


“Hacked by 1937cn team. Fuck Vietnam Philippines Joint Action. OP CHINA Action is ignorance. Vietnam the Philippines Only the US, Japan, restrict China's pawn. South China Sea is China's territory. This is a warning from 1937CN team.”

Initially I thought that the message was broadcast through a speaker controlled manually (spoken by an actual person), but upon listening to the 'announcement', it was clear the words were taken straight from the text used on the defaced Vietnam Airlines website:


So what is 1937CN?

Based on the information gathered from open sources and the defacement messages left on victims' websites:

  • Believed to be established as early as 2012 / 2013
  • Patriotic hackers (Hacktivists)
  • Attack based on political and territorial issues
  • Well known ‘hacks’ include collaborating with Huaxia Hacker Alliance, Panda & Aqi Dog – to bring down South Korea’s Lotte Group website.
Defacement page left on a victim's website suggesting co-operation between 1937CN and Sky-Eye

Defacement message suggests political and territorial issues motivation
An article on 1937CN described the group as the most famous hacker group in China, credited with hacking over 40,000 websites and ranked no. 1 in the Chinese underground hacking community.

1937CN listed as number 1 in the Chinese underground hacking community
But here is the interesting part: when I looked at the numbers in detail, I realized the following.
AlfabetoVirtual contributed over 13,000 of the hacks in the name of 1937CN
So who was AlfabetoVirtual?

Looking at his "TTPs", one of the things I noticed is that he consistently left the same message on his victims' websites, "Hacked by AlfabetoVirtual", and a mini Brazil flag can be seen as the favicon in the top left corner of the browser tab.



Social media research on this 'handle' shows that he took part in a number of Anonymous-related operations and claimed to be a member of the High Tech Brazil Hack Team.


High Tech Brazil Hack Team??? That sounds familiar!!!

In December 2012, the People's Association of Singapore website was hacked by the HighTech Brazil HackTeam. 17 other PA-linked websites were also affected by the Brazilian group.

Link: https://www.hackread.com/peoples-association-of-singapore-website-hacked-by-hightech-brazil-hackteam/
Who was Jack Riderr?

While on the topic of Singapore, I also noticed the following handle on the Chinese underground: Jack Riderr.

Screenshot taken as of May 2017

In November 2013, the websites of 13 Singapore schools were hacked and defaced by a hacker using the handle Jack Riderr.

The defacement message suggests he was a Muslim hacker from the Johor Hacking Crew, giving shout-outs to other, presumably Malaysian, hacking groups.
The defacement left on Jack Riderr's victims' websites
The handle Jack Riderr being found on the Chinese underground hacking community, and listed as number 3 in May 2017, raises the question: what is a Malaysian hacker doing in a Chinese underground forum?

Now let's get back to AlfabetoVirtual. Out of curiosity, and still trying to find out more about the Vietnam airport hack, I sent a direct message (using an alternative profile) to the inbox of a 1937CN social media account in the hope of getting a reply. I was really keen to know whether AlfabetoVirtual was a member of 1937CN.


My conversation with a 1937CN member revealed that AlfabetoVirtual was nothing more than a 1937CN fan who was hacking and submitting his defacements under the 1937CN name. This actually made sense because, upon researching the hacker group further, I found over 30 handles posting under the banner of the 1937CN team. However, based on their defacement messages, there were only nine official team members:

  1. Allen Reese
  2. BonEs
  3. Webr0bot
  4. SiLing
  5. Learner
  6. 4n0wGZ
  7. Any9aby
  8. Rascal
  9. Vietnam's Prime Minister (Team Leader)
This finding highlights the fact that if we were to remove the website hacking contributions made by unofficial 'team members', the numbers would drop to almost 30% - 40%, which would not make 1937CN number 1 in the Chinese underground.
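To make this inflation argument checkable rather than eyeballed, here is an added Python example (my own illustration, not code from the original post or from any defacement mirror). It takes a list of defacement records in the shape the post describes, a submitter handle plus the team banner claimed, and compares the raw per-banner ranking a mirror would show against a ranking that only counts submissions from a verified roster. The records are constructed sample data, and the function names are assumptions of this example.

```python
"""Attribution-inflation check for team-branded defacement counts.

Added example, not the post's or any mirror's code. SAMPLE_RECORDS is
constructed data that only mimics the shape (notifier handle, team banner)
described in the post; the counts are invented for illustration.
"""
from collections import Counter

# Official roster as the post lists it from the group's own defacement messages.
OFFICIAL_1937CN = {
    "Allen Reese", "BonEs", "Webr0bot", "SiLing", "Learner",
    "4n0wGZ", "Any9aby", "Rascal", "Vietnam's Prime Minister",
}

# Constructed sample records: (notifier handle, team banner claimed on the page).
# One fan handle dominates the 1937CN-branded submissions; a second crew has
# fewer entries but all from its own members.
SAMPLE_RECORDS = (
    [("AlfabetoVirtual", "1937CN")] * 6
    + [("BonEs", "1937CN")] * 2
    + [("Webr0bot", "1937CN"), ("SiLing", "1937CN"), ("Rascal", "1937CN")]
    + [("fan_handle_x", "1937CN")]
    + [("other_crew_member", "OtherCrew")] * 8
)


def split_by_roster(records, team, roster):
    """Split one team's branded submissions into roster vs non-roster handles.

    Returns total/official/fan counts, the share that comes from the roster,
    and the non-roster handles that contribute most (the 'fans').
    """
    by_handle = Counter(handle for handle, banner in records if banner == team)
    official = sum(n for handle, n in by_handle.items() if handle in roster)
    fan = sum(n for handle, n in by_handle.items() if handle not in roster)
    total = official + fan
    return {
        "total": total,
        "official": official,
        "fan": fan,
        "official_share": (official / total) if total else 0.0,
        "top_fan_contributors": [
            handle for handle, _ in by_handle.most_common() if handle not in roster
        ][:3],
    }


def ranking(records, rosters=None):
    """Rank team banners by count.

    With rosters=None this is the raw mirror-style ranking (whoever claims the
    banner gets counted). With a {team: roster} mapping, submissions by handles
    outside a known roster are dropped; teams with no roster are left as-is.
    """
    rosters = rosters or {}
    counts = Counter()
    for handle, banner in records:
        roster = rosters.get(banner)
        if roster is not None and handle not in roster:
            continue  # banner claimed by a non-member: do not credit the team
        counts[banner] += 1
    return [team for team, _ in counts.most_common()]


if __name__ == "__main__":
    stats = split_by_roster(SAMPLE_RECORDS, "1937CN", OFFICIAL_1937CN)
    print(f"1937CN-branded: {stats['total']} total, {stats['official']} by roster "
          f"({stats['official_share']:.0%}), top fans: {stats['top_fan_contributors']}")
    print("raw ranking:     ", ranking(SAMPLE_RECORDS))
    print("roster-adjusted: ", ranking(SAMPLE_RECORDS, {"1937CN": OFFICIAL_1937CN}))
```

On the constructed data the raw ranking puts 1937CN first, but once only roster submissions are credited it drops behind the smaller crew, which is exactly the effect the post describes. The practical lesson for anyone consuming defacement-mirror statistics is to keep the notifier handle alongside the banner, so the adjustment can be recomputed when the roster is learned later.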

In May 2018, a California man named BILLY RIBEIRO ANDERSON was arrested for hacking the websites of the Combating Terrorism Center at West Point and the New York City Comptroller. He was also convicted in connection with more than 11,000 website defacements worldwide. His handle was "AlfabetoVirtual".

Link: https://www.justice.gov/usao-sdny/pr/california-man-arrested-hacking-websites-combating-terrorism-center-west-point-and-new
Too Curious to Ignore

Now back to the hunt... when I first read about this hack, my first question was: how did the hack happen? There were quite a number of vendors offering their thoughts and analysis based on malware engineering, TTPs, etc., but none of the reports or articles explained how the speaker system was taken over and used to announce the hacker group's message.

So after days and weeks of trying to figure it out, I decided to go straight to the source and ask them directly.

Asking them hoping they would be willing to share how the speaker system was hacked

But nothing comes for free
Initially I was planning to pay, with the intention of really learning and understanding how the speaker system was compromised, especially since there were no reports out there that explained it. That all changed when I was provided with an email address that the actor used for PayPal.

SCORE!
At the same time, I was doubtful about paying, especially when I came across an article in which the group provided a statement that they neither admitted nor accepted the media reports attributing the attacks to them.


An Email Address That Changes Everything

Now, with an email address, my motivation changed from trying to find out how the hack happened to attempting to find out who was behind the email address; in other words, who the member of 1937CN I had been communicating with was. To make sure that the email address I received was legitimate, I sent an email to it, hoping for a reply.

And he replied!
I then did a quick check to see if the email address had been used to register a Facebook account, trying my luck in case a picture or a name came up. And yes! There was a name, but no face or picture on the account.

Facebook account associated to the email address
Another interesting finding is that the email address appeared in a buyer/seller forum as early as 2014, accompanied by several other pieces of juicy information including a contact number, an address and even bank accounts.

Juicy information tied to the email address

The next thing I tried was to see if I could find any picture associated with the email address. To do this I used the 'Forgot Password' option, and instead of a picture, I was asked to key in the full contact number to verify the email account. The result? The last two digits of the contact number. I was confident that the number found in the forum was most likely the same number used for his Gmail account verification.

Last 2 digits - same as the last 2 digits found in the forum
Additionally, I found that the email address had been used to register a domain, and the whois details were interesting! Note that the contact number here also ends with 22, further confirming that this number belongs to the person using this email address.

Same number used here and the one found in the forum. 

So what have I gathered so far?


Both addresses are valid addresses that can be located on Google Maps, but the challenge I faced was determining which address, and which name, was the right one. Using several combinations of name, address and contact number, I found an address directory that managed to piece all three together:

The name, the address and contact number
And when I searched for the address on Google Maps:

Possible residence of a 1937CN member
The reason I circled the Chinese lantern decoration is that Malaysia's population is predominantly Malay, followed by Chinese. If the location search had turned up a Malay residence, it would most likely be a false positive. However, since the residence appeared to have Chinese-related decoration, the person living there is most likely Chinese. The real question is: could this really be the residence of one of the members of the China hacking group 1937CN?

From Hacking Group to Security Companies

Weeks after the Vietnam airport hacks, I came across an article in which the hacking group's leader mentioned that the group had ventured into security technology, with some of the members working in cyber security companies.

Link: http://www.globaltimes.cn/content/997588.shtml

Using a 'community edition' tool, I found five domains that had been registered with the email address since 2015. One of the domains was flagged by Google Chrome as a phishing domain, while another, ending in .org.my, led me to an interesting website!

List of domains registered with the email address
Accessing the domain led me to a website that sells electronic technology and security systems. Recall the 1937CN leader stating that they are now in security technology? Could this be one of the companies?
Malaysia-based company selling security products and technologies

Conclusion
While threat intelligence vendors have identified 1937CN as a China-based group, my findings indicate that this might not be the whole story. Yes, the group is perhaps a hacktivist group with capabilities similar to APT groups, hacking in the name of China, but is it possible that not all of its members are from China? The use of the 1937CN name by unofficial members, hacking in the group's name without the members' acknowledgement, could have given the public the impression that they are a notorious group with thousands of hacks under their belt, when only a handful were possibly their own.

Nevertheless, the intention of this post is not to name or shame (hence the covering of PII in this post) but to showcase the possibility of conducting an investigation and finding out the personal details of at least one member using OSINT and Cyber-HUMINT.
