Turkish Hacking Group Cyber Warrior’s e-Magazine : TeknoDE

Cyber Warrior is one of the biggest hacker groups in Turkey. The group was established in 1999. Their first significant cyber-attack was in 2003, when they launched a massive operation against 1,500 U.S. websites in protest against the American invasion of Iraq and a specific incident where Turkish military personnel in northern Iraq were captured and interrogated by the U.S. Army.

Turkish Hacking Group Cyber Warrior
Turkish Hacking Group Cyber Warrior

Cyber Warrior (CW) comprises teams for strategy, intelligence, logistics, R&D and a dedicated unit for waging cyber-attacks named Akincilar. In recent weeks, for examples, Akincilar has attacked official government websites of countries that discriminate against their Muslim populations, in their opinion.

Additionally, CW has been active developing cyber tools and improving others. They even write instructional manuals on cyber security and have established a Cyber Academy, where they provide online training.

In September 2014, the group published their first monthly e-Magazine. The magazine is published on their online platforms and it includes cyber news items from the IT world, new technologies, cyber security, hacking news, programming and more.

September 2014 issue of TeknoDE
September 2014 issue of TeknoDE

In their first issue, they featured a cryptography contest with the top prize of a book, mug and mouse pad.

Cryptography Contest
Cryptography Contest

In their October issue, they reviewed the recently discovered Shellshock vulnerability, shared information on how to locate a lost mobile phone and discussed ways to hack into Gmail accounts, and aircraft and satellite systems.

October 2014 issue of TeknoDE
October 2014 issue of TeknoDE

A couple of weeks ago, they produced the November 2014 issue, featuring articles about credit card frauds, new Android malware and interviews with Cyber Warrior founders.

November 2014 issue of TeknoDE

 

Currently, the magazine is in Turkish and it increases awareness of the Cyber world for users, while promoting an interest in cyber security among them.

Members of the website and readers of CWTeknoDE will not only be motivated to hack, but with this magazine they will have chance to learn more about the cyber world, and methods and vulnerabilities.

Related Posts


Did Turkish Hackers Actually Hack the Israeli “Iron Dome”? on August 18, 2014 by Sheila Dahan

Turkish Government Bans Twitter and Hijacks IP Addresses for Popular DNS Providers on March 31, 2014 by Sheila Dahan

RedHack – A Turkish Delight on February 5, 2014 by Sheila Dahan

HACKoDROID: An Increasing Tendency Toward Smartphone-Based Attacks

New Smartphone technologies have made our lives easier. At the touch of a button, you can call a cab, pay bills, connect with your friends and even reach your personal trainer. On the other hand, the world of hacking and cracking now also has a lot of useful tools to hack your system and steal your data, using a smartphone.

We have recently seen the development and publishing of hack applications for smartphones on underground forums. The wide range of such tools means that anybody can find a suitable tool for dubious purposes. The items available include a variety of DDoS tools, wireless crackers, sniffers, network spoofers and more.

HackForum Post
HackForum Post

Most tools are only available for Android smartphones, and many require root permissions. The most popular tool for cookie theft is DroidSheep. With the help of this tool, an attacker can collect all browsing data, including logins, passwords and more, merely by using the same Wi-Fi network as the victim.

Moreover, the attacker can connect to the victim’s password-protected Wi-Fi network. There are several Wi-Fi cracking tools, for example, WIBR+ uses uploaded password databases to identify passwords common to the victim’s network. The users can also upload and update these databases. Another tool – Wi-Fi Kill – is capable of shutting down any other device connected to the same network and can intercept pictures and webpages recently visited by users of this network.

More and more tools now include more than one hacking capability. The DSploit tool features such functions as password sniffers, cookie sniffers, browsing history sniffers, and webpage redirecting. Another program, Bugtroid, contains cracking and protection applications. The owner can choose the most suitable program from a list and install it in one click. The tool offers a variety of tools to suit almost every cracking purpose.

Sniffers and DDoS Tools
Sniffers and DDoS Tools

For iOS systems, there is a limited number of hacking tools, mostly in the realm of game cracking. Examples of such tools are GameGem and iGameGuardian. These tools break games for the purpose of stealing monetary units. The most common tool for iOS is Metasploit, which contains a number of useful applications for different fields.

The tools presented above are not new, but they represent the main capabilities in the field. We are seeing a growing tendency to use portable devices, such as smartphones and tablets, to conduct attacks in public places. Mobile devices and public Wi-Fi networks tend to be less protected and more vulnerable. With the help of collected data by mobile device, the attackers can perform more complex attacks via PC. As long as there is no protection awareness regarding mobile devices, we expected a continued increase in the number of smartphone-based attacks.

List of Hacking Tools
List of Hacking Tools

WhatsHack: WhatsApp in Cyberspace

WhatsApp Messenger is an instant messaging subscription service. In addition to text messaging, users can send each other images, video and audio media messages, as well as location data. As of September 2014, WhatsApp is the most popular global messaging app, with 600 million users. Aside from regular users, more underground communities like to use this application. WhatsApp activity is more complicated to monitor by a third party than regular phone messages and some online services. WhatsApp has proven to be a fast, reliable and inexpensive service for sharing various kinds of information.

The cyber underground is also seeking new platforms for chatting and sharing information. Lately, we have identified an increasing number of hacker-affiliated groups using WhatsApp services. These groups offer members chat services, hacking tips, cyberattack coordination and more. Members from numerous countries, including Bangladesh, Pakistan, Indonesia and others, expose their phone numbers to connect to such groups.

Facebook hacktivist post
Facebook hacktivist post

There are several manuals describing how to access other WhatsApp accounts. One post shared two different methodologies to do just that: spoofing with the help of Mac number, and using spy software. This post received over 738,000 views over a two-week period.

WhatsApp hacking guide
WhatsApp hacking guide

In addition to spy methodology, you can find various tools, such as WhatsApp Hack Spy Tool, WhatsAppSniffer, WhatsApp Xtract, WhatsApp Conversation SPY Hack Tool and more. You can also use third party spyware. These tools can be used for Android, iPhone and BlackBerry devices. Tools provide such features as tracking all voice notes, viewing all user chat logs, updating profile pictures, sending messages to contacts, changing profile status and more, depending on the tool.

WhatsApp hacking tools
WhatsApp hacking tools

The dissemination of such tools is becoming common also on social networks, such as Facebook, Twitter and LinkedIn. A Facebook page titled “WhatsApp Hack Spy Tool” has 390 members, mostly from India, Italy, France and the U.S. This page also has a related Twitter account with more than 3,500 followers. Another Facebook page titled “WhatsApp Hack Sniffer Spy Tool” has over 13,500 members, mostly from Turkey and India. Furthermore, advertisement for the tool can also be found on LinkedIn.

LinkedIn advertisement for the tool
LinkedIn advertisement for the tool

In addition to the free tools, you can purchase more unique software, such as a tool for hacking WhatsApp, only ten copies of which were released for sale on the DarkNet for 0.0305 BTC.

The tool is sold on the DarkNet
The tool is sold on the DarkNet

The use of WhatsApp by hacktivist communities, together with the development of hacking tools and methodologies, has opened up a new platform for the cyber community. These two directions provide a fast, inexpensive and more secure way for hacktivists to interact, coordinate operations, and exchange information and mobile hacking techniques and data vulnerabilities.

Gods, Monsters and Pandas – Threats Lurking in the Cyber Realm

With new viruses constantly being developed and new groups being formed all the time, hackers should use their creative minds to come up with original names to distinguish their tools/group from the rest. While some names are rather trite and corny, others are more amusing and curious. Generally speaking, the names usually fall under one of about ten categories. Here are a few examples:

The following are some elaborations on specific names:

Torshammer666: Thor’s hammer, or Mjölnir in Norse mythology, is depicted as one of the most powerful weapons, forged by the skillful hands of the dwarves. However, it seems that one Nordic god was not enough for this specific hacker, so he walked the extra mile and added the ominous number 666 to the tool name, to create an intimidating effect stemming from the thought of a Nordic-Satanic-almighty-weapon.

Fallaga: The famous Tunisian hacker group Fallaga is named after the anti-colonial movement that fought for the independence of Tunisia (there were also Fallaga warriors in Algeria). The character in the group’s logo resembles the original Fallaga fighters.

熊猫烧香 (Panda Burning Incense) – Everybody loves those adorable, chubby, harmless bears called Pandas! They are native to China, and serve as its national animal and mascot. As such, it is no wonder that panda-themed characters and cartoons figure extensively in China in various contexts, often symbolically representing China internationally. And now the pandas have even invaded the virus realm! In 2006-2007 the 熊猫烧香 virus infected millions of computers throughout China and led to the first-ever arrests in the country under virus-spreading charges. The ultimate goal of the virus was to install password-stealing Trojans, but it was its manifestation on the victim’s device that attracted a lot of attention: the virus replaced all infected files icons with a cute image of a panda holding three incense sticks in its hands, hence the name “Panda Burning Incense.”

Bozok (Turkish) – It may refer to one of the two branches (along with Üçok) in Turkish and Turkic legendary history from which three sons of Oghuz Khan (Günhan, Ayhan, and Yıldızhan) and their 12 clans are traced (from Wikipedia.)

推杆熊猫 (Putter Panda, putter=golf stick) – Another Panda-themed name. It is widely recognized that golf is the sport of white collar professionals, usually those on the upper end of the salary ladder. That is why, when these prominent figures travel abroad to a convention or on a business trip (and engage in semi-business/semi-pleasure golf activities), they are sometimes subjected to sophisticated hacker attacks, usually initiated by their host country, as suspected in the case of Putter Panda and its ties with the Chinese government.

As you read these lines, more tools are being written, and we can expect to continue to see more intriguing names. The Chinese idiom 卧虎藏龙 (literally: “crouching tiger, hidden dragon”), which was the inspiration for the successful namesake movie, nowadays actually means “hidden, undiscovered talents.” Maybe it is time the gifted tigers and dragons of the hacker community climbed out of their dark caves, stopped performing illegal activities, and put their pooled talents (be they computing or copywriting) to good use?

 

Ukraine Accuses Russia of Invasion – Ukrainian Hackers Set to Retaliate

Earlier today (August 28, 2014) Ukrainian President Petro Poroshenko said that Russia has sent troops to eastern Ukraine. Ukrainian hacker groups are quickly aiming to retaliate – Anonymous Ukraine plans to attack a number of Russian bank websites and the official websites of the Russian President . The first target was sberbank.ru, and the attack was planned to take place on August 28 at 16:00.

Anonymous Ukraine is threatening to carry out DDoS attacks
Anonymous Ukraine is threatening to carry out DDoS attacks

Other websites on the list include:

Threats to wage cyber attacks on sberbank.ru
Threats to wage cyber attacks on sberbank.ru

#OpSaveGaza Campaign – Insights from the Recent Anti-Israel Cyber Operation

The #OpSaveGaza Campaign was officially launched on July 11, 2014, as a counter-reaction to operation “Protective Edge”. This is the third military operation against Hamas since the end of December 2008, when Israel waged operation “Cast Lead”, followed by operation “Pillar of Defense” in November 2012.

These military operations were accompanied by cyber campaigns emanating from pro-Palestinian hacker groups around the world. #OpSaveGaza was not the only recent cyber campaign against Israel, but it is the most organized, diverse and focused. During this campaign, hacker groups from Malaysia and Indonesia in the East to Tunisia and Morocco in the West have been participating in cyber attacks against Israel.

The Use of Social Networks

Hacktivist groups recruit large masses for their operations by means of social networks. Muslim hacker groups use mostly Facebook and Twitter to upload target lists, incite others to take part in cyberattacks and share attack tools.

The #OpSaveGaza campaign was planned and organized using these two social media platforms. The organizers of the campaign succeeded in recruiting tens of thousands of supporters to their anti-Israel ideology.

OpSaveGaza - Facebook Event

Attack Vectors

When examining the types of attacks perpetrated against Israeli cyber space, it appears that this campaign has been the most diverse in terms of attack vectors. It not only includes simple DDoS, defacement and data leakage attacks, but also phishing (even spear-phishing based on leaked databases), SMS spoofing and satellite hijacking (part of the Hamas psychological warfare), in addition to high-volume/high-frequency DDoS attacks.

Hackers targeting Israeli ISPs
Hackers targeting Israeli ISPs

Furthermore, these attacks have been much more focused as the attackers attempt to deface and knock offline governmental websites, defense contractors, banks and energy companies. Simultaneously, a large number of small and private websites were defaced (over 2,500) and several databases were leaked online.

Pro-Palestinian hackers defacing Israeli websites
Pro-Palestinian hackers defacing Israeli websites

Motivation and the Involvement of other Threat Actors

The motivation for waging cyberattacks against Israel during a military operation is clear. This is not the first time that a physical conflict has had implications on the cyber sphere. However, we believe that other factors are contributing to the cyber campaign. In July 2014, the Muslim world observed the month of Ramadan, a holy month in Muslim tradition. There are two significant dates in this month – “Laylat al-Qadr” (the Night of Destiny), the night the first verses of the Quran were revealed to the Prophet Muhammad; and “Quds Day” (Jerusalem Day), an annual event held on the last Friday of Ramadan and mentioned specifically by Iran and Hezbollah. We identified an increase in the number of attacks, as well as their quality, surrounding these dates.

Last year, several days before “Quds Day” a hacker group named Qods Freedom, suspected to be Iranian, launched a massive cyber operation against Israeli websites. In other words, we believe that not only hacktivist elements participated in this campaign but also cyber terrorism units and perhaps even state-sponsored groups from the Middle East.

The Islamic Cyber Resistance (ICR) leaking an internal database
The Islamic Cyber Resistance (ICR) leaking an internal database

To summarize, this campaign was far better organized than the recent cyber operations we experienced in 2009 and 2012 alongside physical conflicts with Hamas. We have seen changes in several aspects:

  • Improvement in attack tools and technical capabilities
  • Information-sharing between the groups (targets, attack tools, tutorials)
  • The involvement of hacker groups from Indonesia in the East and Morocco in the West.
  • Possible involvement of cyber terrorism groups
  • Well-managed psychological warfare and media campaign by the participating groups

The scope and manner in which this campaign was conducted shows improved capabilities of the perpetrators, which is in-line with Assaf Keren’s assessment of the evolution of hacktivist capabilities.

#OpSaveGaza – Interim Summary

Written by Yotam Gutman

When the cannons roar, the muses stay silent (but the hacktivists hack).

As we reported last week, operation “Protective Edge” instigated a flurry of activity by Muslim hacktivists, targeting Israel. In the following post we will review the activities which took place so far and try to characterize them.

Attacker Types

Attackers can by divided into three types: individuals, hacktivist groups and cyber terror organizations. Individuals usually join larger campaigns by hacktivists groups and show their support on social media sites.

Hacktivist groups taking a stance make extensive use of Facebook as a “command and control” platform. The largest “event” dubbed #OpSaveGaza was created by Moxer Cyber Team, a relatively new group who probably originated from Indonesia whose event page has 19,000 followers.

Moxer Cyber Team event page
Moxer Cyber Team event page

The event included many lesser known Islamic groups, mainly from Indonesia, who did not participate in previous campaigns against Israel. Another event page by the Tunisian AnonGhost announced that the attack will include 38 groups from around the Muslim world. The campaign is planned to continue until the 14th of July.

Cyber terror organization in the form of the SEA (Syrian Electronic Army and ICR (Islamic Cyber Resistance) have not officially declared their participation in the campaign but have waged several high profile attacks, such as hacking into the IDF spokesman blog and Twitter account (SEA) and leaking a large database of job seekers (ICR).

Attacker Tools

The participants in this campaign use similar tools as previous campaigns – Generic DDoS tools, SQLi tools, shells and IP anonymization tools.

Results (Interim Summary)

#OpSaveGaza campaign included to date mainly defacement attacks (about 500 sites have been defaced), DDoS attacks of minor scale and some data dumps. Two interesting trend we’re seeing are recycling older data dumps and claiming it to be a new one, and posting publicly available information which was allegedly breached.

Summary

We estimate that these activities will continue until the hostilities on the ground subside, with perhaps more substantial denial of service or data leak attempts.

To the Rescue? Muslim Hacktivists Prepare Cyber Retaliation against Operation “Protective Edge”

Following the escalation between Israel and the Hamas regime in Gaza, Muslim hacktivists have announced the launch of several cyber campaigns against Israeli targets.

Unlike the real Middle-East, where Muslims from different factions fight each other, when it comes to assaulting Israel they are happy to join forces. While several groups have launched campaigns to show their solidarity with the Palestinians, the most prominent are AnonGhost with #OpSaveGaza and Anonymous Arabe that launched #Intifada_3, alongside Moroccan Tigers Team.

#OpSaveGaza is scheduled to peak on July 11, but attacks have already commenced against government, financial and Telcos, and is combining hackers from Malaysia in the East to Tunisia in the West.

#OpSaveGaza
#OpSaveGaza

#intifada_3 is lead by Anonymous Arabe and Moroccan Tigers Team, and is promising to launch daily attacks against an assortment of sites with defacement and DDoS attacks.

#intifiada_3
#intifiada_3

We expect the attack attempts to intensify in line with the progress of the armed conflict.

#OpIsrael Birthday Campaign – Summary

Written by Hila Marudi, Yotam Gutman and Gilad Zahavi

The #OpIsrael Birthday campaign took place as scheduled on April 7 and involved thousands of participants from all over the Muslim world, from Indonesia in the East to Morocco in the West.

#OpIsrael Birthday logo
#OpIsrael Birthday logo

It seems that the bulk of the activity focused on leaking data obtained from various breached databases. Some of the data published was simply a recycling of older data dumps, but some was new and included email addresses, passwords and personal details.

Hundreds of government email addresses were leaked and posted on Pastebin. In addition, private password-protected website databases were also leaked. The Islamic Cyber Resistance Group (ICRG), affiliated with Hezbollah and Iran, leaked hundreds of Bar-Ilan University email addresses and defaced a sub-domain of the University’s website.

Data leaked from Bar-Ilan University
Data leaked from Bar-Ilan University

Summary of the groups participating in the campaign:

Group name Group Details Activity
AnonGhost Tunisian, the campaign instigator Defaced hundreds of sites, developed and distributed an attack tool named “AnonGhost DDoSer”, leaked email addresses
AnonSec Pro-Palestinian Muslim group Leaked government email addresses, defaced websites and launched DDoS attacks
Fallaga Tunisian Built web-based attack tools and shells, launched DDoS attacks against government sites
Security_511 Saudi group Launched DDoS attacks against government sites and leaked government email addresses
Izzah Hackers Pro-Palestinian Muslim group Launched DDoS attacks against websites and leaked email addresses
Hacker Anonymous Military Pro-Palestinian Muslim group Launched DDoS attacks against government sites, leaked government email addresses and defaced websites
Moroccan Agent Secret Moroccan Group Defaced websites and leaked email addresses

According to the campaign’s official website, approximately 500 Israeli websites were defaced by AnonGhost, most of which were SMBs and private websites.

Conclusion

According to our analysis, we have not witnessed a dramatic change since the previous OpIsrael campaign that took place on April 7, 2013. We can think of at least two reasons for that:

  • The level of awareness and readiness in large organizations (but also in small ones) has improved and is improving each day.
  • During this campaign we have not seen attacks waged by nation-state actors such as the Syrian Electronic Army, the Izz ad-Din al-Qassam Cyber Fighters and others.

It appears that the attackers focused on attacking government sites and leaking databases. In addition, the number of authentic dumps containing email addresses, passwords and personal details was much bigger than the last campaign.

However, under the surface we have been noticing in recent weeks an emerging and concerning trend. We know that hacktivist groups and terrorist organizations try to develop their own capabilities. Those groups are also share information between themselves (guide books, scripts, tutorials). Lately we even have identified exchange of capabilities between Russian cyber criminals and anti-Israeli hackers and hacktivists.

The next phase, and we are not there yet, might be the purchase of advanced cyber weapons by terrorist organizations. It can be only a matter of time until terrorist groups (al-Qaeda for example) use sophisticated tools to attack critical infrastructure systems. If this happens, the results of the next OpIsrael campaign would be completely different.