Anna-senpai – Analysis of the Threat Actor behind the Leak of Mirai

The Mirai IoT Botnet has made a lot of headlines in recent weeks. While the botnet itself was analyzed and discussed by a number of security researchers and companies, none addressed the threat actor behind the recent attacks and the leak of Mirai source code. Such an analysis can provide useful insights into

Did Turkish Hackers Actually Hack the Israeli “Iron Dome”?

Ayyildiz Tim (AYT) is one of the more prominent Turkish hacker groups today. The group was founded in 2002 by Turkish hackers residing outside of Turkey. AYT advocates Turkish state ideology and has declared its intention to fight against “every form of attack on the Turkish Republic”, or attempts to threaten Turkish unity and Islam. Israel, the U.S., Armenia, Syria and the Kurdistan Workers’ Party (PKK) are counted among the group’s main targets.

A number of sources and web surfers refer to AYT as “The Turkish Cyber Army”, claiming that the group directly represents the tactical arm of the Turkish government with regard to everything surrounding cyberwarfare.

AYT founder Mehmet İshak Telli (Cedkan Bir Yafes) was interviewed by the Ihlas News Agency (IHA), one of the leading video news agencies in the world, on August 7, 2014. In the interview, Telli claimed that Turkish hackers had hacked Israel’s “Iron Dome” air-defense system and that this would be a good answer to Israeli aggression. In his statement, Telli also claimed that the software of the Arrow 3 anti-ballistic missile had been hacked. He further stated that a secret war was being waged between the Turkish and Israeli intelligence units and that AYT had proven its cyber superiority.

Following this interview, numerous media outlets republished his statements, mistakenly adding that “BBC editor” Brian Krebs had congratulated AYT and MIT (the Turkish National Intelligence Agency) on their hacking of Israel’s “Iron Dome”. The same reports also misspelled his name as “Vrian Krebs”. According to RedHack (another Turkish hacker group), AYT is merely exploiting the media to fool people.

Tweet made by a RedHack member

What Krebs actually wrote on July 28 was: “According to Columbia, Md.-based threat intelligence firm Cyber Engineering Services Inc. (CyberESI), between October 10, 2011 and August 13, 2012, attackers thought to be operating out of China hacked into the corporate networks of three top Israeli defense technology companies…”.

Another investigation undertaken by security expert Reza Rafati also concluded that the information supporting the AYT claim regarding “Iron Dome” was fake.

Hackers Use Cyber Security Bloggers for PR

Written by Tanya Koyfman

As in any illegal activity, those who break the law are much more familiar with those who try to enforce it than vice versa. The Russian underground is no exception: members of different forums know much more about security sources and researchers than the latter know about them. Links to a wide variety of sites and blogs dealing with cyber security issues are frequently posted in forum discussions, sometimes in order to get advice or find out about a newly reported malware, sometimes to promote sales of a tool or a service, and sometimes just to express frustration or to make a joke.

Taking into account the fact that Russian hackers often have difficulties with English, we found the phenomenon of referring to English-language sources quite unexpected. References to Russian-language security sources are seen as well, of course, but far less often than English ones.

Indisputably, the most famous “good guy” on Russian forums is Brian Krebs, a journalist who reports on the cyber-crime world. Links to his posts about different types of malware are very common on the forums, and catching his attention is considered a sales promotion act among malware vendors. For example, in one forum discussion regarding the sale of malware called “PowerLoader”, one of the repliers advises the seller to leak the malware files to Brian Krebs, “and this will bring him a lot of clients, after Krebs writes a post about the powerful Russian hackers.” Another, less flattering, mention of Krebs’ name pertains to the hackers’ concern about infiltration by foreign impostors trying to obtain information or incriminate forum members. Thus, every post written in English rather than Russian tends to be treated as suspicious, and the writer is contemptuously called “Krebsenish”.

The blog “Malware don’t need Coffee”, which deals mostly with malware and whose author is clearly embedded in the Russian underground (he is active on some of the forums), is also well known to Russian forum members. The author goes by Kafeine, and links to his malware and vulnerability reviews are frequently posted on the forums. The funny part is that sometimes a forum member publishes a post and, instead of describing the details or uploading images, simply links to a post on the above-mentioned blog (which in turn quotes another Russian source in more detail).

One more Western celebrity among Russian hackers is the French blogger Xylibox, whose blog is dedicated to technical malware analysis. It should be noted that the blog is treated with respect and seriousness among forum members, and is often cited both in professional discussions and in malware sales threads.

As we can see, the Russian underground is interested in the opposite side at least as much as the opposite side is interested in it. Forum members follow security sites and blogs, try to stay up to date with the latest news and trends, and cite them in their illegal malware sale business. Perhaps their life becomes even easier when someone else does all the marketing for them?!

References to the Brian Krebs and Xylibox blogs on the Russian underground