February 17, 2020
One month after the release of our forensics report “Fishing phishers in Azerbaijan“, that linked targeted phishing attacks against regime critical journalists to infrastructure under the control of the Ministry of Interior, Azerbaijan, we are releasing updates on the person and the network behind the attacks.
Learn about “man’s” attempt to erase online evidence, his requests for help in hacker forums, and his GitHub account linking him to the very same tools used in the phishing attacks.
Erasing evidence – deleting postings in hacker Forum
On the morning of the 16th of January 2020, the attacker had learned about our forensics report and started to delete all his posts in the Antichat hacking forum. This is a typical reaction for a hacker or attacker that just got caught. That’s why crawling suspects’ social media and forum accounts is so important to gather evidence that later might be deleted.
Man474019 had almost 300 postings in the forum, a few of them mentioning his victims and the techniques that he was using. Most of the postings advertised tools and methods or asked for help when he could not succeed in his attempts to attack websites.
Written in Russian and or poor English, man474019 asked to the community for help. Many messages included the questions “What is wrong? Can u advice?“
“Man” spent several hours on January 16th deleting his postings. Unfortunately for him, the forum did not allow him to delete the 4 message threads that he created so he had to edit the messages instead.
For example, in the thread below, he asked how to exploit “nginx < 1.4.7 SPDY Heap Buffer Overflow”.
Some of his postings included the URLs he was attacking: contact.az. aztelekom.net, moderator.az etc
man474019 is also active in other forums
In May 2016, Nulled, a forum used by cyber criminals to trade and purchase leaked or hacked information, was compromised and 599K user accounts were leaked. The compromised data included email and IP addresses, weak salted MD5 password hashes and hundreds of thousands of private messages between members. Thanks to the leaked data, we could see that “man” was also active on Nulled. On this forum he used the nick “mehran1234“, with e-mail recovery man474019[@]gmail.com, connecting from IP address 126.96.36.199. Remember that IP address, we will take a closer look on it soon.
In a posting on Nulled, mehran1234 asks for help using “sqlmap” and uploads the error to the website pastebin.com.
The error uploaded to pastebin the 13th of December 2018
The error reported by mehran1234 (man474019) was also reported as a “Issue” in GitHub a few days after.
sandman4812av was found
The relationship between our attacker and the GitHub account became even more obvious when we found out that “sandman” was asking the developer of the project Technowlogy-Pushpender for support. This GitHub project was used to build the phishing attacks against Azeri journalists and human rights defenders that were launched on January 6th, 2020.
Hobby or professional work?
By analyzing more than 200 events in GitHub from sandman4812av, shows that he works from 7 AM to 17 PM (Baku time) and never works on Sundays. For most people, that is the description of a fix employment, not a side-hobby.
What is sandman4812av interested in?
For the past two years, sandman4812 has been collecting (forking) almost 200 repositories related to pen-testing, hacking tools and denial of service.
A full list of what he is interested is available here
Customs Committee recruits pentesters
In May 2019, an announcement for a job position for the Information Security Department of the Customs Committee (customs.gov.az) was made public. The announcement that was posted in several recruitment websites, was also posted in Facebook.
The job announcement is interesting as it specifies which tools the candidate should master, such as metasploit framework, pentestbox, burp, sqlmap, dirbuster, acunetix and netsparker. The job description is rather unusual as it provides a full list of tools that are commonly used in “offensive security”.
The 188.8.131.52x network
Recall the IP address that “man” was using to connect to the hacker forum Nulled? The IP address he used was 184.108.40.206, belonging to the subnet 220.127.116.11X. Let’s take a closer look on what malicious activities we can find from that network.
Since 2016, Qurium has been collecting malicious events targeting out infrastructure coming from the network 18.104.22.168-78. Thanks to our logs and leaked information from hacker forums and Wikileaks, we can link the IP network to the Department of Ministry of Internal Affairs in Azerbaijan, carrying out DDoS attacks against regime critical media, and targeted phishing attacks against dissidents. Furthermore, this IP range has been blocked by Wikipedia for breaking the rule of reporting from a “neutral point of view” regarding Azerbaijani history and politics.
Below follows a summary of the malicious activity traced to the network.
- July 2014: Orkhan SHABANOV from the Main Information Department of Ministry of Internal Affairs asks the Hacking Team for information about their products from 22.214.171.124. Source: Wikileaks-hacking team leaked mails.
- May 2016: man474019 connects to nulled.to forum from 126.96.36.199
- November 2016: Denial of services from 188.8.131.52 and 184.108.40.206 report
- January 2017: Pentesting from 220.127.116.11 (Acunetix, netsparker)
- February 2017: AutoIT spyware links 18.104.22.168 with 22.214.171.124, reported here and here The IP 78.164 later on hosted www.pilot.e-xidmet.mia.gov.az
- May-November 2019: Multiple edits in AZ wikipedia about the Police and the Nagorno-Karabakh War. Currently 126.96.36.199/17 is banned in wikipedia from posting articles from 188.8.131.52.