Passerby A · 2015/08/11 22:34
0x00 Background
Hacking Team is a software company registered in Milan, Italy, that sells hacking and surveillance software to governments and law enforcement agencies. Its Remote Control System (RCS) can monitor Internet users’ communications, decrypt their encrypted files and emails, record Skype and other VoIP calls, and remotely activate a user’s microphone and camera. Headquartered in Italy, it employs more than 40 people, has branches in Annapolis and Singapore, and its products are used in dozens of countries.
On the night of July 5, Hacking Team’s servers were hacked and 400 gigabytes of its data leaked, causing an uproar in the industry. The leak contains a Flash 0day, a Windows font 0day, an iOS enterprise backdoor app, an Android SELinux exploit, a WP8 Trojan and other nuclear-grade vulnerabilities and tools. Its remote control system can bypass the system defaults and the protection of antivirus software to monitor users’ network communications, decrypt users’ encrypted files and emails, record Skype and other VoIP chats, and remotely activate users’ microphones and cameras.
Within the 400 gigabytes of leaked Hacking Team data there is evidence that South Korea and Kazakhstan worked with Hacking Team to launch attacks against China using its exploit tools.
0x01 Korean evidence
The Hacking Team client list file Clinet Overview_list_20150603.xlsx was among the leaked files.
South Korea’s Unit 5163 appears as one of the customers.
Wikileaks has built a searchable database of the Hacking Team emails; it can be queried by keyword, recipient, attachment name and so on.
http://wikileaks.org/hackingteam/emails
There is no Unit 5163 in the Korean army.
I searched the emails for the address of Unit 5163 and found that it is the Korean National Intelligence Service (NIS); the contact person in Korea was [email protected].
Matching the CODE column in the customer list, the contact person for the RCS system in use in South Korea is [email protected].
Wikileaks.org/hackingteam…
[email protected] exchanged emails with Hacking Team about attacks on China.
Wikileaks.org/hackingteam…
The email makes clear that some of the targets were in China and that the customer wanted a way around Chinese domestic antivirus software.
Wikileaks.org/hackingteam…
Another email reports targets in China that were unable to send data back over GSM; the sender guessed that Chinese ISPs were blocking some IP ranges.
Software inventory from a controlled Chinese system:
Wikileaks.org/hackingteam…
Application List (x86):
115 Browser 1.0 (1.0)
360 Antivirus (4.2.0.4055)
360 Compression (3.0.0.2011)
360 Security Guard (9.1.0.2001)
360 Mobile Assistant (1.7.0.1715)
Adobe Flash Player 11 ActiveX (11.7.700.224)
Adobe Flash Player 10 Plugin (10.0.45.2)
Bank of Communications E-Banking Security Control V1.0.0.5 (0.10.11.3)
Microsoft .NET Framework 2.0
MSNLite (20120612)
LinkSkype_Setup (1.0)
Microsoft .NET Framework 2.0
MSNLite (3.1)
QvodPlayer (qVOd) V3.5 (3.5)
Sogou Pinyin input method 6.5 official edition (6.5.0.9181)
Sogou Wallpaper 1.5 edition (1.5.0.0922)
Qianqian Jingting (TTPlayer) 5.9.6 (5.9.6)
Windows Live software package
Free Launch Bar (1.0)
Windows Live Upload Tool (14.0.8014.1029)
Agricultural Bank of China online banking security control V2.3.6.0
Microsoft Office Professional Edition 2003 (11.0.8173.0)
Compatibility Pack for the 2007 Office System (12.0.6514.5001)
Thunder5 (5.9.25.1528)
Windows Live Login Assistant (5.000.818.5)
REALTEK GbE & FE
Skype(TM) 5.9 (5.9.14)
Intel(R) Graphics Media Accelerator Driver (6.14.10.5402)
Realtek High Definition Audio Driver 2.1
Storm VIDEO (Baofeng) V3.10.07.30
Within the leaked 400 GB, the file exploit_delivery_network_windows.tar contains the server data for Hacking Team’s remote exploitation of Windows systems, and exploit_delivery_network_android.tar contains the data from Hacking Team’s remote Android exploit server.
Ht.transparencytoolkit.org/Exploit_Del…
Ht.transparencytoolkit.org/Exploit_Del…
In exploit_delivery_network_android.tar there are records of two IP addresses in China being attacked:
For example, in the folder “jAWxkt”, log.jsonl shows that a Beijing IP address requested the exploit link on June 26, 2015, and the device model recorded was a Huawei G700.
redir.js in the “data” directory shows that the redirect address used in the attack is www.myasianporn.com, an Asian porn website.
Checking the jAWxkt attachment in the Wikileaks database shows that the attack was initiated by South Korea.
Wikileaks.org/hackingteam…
In the folder “vYLpBL”, log.jsonl shows that a Liaoning IP address requested the exploit link on June 18, 2015, and the device model recorded was a Samsung 9008. The redirect address is www.5zuo2.com, also an Asian porn site. Interestingly, Liaoning is the province closest to South Korea.
Email evidence:
Wikileaks.org/hackingteam…
Server control side evidence:
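As an added example of how a defender would triage logs like the log.jsonl and redir.js files described above (this is not code from the post or from the leak): it parses constructed JSONL access records, pulls the device model out of the Android user agent, flags requests coming from monitored address ranges, and extracts the redirect target from a redir.js-style file. The field names (ts, ip, path, ua), the sample records, the monitored ranges and the form of the JS redirect are all assumptions.

```python
import ipaddress
import json
import re
from datetime import datetime

# Constructed sample records in the shape this example assumes for log.jsonl;
# the real field names are not given on the page.
SAMPLE_LOG = """\
{"ts": "2015-06-26T09:12:44Z", "ip": "203.0.113.17", "path": "/jAWxkt/", "ua": "Mozilla/5.0 (Linux; U; Android 4.2.1; zh-cn; HUAWEI G700-U00 Build/HuaweiG700-U00) AppleWebKit/534.30"}
{"ts": "2015-06-18T14:03:10Z", "ip": "198.51.100.8", "path": "/vYLpBL/", "ua": "Mozilla/5.0 (Linux; U; Android 2.2; zh-cn; GT-I9008 Build/FROYO) AppleWebKit/533.1"}
{"ts": "2015-06-20T01:00:00Z", "ip": "192.0.2.44", "path": "/vYLpBL/", "ua": "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36"}
"""

# Constructed redir.js content in the form this example assumes (a JS location assignment).
SAMPLE_REDIR_JS = 'window.location.href = "http://lure.example/landing.html";'

# Placeholder monitored ranges (constructed, documentation addresses only).
MONITORED = [ipaddress.ip_network("203.0.113.0/24"), ipaddress.ip_network("198.51.100.0/24")]

# Android UA: "...; zh-cn; <model> Build/..." -> capture <model>
UA_MODEL = re.compile(r"Android[^;]*;\s*[a-z]{2}-[a-z]{2};\s*([^;]+?)\s+Build/", re.I)

def parse_log(text):
    """Parse JSONL access records into dicts with ip, timestamp, exploit folder and device model."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        m = UA_MODEL.search(rec.get("ua", ""))
        events.append({
            "ip": ipaddress.ip_address(rec["ip"]),
            "ts": datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "folder": rec["path"].strip("/"),
            "model": m.group(1) if m else None,
        })
    return events

def monitored_hits(events, networks=MONITORED):
    """Return events whose client IP lies in a monitored range, grouped by exploit folder."""
    hits = {}
    for ev in events:
        if any(ev["ip"] in net for net in networks):
            hits.setdefault(ev["folder"], []).append(ev)
    return hits

def redirect_target(js_source):
    """Extract the URL from a redir.js-style location assignment (assumed form)."""
    m = re.search(r"""location(?:\.href)?\s*=\s*["']([^"']+)["']""", js_source)
    return m.group(1) if m else None
```

Each hit gives an analyst a timestamp, a device model and the folder (exploit campaign) to correlate with the customer email threads, which is exactly the join performed by hand in the post.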
0x02 Kazakh Evidence
SIS of NSC, a division of Kazakhstan’s National Security Council, works closely with Hacking Team.
According to the email, the email address of the corresponding person in Kazakhstan is [email protected].
Wikileaks.org/hackingteam…
Searching for evidence of attacks against China:
Wikileaks.org/hackingteam…
The emails indicate that the target computer may have Chinese domestic antivirus software installed and had been offline for a month.
This is the software inventory of the controlled computer:
Device:
Processor: 2 x Intel(R) Core(TM)2 Duo CPU E7200 @ 2.53GHz
Memory: 1548MB free / 2045MB total (24% used)
Disk: 211011MB free / 229944MB total
Battery: AC Connected - 0%
OS Version: Microsoft Windows XP (Service Pack 3) (32bit)
Registered to: user (oemxp) {76481-640-3060005-23096}
Locale settings: zh_CN (UTC +08:00)
Time delta: +00:00:00
User: ShiYongRen (ShiYongRen) {ADMIN}
SID: S-1-5-21-1238585575-1299394864-243974745-1006
Drive List: C:\ (disk) D:\ "" (disk) E:\ (CD-ROM)
Application List:
360 Antivirus (4.2.2.4092)
360 Security Guard (9.1.0.2002)
Adobe Flash Player 11 ActiveX (11.9.900.117)
ATI Display Driver (8.471-080225A1-059746C-ATI)
Storm Video (Baofeng) (1.22.1017.1111)
Smart Wubi System Supplement Driver Pack Feisen 2013 (2013)
Freeime 6.1 (6.1)
Windows Internet Explorer 8 (20090308.140743)
Windows Genuine Advantage Validation Tool (KB892130)
WPS Office 2007 Pro (6.3.0.1328) (6.3.0.1328)
OrderReminder HP LaserJet 101x (1.0)
Microsoft Office Professional Plus (2008.07.17.1.212)
Thunder BHO Platform 2.2.0.1035
Thunder7
WinRAR 5.00 Beta 5 (32-bit) (5.00.5)
Tencent QQ2013 (1.96.7979.0)
HP LaserJet 1010 Series (3.00.0000)
Apple Application Support (2.3.4)
Apple Software Update (2.1.3.127)
Bonjour (3.0.0.10)
Microsoft Office File Validation Add-in (14.0.5130.5003)
iTunes (11.0.4.4)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.664 (9.0.30729.664)
Adobe Reader 8.1.2 - Chinese Simplified
Microsoft Visual C++ 2008 Redistributable - x86 9.0.1135.473
Microsoft Visual C++ 2008 Redistributable - x86 9.0.1135.473 (9.0.21022.218)
Xunlei Kankan player (4.9.9.1734)
Xunlei Kankan HD player component
0x03 Epilogue
The leaked information shows that China is a victim of international cyber attacks. The analysis found hard evidence that some countries in the region had hacked into China, and that some had succeeded in taking control of domestic targets’ PCs or mobile phones. The attackers also raised specific requests about newly discovered problems, to keep their monitoring covert and ensure the return of confidential information. Remember that! These are not movie plots, but real state-level cyber security battles.
It is interesting that countries lacking the confidence to carry out the whole attack chain independently are more inclined to seek the help of such “cyber arms dealers”: the attack chain demands a high degree of concealment and reliability, none of its steps can be careless, and the operation must be precise and effective. Countries with developed “cyber armies” prefer to do it themselves, to keep their motives and actions hidden.
Finally, from the analysis of the emails and work orders leaked from Hacking Team, the WooYun community can see that international network espionage against China is real and well organized. If it were not for the leak of this cyber “arsenal”, many of these details and facts would still be unknown to us. I believe this event will become a milestone in network security, making all of us deeply aware of the importance and urgency of national network security.