My blog has been hacked! Someone defaced the page, and looking into the technical details didn’t provide any leads to the culprit. Maybe OSINT can help in this case.
Today’s article will look into cyber attribution and how OSINT can help identify the perpetrator of a cyberattack or other hacking exploits. Keep in mind, as long as the perpetrator does not make any mistakes it will be hard to track him down. Even if the actual person behind an attack cannot be found, hints on the hacker’s background may help narrow things down to a specific target group or origin. Let us have a closer look at the defacement shown above.
As stated, looking into technical details (IP address, code, etc.) did not reveal anything useful. So we have to take a closer look at the tag and handle that was placed on our site. A reverse image search was conducted and did not show any results. The hacker goes by the name “drag0nw1ng١٩٨١”; a search for this exact term was also inconclusive. The Arabic numbers in the handle (the Eastern Arabic digits ١٩٨١, i.e. 1981) may be an indicator of the hacker’s cultural background. Next up, we will search for the handle in different variations, including a “standardized” one:
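The digit normalization and variant generation described above can be scripted. This is an added example, not part of the original post; the function names and the leet-substitution table are assumptions made for illustration.

```python
import unicodedata

# Handle from the defacement, written with escapes for the four Arabic-Indic digits.
HANDLE = "drag0nw1ng\u0661\u0669\u0668\u0661"

# Assumed leet substitutions; extend as needed for other handles.
LEET = {"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t"}
ASCII_DIGITS = "0123456789"

def digit_scripts(handle):
    """Name the scripts of non-ASCII decimal digits (a possible cultural hint)."""
    return sorted({
        unicodedata.name(ch).split(" DIGIT")[0]
        for ch in handle
        if unicodedata.category(ch) == "Nd" and ch not in ASCII_DIGITS
    })

def to_ascii_digits(handle):
    """Map every Unicode decimal digit to its ASCII counterpart, one char each."""
    return "".join(
        str(unicodedata.decimal(ch)) if unicodedata.category(ch) == "Nd" else ch
        for ch in handle
    )

def deleet(handle):
    """Undo leet digits inside the name but leave a trailing number intact."""
    body = handle.rstrip(ASCII_DIGITS)
    return "".join(LEET.get(ch, ch) for ch in body) + handle[len(body):]

def search_variants(handle):
    """Search terms ordered from the exact handle to the standardized one."""
    ascii_form = to_ascii_digits(handle)
    standardized = deleet(ascii_form)
    body_len = len(ascii_form.rstrip(ASCII_DIGITS))
    # Standardized name with the digits kept in their original script.
    mixed = standardized[:body_len] + handle[body_len:]
    return list(dict.fromkeys([handle, ascii_form, standardized, mixed]))

if __name__ == "__main__":
    print("digit scripts:", digit_scripts(HANDLE))
    for term in search_variants(HANDLE):
        print(f'"{term}"')  # quoted for exact-match searching
```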
Not many results to look at here, so we can easily go through each and every page. Next to a Russian PlayStation profile named Dragonwing1981, we stumble upon some interesting results that might be related to our case.
Several data breaches and leaks show an email address using the exact name. Dragonwing1981@yahoo.com was registered to a member of an internet forum called Kataib Hezbollah. This Arabic-language forum no longer exists and was used to disseminate terrorist propaganda. Since our hacker used Arabic numbers in his handle and the handle seems quite unique (based on the low number of Google results), the email address might be linked to our guy.
The oldest mention of “dragonwing1981” came from another internet forum. In August 2004, the forum was hacked by someone with the email address we found before:
Research done by the forum members linked the perpetrator to Iraq:
Looks like things are coming together. There is one more approach we can try in order to back our claims further. When using the password reset function in Yahoo, it gives you parts of the phone number (without the country code). Let us see what happens when we try to reset Dragonwing’s password:
07 is the operator code used by Iraqi mobile networks and the length of the number also fits Iraqi mobile phone numbers. Luckily, Yahoo (unlike Google) displays the exact number of digits of a phone number.
Let us review the evidence we have collected so far:
- Use of Arabic numbers in the handle
- Unique handle, not found often on the internet
- Username and a related email address found in an Arabic internet forum
- Email address used in a hack in 2004, identified as possibly originating from Iraq
- Phone number linked to the email address possibly an Iraqi mobile phone number
Can we be sure that all these pieces of evidence are really linked to each other? Not really, but that is why we use words of estimative probability in intelligence analysis. Cyber attribution is not always about tradecraft, infrastructure or the malware/attack itself. Digging into individual actors may help shed light upon the origins of cyber-attacks and the OSINT process shown above should always be incorporated into any research effort as soon as “personal data” (e.g. tags, names, handles) is involved.
Of course, we could just send Dragonwing1981 an email and congratulate him on his defacement. However, unlike other stories on my blog, this one is completely made up and is based on a CTF-task I created for the OSINT courses I instruct. As far as I am concerned, Dragonwing1981 is innocent…
Matthias Wilson / 02.05.2019