Tracking a Hacker with OSINT

My blog has been hacked! Someone defaced the page and looking into the technical details didn’t provide any leads to the culprit. Maybe OSINT can help in this case.

1

Today’s article will look into cyber attribution and how OSINT can help identify the perpetrator of a cyberattack or other hacking exploits. Keep in mind, as long as the perpetrator does not make any mistakes it will be hard to track him down. Even if the actual person behind an attack cannot be found, hints on the hacker’s background may help narrow things down to a specific target group or origin. Let us have a closer look at the defacement shown above.

As stated, looking into technical details (IP-address, code, etc.) did not reveal anything useful. So we have to take a closer look at the tag and handle that was placed on our site. A reverse image search was conducted and did not show any results. The hacker goes by the name “drag0nw1ng١٩٨١”, this exact search-term also came up inconclusive. The Arabic numbers in the handle may be an indicator for the hacker’s cultural background. Next up, we will search for the handle in different variations, including a “standardized” one:

2

Not many results to look at here, so we can easily go through each and every page. Next to a Russian PlayStation profile named Dragonwing1981, we stumble upon some interesting results that might be related to our case.

3

Several data-breaches and leaks show an email address using the exact name. Dragonwing1981@yahoo.com was registered to a member of an internet forum called Kataib Hezbollah. This forum in Arabic language no longer exists and was used to disseminate terrorist propaganda. Since our hacker used Arabic numbers in his handle and the handle seems quite unique (based on the low amount of Google results), the email address might be linked to our guy.

The oldest mentioning of “dragonwing1981” came from another internet forum. In August 2004, the forum was hacked by someone with the email address we found before:

4

Research done by the forum members linked the perpetrator to Iraq:

5

Looks like things are coming together. There is one more approach we can try, in order to back our claims further. When using the password reset function in Yahoo, it gives you parts of the phone number (without the country code). Let us see what happens, when we try to reset Dragonwing’s password:

6

07 is the operator code used by Iraqi mobile networks and the length of the number also fits Iraqi mobile phone numbers. Luckily, Yahoo (unlike Google) displays the exact amount of digits of a phone number.

Let us review the evidence we have collected so far:

  • Use of Arabic numbers in the handle
  • Unique handle, not found often on the internet
  • Username and a related email address found in an Arabic internet forum
  • Email address used in a hack in 2004, identified as possibly originating from Iraq
  • Phone number linked to the email address possibly an Iraqi mobile phone number

Can we be sure that all these pieces of evidence are really linked to each other? Not really, but that is why we use words of estimative probability in intelligence analysis. Cyber attribution is not always about tradecraft, infrastructure or the malware/attack itself. Digging into individual actors may help shed light upon the origins of cyber-attacks and the OSINT process shown above should always be incorporated into any research effort as soon as “personal data” (e.g. tags, names, handles) is involved.

Of course, we could just send Dragonwing1981 an email and congratulate him on his defacement. However, unlike other stories on my blog, this one is completely made up and is based on a CTF-task I created for the OSINT courses I instruct. As far as I am concerned, Dragonwing1981 is innocent…

Matthias Wilson / 02.05.2019

Why Primary Sources Matter

Hurray! German company data is now available in OpenCorporates! Does this mean I don’t have to pay for the official company register access anymore?

This morning I confronted my boss Christian with a fact that I had found on the internet yesterday evening. Although he claimed to be the director of his company, I could not find him on OpenCorporates. For those of you who do not know what this platform does: OpenCorporates is the largest open database of companies and company data in the world. The site claims to have over 160 million companies indexed. As of yesterday, they added 5 million German companies to their database. Should I believe Christian or OpenCorporates in this matter?

When I conduct due diligence and background checks, OpenCorporates is among one of the first platforms I use. As good as it is, OpenCorporates is still a secondary source and when it comes to reliable and present-day information, I rather choose to trust primary sources.

Don’t get me wrong, secondary sources such as the aforementioned or compliance tools like LexisNexis are amazing and are really helpful to get an overview of what you are dealing with, but they all have little flaws. In some cases, the data is not as up-to-date as it should be, in other cases they are lacking essential information, such as the company shareholders. The worst-case scenario is when data is falsely aggregated during the import-process, linking the wrong entities to each other. Throughout my investigations, I have stumbled upon these issues more than once when using secondary sources.

Based on yesterday’s import of the German company data into OpenCorporates, I decided to check my own employer: Corporate Trust, Business Risk & Crisis Management GmbH. This is what OpenCorporates provided:

sources

There are some flaws in this dataset, because I am sure Christain would love to see his name in here as well. After all he founded the company and has been the director of Corporate Trust ever since. This is not just a problem within OpenCorporates, I have seen similar issues quite often in expensive commercial compliance databases as well. As you can see, the dataset is also missing information on the company’s shareholders. Even when this information is contained in compliance databases, it is sometimes outdated.

These are the reasons I always try to use primary sources, such as official government company registers, whenever possible. OpenCorporates is a great starting point to tell me where to look for more detailed information, especially since it offers the possibility to search for individuals (something that many government company registers lack), but the official company registers provides the real intelligence. This is where things can get challenging. Let us have a look at the company register in Germany, our Handelsregister. It requires a formal registration, which is only available in German. No credit card payments are possible, only direct debit. For many countries, this alone may prove to be an obstacle. On the bright side, once you have access to this database, you will gain access to the original company documents, including a list of shareholders for private limited companies.

In other countries, you can only gain access to the national company registers if you are a resident of that country and in most cases against payment. Unfortunately, nothing in life is free (except the amazing British Companies House). So when it comes to obtaining all relevant and up-to-date data, a bit more is required than just the access to (free) secondary sources.

Just to be sure about Christian, I checked our company in the official German company register. Turns out he is listed as director in the Handelsregister after all.

Matthias Wilson / 06.02.2019