On September 11th, 2012, US embassies were hit with the attacks known as the “Benghazi Attacks.” In online correlation, attacks referred to as “Operation Ababil” began as a supposed act of solidarity, targeting various US bank websites. Bank of America, Regions, Wells Fargo, PNC, and others were hit with denial of service attacks, which were notable then and remain notable now.
During this time we had not launched ShadowDragon, but still had our tools in Packet Ninjas (sister company https://www.packetninjas.net). With some of our tools, we monitored what we could, mapped out networks, and privately engaged some of the operators at the time.
We released a few different reports within the community that proved helpful; I will share snippets of them now, since they may be useful if there are further acts of retaliation at this time.
- Report – Communication Signatures for Targeted Attacks Against US banks
- Report – “Suspect Profile: Hilf-012213-001” Draft Released 01/22/13
Hilf-ol-Fozoul is the current alias/moniker that has consistently published detailed information about attack targets before the attacks occur, through his primary blog account (http://hilf-ol-fozoul.blogspot.com/). Subsequently, the same data posted on Hilf-ol-Fozoul’s blog is shared on the site ‘Pastebin’ (http://www.pastebin.com). Content posted on this blog has been a reliable indicator of new targets and information throughout the majority of the attacks that have occurred against American banks during this campaign.
Online accounts (at the time) include/included:
- Blog Account – http://hilf-ol-fozoul.blogspot.com/ , (still alive) this has prior links to GooglePlus Accounts.
- Twitter Account – @hilfolfozoul (https://twitter.com/hilfalfudul)
- Email account – “hilfolfozoul @ gmail.com”
- Facebook Account – https://www.facebook.com/hilfolfozoul
- Flickr Account – http://www.flickr.com/photos/hilfalfudul/
- YouTube Account – http://www.veengle.com/s/hilf-ol-fozoul.html
- VK Account Links – http://vk.com/id170773129?z=photo170773129_287663440%2Falbum170773129_00%2Frev (Still Active)
- Vimeo Account – http://vimeo.com/47172972 (Still Alive)
- Telegram Account – https://telegram.dog/hilfalfudul
Communication By Hilf-ol-Fozoul
During the first week of attacks, communications first showed up on Pastebin (many of which have since been redacted or deleted). We archived the majority of these communications to aid in timeline analysis and linguistic analysis.
The workflow for monitoring external communication included watching all external sites and social media for communication. We did not spend much time working on brobot, but did spend time engaging some of the online monikers behind “hilf” at the time.
What we found was a lower than average operational security model in place, and shared infrastructure with Russian IP addresses that haven’t had much activity associated with the IP/DNS pairs observed during the period.
Some of the targeting details are shared below.
The results of this investigation so far show that the source IP that clicked on this link was 46.38.57.155 (Russian IP space), with English character sets installed by default. Secondary goals will be followed up on at a later time. The recorded IP, at the time of writing, was not known to be a part of any known darknet or TOR network. There have been known exploit kits in the /24 network block surrounding this IP. All we knew was that some of the people operating “Operation Ababil” had also shared space on servers that were (at the time) in Russian IP space.
In 2012, correlations with this IP had been the following:
| IP Address | ASN | BGP Netblock | First Seen | Host/Domain |
| --- | --- | --- | --- | --- |
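The correlation above (IP to ASN, BGP netblock, first-seen date, and the hosts observed on it) is the kind of table an analyst builds while mapping out shared infrastructure. The following Python script is an added example, not code from the original post or from ShadowDragon/Packet Ninjas: it normalises IP strings that extraction or copy/paste has broken up with spaces (as the IP above appeared in the scraped text), folds constructed passive-DNS style observations into one row per IP with the earliest first-seen date, and checks whether two addresses sit in the same /24, which is the "surrounding netblock" question raised above. The observations, prefixes and ASNs are constructed placeholders (RFC 5737 documentation ranges and private-use ASNs), not data from the investigation.

```python
import ipaddress

# Constructed passive-DNS style observations: (ip, hostname, observed_on).
# Placeholder addresses/hosts only; not data from the original investigation.
OBSERVATIONS = [
    ("203.0.113.17", "updates.example-cdn.test", "2012-09-12"),
    ("203.0.113.17", "login.example-bank.test", "2012-09-14"),
    ("203.0.113.44", "static.example-host.test", "2012-09-20"),
    ("198.51.100.9", "mirror.example.test", "2012-10-01"),
    ("203. 0.113. 17", "updates.example-cdn.test", "2012-09-11"),  # earlier sighting, mangled IP
]

# Constructed BGP prefix table: netblock -> ASN (private-use ASNs as placeholders).
PREFIXES = {
    "203.0.113.0/24": "AS64496",
    "198.51.100.0/24": "AS64497",
}


def normalise_ip(raw):
    """Remove whitespace inserted by extraction/copy-paste and validate the address."""
    cleaned = "".join(raw.split())
    return str(ipaddress.ip_address(cleaned))


def lookup_prefix(ip):
    """Return (netblock, asn) for the first configured prefix containing ip."""
    addr = ipaddress.ip_address(ip)
    for prefix, asn in PREFIXES.items():
        net = ipaddress.ip_network(prefix)
        if addr in net:
            return str(net), asn
    return None, None


def correlate(observations):
    """Collapse observations into one row per IP: ASN, netblock, earliest date, host set."""
    rows = {}
    for raw_ip, host, seen in observations:
        ip = normalise_ip(raw_ip)
        netblock, asn = lookup_prefix(ip)
        row = rows.setdefault(
            ip, {"ip": ip, "asn": asn, "netblock": netblock, "first_seen": seen, "hosts": set()}
        )
        row["hosts"].add(host)
        # ISO-8601 dates compare correctly as strings.
        if seen < row["first_seen"]:
            row["first_seen"] = seen
    return [rows[k] for k in sorted(rows, key=ipaddress.ip_address)]


def same_netblock(ip_a, ip_b, prefixlen=24):
    """True when both addresses fall inside the same /prefixlen block."""
    block = ipaddress.ip_network(f"{normalise_ip(ip_a)}/{prefixlen}", strict=False)
    return ipaddress.ip_address(normalise_ip(ip_b)) in block


def render(rows):
    """Render rows as the pipe table used above."""
    lines = ["| IP Address | ASN | BGP Netblock | First Seen | Host/Domain |",
             "| --- | --- | --- | --- | --- |"]
    for r in rows:
        hosts = ", ".join(sorted(r["hosts"]))
        lines.append(f"| {r['ip']} | {r['asn']} | {r['netblock']} | {r['first_seen']} | {hosts} |")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(correlate(OBSERVATIONS)))
    print(same_netblock("203.0.113.17", "203.0.113.200"))
```

In practice the prefix table comes from a BGP/whois source and the observations from a passive-DNS feed; the structure of the correlation is the same.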
Conclusions on brobot were reached and Operation Ababil came to a close: banks resumed operation, and denial of service capabilities had been enhanced. The overall internet security community joined together in monitoring and analysis to meet a threat that had affected many.
Many of our customers have asked about the current risks coming from places like Iran or folks sitting in other countries joining in solidarity.
The simple answer – we don’t know just yet. We are analyzing small portions of chatter that may or may not be helpful. When we find a reliable signal to monitor and engage, we will do the same as we did in the past.
If I had to bet, I don’t think this will be that much of an issue. Beware of the hype.
With extensive experience in defensive and offensive security, Daniel has been a quiet trailblazer in digital intel-gathering long before cyber intelligence became a discipline. More than a decade ago he was inventing and applying his own intelligence tools in support of companies and governments around the world facing urgent threats. Using this deep understanding of web technologies and the behaviors of cybercriminals, he has enhanced, updated and packaged these tools under ShadowDragon.
Daniel is a member of Odonata Holdings, Inc.