Saturday, September 18, 2021

AT&T Free Msg: You know you shouldn't click ... so we did it for you!

If you live in the United States and have an AT&T phone, you are almost certainly receiving SMS messages that look something like this:

AT&T Free Msg: August bill is paid. Thanks, MARY! Here's a little gift for you: n9cxr[.]info/dhmxmcmBTQ (from +1 (718) 710-0863) 

or 

AT&T Free Msg: August bill processed. Thanks, Mary! Here's a little something for you: l4bsn[.]info/C2Lx3oggFi (from +1 (332) 220-7291) 

or 

AT&T Free Msg: Latest bill is paid. Thanks, Fedencia!  Here's a little freebie for you: k5amw[.]info/VloTBdytEl  (from +1 (870) 663-5472) 

AT&T has sort of trained us that it's cool to get messages from them with links in them.  Every time your bill is available, or paid, or has a new charge, you get a text message from them that starts with "AT&T Free Msg:" and ends with a link such as "att.com/myattapp" or "att.com/myViewBill."

This is where some independent amateur researchers make a mistake.  If you visit the URL in the first message from your Windows computer, you are automagically forwarded to Google.


That's what's happening in the background. My web browser (in red) tells the server: hey look, I want this page dhmxmcmBTQ, and by the way, here's my user agent. n9cxr[.]info replies, "Never heard of it - why don't you go to Google instead," by sending a "302 redirect."

If you had clicked on that same message from your phone, you would NOT be sent to Google.  That's because the web server is checking to see if you are asking for the information from a phone or from a computer.  Because they know they only sent their spam via "SMS-blasting" they believe that every legitimate potential victim should be coming from a phone.  Since I don't have a great set of rich monitoring tools on my phone, I'll just tell my Virtual Machine's Chrome instance that it should lie when it visits web servers and pretend to be an iPhone. I'm being a bit lazy here and using another Chrome Plug-in, this one called "User Agent Changer," which gives me a menu like this: 

Once I change my Chrome Virtual Machine to pretend to be "Safari on iPhone" we revisit the URL that was sent to my phone: 


Notice on line 5 that where it previously said I was "Windows NT 10" it now says I am "(iPhone; CPU iPhone OS 9_2 like Mac OS X)." (Which is super out-of-date, but apparently good enough for this criminal's scheme, because now I get this!)


We've written several times in the past about these never-ending surveys.  Their objective is to gather as much personal data from you as they can and to show you as many advertisements as they can.  They then earn revenue both by showing you ads during the survey and by selling the personal information they gather about you to organizations that need "qualified sales leads."  They will tell those organizations that you are looking for things like savings on college tuition, health insurance, car insurance, electronics, a new vehicle, etc., and you will start getting more spam messages from those organizations, who will have believed that you asked for their spam! 

We asked our friends at Zetalytics, via their Zone Cruncher tool, "So where in the world is the IP address behind n9cxr[.]info?"  They told us that it is located in Hong Kong on a server that is hosted by Alibaba Inc.  


That's very interesting!  Thanks, Zetalytics!  Could you also tell us OTHER DOMAIN NAMES that have recently been seen on that same IP address?  After all, we've received three such domains in the three messages that I received on my personal phone!

All of those domains are of course registered at the scummy domain registrar NameCheap.  They claim that if we inform them of bad domains, they will de-register them.  Once I post this, I'll send them a copy and report back what happens.


By the way, the content is not exactly the same with each visit.  My next visit to the n9cxr URL gave me this pop-up instead:


So how are we getting to the fake AT&T page?  That's where a tool that CAUCE Director Neil Schwartman showed me comes in.  While I don't recommend the company necessarily, this little Chrome plug-in is gold for mapping out redirect paths!  (Search for the Chrome Extension "Ayima Redirect Path" and please remember you should only be reviewing potentially hostile URLs in a Virtual Machine!)



What does all that mean? It tells us that the first URL's webserver claimed that the page we were looking for, "dhmxmcmBTQ", had been temporarily redirected to "themechallenge[.]club" and that we should ask that server for a particular "key."
That key caused the server to send us a JavaScript snippet that redirected us to another URL on their website, which in turn did a "META Redirect" to the webserver "go.metreysi[.]info", where we should tell them we were sent by a certain "cnv_id."  That server then pretended that we had clicked on it, and sent us via another "302 temporary redirect" to a webserver called "redirect.usersupport[.]net." UserSupport then did yet another redirect, which took us to the website "att.usersupport[.]net."

More domains to look up in ZoneCruncher!

https://themechallenge[.]club/click.php?key=abrrkduwznt79g18cx66

go.metreysi[.]info => hosted on LeaseWeb at 23.108.57[.]187
redirect.usersupport[.]net => hosted on 2606:4700:3032::6815:2b25
att.usersupport[.]net => hosted on 2606:4700:3031::ac43:da02


I'm guessing that all of these other "go" sites that are sharing the same IP address will also be involved in illegal "redirection" scams that start off with SMS Blasting.


By the way, do you remember the "key" we had to pass?  In a similar way to our User-Agent, if you visit one of these sites and fail to pass it a "key" it will just redirect you to 127.0.0.1, which means, "visit your own machine." 
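Here is an added example (not the blog's tooling, nor code from either Chrome extension) that does from a script what the User-Agent Changer and Ayima Redirect Path extensions did above: it follows every hop itself (302 Location, META refresh, JavaScript location=) once with a Windows User-Agent and once with an iPhone one, and flags the chain as cloaked when the two end on different hosts. `fake_fetch` is a constructed stand-in that mimics the behaviour the post describes (UA check, key check, redirect hops) so it runs offline; `http_fetch` is the live fetcher for use from the analysis VM, and `CONSTRUCTED-ID` is a placeholder cnv_id.

```python
"""Map an SMS-spam redirect chain hop by hop and check for User-Agent cloaking.
Added example, not the blog's tooling. `fetch(url, ua)` returns (status, headers, body);
`http_fetch` is a live fetcher, `fake_fetch` a constructed offline stand-in."""
import re
import urllib.error
import urllib.request
from urllib.parse import parse_qs, urljoin, urlparse

DESKTOP_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/93.0 Safari/537.36"
IPHONE_UA = "Mozilla/5.0 (iPhone; CPU iPhone OS 9_2 like Mac OS X) AppleWebKit/601.1 Mobile/13C75 Safari/601.1"
META_RE = re.compile(r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]+url=([^"\'>\s]+)', re.I)
JS_RE = re.compile(r'(?:window\.)?location(?:\.href)?\s*=\s*["\']([^"\']+)["\']', re.I)


def refang(url):
    """Turn the post's defanged form (n9cxr[.]info) back into a parseable URL."""
    return url.replace("[.]", ".")


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # refuse to follow, so every 3xx surfaces as an HTTPError


def http_fetch(url, user_agent, timeout=10):
    """Live fetcher (run it from the analysis VM): one request, redirects not followed."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with urllib.request.build_opener(_NoRedirect()).open(req, timeout=timeout) as r:
            return r.status, dict(r.headers), r.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as e:  # 3xx lands here because of _NoRedirect
        return e.code, dict(e.headers), ""


def map_chain(start_url, user_agent, fetch, max_hops=10):
    """Follow 302 Location, <meta refresh> and JavaScript location= hops,
    recording every URL visited and how it handed us on to the next one."""
    hops, url, seen = [], refang(start_url), set()
    while url and url not in seen and len(hops) < max_hops:
        seen.add(url)
        status, headers, body = fetch(url, user_agent)
        headers = {k.lower(): v for k, v in headers.items()}
        nxt, how = None, None
        if 300 <= status < 400 and headers.get("location"):
            nxt, how = urljoin(url, headers["location"]), f"{status} Location"
        elif (m := META_RE.search(body)):
            nxt, how = urljoin(url, m.group(1)), "META refresh"
        elif (m := JS_RE.search(body)):
            nxt, how = urljoin(url, m.group(1)), "JavaScript location"
        hops.append({"url": url, "status": status, "next_via": how})
        url = nxt
    return hops


def cloaking_report(start_url, fetch):
    """Compare where a Windows browser and an iPhone end up; different hosts = cloaking."""
    desktop = map_chain(start_url, DESKTOP_UA, fetch)
    phone = map_chain(start_url, IPHONE_UA, fetch)
    d_final, p_final = desktop[-1]["url"], phone[-1]["url"]
    return {
        "desktop_final": d_final,
        "phone_final": p_final,
        "phone_hosts": [urlparse(h["url"]).hostname for h in phone],
        "cloaked": urlparse(d_final).hostname != urlparse(p_final).hostname,
    }


def fake_fetch(url, user_agent):
    """Constructed stand-in (no network) that behaves as the post describes:
    UA check at the .info domain, key check at click.php, JS/META/302 hops."""
    p = urlparse(url)
    host, path, qs = p.hostname, p.path, parse_qs(p.query)
    if host == "n9cxr.info":
        if "iPhone" not in user_agent:  # desktop visitor is shown Google instead
            return 302, {"Location": "https://www.google.com/"}, ""
        return 302, {"Location": "https://themechallenge.club/click.php?key=abrrkduwznt79g18cx66"}, ""
    if host == "themechallenge.club" and path == "/click.php":
        if "key" not in qs:  # no key: bounced to your own machine
            return 302, {"Location": "http://127.0.0.1/"}, ""
        return 200, {}, '<script>window.location="https://themechallenge.club/go.html"</script>'
    if host == "themechallenge.club" and path == "/go.html":
        return 200, {}, '<meta http-equiv="refresh" content="0;url=https://go.metreysi.info/?cnv_id=CONSTRUCTED-ID">'
    if host == "go.metreysi.info":
        return 302, {"Location": "https://redirect.usersupport.net/"}, ""
    if host == "redirect.usersupport.net":
        return 302, {"Location": "https://att.usersupport.net/"}, ""
    if host == "att.usersupport.net":
        return 200, {}, "<html>fake AT&T 'reward' survey page</html>"
    return 200, {}, ""  # google.com, 127.0.0.1, anything else: chain ends


if __name__ == "__main__":
    report = cloaking_report("https://n9cxr[.]info/dhmxmcmBTQ", fake_fetch)
    for hop in map_chain("https://n9cxr[.]info/dhmxmcmBTQ", IPHONE_UA, fake_fetch):
        print(f"{hop['status']} {hop['url']}  -> {hop['next_via']}")
    print("cloaked:", report["cloaked"], "| desktop ends at", report["desktop_final"])
```

Swap `fake_fetch` for `http_fetch` to map a real chain; the per-hop record is the same list the Ayima screenshot shows, and the missing-key case ends at 127.0.0.1 just as the post describes.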

Not just AT&T!

One of Zetalytics' other tricks is being able to show me other hostnames on the same domain.  (The term for this is "passive DNS.")

It looks like "UserSupport[.]net" is also being used to imitate TikTok, Costco, Walmart, and Google; the shipping companies UPS, FedEx, and the US Postal Service; and the cell phone providers AT&T, Comcast, Spectrum, T-Mobile, and Verizon!


Because I haven't received those particular SMS messages, I can't navigate to them.  (I have the wrong "key" to get the chain started.) But I'd love to see some more of these if you would be willing to share a screenshot! 

List of SMS-spam-abusing .info (and .xyz) domains believed to be associated with these campaigns.  It sort of makes sense that there are exactly 100 of them.



Wednesday, September 08, 2021

The Taliban Leadership: By the Sanctions

The Taliban announced the leadership of their new Afghan government this week.  As expected, there were many familiar names to those who follow terrorism sanctions.  What does this mean for financial organizations who do business with Afghanistan?  Probably too early to tell.  This will likely be "a living document" as we update it with new information as we have time to integrate it.

Our first pass is to provide UN Sanctions designations where possible.  All "TAi" indications come from the current UN Security Commissions Consolidated Sanctions List as retrieved on 08SEP2021.

Mullah Muhammad Hassan Akhund - Prime Minister

TAi.002  Name: 1: MOHAMMAD 2: HASSAN 3: AKHUND 4: na
Name (original script): محمد حسن آخوند
Title: a) Mullah b) Haji Designation: a) First Deputy, Council of Ministers under the Taliban regime b) Foreign Minister under the Taliban regime c) Governor of Kandahar under the Taliban regime d) Political Advisor of Mullah Mohammed Omar DOB: a) Approximately 1955-1958 b) Approximately 1945-1950 POB: Pashmul village, Panjwai District, Kandahar Province, Afghanistan Good quality a.k.a.: na Low quality a.k.a.: na Nationality: Afghan Passport no.: na National identification no.: na Address: na Listed on: 25 Jan. 2001 ( amended on 3 Sep. 2003, 20 Dec. 2005, 9 Jul. 2007, 21 Sep. 2007, 29 Nov. 2011 ) Other information: A close associate of Mullah Mohammed Omar (TAi.004). Member of Taliban Supreme Council as at Dec. 2009. Belongs to Kakar tribe. Review pursuant to Security Council resolution 1822 (2008) was concluded on 21 Jul. 2010.

Mullah Abdul Ghani Baradar - 1st Deputy to Prime Minister

TAi.024  Name: 1: ABDUL GHANI 2: BARADAR 3: ABDUL AHMAD TURK 4: na
Name (original script): عبدالغنی برادر عبد الاحمد ترک
Title: Mullah Designation: Deputy Minister of Defence under the Taliban regime DOB: Approximately 1968 POB: Yatimak village, Dehrawood District, Uruzgan Province, Afghanistan Good quality a.k.a.: a) Mullah Baradar Akhund b) Abdul Ghani Baradar (previously listed as) Low quality a.k.a.: na Nationality: Afghan Passport no.: na National identification no.: na Address: na Listed on: 23 Feb. 2001 ( amended on 3 Sep. 2003, 18 Jul. 2007, 21 Sep. 2007, 13 Feb. 2012 ) Other information: Arrested in Feb. 2010 and in custody in Pakistan. Extradition request to Afghanistan pending in Lahore High Court, Pakistan as of June 2011. Belongs to Popalzai tribe. Senior Taliban military commander and member of Taliban Quetta Council as of May 2007. Review pursuant to Security Council resolution 1822 (2008) was concluded on 1 Jun. 2010.

Maulvi Abdul Salam Hanafi (Uzbek) - 2nd Deputy to Prime Minister

TAi.027  Name: 1: ABDUL SALAM 2: HANAFI 3: ALI MARDAN 4: QUL
Name (original script): عبدالسلام حنفی علی مردان قل
Title: a) Mullah b) Maulavi Designation: Deputy Minister of Education under the Taliban regime DOB: Approximately 1968 POB: a) Darzab District, Faryab Province, Afghanistan b) Qush Tepa District, Jawzjan Province, Afghanistan Good quality a.k.a.: a) Abdussalam Hanifi b) Hanafi Saheb Low quality a.k.a.: na Nationality: Afghan Passport no.: na National identification no.: na Address: na Listed on: 23 Feb. 2001 ( amended on 3 Sep. 2003, 18 Jul. 2007, 21 Sep. 2007, 27 Sep. 2007, 1 Feb. 2008, 29 Nov. 2011 ) Other information: Taliban member responsible for Jawzjan Province in Northern Afghanistan until 2008. Involved in drug trafficking. Believed to be in Afghanistan/Pakistan border area. Review pursuant to Security Council resolution 1822 (2008) was concluded on 1 Jun. 2010.

Maulvi Mohammad Yaqub Mujahid - Minister of Defense

TAi.052 Name: 1: MOHAMMAD YAQOUB 2: na 3: na 4: na
Name (original script): محمد يعقوب
Title: Maulavi Designation: Head of Bakhtar Information Agency (BIA) under the Taliban regime DOB: Approximately 1966 POB: a) Shahjoi District, Zabul Province, Afghanistan b) Janda District, Ghazni Province, Afghanistan Good quality a.k.a.: na Low quality a.k.a.: na Nationality: Afghanistan Passport no: na National identification no: na Address: na Listed on: 23 Feb. 2001 ( amended on 3 Sep. 2003, 21 Sep. 2007, 29 Nov. 2011, 1 Jun. 2012, 31 Dec. 2013 ) Other information: Member of Taliban Cultural Commission. Directs a Taliban "front" and coordinates all military activities of Taliban forces in Maiwand District, Kandahar Province, Afghanistan as of mid-2013. Believed to be in Afghanistan/Pakistan border area. Belongs to Kharoti (Taraki) tribe. Review pursuant to Security Council resolution 1822 (2008) was concluded on 23 Jul. 2010.

Alhaj Mullah Siraj Ud Din Haqqani - Interior Minister (H)

TAi.144 Name: 1: SIRAJUDDIN 2: JALLALOUDINE 3: HAQQANI 4: na
Name (original script): سراج الدين جلال الدين حقانى
Title: na Designation: Na'ib Amir (Deputy Commander) DOB: Between 1977 and 1978 (Approximately) POB: a) Danda, Miramshah, North Waziristan, Pakistan b) Khost province, Afghanistan c) Neka district, Paktika province, Afghanistan d) Srana village, Garda Saray district, Paktia province, Afghanistan Good quality a.k.a.: a) Siraj Haqqani b) Serajuddin Haqani c) Siraj Haqani d) Saraj Haqani Low quality a.k.a.: Khalifa Nationality: Afghanistan Passport no: na National identification no: na Address: a) Kela neighborhood/Danda neighborhood, Miramshah, North Waziristan, Pakistan b) Manba'ul uloom Madrasa, Miramshah, North Waziristan, Pakistan c) Dergey Manday Madrasa, Miramshah, North Waziristan, Pakistan Listed on: 13 Sep. 2007 ( amended on 22 Apr. 2013 ) Other information: Heading the Haqqani Network (TAe.012) as of late 2012. Son of Jalaluddin Haqqani (TAi.040). Belongs to Sultan Khel section, Zadran tribe of Garda Saray of Paktia province, Afghanistan. Believed to be in the Afghanistan/Pakistan border area. Review pursuant to Security Council resolution 1822 (2008) was concluded on 27 Jul. 2010.

The new Interior Minister is also on the FBI Most Wanted list!

Maulvi Ameer Khan Muttaqi - Foreign Minister

TAi.026 Name: 1: AMIR KHAN 2: MOTAQI 3: na 4: na
Name (original script): امیر خان متقی
Title: Mullah Designation: a) Minister of Education under the Taliban regime b) Taliban representative in UN-led talks under the Taliban regime DOB: Approximately 1968 POB: a) Zurmat District, Paktia Province, Afghanistan b) Shin Kalai village, Nad-e-Ali District, Helmand Province, Afghanistan Good quality a.k.a.: Amir Khan Muttaqi Low quality a.k.a.: na Nationality: Afghanistan Passport no: na National identification no: na Address: na Listed on: 25 Jan. 2001 ( amended on 3 Sep. 2003, 21 Sep. 2007, 29 Nov. 2011 ) Other information: Member of the Taliban Supreme Council as at June 2007. Believed to be in Afghanistan/Pakistan border area. Belongs to Sulaimankhel tribe. Review pursuant to Security Council resolution 1822 (2008) was concluded on 21 Jul. 2010. 

Mullah Hidayatullah Badri (Gul Agha) - Finance Minister

TAi.147 Name: 1: GUL 2: AGHA 3: ISHAKZAI 4: na
Name (original script): كُل آغا اسحاقزی
Title: na Designation: na DOB: Approximately 1972 POB: Band-e Temur, Maiwand District, Kandahar Province, Afghanistan Good quality a.k.a.: a) Mullah Gul Agha b) Mullah Gul Agha Akhund Low quality a.k.a.: a) Hidayatullah b) Haji Hidayatullah c) Hayadatullah Nationality: na Passport no: na National identification no: na Address: Pakistan Listed on: 20 Jul. 2010 ( amended on 29 Nov. 2011, 31 Dec. 2013 ) Other information: Member of a Taliban Council that coordinates the collection of zakat (Islamic tax) from Baluchistan Province, Pakistan. Head of Taliban Financial Commission as at mid-2013. Associated with Mullah Mohammed Omar (TAi.004). Served as Omar's principal finance officer and one of his closest advisors. Belongs to Ishaqzai tribe. 

Sheikh Maulvi Noorullah Munir - Education Minister

(no apparent UN sanctions - please provide more information in comments below!)

Mullah Khairullah Khairkhwa - Minister Information and Culture

TAi.093 Name: 1: KHAIRULLAH 2: KHAIRKHWAH 3: na 4: na
Name (original script): خيرالله خيرخواه
Title: a) Maulavi b) Mullah Designation: a) Governor of Herat Province under the Taliban regime b) Spokesperson of the Taliban regime c) Governor of Kabul province under the Taliban regime d) Minister of Internal Affairs under the Taliban regime DOB: Approximately 1963 POB: Poti village, Arghistan district, Kandahar province, Afghanistan Good quality a.k.a.: a) Mullah Khairullah Khairkhwah b) Khirullah Said Wali Khairkhwa, born in Kandahar on 01 Jan.1967 Low quality a.k.a.: na Nationality: Afghanistan Passport no: na National identification no: na Address: Qatar Listed on: 25 Jan. 2001 ( amended on 3 Sep. 2003, 21 Sep. 2007, 3 Oct. 2008, 12 Apr. 2010, 29 Nov. 2011, 31 Dec. 2013, 7 Sep. 2016 ) Other information: Belongs to Popalzai tribe. Review pursuant to Security Council resolution 1822 (2008) was concluded on 23 Jul. 2010. 


Qari Din Hanif - Minister of Economy 

TAi.043 Name: 1: DIN MOHAMMAD 2: HANIF 3: na 4: na
Name (original script): دین محمد حنیف
Title: Qari Designation: a) Minister of Planning under the Taliban regime b) Minister of Higher Education under the Taliban regime DOB: Approximately 1955 POB: Shakarlab village, Yaftali Pain District, Badakhshan Province, Afghanistan Good quality a.k.a.: a) Qari Din Mohammad b) Iadena Mohammad born 1 Jan. 1969 in Badakhshan Low quality a.k.a.: na Nationality: Afghanistan Passport no: OA 454044, issued in Afghanistan National identification no: na Address: na Listed on: 25 Jan. 2001 ( amended on 3 Sep. 2003, 9 Jul. 2007, 21 Sep. 2007, 29 Nov. 2011, 25 Oct. 2012, 7 Sep. 2016 ) Other information: Member of Taliban Supreme Council responsible for Takhar and Badakhshan provinces. Believed to be in Afghanistan/Pakistan border area. Review pursuant to Security Council resolution 1822 (2008) was concluded on 27 Jul. 2010. 

Sheikh Maulvi Noor Muhammad Saqib - Minister Hajj and Religious Affairs

TAi.110 Name: 1: NOOR MOHAMMAD 2: SAQIB 3: na 4: na
Name (original script): نور محمد ثاقب
Title: na Designation: Chief Justice of Supreme Court under the Taliban regime DOB: Approximately 1958 POB: a) Bagrami District, Kabul Province, Afghanistan b) Tarakhel area, Deh Sabz District, Kabul Province, Afghanistan Good quality a.k.a.: na Low quality a.k.a.: na Nationality: Afghanistan Passport no: na National identification no: na Address: na Listed on: 25 Jan. 2001 ( amended on 3 Sep. 2003, 21 Sep. 2007, 29 Nov. 2011 ) Other information: Member of Taliban Supreme Council and Head of Taliban Religious Committee. Belongs to Ahmadzai tribe. Review pursuant to Security Council resolution 1822 (2008) was concluded on 23 Jul. 2010.

Maulvi Abdul Hakim Sharia - Minister of Justice

(no apparent UN sanctions under TAi - please provide more information in comments below!)
possibly QDi.120

Mullah Noorullah Noori - Minister for Borders and Tribal Affairs

TAi.089 Name: 1: NURULLAH 2: NURI 3: na 4: na
Name (original script): نور الله نوری
Title: Maulavi Designation: a) Governor of Balkh Province under the Taliban Regime b) Head of Northern Zone under the Taliban regime DOB: a) Approximately 1958 b) 1 Jan. 1967 POB: Shahjoe District, Zabul Province, Afghanistan Good quality a.k.a.: Norullah Noori Low quality a.k.a.: na Nationality: Afghanistan Passport no: na National identification no: na Address: Qatar Listed on: 25 Jan. 2001 ( amended on 3 Sep. 2003, 21 Sep. 2007, 29 Nov. 2011, 31 Dec. 2013, 7 Sep. 2016 ) Other information: Belongs to Tokhi tribe. Review pursuant to Security Council resolution 1822 (2008) was concluded on 29 Jul. 2010. 

Mullah Muhammad Younas Akhundzada - Minister for Rural Rehabilitation and Development

(no apparent UN sanctions - please provide more information in comments below!)

Sheikh Muhammad Khalid - Minister for Dawat & Irshaad (Preaching and Guidance) and Amr Bil Maroof Wa Anil Munkar 

(no apparent UN sanctions - please provide more information in comments below!)

Mullah Abdul Mannan Omari - Minister for Public Works

(no apparent UN sanctions - please provide more information in comments below!)

Mullah Muhamad Essa Akhund - Minister for Mines and Petroleum

TAi.060 Name: 1: MOHAMMAD ESSA 2: AKHUND 3: na 4: na
Name (original script): محمد عیسی آخوند
Title: a) Alhaj b) Mullah Designation: Minister of Water, Sanitation and Electricity under the Taliban regime DOB: Approximately 1958 POB: Mial area, Spin Boldak District, Kandahar Province, Afghanistan Good quality a.k.a.: na Low quality a.k.a.: na Nationality: Afghanistan Passport no: na National identification no: na Address: na Listed on: 25 Jan. 2001 ( amended on 3 Sep. 2003, 21 Sep. 2007, 29 Nov. 2011 ) Other information: Belongs to Nurzai tribe. Review pursuant to Security Council resolution 1822 (2008) was concluded on 27 Jul. 2010. 

Mullah Abdul Latif Mansoor - Minister for Water and Power

TAi.007 Name: 1: ABDUL LATIF 2: MANSUR 3: na 4: na
Name (original script): عبد اللطيف منصور
Title: Maulavi Designation: Minister of Agriculture under the Taliban regime DOB: Approximately 1968 POB: a) Zurmat District, Paktia Province, Afghanistan b) Garda Saray District, Paktia Province, Afghanistan Good quality a.k.a.: a) Abdul Latif Mansoor b) Wali Mohammad Low quality a.k.a.: na Nationality: Afghanistan Passport no: na National identification no: na Address: na Listed on: 31 Jan. 2001 ( amended on 3 Sep. 2003, 18 Jul. 2007, 21 Sep. 2007, 13 Feb. 2012, 18 May 2012, 22 Apr. 2013 ) Other information: Taliban Shadow Governor for Logar Province as of late 2012. Believed to be in Afghanistan/Pakistan border area. Belongs to Sahak tribe (Ghilzai). Review pursuant to Security Council resolution 1822 (2008) was concluded on 27 Jul. 2010.

Hameedullah Akhundzada - Minister for Civil Aviation & Transport

(no apparent UN sanctions - please provide more information in comments below!)

Abdul Baqi Haqqani - Minister for Higher Education

Not a positive match ==> possibly TAi.038  Please comment if you can clarify!

TAi.038 Name: 1: ABDUL BAQI 2: BASIR 3: AWAL SHAH 4: na
Name (original script): عبد الباقي بصير أول شاه
Title: a) Maulavi b) Mullah Designation: a) Governor of Khost and Paktika provinces under the Taliban regime b) Vice-Minister of Information and Culture under the Taliban regime c) Consular Department, Ministry of Foreign Affairs under the Taliban regime DOB: Between 1960 and 1962 (Approximately ) POB: a) Jalalabad City, Nangarhar Province, Afghanistan b) Shinwar District, Nangarhar Province, Afghanistan Good quality a.k.a.: Abdul Baqi (previously listed as) Low quality a.k.a.: na Nationality: Afghanistan Passport no: na National identification no: na Address: na Listed on: 23 Feb. 2001 ( amended on 3 Sep. 2003, 7 Sep. 2007, 21 Sep. 2007, 29 Nov. 2011, 13 Aug. 2012 ) Other information: Believed to be in Afghanistan/Pakistan border area. Taliban member responsible for Nangarhar Province as at 2008. Until 7 Sep. 2007 he was also listed under number TAi.048. Review pursuant to Security Council resolution 1822 (2008) was concluded on 1 Jun. 2010.

Najibullah Haqqani - Minister for Communications

TAi.071 Name: 1: NAJIBULLAH 2: HAQQANI 3: HIDAYATULLAH 4: na
Name (original script): نجیب الله حقانی هدايت الله
Title: Maulavi Designation: Deputy Minister of Finance under the Taliban regime DOB: 1971 POB: Moni village, Shigal District, Kunar Province Good quality a.k.a.: Najibullah Haqani Low quality a.k.a.: na Nationality: Afghanistan Passport no: na National identification no: Afghan national identification card (tazkira) number 545167 (issued in 1974) Address: na Listed on: 23 Feb. 2001 ( amended on 3 Sep. 2003, 18 Jul. 2007, 21 Sep. 2007, 27 Sep. 2007, 29 Nov. 2011, 16 May 2014 ) Other information: Cousin of Moulavi Noor Jalal. Grandfather’s name is Salam. Taliban member responsible for Laghman Province as of late 2010. Believed to be in Afghanistan/Pakistan border area. Review pursuant to Security Council resolution 1822 (2008) was concluded on 1 Jun. 2010. 

Khalil ur Rehman Haqqani - Minister for Refugees

TAi.150 Name: 1: KHALIL 2: AHMED 3: HAQQANI 4: na
Name (original script): خلیل احمد حقانی
Title: Haji Designation: na DOB: a) 1 Jan. 1966 b) Between 1958 and 1964 POB: Sarana Village, Garda Saray area, Waza Zadran District, Paktia Province, Afghanistan Good quality a.k.a.: a) Khalil Al-Rahman Haqqani b) Khalil ur Rahman Haqqani c) Khaleel Haqqani Low quality a.k.a.: na Nationality: Afghanistan Passport no: na National identification no: na Address: a) Peshawar, Pakistan b) Near Dergey Manday Madrasa in Dergey Manday Village, near Miram Shah, North Waziristan Agency (NWA), Federally Administered Tribal Areas (FATA), Pakistan c) Kayla Village, near Miram Shah, North Waziristan Agency (NWA), Federally Administered Tribal Areas (FATA), Pakistan d) Sarana Zadran Village, Paktia Province, Afghanistan Listed on: 9 Feb. 2011 ( amended on 1 Jun. 2012 ) Other information: Senior member of the Haqqani Network (TAe.012), which operates out of North Waziristan in the Federally Administered Tribal Areas of Pakistan. Has previously traveled to, and raised funds in, Dubai, United Arab Emirates. Brother of Jalaluddin Haqqani (TAi.040) and uncle of Sirajuddin Jallaloudine Haqqani (TAi.144).

Mullah Abdul Haq Wasiq - Director General of Intelligence

TAi.082 Name: 1: ABDUL-HAQ 2: WASSIQ 3: na 4: na
Name (original script): عبد الحق وثيق
Title: Maulavi Designation: Deputy Minister of Security (Intelligence) under the Taliban regime DOB: a) 1971 b) Approximately 1975 POB: Gharib village, Khogyani District, Ghazni Province, Afghanistan Good quality a.k.a.: a) Abdul-Haq Wasseq b) Abdul Haq Wasiq Low quality a.k.a.: na Nationality: Afghanistan Passport no: na National identification no: na Address: Qatar Listed on: 31 Jan. 2001 ( amended on 3 Sep. 2003, 21 Sep. 2007, 3 Oct. 2008, 29 Nov. 2011, 31 Dec. 2013, 11 Feb. 2014, 7 Sep. 2016 ) Other information: Review pursuant to Security Council resolution 1822 (2008) was concluded on 27 Jul. 2010. 

Haji Muhammad Idris - Director General of Afghanistan Bank

(no apparent UN sanctions - please provide more information in comments below!)

Maulvi Ahmed Jan Ahmadi - Director General of Administrative Affairs

Possibly TAi.159 - but unclear.  If you can help clarify, please comment below

TAi.159 Name: 1: AHMED JAN 2: WAZIR 3: AKHTAR MOHAMMAD 4: na
Name (original script): احمد جان وزیر اختر محمد
Title: na Designation: Official of the Ministry of Finance during the Taliban regime DOB: 1963 POB: Barlach Village, Qareh Bagh District, Ghazni Province, Afghanistan Good quality a.k.a.: a) Ahmed Jan Kuchi b) Ahmed Jan Zadran Low quality a.k.a.: na Nationality: na Passport no: na National identification no: na Address: na Listed on: 6 Jan. 2012 ( amended on 31 Dec. 2013, 11 Feb. 2014 ) Other information: Key commander of the Haqqani Network (TAe.012), which is based in Afghanistan/Pakistan border area. Acts as deputy, spokesperson and advisor for Haqqani Network senior leader Sirajuddin Jallaloudine Haqqani (TAi.144). Liaises with the Taliban Supreme Council. Has travelled abroad. Liaises with and provides Taliban commanders in Ghazni Province, Afghanistan, with money, weapons, communications equipment and supplies. Reportedly deceased as of 2013. 

Mullah Muhammad Fazil Mazloom Akhund - Deputy to Defense Minister

TAi.023 Name: 1: FAZL MOHAMMAD 2: MAZLOOM 3: na 4: na
Name (original script): فضل محمد مظلوم
Title: Mullah Designation: Deputy Chief of Army Staff of the Taliban regime DOB: Between 1963 and 1968 POB: Uruzgan, Afghanistan Good quality a.k.a.: a) Molah Fazl b) Fazel Mohammad Mazloom Low quality a.k.a.: na Nationality: Afghanistan Passport no: na National identification no: na Address: Qatar Listed on: 23 Feb. 2001 ( amended on 3 Sep. 2003, 21 Sep. 2007, 3 Oct. 2008, 31 Dec. 2013, 7 Sep. 2016 ) Other information: Review pursuant to Security Council resolution 1822 (2008) was concluded on 23 Jul. 2010.

Qari Fasihuddin (Tajik) - Chief of Army


(said to be killed by airstrike according to the Afghanistan Ministry of Defense) 


Sher Muhammad Abbas Stanakzai - Deputy Foreign Minister


https://en.wikipedia.org/wiki/Sher_Mohammad_Abbas_Stanikzai

Maulvi Noor Jalal - Deputy Interior Minister 

(no apparent UN sanctions - please provide more information in comments below!)

Zabihullah Mujahid - Deputy Minister of Information and Broadcasting

(no apparent UN sanctions - please provide more information in comments below!)

Mullah Taj Mir Jawad - 1st Deputy to Intelligence Chief (H)

(no apparent UN sanctions - please provide more information in comments below!)

Mullah Rahmatullah Najib - Administrative Deputy to Intelligence Chief

possibly TAi.137 - if you can clarify, please comment below!

TAi.137 Name: 1: RAHMATULLAH 2: KAKAZADA 3: na 4: na
Name (original script): رحمت الله کاکا زاده
Title: a) Maulavi b) Mullah Designation: Consul General, Taliban Consulate General, Karachi, Pakistan DOB: 1968 POB: Zurmat District, Paktia Province, Afghanistan Good quality a.k.a.: a) Rehmatullah b) Kakazada Low quality a.k.a.: Mullah Nasir Nationality: Afghanistan Passport no: D 000952, issued on 7 Jan. 1999, issued in Afghanistan National identification no: na Address: na Listed on: 25 Jan. 2001 ( amended on 3 Sep. 2003, 25 Jul. 2006, 18 Jul. 2007, 21 Sep. 2007, 29 Nov. 2011 ) Other information: Taliban member responsible for Ghazni Province, Afghanistan, as of May 2007. Head of an intelligence network. Believed to be in Afghanistan/Pakistan border area. Belongs to Suleimankheil tribe. Review pursuant to Security Council resolution 1822 (2008) was concluded on 21 Jul. 2010. 

Mullah Abdul Haq Akhund  - Deputy Minister of Interior for Counter Narcotics Affairs 

possibly TAi.051 - if you can clarify, please comment below!

TAi.051 Name: 1: ABDULHAI 2: MOTMAEN 3: na 4: na
Name (original script): عبدالحی مطمئن
Title: Maulavi Designation: a) Director of the Information and Culture Department in Kandahar Province under the Taliban regime b) Spokesperson of the Taliban regime DOB: Approximately 1973 POB: a) Shinkalai village, Nad-e-Ali District, Helmand Province, Afghanistan b) Zabul Province, Afghanistan Good quality a.k.a.: Abdul Haq son of M. Anwar Khan (عبد الحق ولد محمد انور خان) (Afghan passport number OA462456, issued on 31 Jan. 2012 (11-11-1390) by the Afghan Consulate General in Peshawar, Pakistan) Low quality a.k.a.: na Nationality: Afghanistan Passport no: Afghanistan number OA462456, issued on 31 Jan. 2012 (issued under the name of Abdul Haq) National identification no: na Address: na Listed on: 23 Feb. 2001 ( amended on 3 Sep. 2003, 21 Sep. 2007, 29 Nov. 2011, 31 Dec. 2013, 16 May 2014 ) Other information: Family is originally from Zabul, but settled later in Helmand. Member of the Taliban Supreme Council and spokesperson for Mullah Mohammed Omar (TAi.004) as of 2007. Believed to be in Afghanistan/Pakistan border area. Belongs to Kharoti tribe. Review pursuant to Security Council resolution 1822 (2008) was concluded on 23 Jul. 2010. 

Wednesday, July 28, 2021

Hushpuppi Pleads Guilty: Sentence Estimate? 11-14 Years

On July 27, 2021, Ramon Olorunwa Abbas, also known as Hushpuppi, decided that his best plan for avoiding spending the rest of his life in prison was to plead guilty.  I've actually never seen a plea agreement with so much redacting, but we can still see SOME of what he is pleading to in the 29-page plea agreement that was posted today on PACER, the Public Access to Court Electronic Records.

"Beginning no later than or about January 18, 2019 through on or about June 9, 2020, defendant knowingly combined, agreed, and conspired with multiple other persons ("coconspirators") to conduct financial transactions into, within, and outside the United States involving property that represented the proceeds of wire fraud.   ... The coconspirators targeted multiple victims and laundered and/or attempted to launder funds fraudulently obtained, and attempted to be fraudulently obtained, through bank cyber-heists, business email compromise ("BEC") frauds, and other fraud schemes."

In particular, he admits that he helped launder the money:
  • stolen from a bank in Malta (which we know from public news sources is the Bank of Valletta, which was hacked by North Korean hackers), 
  • the BEC funds stolen from a law firm in New York State, and
  • the funds stolen from two companies located in the UK (one of which was likely an English Premier League club, from previous court filings).

"Defendant admits" that he conspired to launder the funds, and that he knew they were funds that were the proceeds of fraud.  "Defendant also admits the truth of the allegations in Overt Acts 1 to 17."

Overt Acts 1 to 17

What were these Overt Acts 1 to 17?  These are from a previous court filing.  The first set, Overt Acts 1 - 12, all make reference to "UICC-1", whom we now believe to be Ghaleb Alaumary, then age 37, from Mississauga, Canada.

Overt Act No. 1 - 18JAN2019 - ABBAS provides bank account information for a bank in Romania to be used to receive a 5 Million Euro wire transfer.

Overt Act No. 2 - 18JAN2019 - ABBAS confirms via electronic message that the Romanian bank account is "for large amounts".

Overt Act No. 3 - 18JAN2019 - ABBAS confirms that he will clear the funds from the Romanian account right away.

Overt Act No. 4 - 10FEB2019 - ABBAS provides another bank account, this time in Bulgaria, to receive an additional 5 million Euros.

Overt Act No. 5 - 12FEB2019 - ABBAS is informed that the first 500,000 Euros have been deposited in Romania and confirms he will let his people know.

Overt Act No. 6 - 12FEB2019 - ABBAS confirms he is ready to receive more funds in the Romanian account: "Yes please".

Overt Act No. 7 - 12FEB2019 - ABBAS sends a screenshot of the Romanian bank account to UICC-1, showing the IBAN numbers, account numbers, and account balance for the account.

Overt Act No. 8 - 13FEB2019 - ABBAS sends a new screenshot of the Romanian bank account to UICC-1.

Overt Act No. 9 - 10MAR2019 - UICC-1 asks for a bank account in Dubai that can receive "5m", saying "Brother I need it now or we will lose our chance pls."  ABBAS sends him the information for a Dubai bank account.

Overt Act No. 10 - 08MAY2019 - UICC-1 asks for an account that can "handle millions and not block" and ABBAS gives him the details of a bank account in Mexico.

Overt Act No. 11 - 13MAY2019 - UICC-1 tells ABBAS that the Mexican bank account will receive 100 Million pounds from an English Premier League Club and 200 Million pounds from a victim UK company and wants to know if he can proceed.  ABBAS seems to express concern here, saying these accounts "cost a lot of money now to open."

Overt Act No. 12 - 13MAY2019 - UICC-1 tells ABBAS that he has "10 more to do" after the Premier League Club job and says he will need to use each bank account for 2 contracts.

Overt Act No. 13 - 15OCT2019 - ABBAS "or a coconspirator" induces the Victim Law Firm to send $922,857.76 from its Quontic Bank account in New York to a Chase account.

Overt Act No. 14 - 17OCT2019 - ABBAS sends a screenshot to UICC-1 showing a wire transfer of $396,050 from the Chase account to a CIBC account in the name of UICC-2.

Overt Act No. 15 - 17OCT2019 - UICC-2, who was in California, is told by UICC-1 to look for the wire transfer to the CIBC account.

Overt Act No. 16 - 17OCT2019 - UICC-2 confirms they have received the funds.

Overt Act No. 17 - 17OCT2019 - UICC-1 tells ABBAS that the $396,050 from the Chase account has been received into the CIBC account.

The Qatari Scam and the Watch

Hushpuppi also admits that he conspired to defraud a Qatari construction company that was seeking funds to build an international school.  Hushpuppi used the alias "Malik" and offered to help them open a bank account in the United States where a $15 Million loan could be deposited.  He arranged for a coconspirator to open a Wells Fargo bank account in Canoga Park, California, after creating a fictitious company with the Los Angeles County Registrar.  Then another coconspirator in Nigeria created a false "power of attorney" document and sent that information to Wells Fargo in December of 2019.  The victim was convinced that he needed to deposit funds into the account in order to secure the $15 Million loan.  However, after depositing $330,000, Hushpuppi and his colleagues stole the money, sending $230,000 to a Wells Fargo account belonging to a luxury watch seller and $100,000 to a Capital One bank account belonging to another co-conspirator.  

That's how Hushpuppi came to have a Richard Mille RM11-03 watch (co-created by Richard Mille Engineer Fabrice Namura and McLaren Automotive design director Rob Melville).  The watch was picked up in New York by one person, then flown from JFK Airport in New York to the UAE by another person, who delivered the watch to Hush on January 4, 2020, who immediately posted it on Instagram, calling it a New Year's present to himself.

Hushpuppi boasted on Instagram: "Quarter a million dollar watch as New Years gift to they self #RichardMille #RM1103 #EpainThem"

As for the $100,000 that went to "Coconspirator D"?  Hush instructed them to send two cashier's checks, one for $40,000 and one for $10,000, and use them to buy Hush a St. Kitts passport and a Nevis citizenship and passport.  He received his passport in February 2020.  The rest of the funds were converted to Naira.

Later, Hush and his coconspirators made another play at the Qatari businessman and convinced him that he had to pay "taxes" on the $15,000,000 imaginary loan in order to receive it.  To pay his taxes, the Qatari victim sent $299,983.58 into a bank account in Kenya. 

The Penalties of Crime

Altogether, in the Plea Agreement Hush agrees that he and his co-conspirators stole:
  • $14,700,000 from a Foreign Financial Institution
  • $7,740,000 from UK victim companies
  • $922,857.76 from the New York Law Firm
  • $809,983.58 from the Qatari victims.

"Defendant admits that all of the money laundering described above was sophisticated, extensive, and involved multiple persons."

In the United States there are Sentencing Guidelines that judges are supposed to use to ensure that sentences are standardized and consistent across different courts.  These guidelines are set out under U.S. federal law, and every judge and prosecutor in the Federal Courts is well aware of them.

The defendant agrees that these are fair interpretations of how to determine a sentence:
  • Underlying Offense Level: 7 Points
  • Fraud Scheme outside the U.S. using Sophisticated Means: +2 Points
  • Conviction under 18 USC § 1956 (which is the law on Money Laundering): +2 Points
  • Sophisticated Money Laundering: +2 Points
  • Financial Losses between $9.5 Million and $25 Million: +20 Points
===============
Total Sentencing Guideline Points: 33 Points


According to the Sentencing Guidelines Table available on the United States Sentencing Commission website, a 33 Point offense with no previous criminal history SHOULD indicate a sentence of between 135 and 168 months, or 11 1/4 to 14 years.

Hushpuppi and his lawyer both understand this and have signed the plea agreement anyway.  While there may be extenuating circumstances lying behind some of the redacted pages, here is Hushpuppi's signature to these terms:



However, who is to say what else may be stated in the plea agreement behind all of the Redaction markings? Seven pages of the 29 page document look like this!  



For comparison, Ghaleb Alaumary, in many ways the man HushPuppi was working for, pled guilty to his crimes on November 17, 2020.  The sentencing guidelines calculation was similar, except that Alaumary received a larger enhancement for the amount of money stolen.  He has not yet been sentenced, but under the sentencing guidelines Alaumary has an offense level of 35, which makes the recommendation 14 to 17.5 years in prison.  Alaumary had previous criminal convictions; however, those were in Canada, and I am unsure whether they would alter the sentencing guidelines calculation in a U.S. court.

Alaumary's Guilty Plea Sentencing Guidelines calculation




Wednesday, July 21, 2021

Levashov Walks. Russian Spam King gets slap on the wrist

The US government and the White House like to talk tough on Ransomware.  If you listen to Joe Biden, fighting Ransomware is a top priority of the US Government.  He's spent time convincing the G7, NATO, and the EU to take pledges about how earnestly they want to fight Ransomware, yet a judge in Connecticut has decided that spammers who distribute Ransomware should walk free.




Brian Krebs, the journalist behind KrebsOnSecurity, posted a long piece about the travesty of Justice that this case represents => "Spam Kingpin Peter Levashov Gets Time Served."

From 2007 until 2012, I ran a project called the UAB Spam Data Mine.  The top spammer for the first several years was Peter Levashov, who first ran the Storm Worm and then the Waledac botnet. We regularly blogged about his spam campaigns. Here are some examples:

15OCT2007 - "Is Your Fifth Grader Smarter Than a Laughing Cat?"

17NOV2007 - "Private Detective Spam"

26DEC2007 - "A Stormy Christmas and a Botnet New Year"

16JAN2008 - "Storm Loves You!"

06JUN2008 - "A Romantic June Storm"

01JUL2008 - "July Storm Worm gives us some Love"

03JUL2008 - "Storm Worm Salutes Our Nation on the 4th!"

22JUL2008 - "Amero to Replace Dollar? Could Storm Worm Be Right?"

29JUL2008 - "FBI & Facebook: Storm Worm gets it all wrong!"

03JAN2009 - "Happy New Year! Here's a Virus! (New Year's Postcard Malware)"

25FEB2009 - "Money Tight? Watch out for Coupon Offers from CyberCriminals"

16MAR2009 - "Waledac: Fake Dirty Bomb in Your City"

18MAR2009 - "Carders do battle through spam - carder.su"

09APR2009 - "Is There a Conficker E? Waledac makes a move..."

15APR2009 - "Waledac shifts to SMS Spy Program"

29APR2009 - "Waledac Moving on to . . . Canadian Pharmacy?"

03MAR2010 - "Spamming Botnets - Strategies welcome"

03JUL2009 - "Are You Ready for Independence Day Fireworks? Waledac Is!"

31DEC2009 - "New Year's Waledac Card"

In 2008, Levashov was secretly indicted for his spamming and Federal agents were deployed to Moscow to ask for Levashov.  I actually created a Google Map showing that every city in Russia had thousands of infected IP addresses that were being used to send the spam. Despite a mountain of evidence, he was protected.  He kept on spamming, but honestly, I gave up on there being any hope he would be captured.

After others tried to take down the Kelihos botnet, it re-emerged in the form of a Spam Campaign taking advantage of the Boston Marathon Bombing.  I attempted to get law enforcement interest in him again at that time. Surely a criminal who would use the Boston Marathon attack to relaunch the new version of his botnet would be worth interest.  Nothing.  I was reminded of 2009 and told "The Russians are protecting him."

10APR2013 - "New Spam Attack accounts for 62% of our spam!"

17APR2013 - "Boston Marathon explosion spam leads to Malware"

18APR2013 - "Boston Explosion Spammer shifts to Texas Fertilizer Plant Explosion"

TrendMicro confirmed this was Kelihos as well in their post: 

16APR2013 - "Kelihos Worm Emerges, Takes Advantage of Boston Marathon Blast"

In 2016, we decided to try again, with the "Kelihos Must Die" task force.  We provided regular updates of the bad things Kelihos was doing.  Students in my lab, led by my friend (now) Dr. Arsh Arora, produced daily documentation of the behavior of the botnet, and we were starting to get excited that something might actually happen this time.  We believed that Kelihos was sending FOUR BILLION SPAM MESSAGES PER DAY, and took the time to prove it was delivering ransomware attacks, banking trojan attacks, and phishing attacks.  Levashov would send spam to deliver any payload you paid him to deliver.  

09JUL2016 - "Kelihos botnet delivering Dutch WildFire Ransomware"

04AUG2016 - "American Airlines spam from Kelihos delivers Ransomware"

12AUG2016 - "Kelihos botnet sending Panda Zeus to German and UK Banking Customers"

16AUG2016 - "Kelihos botnet sending geo-targeted Desjardins Phish to Canadians"

30AUG2016 - "Amazon Gift Card from Kelihos!"

14SEP2016 - "Long-Lived Pill Spam from Kelihos"

09NOV2016 - "Kronos Banking Trojan and Geo-Targeting from Kelihos"

30NOV2016 - "NoMoreRansom aka Troldesh Ransomware Delivered by Kelihos"

01FEB2017 - "Kelihos infection spreading by Thumb Drive and continues geo-targeting"

And then on April 20, 2017, it was over!  

Spanish authorities arrested Levashov in Barcelona and he was sent to the United States to stand trial. 

After initially pleading not guilty, he changed his plea to guilty on 12SEP2018.  He admitted controlling and operating Storm, Waledac, and Kelihos, and to disseminating spam that distributed other malware, including banking trojans and ransomware.  He admitted that he actively advertised the Kelihos botnet and his ability to deliver spam and malware and that he did so in order to enrich himself.  He admitted to stealing identities and credit cards and buying and selling them.

The US Prosecutor in the case filed this Sentencing Memo as he told the Judge what the Department of Justice thought should be done in this case: 

And just to make things clear, they used the Sentencing Guidelines and included this helpful (required by law) recommendation of sentence in the Sentencing Memo to help the judge understand what the law said should be done: 
The judge decided instead to ignore the recommendation of the Department of Justice and, based on nothing but his own intuition, ruled (as reported by Brian Krebs) that:

"the total offense level does overstate the seriousness of Mr. Levashov's criminal culpability" and said he believed Levashov was unlikely to offend again.  "I believe you have a lot to offer and hope that you will do your best to be a positive and contributing member of society." -- Judge Robert Chatigny of Connecticut

And with that, a single judge in Connecticut decided that this CAREER CRIMINAL was "unlikely to offend again" and that he felt that the charges were overstated AND LET HIM GO.

So much for the government's priority on stopping Ransomware.

The message this incompetent judge has just delivered to the criminal community is this: 

"Spam as much as you want, as long as you have a good lawyer and an incompetent judge, spam clearly doesn't matter to the United States." 

Monday, July 19, 2021

Nations come together to condemn China: APT31 and APT40

On Monday (19JUL2021) President Biden announced that the US and its allies were joining together to condemn China and expose it as being behind a set of unprecedented attacks, conducted earlier this year, that exploited vulnerabilities in Microsoft Exchange servers.  The White House press release was titled: "The United States, Joined by Allies and Partners, Attributes Malicious Cyber Activity and Irresponsible State Behavior to the People's Republic of China."

After praising recent actions by world governments to condemn Russian ransomware attacks, today's memo goes on the offensive against China, reminding the world that the PRC intelligence enterprise hires contract hackers who operate both for the state and for their own profits.  Biden reminds us of charges brought against PRC Ministry of State Security (MSS) hackers in October 2018, July 2020, and September 2020 and says they have "engaged in ransomware attacks, cyber enabled extortion, crypto-jacking, and rank theft." Today additional charges were brought against additional MSS hackers.

While many court cases, agreements and foreign government statements were mentioned in the article, we thought it would be helpful to have all the links in one place.  In this article, we share links to the mentioned charges against MSS-sponsored hackers, indicators and characteristics of the APT40 attacks, including advisories from CISA and NSA, links to foreign government statements joining in condemning China's cyber attacks, and lastly, policy statements from the G7, NATO, and the EU supporting new Ransomware policy initiatives.

Justice.gov Previous Charges Against Chinese MSS-supported Hackers

The previous incidents referred to by the White House can be found on the Justice.gov website at the links below: 

30OCT2018 - "Chinese Intelligence Officers and their Recruited Hackers and Insiders conspired to steal sensitive commercial aviation and technological data for years"

Zha Rong and Chai Meng were intelligence officers in the Jiangsu Province office of the Ministry of State Security (MSS).  Their hacking team included Zhang Zhang-Gui, Liu Chunliang, Gao Hong Kun, Zhuang Xiaowei, and Ma Zhiqi and insiders of a French aviation company, Gu Gen and Tian Xi.  Their cyber attacks went back to at least 08JAN2010.  The indictment of these Chinese hackers which provides several aliases including leanov, Cobain, sxpdlcl, Fangshou, mer4en7y, jpxxav, zhuan86, and Sam Gu is available.

21JUL2020 - "Two Chinese Hackers working with the Ministry of State Security charged with Global Computer Intrusion Campaign targeting Intellectual Property and Confidential Business Information, including COVID-19 Research"

The defendants are LI Xiaoyu (李啸宇) and DONG Jiazhi (董家志).  The 27-page indictment of these Chinese hackers, which reveals Li's hacker handle of "Oro0lxy" and the fact that they worked for the Guangdong State Security Department, is also available from DOJ.

16SEP2020 - "Seven International Cyber Defendants, including 'APT41' actors, charged in connection with Computer Intrusion Campaigns against more than 100 victims globally."

Jiang Lizhi (蒋立志), Qian Chuan (钱川), and Fu Qiang (付强) operated Chengdu 404 Network Technology.   Zhang Haoran (张浩然) and Tan Dailin (谭戴林) of China were part of a conspiracy targeting the video gaming industry, along with Wong Ong Hua and Ling Yang Ching of Malaysia  who operated through Sea Gamer Mall.  A transcript of the press conference about these three indictments of Chinese hackers is available.

Justice.gov Newly revealed Charges

19JUL2021 - "Four Chinese Nationals Working with the Ministry of State Security Charged with Global Computer Intrusion Campaign Targeting Intellectual Property and Confidential Business Information, Including Infectious Disease Research"

The current case charges that the Hainan State Security Department set up a shell company, Hainan Xiandun Technology Development Company (海南仙盾).  Three HSSD intelligence officers, Ding Xiaoyang (丁晓阳), Cheng Qingmin (程庆民) and Zhu Yunmin (朱允敏), interacted with a lead hacker at Hainan Xiandun, Wu Shurong (吴淑荣).  Wu and his team attacked universities and research facilities across the United States and the world, planting malware and stealing intellectual property.  The indictment against Ding, Cheng, Zhu, and Wu, which also uses the aliases Ding Hao, Manager Chen, Manager Cheng, and Zhu Rong, and gives Wu Shurong's hacker aliases as goodperson and ha0r3n, is available from justice.gov.

Many research groups have referred to them and their malware by a variety of names, including APT40, Bronze Mohawk, Feverdream, G0065, Gadolinium, GreenCrash, Hellsing, Kryptonite Panda, Leviathan, Mudcarp, Periscope, Temp.Periscope, and Temp.Jumper.   A few reports on these would include:

CISA.gov has released an APT40 TTP Advisory, available as "Alert (AA21-200A) Tactics, Techniques, and Procedures of Indicted APT40 Actors Associated with China’s MSS Hainan State Security Department"

The Malware families and malicious tools named in the CISA advisory (with links to MITRE tool description pages) are:

  • BADFLICK/Greencrash
  • China Chopper [S0020]
  • Cobalt Strike [S0154]
  • Derusbi/PHOTO [S0021]
  • Gh0stRAT [S0032]
  • GreenRAT
  • jjdoor/Transporter
  • jumpkick
  • Murkytop (mt.exe) [S0233]
  • NanHaiShu [S0228]
  • Orz/AirBreak [S0229]
  • PowerShell Empire [S0363]
  • PowerSploit [S0194]
  • Server software component: Web Shell [T1505.003] (an ATT&CK technique rather than a tool)

NSA Advisory on Chinese State-Sponsored Cyber Operations


The National Security Agency, working with CISA.gov and the FBI, also released a 31-page advisory today, detailing observed Tactics, Techniques, and Procedures (TTPs) used by Chinese hacking groups.  Their description provides Tactics, Threat Actor Techniques, Threat Actor Procedures, and Defensive Tactics and Techniques using the MITRE ATT&CK and D3FEND models. Detailed Detection and Mitigation Recommendations are also shared for each tactic.

Just to share one example ... here is the way "TA0004" is described in the report.


That level of detailed explanation goes on for 14 pages of the report!  Please see the full report for more details by visiting "CSA Chinese State-Sponsored Cyber TTPs." 

International Coalition Joining In

The White House Press Secretary, Jen Psaki, mentions that the condemnation of Chinese hacking was joined by the European Union, the United Kingdom, Australia, Canada, New Zealand, Japan, and NATO!

The UK's National Cyber Security Centre issued this release: UK and allies hold Chinese state responsible for pervasive pattern of hacking while the UK's Foreign Secretary Dominic Raab issued a matching release. 

Canada's Minister for Foreign Affairs, the Honourable Marc Garneau, issued this statement: "Statement on China's Cyber Campaigns"

New Zealand's GCSB (Government Communications Security Bureau) issued this release: New Zealand condemns malicious cyber activity by Chinese state-sponsored actors




ENISA, the European Union Agency for Cybersecurity, actually put out technical guidance on addressing Microsoft Exchange Vulnerabilities back in March, mentioning the LemonDuck cryptocurrency mining botnet, and DearCry Ransomware being delivered via these methods. At that time they referred to the first broad attackers using this technique as "Hafnium" (based on Microsoft's reporting of Hafnium Targeting Exchange Servers.)

NATO Press Release: Statement by the North Atlantic Council in solidarity with those affected by recent malicious cyber activities including the Microsoft Exchange Server compromise

Previous Ransomware Actions

The White House memo makes reference to three recent advances in international communications about cyber security, from the G7, NATO, and the EU.

In June, the G7 Summit Communique specifically called out Russia's inattention to Ransomware issues:

51. We reiterate our interest in stable and predictable relations with Russia, and will continue to engage where there are areas of mutual interest. We reaffirm our call on Russia to stop its destabilising behaviour and malign activities, including its interference in other countries’ democratic systems, and to fulfil its international human rights obligations and commitments. In particular, we call on Russia to urgently investigate and credibly explain the use of a chemical weapon on its soil, to end its systematic crackdown on independent civil society and media, and to identify, disrupt, and hold to account those within its borders who conduct ransomware attacks, abuse virtual currency to launder ransoms, and other cybercrimes.

Also in June, the NATO Brussels Summit Communique reaffirmed the NATO Cyber Defence Pledge and again called out Russia's behavior:

12. In addition to its military activities, Russia has also intensified its hybrid actions against NATO Allies and partners, including through proxies.  This includes attempted interference in Allied elections and democratic processes; political and economic pressure and intimidation; widespread disinformation campaigns; malicious cyber activities; and turning a blind eye to cyber criminals operating from its territory, including those who target and disrupt critical infrastructure in NATO countries.  It also includes illegal and destructive activities by Russian Intelligence Services on Allied territory, some of which have claimed lives of citizens and caused widespread material damage.  We stand in full solidarity with the Czech Republic and other Allies that have been affected in this way.

32. Cyber threats to the security of the Alliance are complex, destructive, coercive, and becoming ever more frequent.  This has been recently illustrated by ransomware incidents and other malicious cyber activity targeting our critical infrastructure and democratic institutions, which might have systemic effects and cause significant harm.  To face this evolving challenge, we have today endorsed NATO’s Comprehensive Cyber Defence Policy, which will support NATO’s three core tasks and overall deterrence and defence posture, and further enhance our resilience.  Reaffirming NATO’s defensive mandate, the Alliance is determined to employ the full range of capabilities at all times to actively deter, defend against, and counter the full spectrum of cyber threats, including those conducted as part of hybrid campaigns, in accordance with international law.  We reaffirm that a decision as to when a cyber attack would lead to the invocation of Article 5 would be taken by the North Atlantic Council on a case-by-case basis.  Allies recognise that the impact of significant malicious cumulative cyber activities might, in certain circumstances, be considered as amounting to an armed attack. ( ... ) If necessary, we will impose costs on those who harm us.  Our response need not be restricted to the cyber domain.  We will enhance our situational awareness to support NATO’s decision-making.  Resilience and the ability to detect, prevent, mitigate, and respond to vulnerabilities and intrusions is critical, as demonstrated by malicious cyber actors’ exploitation of the COVID-19 pandemic.  NATO as an organisation will therefore continue to adapt and improve its cyber defences.  ...

The European Union held its US-EU Justice and Home Affairs summit on 21-22JUN2021.  European Commissioner Ylva Johansson and US Secretary of Homeland Security Alejandro Mayorkas met, along with the European External Action Service, Europol, Eurojust, and others, and agreed to create a new U.S.-EU working group dedicated to fighting ransomware.  DHS reporting of the event can be found as "Readout of Secretary Mayorkas’s Trip to Portugal."  The EU's reporting of the same event can be found as "Joint EU-US statement following the EU-US Justice and Home Affairs Ministerial Meeting."

6. The United States and the European Union acknowledged the need to cooperate and shape a digital future based on our shared democratic values. The United States and the European Union acknowledged the potential benefits and risks of using Artificial Intelligence technologies for law enforcement and the judiciary. They also reaffirmed their dedication to develop and use such technologies in a trustworthy manner in conformity with human rights obligations. They further exchanged views on current and upcoming European Union efforts on tackling illegal content online, including the need to improve the cooperation between the authorities and online platforms to detect ongoing criminal activity. The United States and the European Union commit to continue to work together on how law enforcement and judicial authorities can most effectively exercise their lawful powers to combat serious crime both online and offline. They agreed on the importance of together combating ransomware including through law enforcement action, raising public awareness on how to protect networks as well as the risk of paying the criminals responsible, and to encourage those states that turn a blind eye to this crime to arrest and extradite or effectively prosecute criminals on their territory.