Deep dive into attribution trove of Hacking Team

Attribution is probably one of the toughest things to deal with during a major Cyber Security breach, yet it is one of the most demanded skills.

In the early days of incident response, attribution was based solely on IP address geolocation. Even though proxy servers have existed all along, individuals, companies and researchers could easily get away with this type of attribution.

Attribution and Advanced Persistent Threats
In recent years, and especially since the community started to attribute attacks to specific hacker groups by giving them names, the ability to attribute cyber attacks has become a spearhead for companies to showcase their skills. Often fashionable names were created; in other cases simply the abbreviation APT (Advanced Persistent Threat) followed by a number has been used to identify specific hacker groups.

Attribution is not easy; it can be based on all sorts of circumstantial evidence. As long as the same unique blueprint keeps showing up throughout an attack, you may be able to attribute it.
One thing most people tend to forget is that we live on a huge globe, with different continents, habits and completely different mindsets. Cyber attacks in Europe and America are completely different in nature from cyber attacks in the Asia Pacific region, let alone from Russia.

Hacking Team
To help future attribution cases, we at @RedSocks have decided to pinpoint as many specific details from the Hacking Team leak as possible, down to the slightest detail, in order to identify who is behind them.

What stands out most is the different ways in which specific parties maintained contact with Hacking Team. There are clients that don’t really mind if their identity is known, clients that are in a hurry, and clients that care about their identity. A lot of Hacking Team’s clients, for example, use Gmail, Yahoo and Outlook email addresses. Some clients even prefer to be contacted only by phone, and others only via encrypted email.

It turns out that some (if not all) customers prefer to have their Collector server in their own home country.

Below are some of the clients whose Collector server we were able to pinpoint:

  • 81.192.195.* – Morocco
  • 81.192.195.* – Morocco
  • 81.192.195.* – Morocco
  • 80.18.231.* – Italy
  • 202.131.234.* – Mongolia
  • 190.242.96.* – Colombia
  • 95.59.26.* – Kazakhstan
  • 175.143.78.* – Malaysia


The massive Hacking Team leak allowed us to gain insight into the client infrastructure of Hacking Team. The company used various anonymizers, which you can find in our previous post on Hacking Team.

At the bottom of this blog post is a list of associated Hacking Team Collector server anonymizers and connected email addresses.

These details should give researchers the ability to gather valuable information about current and future APT groups, their tool set, IP ranges, capabilities and motives.

We have highlighted some for you:

The Russian customer KVANT. This customer is associated with the following two email addresses:


But it is also associated with this email address:


JohnD here could be a reference to the placeholder name John Doe.

This specific customer connected from the Russian IP address
An IP address known to be a Bitcoin Seed node.

Below is a screenshot this customer sent to Hacking Team for debugging purposes.
Officially, Hacking Team sold its wares to a company called “Advanced Monitoring”, whose corporate parent has a license to work with the FSB, as recently as August 28, 2014.

The 5163 Army Division customer
This customer was one of the most active users; it is associated with the email address:
It has connected from at least 109 different IP addresses in at least 15 different countries. All of them were Tor exit nodes. This customer clearly had good operational security in place to hide its real location on the internet.

This customer was using a large variety of VPS infrastructure to infect its targets:

  • DE –
  • DE –
  • CZ –
  • CZ –
  • NL –
  • NL –
  • DE –
  • RU –
  • US –

The 5163 Army Division is thought to be a front office of the National Intelligence Service of South Korea.

Kevin White
It turns out there is a customer known by the abbreviation MOI. This user has used the following email addresses:


This customer also consistently connected through the Tor network. Thus far we have not been able to identify this customer. The email address belongs to a secure anonymous email provider that is only accessible through Tor.

The operational security of this customer turned out to be excellent.
This customer infected its targets through Word documents that mimicked documents from the “United Nations Human Rights Council” (UNHCR) and the “Revolutionary Front in Defence of the People’s Rights” (RFDPD) from Brazil.

We have not been able to identify this customer.
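As an added example (not from the original post or from RedSocks), here is a small Python script that performs the kind of per-customer connection analysis described above for the 5163 Army Division and MOI customers: it counts distinct IPs and countries, checks each login against a Tor exit list and, for customers whose opsec slips, picks the most frequent non-Tor country as the likely home location. The login records and the Tor exit set are constructed sample values, and the IP addresses come from documentation ranges.

```python
from collections import Counter, defaultdict

# Constructed sample login records: (customer codename, source IP, geolocated country).
# Hypothetical values modelled on the analysis in the post, not data from the leak;
# the IP addresses come from documentation ranges.
LOGINS = [
    ("5163", "203.0.113.10", "DE"), ("5163", "203.0.113.11", "NL"),
    ("5163", "198.51.100.7", "US"), ("5163", "198.51.100.8", "CZ"),
    ("KVANT", "192.0.2.50", "RU"), ("KVANT", "192.0.2.50", "RU"),
    ("KVANT", "192.0.2.51", "RU"), ("KVANT", "203.0.113.10", "DE"),
    ("MOI", "198.51.100.7", "US"), ("MOI", "203.0.113.11", "NL"),
]
# Constructed Tor exit set; in practice load the current exit list published by the Tor project.
TOR_EXITS = {"203.0.113.10", "203.0.113.11", "198.51.100.7", "198.51.100.8"}


def profile_customers(logins, tor_exits):
    """Summarise each customer's logins: distinct IPs, distinct countries, share of
    logins arriving via Tor exits, and the most frequent non-Tor country (the likely
    true location once a customer's opsec slips)."""
    by_customer = defaultdict(list)
    for customer, ip, country in logins:
        by_customer[customer].append((ip, country))
    report = {}
    for customer, rows in by_customer.items():
        tor_logins = sum(1 for ip, _ in rows if ip in tor_exits)
        # Countries seen only on direct (non-Tor) logins are the attribution signal.
        clear_countries = Counter(cc for ip, cc in rows if ip not in tor_exits)
        report[customer] = {
            "distinct_ips": len({ip for ip, _ in rows}),
            "countries": len({cc for _, cc in rows}),
            "tor_share": tor_logins / len(rows),
            "likely_home": clear_countries.most_common(1)[0][0] if clear_countries else None,
            "opsec": "all logins via Tor" if tor_logins == len(rows) else "leaks location",
        }
    return report


if __name__ == "__main__":
    for customer, summary in profile_customers(LOGINS, TOR_EXITS).items():
        print(customer, summary)
```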

Intech Solutions
Last but not least we have the customer Intech Solutions.
Associated company domains for this customer are:


Intech Solutions appears to be a German customer, but it turns out to be a reseller.
Intech Solutions serves its customers from three different geographical locations:

  • Luxembourg –
  • Germany – 188.210.58.*
  • Lebanon –

According to several documents, we believe Intech Solutions is serving two customers.

  • The Secret Service of Luxembourg, codenamed Falcon.
  • The Iraqi Government, codenamed Condor.

The Falcon customer is mainly interested in the Network Injector capabilities of Hacking Team’s RCS while the Condor customer uses the following links related to the infection of its targets:

  • ttp://

To sum up, here are some very specific characteristics that can be observed during an attack and that can help you with attribution, followed by others that can easily cause tunnel vision and should therefore be given less weight.

Helpful:

  • New malware strains from the same source code
  • Lateral movement characteristics
  • Reconnaissance characteristics
  • Persistence/backdoor characteristics
  • Connecting IP space
  • Plurality of IP series
  • Number of concurrent (active) backdoor connections
  • Routine of instructions
  • Batch/script files used and their purpose
  • Favoured tools from common open source tool sets
  • Entry point details (hacked, bought, bought in the underground, hijacked, stolen)
  • Sophistication of malware (single purpose, modular, ease of creation)
  • Possible motives
  • Compilation time stamps

Tunnel vision:

  • Specifically attributed known malware (could be re-used)
  • IP ranges solely
  • Strings in malware

Below is a list of customer email addresses, customer code names, customer names and connecting IP addresses. Researchers who wish to receive the complete list are free to contact us.