Team Inject0r: The Multinational Connection

Thursday, July 07, 2011

Infosec Island Admin


The recent compromise of a NATO server by “Team Inj3ct0r” has made the news, but, as the media usually do, they looked no deeper than the Inj3ct0r website and perhaps the text file the team left on the compromised server.

A closer look at the group shows that Inj3ct0r has been around since 2008 and has ties to Chinese hackers as well as to Russia, Turkey and other countries.


This could change the paradigm on the “hacktivism” moniker that Team Inj3ct0r has branded themselves with recently (after the goings-on with Anonymous and the LulzSec/AntiSec movements).

Before these movements, this site and the teams were all loosely linked purveyors of 0day, and not so much in it for political ends. What has changed? Who might benefit from using the hacktivism movement as cover for hacking activity that could cause a stir?

Maybe the PLA? Maybe the FSB? Some other political orgs from Gaza, or Turkey?

Or perhaps they are just a bunch of hackers who like the cause célèbre of hacktivism? It’s hard to say, really, but when you get China into the mix the lines blur very, very fast.

Below I outline the data I collected on the main inj3ct0r site, its owner, and two players who are on both hacker teams, which span Chinese and Russian hacking.

This adds a new wrinkle to the Anonymous/Lulz movement: the NATO hack was claimed by someone using the name “Team Inj3ct0r”, and this site fits the bill as the source of the attack, since the hackers have said they used 0day on the NATO server to crack it and keep access.

If there are indeed connections to state-sponsored hacking (as the China connection leads me to believe), then we have a new problem. Or perhaps this has been the case all along: state-sponsored hackers have been inside Anonymous, using it as cover.

Another interesting question is the decision to attack NATO. Was it a hack of opportunity, or was there a political motive? Since these groups are multinational, perhaps the attack had an overall political agenda, NATO being the world’s supposed policeman. I am still unsure.

Teams and Members:

In looking at the sites and the members, it came to light that two members belong to both teams (inj3ct0r and DIS9). The two are “knockout” and “Kalashinkov3”. The teams are tied together in the way they present their pages and the data they mirror, so it is assumed that they have a greater connection underneath.

In fact, more of them may be working together without being named in the teams listed below. Each of these people has particular skills in finding 0day and posting it to this site and others for others to use.

Team Inj3ct0r: http://77.120.120.218/team

Team Inj3ct0r’s site is located in Ukraine and is registered to a Matt Farrell (mr.r0073r@gmail.com). My assumption is that the name, address and phone numbers are all bogus; as you can see, they like to use the netspeak word “1337” quite a bit. A secondary tip is that “Matt Farrell” is the name of the hacker character in “Live Free or Die Hard”.

Someone’s a fan…


Team Inj3ct0r

r0073r – r0073r is the founder of inj3ct0r and I believe is Russian. The site r0073r.com is owned by a Mr. Czeslaw Borski according to whois. However, a whois of inj3ct0r.com comes up with an Anatoly Burdenko of 43 Moskow, Moskovskaya Oblast, RU. Email: e-c-h-0@mail.ru

  • The domain r0073r.com is owned by a Mr. Czeslaw Borski out of Gdansk, Poland (another red-herring name); the domain is hosted in Germany with a .ru name server
  • The domain inj3ct0r.com, created in 2008, belongs to Anatoly Burdenko and has been suspended
  • The domain inject0r.com was hosted in China, 61.191.0.0 – 61.191.255.255, on China net
  • Another site confirms that r0073r is the founder of team inj3ct0r aka l33tday
  • Another alias seems to be the screen name str0ke
  • Also owned www.0xr00t.com
www.inj3ct0r.com domain details:

  • Registrant: Inj3ct0r LTD r0073r (e-c-h-0@mail.ru), Burdenko, 43 Moskow Moskovskaya oblast, 119501 RU, Tel. +7.4959494151
  • Creation Date: 13-Dec-2008
  • Expiration Date: 13-Dec-2013
  • Domain servers in listed order: ns1.suspended-domain.com, ns2.suspended-domain.com
  • Administrative Contact: Inj3ct0r LTD r0073r (e-c-h-0@mail.ru), Burdenko, 43 Moskow Moskovskaya oblast, 119501 RU, Tel. +7.4959494151

Sid3^effects
r4dc0re
SeeMe
XroGuE
gunslinger_

indoushka
KnocKout

  • knockout@e-mail.com.tr
  • knockoutr@msn.com
  • Alleged to be Turkish and located in Istanbul
  • Member of the Turkish cyber warrior site cyber-warrior.org; last access July 4th, 2011

ZoRLu
anT!-Tr0J4n
eXeSoul
KedAns-Dz
^Xecuti0n3r
Kalashinkov3

  • Claims to be from Algeria
  • kalashinkov3[at]Hotmail[dot]Fr
  • http://internetblog.pl/tag/kalashinkov3/
  • He’s a member of GazaHackers 


DIS9.com:

DIS9.com is a hacker group that is linked to Team Inj3ct0r and shares two members with it (Kalashinkov3 and KnocKout). Both sites are very similar in design and content. DIS9.com resolves to an address in China and is registered to a YeAilin, ostensibly out of Hunan Province, China. The site’s registrant uses the familiar email address yeailin225@126.com, and the domain is both registered and physically hosted in China.

A Maltego map of this data presents the following interesting bits: a connection to the site www.vi-xi.com, a now-defunct BBS which lists the yeailin225 account and other data such as his QQ account. This site also lists another name attached to him: Daobanan (版主). vi-xi.com hosted hacking discussions that involved 0day as well. The domain vi-xi.com was registered to a jiang wen shuai with the email address jwlslm@126.com, also listed out of Hunan Province.

The connections from DIS9 to other known hackers who are state actors were found within the Maltego maps and corresponding Google searches. I am still collecting the data out there because there is so much of it; I have been inundated with links and user names, so once I have more detailed findings I will post them. Suffice it to say that there is enough data here to infer that, at the very least, hackers who work for the Chinese state are working with others on these two sites, sharing 0day and perhaps hacking together as newly branded “hacktivists”:

DIS9 Team:
Rizky Ariestiyansyah
Blackrootkit
Kedans-Dz

Team Exploit:
Nick
Kalashinkov3
KnocKout
K4pt3N
Liquid
Backdoor Draft

h4x0er.org aka DIS9 Team

Another interesting fact is that a link on the site h4x0er.org itself shows that the DIS9 team is the umbrella organization for Inj3ct0r and other teams. Interconnected sites and teams working together is a common practice I have found among Chinese hacking groups, and it looks to be the case here too, given the Chinese connections that keep turning up in the domains, sites and team members.
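The pivoting the Maltego map performs above (registrant e-mail, shared handle, shared team member) as an added example, not the author's tooling or data feed: the triples are transcructed from the relationships this post states, the relation labels are mine, and the "same_handle" edge between the vi-xi.com account and the DIS9.com registrant mailbox is the post's own inference rather than a whois fact.

```python
from collections import deque

# Constructed from the relationships the post states (an added example, not the
# author's tooling); relation labels are mine, "same_handle" is the post's inference.
EDGES = [
    ("r0073r", "founded", "Team Inj3ct0r"),
    ("r0073r", "owns", "inj3ct0r.com"),
    ("inj3ct0r.com", "registrant_email", "e-c-h-0@mail.ru"),
    ("Team Inj3ct0r", "member", "KnocKout"),
    ("Team Inj3ct0r", "member", "Kalashinkov3"),
    ("DIS9.com", "member", "KnocKout"),
    ("DIS9.com", "member", "Kalashinkov3"),
    ("DIS9.com", "registrant_email", "yeailin225@126.com"),
    ("vi-xi.com", "lists_account", "yeailin225"),
    ("yeailin225", "same_handle", "yeailin225@126.com"),
    ("vi-xi.com", "registrant_email", "jwlslm@126.com"),
]

def build_graph(edges):
    """Undirected adjacency map: node -> {neighbour: relation label}."""
    graph = {}
    for a, rel, b in edges:
        graph.setdefault(a, {})[b] = rel
        graph.setdefault(b, {})[a] = rel
    return graph

def shared_neighbors(graph, a, b):
    """Entities adjacent to both a and b: the pivots that tie two groups together."""
    return set(graph.get(a, {})) & set(graph.get(b, {}))

def shortest_pivot(graph, src, dst):
    """Breadth-first search for the fewest-hop chain of pivots from src to dst.
    Returns [(node, relation used to reach it), ...]; [] if unconnected."""
    prev = {src: (None, None)}
    queue = deque([src])
    while queue and dst not in prev:
        node = queue.popleft()
        for nxt, rel in graph.get(node, {}).items():
            if nxt not in prev:
                prev[nxt] = (node, rel)
                queue.append(nxt)
    if dst not in prev:
        return []
    path, node = [], dst
    while node is not None:
        parent, rel = prev[node]
        path.append((node, rel))
        node = parent
    return path[::-1]
```

`shortest_pivot(build_graph(EDGES), "inj3ct0r.com", "vi-xi.com")` walks the seven-hop chain from the Russian registrant domain through the shared members to the Chinese BBS, which is the chain the Maltego map draws.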

Other Teams within the DIS9 umbrella:

[image: other teams within the DIS9 umbrella]

In the end, it seems there is more to the inj3ct0r team than just some random hackers, and all of this data bears that out. I guess we will just have to wait and see what else they hit and determine what their agenda is.

More when I have it…

K.

Cross-posted from Krypt3ia

Kevin McAleavey: Everything old is new again. :)

YeAilin is certainly a blast from the past from back in my BOClean days. His gang was well-known for exploits and attacks on QQ, primarily for the purpose of stealing accounts and game data. In China, gaming is the equivalent of MP3's and so he did a brisk little business in selling details from QQ accounts and anything else he could filch from unprotected Windows boxes. By 2006, BOClean was adding more QQ trojans than just about anything else with Brazilian banker thieves running a close second.

Look up "chinese honkers" and you'll get a rich background on them going back as far as 1999 when I first encountered them. I'm not so sure that they're state-sponsored as much as "patriotic" ... these guys are pretty much China's "anonymous" with pretty much the same motivations in their own political sphere.

"Injector" goes back to around 2006'ish and was a favorite site of ours to plunder for new things for us to cover in BOClean before they became widespread. That group was also "coders for hire" in Latvia and Ukraine for those ZLOB "fake codecs" and other crimeware. These are all old familiar faces and very much "lulzer" types rather than straight-up terrorist types.

However, their code found its way into many a serious exploit later. Watching them was very beneficial indeed for our customers back in the BOClean days. Surprised to see so many of those folks still around after all these years. Some of them were very good at what they did, the rest of them were fools like we're dealing with now.

Krypt3ia: @Kevin http://krypt3ia.wordpress.com/2011/06/06/the-dragon-and-eagle-chinas-rise-from-hacking-to-digital-espionage/ Honker reformed in 2005 and were co-opted by the PLA. There were also connections to icefish as well. Much more data is left out of my post.

Kevin McAleavey: Interesting turn of events since, although it makes sense. They had always been trying to get the government to support them and for the longest time, there was no linkage since most of them were ... well ... hacker kids. Most of them wrote rather competent code though. And while those of us outside China fear them, in general Chinese coders weren't all that more competent than our lulzy friends in all seriousness, and having looked at some of their exploit scripts for SQL, that still seems to hold.

From an analyst's standpoint, their code left very useful nuggets that made for good signatures and most of them signed their work internally which of course gave us an advantage in detecting their next variations fairly easily. At times, I miss those guys though. They were fairly easy to deal with.