How Hacking Team Helped Somali Group with BGP Routing Hijack on SOMTEL

As part of the Hacking Team fallout and the details published on Wikileaks, it became public knowledge that Hacking Team helped one of its customers, the SO Special Operations Group (SO SOG), regain access to Remote Access Tool (RAT) clients.

As first reported, SO SOG recommended using BGP hijacking and Hacking Team helped with the setup of new RAT command-and-control (CnC) servers. In this post we'll take a closer look at the exact details of this incident and support the Wikileaks findings with BGP data.
The SO SOG is the Special Operations Group of the SO National Military police. The group focuses on investigating organized crime and terrorism. Hacking Team sells its RAT software known as Remote Control System (RCS) to law enforcement and intelligence agencies, SO SOG included.
SO SOG infected the machines of persons of interest (referred to in the emails as targets) by installing the RCS client on them. Such Remote Access Tools can collect all kinds of information and typically give the tool's operator full control over a victim's machine. The RCS clients need to check in periodically with a server, from which they receive their commands (orders) and to which they upload stored data, recorded communications, logged keystrokes, etc. The Wikileaks emails uncovered how SO SOG abruptly lost access to one of its RCS servers and worked together with Hacking Team to recover from the loss.
Initially, SO SOG used machines from a provider called SOMTEL, a well-known bulletproof hoster; Brian Krebs dedicated an article to them in October 2013.
Obviously the RCS clients (also referred to as agents in the Wikileaks emails) only work if they can communicate with the server. If the server becomes unreachable the client essentially becomes an orphan and loses most of its value. This is exactly what happened on July 3rd, 2013 when, after nine earlier outages that year, one of SOMTEL's IPv4 prefixes became permanently unreachable. The Wikileaks documents describe how SO SOG reached out to Hacking Team to work together on recovering the VPS that ran in AS37563. In SO SOG terminology the server was called the "Anonymizer". The emails also reveal that this server relays updates to another back-end server called the "Collector", from which SO SOG presumably retrieves the targets' data.
Hacking Team first proposed that SO SOG work with SOMTEL to bring the VPS back online, so that Hacking Team could subsequently help reconfigure the RCS server to receive updates from the RCS clients installed on the targets' devices, but that plan did not materialize.
A plan was then devised to make the prefix reachable again by announcing it in BGP. Since SOMTEL no longer announced the prefix, originating it from a different AS would make the network reachable again, provided other networks accepted the announcement; an origin change of this kind is exactly what prefix filters based on registry data and, today, RPKI route origin validation are meant to reject. The Wikileaks documents show how SO SOG worked with another network operator to get the prefix announced in BGP and bring up a new "Anonymizer" server with the original IP address. SO SOG was also hoping that other ISPs wouldn't filter the hijacked announcement.
When we look at historical BGP data we can confirm that the prefix was indeed announced again. The Wikileaks emails outline how SO SOG complained to Hacking Team that the IP was reachable only via several SO providers but not yet through SO, concluding that not all RCS clients were able to connect back to the server immediately, since the prefix was not seen globally. BGP data confirms this, as the peer list below shows.
Historical BGP data shows how AS37563 (SOMTEL) started to announce the prefix to its peers at an Internet Exchange Point and how it became reachable via the peers that accepted the announcement. The networks below were some of the peers that accepted the announcement and would have had a path to the new "fake" RCS server:
AS12874 Fastweb
AS6939 Hurricane Electric, Inc.
AS49605 Reteivo.IT
AS4589 Easynet
AS5396 MC-link Spa
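The check an operator would run on this kind of data, as an added example that is not code from the original post or from any BGP data provider: given route-collector messages in a simplified one-line form (timestamp, announce/withdraw, collector peer ASN, prefix, AS path), flag announcements whose origin AS is not the registered holder, list which peers carried such a route, and record when it first appeared and when the last peer withdrew it. The records are constructed to mirror the timeline above; 192.0.2.0/24 and 198.51.100.0/24 are documentation prefixes, AS64496 and AS64497 are documentation ASNs standing in for the registered holder and the re-originating network, and the collector peer ASNs are the ones listed above.

```python
"""Origin-hijack check over historical BGP update records.

Added example, not code from the original post or from any BGP data
provider. Input is a simplified text form of what a route collector
exports: one line per message, 'timestamp|A or W|collector peer ASN|prefix|AS path'.
192.0.2.0/24 and 198.51.100.0/24 are documentation prefixes and
AS64496/AS64497 are documentation ASNs used as placeholders; the collector
peer ASNs are the ones listed in the post. All records are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Update:
    ts: datetime            # when the collector received the message (UTC)
    peer_asn: int           # collector peer that accepted and forwarded the route
    prefix: str
    as_path: tuple          # empty for a withdrawal
    withdrawn: bool = False


def parse_line(line: str) -> Update:
    """Parse 'ts|A/W|peer_asn|prefix|as_path' into an Update."""
    ts, kind, peer, prefix, path = line.strip().split("|")
    return Update(
        ts=datetime.fromisoformat(ts).replace(tzinfo=timezone.utc),
        peer_asn=int(peer),
        prefix=prefix,
        as_path=tuple(int(a) for a in path.split()),
        withdrawn=(kind == "W"),
    )


def origin_asn(u: Update):
    """Origin is the last AS in the path; prepending repeats it, so [-1] still works."""
    return u.as_path[-1] if u.as_path else None


def analyse(lines, expected_origins):
    """Flag announcements whose origin AS is not the registered holder (ROA-style check).

    expected_origins maps prefix -> set of ASNs allowed to originate it.
    Returns, per prefix: the unexpected origins seen, which collector peers
    carried such a route, when it was first seen, and when the last peer dropped it.
    """
    report = {}
    for line in lines:
        u = parse_line(line)
        r = report.setdefault(u.prefix, {
            "hijack_origins": set(), "peers": set(), "active_peers": set(),
            "first_seen": None, "withdrawn_at": None,
        })
        allowed = expected_origins.get(u.prefix, set())
        if u.withdrawn or origin_asn(u) in allowed:
            # Withdrawal, or the legitimate holder re-announced via this peer:
            # either way this peer no longer carries the unexpected route.
            if u.peer_asn in r["active_peers"]:
                r["active_peers"].discard(u.peer_asn)
                if not r["active_peers"]:
                    r["withdrawn_at"] = u.ts
            continue
        r["hijack_origins"].add(origin_asn(u))
        r["peers"].add(u.peer_asn)
        r["active_peers"].add(u.peer_asn)
        r["withdrawn_at"] = None        # the unexpected route is (back) in the table
        if r["first_seen"] is None:
            r["first_seen"] = u.ts
    return report


# Constructed: only AS64496 (placeholder for the registered holder) may originate these.
EXPECTED_ORIGINS = {"192.0.2.0/24": {64496}, "198.51.100.0/24": {64496}}

# Constructed records mirroring the post's timeline: the prefix shows up at
# several collector peers from Aug 16 with an unexpected origin (AS64497,
# placeholder for the re-originating network) and is withdrawn at all of them
# on Aug 22 at 13:35 UTC. One legitimate announcement is mixed in as a control.
SAMPLE_UPDATES = [
    "2013-08-16T09:12:00|A|6939|192.0.2.0/24|6939 64497",
    "2013-08-16T09:12:05|A|12874|192.0.2.0/24|12874 64497",
    "2013-08-16T09:13:10|A|49605|192.0.2.0/24|49605 4589 64497 64497",  # prepended origin
    "2013-08-16T10:00:00|A|6939|198.51.100.0/24|6939 64496",            # legitimate origin
    "2013-08-17T02:00:00|A|4589|192.0.2.0/24|4589 64497",
    "2013-08-17T02:00:03|A|5396|192.0.2.0/24|5396 4589 64497",
    "2013-08-22T13:35:00|W|6939|192.0.2.0/24|",
    "2013-08-22T13:35:05|W|12874|192.0.2.0/24|",
    "2013-08-22T13:35:12|W|49605|192.0.2.0/24|",
    "2013-08-22T13:35:30|W|4589|192.0.2.0/24|",
    "2013-08-22T13:35:40|W|5396|192.0.2.0/24|",
]


def run_example():
    return analyse(SAMPLE_UPDATES, EXPECTED_ORIGINS)


if __name__ == "__main__":
    for prefix, r in run_example().items():
        if not r["hijack_origins"]:
            print(f"{prefix}: origin as expected")
            continue
        end = f"{r['withdrawn_at']:%Y-%m-%d %H:%M:%S} UTC" if r["withdrawn_at"] else "still announced"
        print(f"{prefix}: unexpected origin(s) {sorted(r['hijack_origins'])} seen at peers "
              f"{sorted(r['peers'])} from {r['first_seen']:%Y-%m-%d %H:%M} UTC, withdrawn {end}")
```

Two design points matter for real data: the origin is taken from the last AS in the path so that prepending does not hide it, and a route only counts as gone once every peer that carried it has withdrawn it or replaced it with the legitimate origin, which is the partial-visibility situation SO SOG complained about in the emails.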
After some frustration on SO SOG's part due to summer vacation delays, the IP address of the server eventually became reachable again, at least for many SO networks, and the new server was up and running with the same IP address. Hacking Team then stepped in to reinstall and set up a new RCS server on that IP.
Consequently, the RCS clients were able to "sync" back in with the server. On August 20th SO SOG confirmed to Hacking Team that it had indeed recovered contact with 3 of the 4 RAT clients.
Finally, on August 22 at 13:35 UTC the prefix was withdrawn again, which indicates that the operation was successful and that the RAT clients had likely been reconfigured to use a different server IP.
As the supporting evidence from historical BGP data shows, the information revealed in the Wikileaks documents is factual: SO SOG and Hacking Team did work with the network (SOMTEL) to announce the prefix between August 16 and August 22 in order to regain access to their RAT clients.
Source: http://www.cloudtacker.com/docs/AS37563