Turkish Cyber Army (TCA)

TACTICAL CYBER INTELLIGENCE REPORT

Actor Type: III
Serial: TR-18-064-003
Report Date: 20180305
Industries: All


Summary

A Red Sky Alliance member reported a suspicious email to Wapack Labs for analysis.  The email originated from the sender pvtromeo2007@aol.com with the subject "Pvtromeo Notification N4821".  It posed as a FedEx delivery notice and attempted to get the recipient to click a malicious link pointing to an Iranian domain, www.tvtd[.]ir/wp-content/sufficing.php.  Analysis revealed that the domain tvtd.ir had been compromised by the pro-Pakistani Turkish Cyber Army (TCA, also known as Ayyildiz Tim).

Figure 1: Body of the malicious email. The attacker claimed to be FedEx, baiting the victim into clicking the malicious link.

The domain in the link, tvtd.ir, belongs to a legitimate website that was briefly compromised by TCA.  During the compromise the URL was submitted to VirusTotal and was flagged as malicious by only 2 of 67 engines.[1] One TTP of Ayyildiz Tim is to compromise legitimate domains, host malware on them and lure victims to the compromised pages.  The group has used the same method on Twitter, compromising accounts and sending malicious links to all of the compromised users' followers.
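The lure described above combines three signals an analyst can check mechanically: a free-mail sender, a brand name in the subject or body that does not match the link's domain, and a PHP script under a WordPress wp-content path on an otherwise legitimate site. The following triage script is an added example written for this page, not Wapack Labs tooling; the sender, subject and link come from the report, while the message body, the recipient address and the brand-to-domain table are constructed assumptions.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample message modelled on the lure in the report. Only the
# sender, subject and link are taken from the report; the HTML body and the
# recipient address are invented for this example.
RAW_EMAIL = """\
From: pvtromeo2007@aol.com
To: victim@example.com
Subject: Pvtromeo Notification N4821
Content-Type: text/html; charset="utf-8"

<html><body>
<p>FedEx was unable to deliver your parcel.</p>
<p><a href="http://www.tvtd.ir/wp-content/sufficing.php">Track your shipment</a></p>
</body></html>
"""

# Assumed table of commonly impersonated delivery brands and the domains
# they legitimately send from. A real deployment would maintain this list.
BRAND_DOMAINS = {
    "fedex": ("fedex.com",),
    "ups": ("ups.com",),
    "dhl": ("dhl.com",),
}

URL_RE = re.compile(r"""https?://[^\s"'<>]+""", re.IGNORECASE)


def _text_parts(msg) -> list[str]:
    # Collect every text/* part so links in both plain and HTML bodies are seen.
    return [p.get_content() for p in msg.walk() if p.get_content_maintype() == "text"]


def extract_urls(raw: str) -> list[str]:
    # Parse the raw RFC 5322 message and pull every http(s) URL out of its text parts.
    msg = email.message_from_string(raw, policy=policy.default)
    urls = set()
    for body in _text_parts(msg):
        urls.update(URL_RE.findall(body))
    return sorted(urls)


def defang(url: str) -> str:
    # Neutralise the IOC for reports: http -> hxxp and dots in the host -> [.]
    p = urlparse(url)
    scheme = p.scheme.replace("http", "hxxp")
    safe_host = p.netloc.replace(".", "[.]")
    return url.replace(p.scheme + "://", scheme + "://", 1).replace(p.netloc, safe_host, 1)


def registrable_domain(host: str) -> str:
    # Last-two-labels heuristic; production code should use the Public Suffix List.
    return ".".join(host.lower().split(".")[-2:])


def triage(raw: str) -> dict:
    # Flag links whose domain does not belong to the brand the message claims to be
    # from, and links to PHP scripts under wp-content, a common sign of a compromised
    # WordPress site being used to host the payload.
    msg = email.message_from_string(raw, policy=policy.default)
    haystack = (str(msg["Subject"] or "") + " " + " ".join(_text_parts(msg))).lower()
    claimed = [brand for brand in BRAND_DOMAINS if brand in haystack]
    findings = []
    for url in extract_urls(raw):
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        reasons = []
        for brand in claimed:
            legit = BRAND_DOMAINS[brand]
            if not any(host == d or host.endswith("." + d) for d in legit):
                reasons.append(f"claims {brand} but links to {registrable_domain(host)}")
        if re.search(r"/wp-content/.*\.php$", parsed.path, re.IGNORECASE):
            reasons.append("PHP script under wp-content: typical of a compromised WordPress site")
        findings.append({"ioc": defang(url), "host": host, "reasons": reasons})
    return {
        "sender": str(msg["From"]),
        "subject": str(msg["Subject"]),
        "claimed_brands": claimed,
        "findings": findings,
    }


if __name__ == "__main__":
    result = triage(RAW_EMAIL)
    print(result["sender"], "|", result["subject"])
    for f in result["findings"]:
        print(f["ioc"])
        for r in f["reasons"]:
            print("  -", r)
```

The brand check is deliberately strict about the registrable domain rather than the page content, because the lure's text is fully under the attacker's control while the link target is not. The defanged form is what should go into a report or ticket, so that the live URL is never one click away.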

Background

Ayyildiz Tim, a Turkish hacker group, was founded in 2002 by Tim Cedk.  Its members characterize themselves as patriots, nationalists and supporters of Ataturk (the first president of the Republic of Turkey).  The group is considered the most powerful hacker group in Turkey.

The Turkish Cyber Army website, golgeler[.]net, is used to advertise the sites the group defaces and compromises.  Multiple members and sub-groups post their defacements to this page.  Wapack Labs observed the domain from the malicious email (tvtd.ir) listed on the golgeler website, with Ayyildiz Tim claiming the hack.

Figure 2: Turkish Cyber Army's webpage, golgeler[.]net, where TCA posts videos of sites it has compromised or defaced. TCA posted the link tvtd.ir, the domain sent to the MPS-ISAO member in the malicious email. This is an indicator that TCA compromised the domain and leveraged it as a malware-hosting domain for further attacks.

TCA maintains a Twitter account, created in January 2011, which it has used to post political opinions and to claim hacks it committed.[2]  The account's last tweet was on 15 March 2016.

In January 2018, the Twitter accounts of two Fox News hosts, Eric Bolling and Greta Van Susteren, were compromised by TCA.[3]  The attackers sent tweets from these accounts and used them to direct-message United States President Donald Trump.  At the time Trump followed only 45 accounts on Twitter, including both Bolling and Van Susteren, which gave the attackers the ability to send him a direct message from the compromised accounts.  The group claiming these Twitter takeovers is Ayyildiz Tim, the same group that compromised the domain sent to the MPS-ISAO member.

Conclusion

TCA appears to be a politically motivated hacktivist group targeting governments whose views oppose its own.  It is unclear why the group sent a malicious email to a Red Sky Alliance member.  Wapack Labs believes the recipient may have received the email as part of a mass mailing to a large number of targets: the port member who received it has an email address that is published in open sources and can easily be found with a search engine.

For questions or comments regarding this report, please contact the lab directly at 603-606-1246 or feedback@wapacklabs.com.


[1] https://www.virustotal.com/#/url/78494b63f4b501b05cb66502e70802b699891e4fa08faabcf50bbd00c10a9fd5/detection

[2] https://twitter.com/turkishcybrarmy?lang=en

[3] https://globalnews.ca/news/3969438/twitter-accounts-trump-follows-hacked/
