Overnight, the different listeners we had open were reporting data being sent by the crawler. We had mail files, several document and spreadsheet files, configuration files (the hosts file, information stored in the registry of several machines, etc.), and a matrix map of how the computers were connected to each other, i.e. the network architecture. It was a crude map, but it was invaluable to us if we decided to start moving inside the attacker's network.
While Y kept an eye on the computers, D and I began checking the files sent. They were in Russian, or at least Cyrillic. That was to be expected, given where the team was operating. This also meant we needed someone who could translate this information for us.
The spreadsheets had a lot of IP addresses. When we checked a bunch of them, we realized these were addresses belonging to several banks and financial institutions across the EU.
The network map showed us that we were dealing with a simple network, apparently with no domain controllers, and with each computer connected to a proxy of sorts that acted as a gateway to the internet. We managed to get an external IP. A simple whois showed us that it belonged to a Russian internet provider, so there was nothing we could gain from that. Still, having an external address gave us a way to start pinpointing the location of the bad guys.
Good write up, Uri. Instructive.
Uri, you write this article and then a huge hacking storm hits - China and our weapons systems. All of a sudden it's all over the news.
ufridman TKW406 LOL - I seem to get that response a lot from you!
TKW406 Can't confirm nor deny...
I'm seriously hoping that you & your team didn't give the client control of ALL the backdoor access you'd built. Please tell me that you are able to check in on these bad guys every now & then to see who they're trying to screw over now. Great story Uri! Glad to see it on SOFREP.