For over a year, the ThreatConnect Research Team has been tracking Pakistan-based cyber espionage activity associated with a custom malware implant recently dubbed “BITTERBUG.” In August of 2013, we reported our initial findings and analysis of the malware. In 2014, we teamed with FireEye to publish a comprehensive overview of the activity within Operation Arachnophobia.
As we continue to delve into the details surrounding this activity, we are uncovering more information about the personas and relationships between identified individuals and organizations. These new data points introduce additional questions about actor relationships, their respective levels of involvement in other hacking activities, and the likely motivations of those involved.
The Pakistan Cyber Army:
In one vein of our research, we focused on specific defacement activity that occurred against notable Indian websites between 2008 and 2010, specifically, defacements originally claimed by the Pakistan Cyber Army (PCA).
One of the earliest dates we could identify involving the PCA, was the November 24th, 2008 defacement of www.ongcindia.com, India’s Oil and Natural Gas Corporation Ltd. (ONGC). Within the defacement content, we observed the attackers using the statement “We were sleeping but not dead”. This defacement also contained tags of the presumed defacers: “HAroon + HAmza + ABunasar + Naveed + Hassan.”
Takeaways:
- The initial PCA ONGC defacement contained the statement “We were sleeping but not dead”.
- The initial PCA ONGC defacement contained the tags “HAroon + HAmza + ABunasar + Naveed + Hassan.”
These “tags” (or attacker aliases) also appear to coincide with relationships between individuals and organizations identified within the Operation Arachnophobia research. Public comments and elicitations by PCA members contained notable commonalities with several of the Operation Arachnophobia personas. The timing of the PCA defacement activity also overlaps dates in which the identified personas may have established personal or professional relationships. Many of the personas also maintained a skillset specific to web service and web application exploitation.
Abunasar Khan:
One of the primary personas we identified as being associated with an organization that hosted and served as BITTERBUG command and control was a Pakistani hacker named Abunasar Khan. As outlined in the Operation Arachnophobia research, Khan maintained certain associations with VPSNOC, a Pakistan-based VPS provider and subdivision of Digital Linx. Khan has been involved in hacking activities since at least 2007, and his website (abunasar.net) has referenced “Antisec” since at least April of 2010. Currently, the page “abunasar.net/new” has an HTML title tag of “Alive” and page content that simply states “Not Dead”.
Abunasar Khan also maintains a Google+ profile, and included in his “circle” is former Tranchulas Lead Penetration Tester Hamza Qamar.
Takeaways:
- Pakistani hacker Abunasar Khan was associated with BITTERBUG infrastructure within the Operation Arachnophobia research.
- Abunasar Khan currently maintains abunasar.net and has likely done so since 2004.
- Abunasar Khan was observed conducting hacking activities as early as 2007.
- Abunasar.net has reflected an affinity or affiliation with AntiSec since 2010.
- Abunasar.net currently contains a similar reference to an early PCA defacement, with a unique alternative “Alive/Not Dead”.
Muhammad Haroon:
According to Muhammad Haroon’s LinkedIn profile, between June of 2006 and May of 2009 Haroon was employed by Tranchulas in Islamabad, Pakistan. Haroon’s resume details an advanced penetration testing skill set, as well as web application security testing based on OWASP standards. Haroon is also listed as the OWASP Chapter leader in Pakistan.
Haroon has been credited with identifying zero-day vulnerabilities and specifically references his participation in Chase.org.pk, presenting spear-phishing research in 2007 and WEP cracking and SQL injection techniques at the “Hackers Convention” in 2009. The Hackers Convention 2009 was an event promoted by Tranchulas CEO Zubair Khan at the Air University auditorium in Islamabad. Haroon includes a YouTube link within his resume that consists of a Dawn News interview in which Zubair Khan summarizes the event. Note that the YouTube profile “iamviewer1” has only five public videos, two of which are newscasts associated with the PCA defacements.
The Chase 2009 Conference on Hacking and Security was held from November 6th – 10th, 2009 in Lahore, Pakistan. During the event, various training sessions were offered. Within Training Track 3, “Web Application Hacking and Vulnerability Analysis”, Mr. Muhammad Haroon and Mr. Hamza Qamar were scheduled to teach a day-long course on various web service and web application hacking techniques.
According to their public LinkedIn profiles, both Muhammad Haroon and Hamza Qamar were employees of Tranchulas at different times: Haroon from June 2006 to May 2009 and Qamar since 2011. Haroon and Qamar had established a professional working relationship as early as 2009.
Takeaways:
- Muhammad Haroon was employed by Tranchulas between June of 2006 and May of 2009.
- Muhammad Haroon was listed as the OWASP Chapter leader in Pakistan (currently in Oman).
- Muhammad Haroon presented at “The Hackers Convention 2009”, an event promoted by Tranchulas CEO Zubair Khan.
- Muhammad Haroon and Hamza Qamar taught a Web Application Hacking and Vulnerability Analysis course at the Chase 2009 Conference on Hacking and Security.
- Muhammad Haroon and Hamza Qamar were both employed by Tranchulas, at different times.
Hamza Qamar:
Hamza Qamar was initially identified within the Operation Arachnophobia research as a Lead Penetration Tester for Tranchulas in August 2013. After the initial blog post, ThreatConnect Research followed up with Qamar via his Tranchulas email address seeking an explanation for many of the inconsistencies identified within Zubair Khan’s official Tranchulas response. Qamar issued a simple denial of having altered an image and did not follow up on any other ThreatConnect Research questions. Qamar’s public Google+ profile has only Abunasar Khan’s Google+ profile within his circle, suggesting some sort of personal or professional relationship.
Takeaways:
- Hamza Qamar was previously employed by Tranchulas.
- Hamza Qamar interacted with ThreatConnect Research in response to the August 2013 blog.
- Hamza Qamar taught a web application hacking class with Muhammad Haroon in 2009.
- Hamza Qamar’s Google+ profile has only Abunasar Khan within his public profile.
Pakistan Cyber Army Linkages to Pakbugs:
Prior to 2009, Pakbugs was an “underground” web forum that hackers used to collaborate, share hacking tactics and techniques, and sell malicious code and stolen data. In July of 2010, five Pakistani members of Pakbugs were arrested by Pakistani authorities.
PCA members issued an official statement in response to the arrest of the Pakbugs members. The statement reaffirmed credit for the original PCA ONGC defacement and for striking a “peace deal” between Pakistani and Indian hacker groups that put an end to the bilateral defacement activities. The PCA members indicated that they had warned Pakbugs members of the effectiveness of Pakistani authorities “many times”, asking them not to target internal Pakistani sites. PCA referred to the Pakbugs members as “kids” and requested that the Pakistani authorities be lenient in their punishment. The PCA statement included a general message of caution for “upcoming hackers” and a stern warning to “Indian hackers” not to exploit the situation by targeting Pakistani sites. The closing of the statement included hacker handles for the respective PCA members: “Haroon aka D45H & Hamza aka r4yd3n”.
This official statement suggests that there may have been some level of a mentor-protégé relationship between elder PCA members and younger Pakbugs members.
A September 2009 F-Secure blog confirms that the Pakbugs user database was leaked on the Full Disclosure mailing list by unidentified whitehats. Later, in a July 2010 blog, Gary Warner posted details regarding a Pakbugs arrest, which included a reference that “someone named R4yd3n was a member at Pakbugs as well, using the email sana2005@fastmail.fm.” Although it does appear that someone was using the “R4yd3n” alias and sana2005@fastmail.fm email within the Pakbugs forum, there are no additional details as to the nature of “R4yd3n’s” membership or activity within the Pakbugs forum.
Takeaways:
- Pakbugs was an underground hacking forum.
- In July 2010, Five members of the Pakbugs were arrested by Pakistani authorities.
- PCA made an official statement in response to the Pakbugs arrests.
- PCA requested that Pakistani authorities be lenient with Pakbugs.
- PCA referred to Pakbugs as “kids” and that they had a “childish attitude”.
- PCA included hacker handles “Haroon aka D45H & Hamza aka r4yd3n” within the official statement.
- Pakbugs member “R4yd3n” used the email sana2005@fastmail.fm.
“HAmza” aka “R4yd3n” aka “Sana2005”:
The PCA statement regarding the Pakbugs arrest included the notable self-identification “Hamza aka r4yd3n”. Coupling this with the Pakbugs forum leak on Full Disclosure and Warner’s blog, we see an association between the Pakbugs alias “R4yd3n” and the email address sana2005@fastmail.fm.
In a posting to Pakwheels (November 23, 2008), a user with a profile named “Sana2005” announced the Indian ONGC PCA defacement ahead of any media reporting. Several hours later “Sana2005” followed up with a request for Pakwheels members to “report to the media if any one of you can.” and “…this news has not been on the media yet.” Most notably were statements which included “we” such as “If we can do this work, you people can at least spread this news.” and “We will appreciate your help.” The post was signed with “PCA” which is assumed to refer to the Pakistan Cyber Army.
This posting implied that “Sana2005” was claiming responsibility for the defacement and/or speaking authoritatively for the PCA. Other Pakwheels postings from “Sana2005” indicate that he lives in Islamabad/Rawalpindi and could be reached on his phone numbers 0312-5151946 and 0345-8571337. The initial posting to Pakwheels announcing the defacement, as well as the follow-on posts several hours later, suggests that “Sana2005” aka “r4yd3n” is actually PCA’s “Hamza.” The “Sana2005” profile was likely how PCA members were aware of Pakbugs members’ hacking activities and were able to issue warnings and guidance regarding the Pakistani authorities.
Pakwheels serves as another point of overlap when considering it is also frequented by Abunasar Khan (aka abunasark), as highlighted earlier within the Operation Arachnophobia research. Note in the posting above, “sana2005” makes a reference to an “Abunasar”, however it is unknown if this is a reference to Abunasar Khan or another unrelated Pakwheels user “abunasar”.
Takeaways:
- Sana2005 posts to the same Pakistani car forum as Abunasar Khan.
- Sana2005 claims to be in Islamabad Pakistan.
- Sana2005 appears to be the first to post public details of the ONGC PCA defacement in November 2008.
- Within a posting Sana2005 refers to “we” and concludes the post with “PCA”
- Sana2005 can be linked to Pakbugs and the alias “R4yd3n.”
- The alias “R4yd3n” can be linked to official PCA responses and the aliases “Hamza” and “Sana2005.”
PCA CopyCats:
In mid-August of 2010, the personal website of Indian industrialist Vijay Mallya was defaced by Pakistani actors claiming to be associated with the PCA.
The defacement included the comment “We are sleeping, not dead”; however, even a Pakistani blogger who was previously in contact with PCA members noted inconsistencies with earlier PCA defacements, suggesting the defacement was a copycat attack and the attackers were simply using the PCA banner as a false flag.
On 24 August, 2010, PCA provided a detailed official statement denying any involvement with the Mallya defacement. The PCA specified, “Please do not associate ‘Pakistan Cyber Army which has only three members Haroon aka D45H, Hamza aka R4yd3n and Abunasar aka Abunasar’ with any other hacking groups in Pakistan.” The names “Haroon”, “Hamza” and “Abunasar” support the inference of the surname of Muhammad Haroon and the given names of Hamza Qamar and Abunasar Khan, and the pairing of those names with the respective aliases “D45H”, “R4yd3n” and “Abunasar” indicates that the PCA members may have been using their real names within their official statements.
In May 2011, the Indian Cyber Army breached pakcyberarmy.net and disclosed details of “Shak”, one of the Vijay Mallya website defacers.
Previous Research:
As highlighted in his 2008 research of the PCA activity, researcher Nart Villeneuve made observations of the ONGC defacement by analyzing details of an email sent from the Pakistan Cyber Army. Villeneuve’s independent observations from 2008 are consistent with new details uncovered as a result of the Operation Arachnophobia research. We focus on two of Villeneuve’s key observations from 2008 that also apply to our research today.
Observation #1: Rather than deface some random .pk (although they did deface several other sites too) they retaliated by defacing the .in equivalent of the site the HMG defaced. To me, this indicates skill above the scriptkiddie level.
The PCA attackers claimed that they planned and directed their attacks to deface ONGC in retaliation for the Indian defacement of the Pakistani Oil & Gas Regulatory Authority. If the PCA attacks against ONGC were not opportunistic and were indeed planned, this may suggest that the PCA attackers were more coordinated and sophisticated than run-of-the-mill “script kiddies.” Many of the personas identified within the Operation Arachnophobia research have previously worked in proximity to one another and possess the skill set to conduct defacement activity.
Observation #2: They are self-proclaimed “whitehats” whose motivation appears to be revenge and nationalism.
Within the email claiming responsibility, PCA members also made nationalistic statements such as, “This is just a matter of our nation Pakistan” and “…Pakistani’s should really be proud of this…” as well as “…plus it shows we Pakistanis can do it.“ The PCA’s claim that they are “whitehats” is also consistent with the public profiles of many of the personas identified during the time of the 2008 defacement, in either their professional employment or personal research.
Of the personas identified within the Operation Arachnophobia research, many of them maintain a certain degree of experience and professional security industry certifications. There also seems to be a deliberate and overt element of “white hat” professionalism within the public profiles of some of the individuals and organizations identified.
Conclusion:
We cannot conclusively attribute the personas identified with the original 2008 Pakistan Cyber Army (PCA) defacement activity to the personas detailed in the Operation Arachnophobia research. However, there are notable historic relationships between these individuals and organizations identified within the Operation Arachnophobia research that seemingly match the names, aliases, skillsets, and geographic location of actors who claim to be responsible for the original PCA defacements.
- ThreatConnect Research has identified overlaps between Operation Arachnophobia (2014) personas, PCA defacement activity and official PCA statements (2008).
- The alias Haroon may reference Muhammad Haroon, a web security professional previously associated with zero-day research and a former Tranchulas employee.
- Muhammad Haroon attended and presented at a hacker convention organized by Tranchulas CEO Zubair Khan.
- Muhammad Haroon and Hamza Qamar were both employed at Tranchulas and were instructors for a web security and application hacking course in 2009.
- The alias Abunasar may reference Abunasar Khan, a Pakistani hacker tied to BITTERBUG infrastructure, Anonymous and Antisec, who also includes the reference “Alive/Not Dead” in a personal website.
- The alias Hamza may reference Hamza Qamar, former Tranchulas Lead Penetration tester and associate of Abunasar Khan.
- Members of the Pakistan Cyber Army maintained an unspecified relationship with members of Pakbugs.
- Pakistan Cyber Army and Pakbugs both maintained a common member “Hamza” who was also known as “R4yd3n” (PCA) and “Sana2005” (Pakbugs).
- “Sana2005” publicly posted details of an early Pakistan Cyber Army defacement using the term “we” and concluding the post with “PCA” to the same Pakistani auto forum that was also frequented by Abunasar Khan.
- Pakistan Cyber Army later claimed that the defacements were nationalistic in nature, that the group comprised only three members, and that they were also “white hats”.
Operation Arachnophobia serves as an example of the benefits of cross-industry collaboration. Understanding why and how collaboration can be used as a modern security control assumes a certain level of maturity. As organizations evolve their respective threat intelligence processes and programs, organizations must also seek to mature their ability to procedurally and programmatically aggregate, analyze and act on the threat intelligence they either develop organically or receive from other parties.