Skip to main content

Islamic Hacker Group Revealed



For several hours the site of the Bloc Québécois, a federal political party in Canada, was not available. Visitors encountered a black screen with threatening red letters: "United Islamic Cyber Force, Salami Ala Aqsha."

An active pro-Islamic hacker group – United Islamic Cyber Force (UICF) – was behind this website defacement in March 2015. The attack was their response to criticism by Canadian politicians of a Muslim woman who appeared in a hijab in the House of Commons.

The UICF became first known in January 2014. There have been no less than 40 members of the group from Indonesia, Pakistan, Morocco, Algeria and Kosovo at different times. All members of the group openly support Islamic radical movements.


The majority of the attacks committed by the UICF are Deface (substitution or blocking of the main page of the site) or DDoS (denial of service). During a Deface attack on a hacked site, the official content was replaced with pro-Islamic radical slogans, as was the case with the Bloc Québécois. Some of the slogans were connected with ISIS.


In addition to the slogans, those pages indicate the name of the operations, the aliases of the hackers who conducted the attacks and sometimes even their contact information. This is a kind of "note" from the hacktivists officially taking responsibility for the action, and a tip-off for journalists and potential followers.


Since the main goal of hacktivists is to attract attention to their actions, information about these attacks is actively disseminated on social networks. To do this, almost every one of them has a lot of profiles on Facebook, Twitter, Google+ and specialized hacking forum.
List of UICF Members
LiByA SqL RoOtNivenzal Attacker
Zishan RiderPal_Intifada
3l Muh4j1m1Physicaal AL, Kosova?
MrBz Alfatihr00t-Pwn
Thex@b1_MaRoot Max
Xknight / xKnight Al MarocSpirit KniGht
W3bh4x0rAnoaGhost aka Shiro'Tenshi
Syuhada1337KidSZonk
soul_hiTz 98Senyum 420
Alpha-Kill3rAlboCyber AL
Backdoorcoder AL51N1CH1
Dr.RawCyberHack Al
Haxor-GazaDK.r00t
irhaby_newbieGunz_Berry
Ivan Al HasyimL1ttle M0nster
J1h4d_attackerAtique
Kazi Shaheb4prili666h05T
Lakhdar DZYunus
LogOut MaCReZZ DoT ID
infern0Ali Lord Hacker
Cemongwawthe black monster
matrixRBG hack
Anas Colere
A photo from the Facebook profile of a purported hacktivist, in which his real name is easily seen
Two other pages were found on Facebook with the name AnoaGhost, used by the attacker in Deface attacks, one of which contains references to another nickname used by the attacker: ShiroTenshi.

https://www.facebook.com/AnoaGhost.gov/

https://www.facebook.com/anoaghost.moe/

Based on the nickname found on one of the pages on Facebook, we found the attacker's website shiro-tenshi.ml, registered in the Netherlands through the organization Freenom, was discovered. We also found additional accounts belonging to the attacker:

https://twitter.com/shirotenshii

https://pastebin.com/u/anoaghost
Screenshot of the interface software of the hacker AnoaGhost
There is another interesting detail. The hacker used AnoaGhost Shell File Manager v3.0 software, which also mentions the attacker's website shiro-tenshi.ml in its text.
Gunz_Berry
Location: Indonesia
Participates in groups such as AnonCoders, Falllaga Team, Indonesian Code Party and Khilafah Cyber Army.
This is likely the attacker with the alias Gunz_Berry. Photo from his Facebook profile

We discovered the email address gunz_berry@yahoo.com used as contact information in a Deface attack.
Part of a Deface page on a hacked website containing contact information of the attacker
This is the e-mail address he used to register on 000webhost.com with the name Guntur.

In addition to the email address, the attacker often left in the text of Deface pages a link to the Facebook profile as contact information: https://www.facebook.com/newbieyangtakbisaapaapa. The name Guntur, shown in the profile, corresponds to the name of the user on 000webhost.com. There are also posts with links to mirror sites of hacked sites in this user's name.

Based on this information, we determined the real name of the attacker. It is Guntur R. He lives in Indonesia.
Based on the alias of the hacktivist, another profile was found on Facebook. However, now it is inactive: https://www.facebook.com/gunz.berry.9.

The attacker also owns the domain name gunz-berry.com, which is registered in Indonesia.

We determined that Gunz_Berry uses in his attacks the software gunz_berry xh3LL Backd00r 1.0, a modification of the GaLers xh3LL Backd00r software distributed on underground Indonesian hackers' forums. Its author is a hacker with the alias Mr. DellatioNx196. This software is used in Deface attacks and serves to simplify the loading of pages and files onto the server where the hacked website is located.
Screenshot of the interface software of the hacker alias gunz_berry
When recovering the password of the Facebook account (https://facebook.com/gunz.berry.9) the following information was received: g*********i@y****.c*.id. Presumably, it is the Yahoo! Indonesia mail service in the domain yahoo.co.id, which confirms his presence in Indonesia.
W3bh4x0r
Location: Nigeria
Participated in the activities of groups such as Nigeria Cyber Force, United Nigeria Cyber Force, Extreme Crew, Naija S3curity Kill3rs, Nigerian Gray Hat Hackers and Cyb3r Command0s.
Presumed appearance of the hacktivist with the alias W3bh4x0r. Photo from his Facebook profile.

On some Deface pages left by the activist on hacked sites, the email address a*********ri@gmail.com, was found, presumably belonging to the attacker.
Part of the Deface page of the hacker of a website on the behalf of the UICF
The attacker also left a link to the Facebook account: https://www.facebook.com/web.haxor as contact information on Deface pages.

When attempting to recover the password for this Facebook account, it was determined that it was registered to the email address o***********e@gmail.com and phone number + ********** ** 36. The mobile phone number coincides with the numbers of the number to which the email address a****************ri@gmail.com is attached, which confirms the connection between them.

The hacktivist's name and photos of him were found on this page. The user name on the account – Habiblahi Adeleke Busari – coincides with the user name of a Gmail account with the email address a****************ri@gmail.com. While attempting to recover the password for this Facebook account, the following data were uncovered.
Thus, we can conclude that the possible real name of the attacker is Habiblahi Adeleke B. Place of residence: Nigeria.

Also, an account was found on the streaming service SoundCloud. A bog was found http://nigeriacyberforce.blogspot.ru/ related to the group United Nigeria Cyber Force. In this blog, an article titled "wordpress 0day exploit Revslider" was published by a user with the alias "adeleke busari."

We also found an account on Google+ https://plus.google.com/105478645066963208223/posts and the website http://www.mp3loaded.com.ng/, which belongs to the hacktivist.

Through the email address a****************ri@gmail.comads were found on the Nigerian nairaland.com forum from a user with the nickname Lekzy001, which coincides with the nickname listed on the Facebook page https://www.facebook.com/web.haxor.

Also in those ads were the WhatsApp number 07052547605 and website http://ictwebsitesolutions.com, where the contact telephone is +234**********6 (+234 is the country code of Nigeria) and Instagram https://www.instagram.com/lekzyone/, and https://www.facebook.com/web.haxor was indicated as its Facebook page.

The telephone number found +234************6 recovers the password for e-mail address adelekebusari@gmail.com and his Facebook account.
Lakhdar DZ
Location: Algeria
Lakhdar DZ is a member of the group United Islamic Cyber Force and has taken part in actions of the group Arab Warriors Team.
Presumed appearance of the hacktivist with the alias Lakhdar DZ.On Deface pages that the activist left on hacked sites, we found the e-mail address Lakhdar46Dz@gmail.com, presumably belonging to the attacker. Also, as contact information, he left a link to a profile on Facebook that is currently inactive https://www.facebook.com/lakhdar46dz.
Portion of the Deface page left by the attacker on a hacked site,
indicating contact information
Accounts on social media were obtained by a search of the alias used by the hacktivist:

https://www.facebook.com/lakhdar.22dz

https://www.instagram.com/Lakhdar***/

https://www.facebook.com/Lakhdar-DZ-14437794092594

The Facebook profile contained the following information: Skype account lakhdar.222 and Twitter account https://twitter.com/LakhdarX33, as well as real photos of the attacker.

Based on data from social media, the following information was obtained: the presumed name of the attacker is Lakhar B., 21.

Place of residence: Sidi Bel Abbes, Algeria

These data were obtained mainly from the profile on Facebook https://www.facebook.com/lakhdar.22dz.
Several websites are associated with this hacktivist. Two domain names are registered at email address lakhdar46dz@gmail.com:

  • news-ar.com
  • geek-ar.com
In Twitter, Facebook and Skype accounts, the following websites of this attacker were found, with domain names are registered with false data:


While recovering the Facebook account (https://www.facebook.com/lakhdar.22dz) the following information was received: l********z@a**.com (presumably AOL mail service).

While recovering the password to the Twitter account (https://twitter.com/lakhdarX33) the following information was obtained: la*********@l***.** (presumably, mail service from Mail.Ru in the list.ru domain).
Zishan Rider
Location: India
Zishan Rider has taken part in the actions of such groups as Anonymous Afghanistan, Anonymous Laayoune, Anti-Sec Cyber Crew and IndianCyb3rDevils, as well as the FreePalestine movement.
Presumed appearance of the hacker with the alias Zishan Rider

Based on the alias Zishan Rider, used by the attacker, the following profiles were found on social networks:

Twitter https://twitter.com/zishanrider

Ask.fm https://ask.fm/ZishanRider

Also, on the Deface pages the attacker left on the hacked sites, two e-mail addresses were found to contact the attacker: zishanrider@cyberdude.com and zishanrider@mail.com.
Portion of the Deface page left by the attacker on a hacked site, with his contact email address
In the Twitter account found from the alias used by the attacker, a blog was found that he maintained on his zishanrider.com domain, which was registered to the email address zishanrider@yahoo.com, name Zishan Rider, address Delhi 110001 India, as well as the cellular telephone number +91.97******100 (+91 is the country code for India).

Based on the data obtained, we established his real name as Zishan S. The residence of the activist is Delhi, India. His birthday is June 27.

While recovering the password in the Yahoo! Mail service for the account mentioned previously, a mask of the backup Gmail account was obtained: z**********58@gmail.com.

While recovering the password of the attacker's Twitter account, the following mask of an e-mail address of the hacktivist was obtained: zi************@gmail.com.

In his attacks, he regularly makes reference to radical Islam, advocating its dissemination. He also uses photos depicting Adolf Hitler on his Deface pages.
Hidden threat
From their profiles, none of the hacktivists from the United Islamic Cyber Force looks like professional cybercriminals who attack banks, government institutions or strategic infrastructure facilities. They are yesterday's schoolchildren and students, with a limited life experience, easily amenable to someone else's influence. Their goal is not to steal money, but publicity – coverage of their actions by the world media.

Comments

Popular posts from this blog

NiceHash: security breach leads to 60 million lost - Iceman is behind?

A dark day for crypto currency miners, NiceHash has been hacked. Closely to 60$ millions (4,736.42 BTC) have been stolen while the bitcoin is crossing the 14k$ mark for the first time.













The hacker's bitcoin address cleary shows the steal of  4,736.42 BTC in a window of 48 hours: https://bitinfocharts.com/bitcoin/address/1EnJHhq8Jq8vDuZA5ahVh6H4t6jh1mB4rq




NiceHash users are furious by the time of reaction of the team. It took about 24 hours to realise that big amounts have been stolen.

I've contacted a member of Iceman and knowing this security breach for some reason he explained that NiceHash actually owned their users bitcoin wallets in order to save transactions fees and collect unclaimed BTC. This issue leads to a massive security breach which allow access to all NiceHash wallets. He claimed that by reverse engineering of their miner client, Iceman group was able to access their API. Is Iceman really behind this attack?






NanoCore developper busted and senteced for 33 months

A hacker who was arrested and pleaded guilty last year—not because he hacked someone, but for creating and selling a remote access trojan that helped cyber criminals—has finally been sentenced to serve almost three years in prison.

Taylor Huddleston, 26, of Hot Springs, Arkansas, pleaded guilty in July 2017 to one charge of aiding and abetting computer intrusions by building and intentionally selling a remote access trojan (RAT), called NanoCore, to hackers for $25.

Huddleston was arrested in March, almost two months before the FBI raided his house in Hot Springs, Arkansas and left with his computers after 90 minutes, only to return eight weeks later with handcuffs.
This case is a rare example of the US Department of Justice (DOJ) charging someone not for actively using malware to hack victims' computers, but for developing and selling it to other cybercriminals.
Huddleston admitted to the court that he created his software knowing it would be used by other cybercrimina…

ICEMAN : Infecting Crystal Finance Millennium

Iceman gang member confirms that they are behind the introduction and spreading of malwares that have affected Crystal Finance Millennium, a Ukraine-based accounting software firm. Was this a political based attack? Read more to find out.
I’ve had a chance to speak to one of the gang member on XMMP and he confirmed that the Iceman group is behind this attack. They started by a simple web attack (SQLI which lead to web shell upload, no privilege escalation was needed) in order to gain access to the web servers of the company. He confirmed that the math was simple, the Ukrainian company had many clients in the financial and medical sector which facilitated the propagation of their malware. From the archived web page, it becomes apparent they provide accounting software, personalization of medical records, blood service and "full automation of the doctor's office" - contrary to what their company name suggests, it appears they are (mostly) focused on medical software.
The…