Do It For the 'Gram
Nicholas Carroll
IT and Cybersecurity Professional, Tech Educator, Former CISO and CTO, Current Cyber Threat Intelligence Researcher
Telegram as a communications platform is very popular with certain attack groups as a place to interact with their "community". For some groups it is the critical place to build that community of followers, drawing the clout and credibility that can later be leveraged into a proper "brand" that will strike fear in the hearts of others. This is incredibly important for groups that leverage extortion for payment: the stronger the name, the more likely someone is to pay to avoid dealing with the potential cyber-attack. But can you take a shortcut to gain followers, clout, and credibility as an attack group? Sure, you can, and it will probably include lying and stretching the truth about what you and your team have accomplished. But that is OK if it gets you more clout and followers, right?
Recently Russian DDoS and attack groups such as KillNet have been using Telegram to great effect to spread their messages, show off their attacks, gain more followers, and gain more recruits. Their channels are growing rapidly as followers come to see what these groups are doing in support of perceived Russian objectives in the Russo-Ukrainian Crisis. But some of these groups may be stretching the truth or using a bit of misdirection to hype up their Russian followers while not actually accomplishing their stated goals. Let us look at a recent example from KillNet…
June 30th, 2022
KillNet, coming off strong attacks against Lithuania, finds an American target PayUSATax.com. The attack lands, and the service is temporarily brought down.
PayUSATax is one of the officially approved vendors from the IRS for paying your taxes by credit card. It is a corporation founded by Worldpay and Value Payment Systems, and while it services the IRS, it is not the Federal Government. But that does not matter to KillNet and their followers, because generally speaking their followers will not research the target any further. KillNet claims it as a successful attack against the Federal Tax Payment System. The posts get thousands of views and hundreds of engagements. KillNet may be stretching the truth a bit, but their followers don't care to research further.
But what about a group that may just be making up entire parts of their attacks?
CIA, don’t forget about Zarya…
On June 26th, an offshoot of the Russian DDoS group KillNet known as Zarya makes a post indicating they're poking around US Government websites.
Roughly translated, Zarya states:
"WARNING You have accessed the US Government information system
Thank you, we know
ed.:
CIA, don't forget about Zarya
SQL deflated"
The post gets plenty of views and even draws some responses from KillNet and other groups. Zarya makes a couple more posts about potentially accessing the system and making some changes, such as temporarily setting the language to Russian and mocking the email security features. Zarya doesn't name the site or agency. Going out to a search engine and looking for the language in the bid invite brings up a page at hxxps[:]//ma[.]gov[.]procurement[.]secure[.]ammac06[.]com.
It's a pretty convincing copy of the State of Massachusetts website at mass.gov but it does not appear to actually be owned or operated by the State's IT team. This fake page has been active since at least April 20th, 2022 according to data on URLScan. The domain ammac06[.]com was registered on 8/30/2018 with BookMyName and today, 6/30/2022, it has about 38 subdomains. Almost all subdomains appear to be spoofing US entities such as alabama[.]gov[.]procurement[.]secure[.]ammac06[.]com, www[.]usda[.]gov[.]3[.]22[.]invitation[.]ammac06[.]com, and hhs[.]gov[.]procurement[.]server[.]ammac06[.]com. The domain currently lives at the IP 109[.]234[.]165[.]70 hosted by o2switch.fr, and the domain ammac06[.]com has been hosted at that IP since it was purchased. It's a pretty standard shared hosting solution, and the fake sites appear to be running on WordPress.
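The spoofing pattern described above (a `.gov` name buried inside a subdomain of an unrelated registered domain) is easy to catch in proxy or DNS logs. The following is an added example, not the author's tooling: it refangs the defanged hostnames quoted in this article and flags any host where `gov` appears as an interior label rather than the real top-level domain. The two benign hosts in the sample are assumed for contrast, and the eTLD+1 logic is a deliberate simplification.

```python
import re

# Constructed sample: spoofing hostnames quoted in the article (defanged), plus
# two legitimate hosts for contrast. Only the spoof strings come from the page.
SAMPLE_HOSTS = [
    "hxxps[:]//ma[.]gov[.]procurement[.]secure[.]ammac06[.]com",
    "alabama[.]gov[.]procurement[.]secure[.]ammac06[.]com",
    "www[.]usda[.]gov[.]3[.]22[.]invitation[.]ammac06[.]com",
    "hhs[.]gov[.]procurement[.]server[.]ammac06[.]com",
    "wsdot[.]wa[.]gov[.]3[.]21[.]2022[.]ammac06[.]com",
    "mass[.]gov",       # legitimate state site named in the article
    "ammac06[.]com",    # the real registered domain, on its own
]

# Public-sector suffixes that should only ever be the final label of a hostname.
PROTECTED_SUFFIXES = ("gov", "mil")

def refang(indicator: str) -> str:
    """Turn a defanged indicator (hxxps[:]//, [.]) back into a plain hostname."""
    host = indicator.strip().lower()
    host = re.sub(r"^hxxps?\[?:\]?//", "", host)
    host = host.replace("[.]", ".").replace("(.)", ".")
    return host.rstrip("/")

def registered_domain(host: str) -> str:
    """Naive eTLD+1 (last two labels). Fine for .com/.gov; a production
    version would consult the Public Suffix List instead."""
    return ".".join(host.split(".")[-2:])

def embedded_gov_label(host: str):
    """Return the impersonated domain (e.g. 'usda.gov') when a protected suffix
    sits in an interior position of a host registered elsewhere, else None."""
    labels = host.split(".")
    # The last label is the real TLD, so only interior positions are suspicious.
    for i, label in enumerate(labels[:-1]):
        if label in PROTECTED_SUFFIXES and i >= 1:
            return ".".join(labels[i - 1:i + 1])
    return None

def find_lookalikes(indicators):
    """Map each spoofing hostname to (impersonated domain, real registered domain)."""
    hits = {}
    for ind in indicators:
        host = refang(ind)
        fake = embedded_gov_label(host)
        if fake:
            hits[host] = (fake, registered_domain(host))
    return hits

if __name__ == "__main__":
    for host, (fake, real) in find_lookalikes(SAMPLE_HOSTS).items():
        print(f"{host}: impersonates {fake}, really hosted under {real}")
```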
Zarya may have found this collection of spoofing websites by a Google search, but group members may also be the ones creating and running the spoofed pages. Two days after the first post about an ammac06[.]com site, on June 28th, Zarya posts about the Government websites they've found. They claim to have defaced multiple US Federal, State, and Local Government pages...
Roughly translated, Zarya states...
"Briefly speaking. Nothing interesting was found there. They leaked what happened and finally defaced the gateways:
URIs
Left a surprise for 'friends'. P.S. Now SQL is also suitable for AMMAC (Association de Marins et Marins Anciens Combattants) Why? Because we can"
The listed URIs of hawaii[.]gov[.]procurement[.]server[.]ammac06[.]com, alabama[.]gov[.]procurement[.]secure[.]ammac06[.]com, hhs[.]gov[.]procurement[.]server[.]ammac06[.]com, ma[.]gov[.]procurement[.]secure[.]ammac06[.]com, ne[.]gov[.]procurement[.]secure[.]ammac06[.]com, usda[.]gov[.]3[.]22[.]invitation[.]ammac06[.]com, and wsdot[.]wa[.]gov[.]3[.]21[.]2022[.]ammac06[.]com all show the same supposed defacement at the time of the post. The supposed defacement is a linked image from a Russian news source used as the background, with English text overlaid. We can see the URI for one of the spoof pages and the start of the message in the following screenshot.
And the full defacement message...
That statement in their post about the domain being part of AMMAC also gets a follow up post trying to clarify to their followers what AMMAC is and some more details on their findings.
AMMAC is actually a French organization focused on helping sailors and their families and is part of the Federation of Associations of Sailors and Veteran Sailors. It has no association with the United States Government entities that Zarya is claiming to have defaced. The SQL database released isn't for any US Government entity; it is for the WordPress site of ammac06[.]com.
A sample of the database output is shown below.
So, with this last bit of info, it seems we may be able to start putting together the full puzzle for what Zarya has done.
AMMAC does appear to actually own and operate the website ammac06[.]com and has since at least 2020 according to information at the Internet Archive. They have most likely been operating it since the domain was registered in 2018. Their website is a WordPress site that may have some form of vulnerability or poor password management that has allowed Zarya operatives to take over the domain. The primary website still exists and is shown to the right. Some attacker with access to AMMAC's hosting solution has taken over the site and added the spoofed US Government pages this year. Either Zarya came across these spoofing pages and then exploited the domain to deface them, or the operatives took over the domain earlier this year, made the pages for phishing attacks, and later reused them for this fake defacement claim. Zarya does appear to have attacked the website of AMMAC, but that isn't interesting enough to share and build clout, so the fake US Government defacement pages may have been created for that purpose. These may also have been used in earlier phishing attacks against other organizations. It is not certain that Zarya created the original spoofing pages, but it is quite likely. The fake defacement of these spoofing pages, though, appears to have been done purely to chase clout. A little research would show any follower that the defacement attacks and pages are not actually attached to a US Government entity.
But accuracy doesn't matter when chasing clout and trying to build a following, especially when your group is already not concerned with laws and ethics. The most important part is building that brand, creating the right optics, and doing it for Telegram.