Who Hacked EC-Council?

20120220

It’s not really hacking. Just FYI.

Update: Since the writing of this article, I was invited to see the contents of Mr. Kivimaki’s dedicated server after another party compromised it. You can read the analysis of what I found here.

Two days ago, the website for the EC-Council was broken into and defaced. The EC-Council is an organization that certifies so-called ‘ethical hackers’. The website was defaced and its content was replaced with a picture of Edward Snowden, and an HTML comment that gives away the identity of the “hacker”.

Once control of the website was given back to the rightful owners, a known password was used to deface the website again, bringing it to its current state. It now contains a scan of Mr. Snowden’s passport and a letter from the US Department of Defense affirming his experience as a security researcher.

Continue reading to learn the hacker’s identity.


For those of you who are absolutely lazy and don’t wish to read, the assailant’s name is Julius Kivimaki. Julius is a 16 year old male who resides in Finland, with his father. His father works at Nokia, but he doesn’t want anybody to know about that. Shhhhh. Mr. Kivimaki uses quite a few nicknames online. These include zee, zeekill, ryan, and ryanc.

Update 25 February 00:53 GMT: Two updates at this time: eccouncil.org appears to have been taken down completely, and there’s been some backlash over the naming of the attacker. This backlash is obviously coming from people unfamiliar with him, so here’s the short version: He’s actually 16 (not that it matters), and this isn’t his first attack. In fact, the original version of this article mentions at least two others. The reality is that Julius has been doing this since 2010. Gizmodo even wrote a story about him last year! He’s not a curious young man exploring the information security field, he is a career criminal; cut and dry. Finally, his dox have already been dropped by other people. I’m not exactly breaking new ground in that department.

First things first.. just by looking at the page source of the defaced website, we see a very interesting comment…

<!--htp6--!>

Who he thinks he is…

This is a reference to a now dissolved hacking group known as ‘Hack the Planet’. The name of the group is itself a reference to the 1995 movie “Hackers”. This movie is referenced again in the page, as the taunt to the website owners is signed by the name ‘Eugene Belford’, a character from the movie.

Mr. Kivimaki was removed from this group after they obtained access to hosting company Linode. Mr. Kivimaki, for reasons of personal gain and grandeur, had taunted Linode with the fact that they had obtained access to their service. It is important to note that Mr. Kivimaki isn’t a member of Hack the Planet, and that Hack the Planet has been permanently disbanded.

...And the grody little twink he really is.

…and back to reality.

So now that’s out of the way, we can move on to more concrete things. Like the IP address the website was redirected to. For the first defacement, Mr. Kivimaki called the registrar of the domain ECCOUNCIL.ORG and socially engineered the customer service representative into giving him control of the domain’s DNS. He then used this control to have the domain point to 93.174.95.82. While it no longer leads there, this fact was documented by quite a few people on Twitter…

This IP address leads to an Ecatel server owned by Mr. Kivimaki. How did we get to that conclusion?

Well, that IP’s got a pretty wild history. Just check out these logs from when HTP got access to Linode:

-!- ryan____ [[email protected]] has joined #linode
13:10 -!- SABU [[email protected]] has joined #linode
13:10 <SABU> hello
13:10 <ryan____> mysqldump -hnewnova.theshore.net linode_forums -ulinode -pcfr41qa --lock-tables=false > linode.sql
13:11 <ryan____> QUICK
13:11 <ryan____> NOBODY RUN THAT COMMAND
13:11 <SABU> hello that’s illegal
13:11 <ryan____> IT WILL HACK LINODE

Full Disclosure: This IP address was also used during an attack on my employer.

While this isn’t exactly solid evidence, it’s the most we’re allowed to give you. The big issue is that the single biggest reason I know Mr. Kivimaki was responsible for the hack is that this information is coming directly from a few FBI informants (who wish to remain anonymous for obvious reasons) who are watching Julius carry out these attacks in real time. They were also able to obtain chat logs of Mr. Kivimaki bragging about his endeavor to a friend:

<Ari> ryan: r u actively haking ec council
<Ari> or are they just too dumb to fix
<Ari> cause the site’s still defaced
<ryan> I
<ryan> locked their domain
<ryan> they cannot fix
<Ari> oh my god lol
<Ari> redirected to someone else’s webservers?
<Ari> how long till they can unlock
<ryan> they’ll need to
<ryan> have the registrar do it
<ryan> but the registrar
<ryan> will have
<ryan> to manually reconstruct
<ryan> the db entry

But I do have one final piece of evidence for you. Somebody on Twitter noted that two other websites leading to that IP address were ra.pe and ns.cloudflaree.com. While ra.pe no longer leads to that address (it’s very recently been changed), a WHOIS search on both domains reveals a familiar owner: Julius Kivimaki. http://ns.cloudflaree.com/ still leads to the address in question. The tweet, below.

And finally, for what it’s worth, this is the same IP address that the website for “Realm of the Mad God” was redirected to when a similar attack occurred two weeks ago. I’m not as familiar with that incident, but Xnite has written a brief report about it. I note how the whois for the domain in that case was changed to information belonging to Ryan Cleary. Mr. Kivimaki is known for using Cleary’s information in the course of his own work, hence the nick RyanC. [email protected] is also an email address Kivimaki used when he obtained control of my Comcast account by socially engineering their customer service department.
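A defender-side check for the registrar-level redirect described above, added here as an example and not part of the original article: it compares an observed DNS and registration snapshot against a known-good baseline and escalates when the new address was already seen in an earlier redirect. The baseline IP, nameservers and EPP statuses are constructed; only the domain and the redirect IP come from the article.

```python
from dataclasses import dataclass

# EPP status codes that block registrar-side transfers and updates.
LOCKS = {"clientTransferProhibited", "clientUpdateProhibited"}

@dataclass(frozen=True)
class Snapshot:
    """One observation of a domain's public DNS and registration state."""
    domain: str
    a_records: frozenset
    nameservers: frozenset
    epp_status: frozenset

def audit(baseline, observed, known_bad_ips):
    """Compare an observation with the baseline and return findings."""
    findings = []
    for ip in sorted(observed.a_records - baseline.a_records):
        # An address reused from an earlier incident is the strongest signal.
        sev = "CRITICAL" if ip in known_bad_ips else "HIGH"
        findings.append(f"{sev}: {observed.domain} A record now includes {ip}")
    if baseline.a_records and not (baseline.a_records & observed.a_records):
        findings.append("HIGH: every baseline A record has been replaced")
    new_ns = observed.nameservers - baseline.nameservers
    if new_ns:
        findings.append("HIGH: nameservers changed: " + ", ".join(sorted(new_ns)))
    missing = LOCKS - observed.epp_status
    if missing:
        findings.append("MEDIUM: registrar locks not set: " + ", ".join(sorted(missing)))
    return findings

# Constructed baseline (192.0.2.0/24 is a documentation range).
BASELINE = Snapshot("eccouncil.org", frozenset({"192.0.2.10"}),
                    frozenset({"ns1.example.net", "ns2.example.net"}),
                    frozenset({"clientTransferProhibited"}))
# Constructed observation modelled on the redirect the article describes.
HIJACKED = Snapshot("eccouncil.org", frozenset({"93.174.95.82"}),
                    frozenset({"ns1.example.net", "ns2.example.net"}),
                    frozenset({"clientTransferProhibited"}))
# Addresses seen as the target of earlier redirects (from the article).
WATCHLIST = {"93.174.95.82"}

if __name__ == "__main__":
    for line in audit(BASELINE, HIJACKED, WATCHLIST):
        print(line)
```

In practice the snapshots would be filled from scheduled DNS lookups and the registry's RDAP or WHOIS output, with the alert going to someone who can reach the registrar out of band.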

What will law enforcement do? Nothing.

Julius is already on the FBI’s radar, and has been for some time. Obviously, he’s wanted in connection with all of the fun things that HTP was involved with, but his crimes run the gamut, including pretty much everything they have a law for. DDoS, carding, defacement, you name it.

When the FBI captured Julius during a 2013 DEFCON sting in Las Vegas, they had to let him go. Why? Because he’s 16 years old, and from another country. He was literally in custody, and they let him go back home, where he continues to thumb his nose at law enforcement. FBI Special Agent Ryan Brogan, who has been assigned to the case, says there’s absolutely nothing the FBI can do about Julius. Politicians like to talk about cybersecurity, and we can’t even apprehend a 16 year old kid whose address is known to the FBI. If this doesn’t bother you, it should.

Once federal law enforcement gets off their duff and finally puts forth some effort into capturing and prosecuting Mr. Kivimaki, the Internet at large will rejoice, along with his brand new best buddy. Our dedicated team of animators has created a wicked accurate computer rendering of what that might look like. It’s not safe for work. Enjoy.

15 comments on “Who Hacked EC-Council?”

  1. Pingback: CEH site hacked - Page 2

  2. Doxing a fifteen-year old… Calling him a “grody little twink”… Real classy bro. We all know you’re frustrated over the lack of prosecution but this doesn’t really solve anything. Don’t degrade yourself further.

  3. Well what can I say? As a fellow CEH and CHFI and ECSA and LPT and many many more certifications, I can safely say that it is NOT the fault of the CEH certification and the CEH certification is the BEST in the market for 50% theory and 50% practical. It is the most standardised as a certification and it is ALWAYS up to the instructor to be the best he/she can be to deliver the course. The courseware is a guideline. When I deliver the course I go far beyond the material and we delve into Buffer Overflow and Assembler coding, so try and not blame the certification and the instructors around the world! Be logical. This can happen to any company and it has! This is a user error and heads will roll and EC-Council will just improve and overall it will be a good result for all CEH’s and the public in the long run.
    Pride is at stake and well Yes there needs to be an honest reply from EC-Council and to be honest, who can accurately say they are 100% secure? That does not exist!

    Anyway let’s wait and see and let’s work together rather than just make silly remarks and immediately doubt what has taken well over 10 years to build. Have some faith that certifications are good, but also understand that reconnaissance and footprinting a company with TIME always beats any security, no matter which vendor!

    • I’ll bet the sixteen year old hacker who allegedly pulled this off doesn’t have any vaunted certs like CEH…there’s certs and there’s skills. One’s worth something. Guess which?

      =;^)

    • Are you serious? EC-Council is a paper mill as far as I am concerned.

      Surely there won’t be a lot of people that didn’t already think their certifications were worthless, and will now change their mind due to this defacement…

      In any case, I sure hope their certification isn’t ‘the best in the market’, because that doesn’t bode well for the future.

  4. I am unafraid to say that if you were my employee I would be cutting you loose pronto.

    If you are going to dox a minor, I suppose we can agree to disagree. But celebrating prison rape of that minor, a committer of non-violent crimes, is reprehensible.

    Shame! I am going to guess this tasteless reveal will follow you much longer than the eccouncil defacement will follow the young man.

    • You’re acting like the EC-Council defacement is the first thing this kid has done. This “young man” also likes to sit in Russian carder IRC channels and brag about how they can’t touch him for one reason or the other. This kid socials his way into ISP, water, and electricity accounts of random people and just has services shut off. Julius isn’t some curious youth who wanted to show off his skills, he’s a sociopath. Maybe do some research before you hop on your high horse.

      While ED is hardly a scholarly source, (and for the record, neither is my website), I think it will give you some fantastic insight as to how this little wretch behaves. https://encyclopediadramatica.es/Zeekill

      You’re also implying that I’m the first person to drop his name. Untrue. Other, much more skilled people he’s angered over the years have already done that. I’m just assigning a name to a crime, that’s all. https://doxbinicsjqqmohl.onion/doxviewer.php/?dox=RyanC_aka_zeekill

  5. To the guys defending the young Kivimaki, consider that he’s been doing this stuff for around 3 years now with no legal recourse, sending SWAT teams to innocent people’s houses and wasting the money of American taxpayers for his own entertainment. I have recordings of him doing this if anyone wants proof, and you can send me an email to [email protected] requesting those.

  6. Hold on,,, forget about 16 years old ones…
    I want 7-8 year old ones crucified and burned at stake!!!
    YES….??? No???
    Do I smell fascist here?
    Unfortunately YES…

  7. Pingback: So Who Hacked EC-Council Three Times This Week? – InfoSec News

  8. Pingback: Weekendowa Lektura | Zaufana Trzecia Strona

  9. Pingback: EC Council official website hacked (http://www.eccouncil.org/) » CYBER COPS India
