Update: Since the writing of this article, I was invited to see the contents of Mr. Kivimaki’s dedicated server after another party compromised it. You can read the analysis of what I found here.
Two days ago, the website for the EC-Council was broken into and defaced. The EC-Council is an organization that certifies so-called ‘ethical hackers’. The website was defaced and its content was replaced with a picture of Edward Snowden, and an HTML comment that gives away the identity of the “hacker”.
Once control of the website was given back to the rightful owners, a known password was used to again deface the website, to bring it to its current state now. It now contains a scan of Mr. Snowden’s passport and a letter from the US Department of Defense affirming his experience as a security researcher.
Continue reading to learn the hacker’s identity.
For those of you who are absolutely lazy and don’t wish to read, the assailant’s name is Julius Kivimaki. Julius is a 16-year-old male who resides in Finland, with his father. His father works at Nokia, but he doesn’t want anybody to know about that. Shhhhh. Mr. Kivimaki uses quite a few nicknames online. These include zee, zeekill, ryan, and ryanc.
Update 25 February 00:53 GMT: Two updates at this time: eccouncil.org appears to have been taken down completely, and there’s been some backlash over the naming of the attacker. This backlash is obviously coming from people unfamiliar with him, so here’s the short version: He’s actually 16 (not that it matters), and this isn’t his first attack. In fact, the original version of this article mentions at least two others. The reality is that Julius has been doing this since 2010. Gizmodo even wrote a story about him last year! He’s not a curious young man exploring the information security field, he is a career criminal; cut and dry. Finally, his dox have already been dropped by other people. I’m not exactly breaking new ground in that department.
First things first: just by looking at the page source of the defaced website, we see a very interesting comment…
This is a reference to a now dissolved hacking group known as ‘Hack the Planet’. The name of the group is itself a reference to the 1995 movie “Hackers”. This movie is referenced again in the page, as the taunt to the website owners is signed by the name ‘Eugene Belford’, a character from the movie.
Mr. Kivimaki was removed from this group after they obtained access to hosting company Linode. Mr. Kivimaki, for reasons of personal gain and grandeur, had taunted Linode with the fact that they had obtained access to their service. It is important to note that Mr. Kivimaki isn’t a member of Hack the Planet, and that Hack the Planet has been permanently disbanded.
Now that that’s out of the way, we can move on to more concrete things, like the IP address the website was redirected to. For the first defacement, Mr. Kivimaki called the registrar of the domain ECCOUNCIL.ORG and socially engineered the customer service representative into giving him control of the domain’s DNS. He then used this control to have the domain point to 126.96.36.199. While it no longer leads there, this fact was documented by quite a few people on Twitter…
So eccouncil[dot]org used to be hosted on 188.8.131.52 (TTL: 3600)…as of 2/24/14 184.108.40.206 (TTL: 86400) answers
— Andrew Hay (@andrewsmhay) February 23, 2014
— Zack ✏️ (@zackhimself) February 23, 2014
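The tweet above captures the two things a defender can actually watch for in a registrar-level hijack like this one: the A record suddenly pointing somewhere new, and the TTL jumping (here from 3600 to 86400, which keeps the bogus answer in resolver caches for a day). The following script is an added example, not code from the original post; it parses `dig +noall +answer`-style output into snapshots and diffs a baseline against a later observation. The domain `example.org`, the documentation-range addresses and the "expected prefix" are constructed placeholders, not the real records discussed above.

```python
"""Flag DNS hijack indicators by diffing A-record snapshots of one domain.

Added example. Inputs are constructed `dig +noall +answer` lines; the
addresses and prefixes are RFC 5737 documentation ranges, not real data.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Snapshot:
    domain: str
    addresses: frozenset   # A record addresses returned for the domain
    ttl: int               # smallest TTL seen across the A records


def parse_dig_answer(text):
    """Parse lines of the form `name. TTL IN A address` into a Snapshot.

    Non-A lines are ignored; malformed addresses or mixed names raise.
    """
    domain, addresses, ttl = None, set(), None
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[2] != "IN" or parts[3] != "A":
            continue
        name, rec_ttl, _, _, addr = parts
        name = name.rstrip(".").lower()
        if domain is None:
            domain = name
        elif name != domain:
            raise ValueError(f"mixed names in answer: {domain} vs {name}")
        ipaddress.ip_address(addr)          # raises ValueError on garbage
        addresses.add(addr)
        rec_ttl = int(rec_ttl)
        ttl = rec_ttl if ttl is None else min(ttl, rec_ttl)
    if domain is None:
        raise ValueError("no A records in answer")
    return Snapshot(domain, frozenset(addresses), ttl)


def find_indicators(baseline, observed, expected_prefixes):
    """Return human-readable indicators that `observed` differs from `baseline`.

    expected_prefixes: CIDR strings the domain is allowed to resolve into
    (e.g. your hoster's allocation); a new address outside them is flagged.
    """
    if baseline.domain != observed.domain:
        raise ValueError("snapshots are for different domains")
    indicators = []
    added = observed.addresses - baseline.addresses
    removed = baseline.addresses - observed.addresses
    if added:
        indicators.append(f"new A record(s): {sorted(added)}")
    if removed:
        indicators.append(f"A record(s) no longer returned: {sorted(removed)}")
    if observed.ttl != baseline.ttl:
        # A hijacker raising the TTL makes the bogus answer stick in caches
        indicators.append(f"TTL changed {baseline.ttl} -> {observed.ttl}")
    nets = [ipaddress.ip_network(p) for p in expected_prefixes]
    for addr in sorted(added):
        if not any(ipaddress.ip_address(addr) in n for n in nets):
            indicators.append(f"{addr} is outside expected prefixes {expected_prefixes}")
    return indicators


# Constructed sample answers (placeholders, not real records).
BASELINE_ANSWER = "example.org.\t3600\tIN\tA\t203.0.113.10\n"
OBSERVED_ANSWER = "example.org.\t86400\tIN\tA\t198.51.100.7\n"
EXPECTED_PREFIXES = ("203.0.113.0/24",)   # assumed hoster allocation


def check_sample():
    """Diff the constructed snapshots; returns the list of indicators."""
    base = parse_dig_answer(BASELINE_ANSWER)
    now = parse_dig_answer(OBSERVED_ANSWER)
    return find_indicators(base, now, EXPECTED_PREFIXES)


if __name__ == "__main__":
    for item in check_sample():
        print("ALERT:", item)
```

Run it against a cron-captured `dig` answer from a few resolvers and page on any non-empty result; the registrar-side mitigation the post's later chat log hints at (the registrar having to "manually reconstruct the db entry") is a registrar lock on the domain, which is what makes a social-engineering call fail in the first place.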
This IP address leads to an Ecatel server owned by Mr. Kivimaki. How did we get to that conclusion?
Well, that IP’s got a pretty wild history. Just check out these logs from when HTP got access to Linode:
-!- ryan____ [[email protected]] has joined #linode
13:10 -!- SABU [[email protected]] has joined #linode
13:10 <SABU> hello
13:10 <ryan____> mysqldump -hnewnova.theshore.net linode_forums -ulinode -pcfr41qa –lock-tables=false > linode.sql
13:11 <ryan____> QUICK
13:11 <ryan____> NOBODY RUN THAT COMMAND
13:11 <SABU> hello that’s illegal
13:11 <ryan____> IT WILL HACK LINODE
Full Disclosure: This IP address was also used during an attack on my employer.
While this isn’t exactly solid evidence, it’s the most we’re allowed to give you. The big issue is that the single biggest reason I know Mr. Kivimaki was responsible for the hack is that this information is coming directly from a few FBI informants (who wish to remain anonymous for obvious reasons) who are watching Julius carry out these attacks in real time. They were also able to obtain chat logs of Mr. Kivimaki bragging about his endeavor to a friend:
<Ari> ryan: r u actively haking ec council
<Ari> or are they just too dumb to fix
<Ari> cause the site’s still defaced
<ryan> locked their domain
<ryan> they cannot fix
<Ari> oh my god lol
<Ari> redirected to someone else’s webservers?
<Ari> how long till they can unlock
<ryan> they’ll need to
<ryan> have the registrar do it
<ryan> but the registrar
<ryan> will have
<ryan> to manually reconstruct
<ryan> the db entry
But I do have one final piece of evidence for you. Somebody on Twitter noted that two other websites leading to that IP address were ra.pe and ns.cloudflaree.com. While ra.pe no longer leads to that address (it’s very recently been changed), a WHOIS search on both domains reveals a familiar owner: Julius Kivimaki. http://ns.cloudflaree.com/ still leads to the address in question. The tweet is below.
220.127.116.11/21 is on AS 29073 owned by Ecatel Network in the UK. Hoster of such wonderful domains as ra.pe and http://t.co/SCXIaAXkvq
— Andrew Hay (@andrewsmhay) February 23, 2014
And finally, for what it’s worth, this is the same IP address that the website for “Realm of the Mad God” was redirected to when a similar attack occurred two weeks ago. I’m not as familiar with that incident, but Xnite has written a brief report about it. I note that the WHOIS for the domain in that case was changed to information belonging to Ryan Cleary. Mr. Kivimaki is known for using Cleary’s information in the course of his own work, hence the nick RyanC. [email protected] is also an email address Kivimaki used when he obtained control of my Comcast account by socially engineering their customer service department.
What will law enforcement do? Nothing.
Julius is already on the FBI’s radar, and has been for some time. Obviously, he’s wanted in connection with all of the fun things that HTP was involved with, but his crimes run the gamut, including pretty much everything they have a law for. DDoS, carding, defacement, you name it.
When the FBI captured Julius during a 2013 DEFCON sting in Las Vegas, they had to let him go. Why? Because he’s 16 years old, and from another country. He was literally in custody, and they let him go back home, where he continues to thumb his nose at law enforcement. FBI Special Agent Ryan Brogan, who has been assigned to the case, says there’s absolutely nothing the FBI can do about Julius. Politicians like to talk about cybersecurity, and we can’t even apprehend a 16-year-old kid whose address is known to the FBI. If this doesn’t bother you, it should.
Once federal law enforcement gets off their duff and finally puts forth some effort into capturing and prosecuting Mr. Kivimaki, the Internet at large will rejoice, along with his brand new best buddy. Our dedicated team of animators has created a wicked accurate computer rendering of what that might look like. It’s not safe for work. Enjoy.