Who Hacked Mahamevnawa? Who Are The Algerian DZ Hackers? All Explained

If you don’t know already, the popular Buddhist website Mahamevnawa (Mahamevnawa.lk) was hacked and defaced by a group of Algerian hackers calling themselves H4ck Dz Team. You can read the Gossip9 article about the hack here (unfortunately I couldn’t find an English version of the news).

Because this is an attack against an innocent but popular website in Sri Lanka, we decided to look into it and see who these people are. If you don’t know who they are, just Google the term “H4ck Dz Team” and you will see the hacks and defacements they have done in the past.

So here is what I found.

I went through the comments on the Gossip9 article; in the comments someone had found and posted a link to the “H4ck Dz Team” Facebook page: https://www.facebook.com/H4ck.Dz.Team

Looking at the search results for “H4ck Dz Team” and going through the defacements, you can see that he used to call himself “nO lov3” as well as “H4ck Dz Team”. In some of the defacements there is an email address for contacting “H4ck Dz Team”: nolove49@gmail.com.

Searching Facebook for the email address nolove49@gmail.com shows it is used to register a Facebook profile: https://www.facebook.com/soufain.dz.

But obviously this can’t be a real profile. So I looked further and found a few things which I won’t reveal right now, but then I came to a dead end.

So I showed what I found to my good friend, whom I call “V”, and he somehow found and gave me the website of H4ck Dz Team: http://dz-team.biz.

DZ-Team.biz is a hacking forum run by H4ck Dz Team. Looking at the whois info of dz-team.biz won’t give you much. But a reverse IP lookup of dz-team.biz shows that only 7 websites are hosted on the IP address that serves dz-team.biz: http://www.ewhois.com/dz-team.biz/

They are,

dz-team.biz
al-daa.com
dz-mafia.net
atddz.com
rahahbb.com
mahdiadz.com
2algeria.org

dz-team.biz and dz-mafia.net belong to the H4ck Dz Team hackers. On shared hosting a reverse IP lookup usually turns up unrelated customers, but because so few websites are hosted at this IP, and all of them are Algerian, there is a strong possibility that all of these websites are hosted under the same hosting account.

Now, because the hackers we are looking for are Algerian, I first checked the 2algeria.org website. The website uses AdSense and Google Analytics. The same Google Analytics ID and AdSense ID are used on 3 websites, which means the 3 websites use the same Google account for Google Analytics and Google AdSense.

There may be more websites using the same Google Analytics and Google AdSense IDs.

The Google Analytics ID is: UA-3582164
The Google AdSense ID is: pub-7586127814300842

The 3 websites using the same Analytics and AdSense IDs are:

2algeria.com
2algeria.org
DZWORLD.INFO

The same person who owns DZWORLD.INFO also owns DZWORLD.NET and DZWORLD.ORG. So many “DZ”s repeating over and over and belonging to the same person; is this a coincidence?

Because DZWORLD.INFO and 2Algeria.org use the same Google account for Analytics (the account number in a UA- ID identifies one Analytics account, regardless of who registered the domains), they should belong to the same person even though their whois information is different.
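The pivot used above (grouping sites that embed the same Google Analytics account number or AdSense publisher ID, then chaining through whatever new sites come up) can be automated. The script below is an added example and is not part of the original post; it runs over constructed HTML snippets for invented domains (news.example and friends) rather than the sites named here, and every identifier in it is made up. Extra pivots such as a shared hosting IP or a whois registrant email can be passed in and are clustered the same way, which is the generalisation of the manual reverse-IP and whois steps in this post.

```python
import re
from collections import defaultdict

# Constructed HTML snippets standing in for pages you would fetch yourself.
# Domains and identifiers are invented for this example.
SAMPLE_PAGES = {
    "news.example": (
        "<script>var _gaq=_gaq||[];_gaq.push(['_setAccount','UA-1234567-1']);</script>"
        '<script>google_ad_client = "pub-1234567890123456";</script>'
    ),
    "forum.example": "<script>_gaq.push(['_setAccount', 'UA-1234567-3']);</script>",
    "shop.example": '<script>google_ad_client = "ca-pub-1234567890123456";</script>',
    "unrelated.example": "<script>_gaq.push(['_setAccount', 'UA-7654321-1']);</script>",
}

# Constructed whois pivots for the same invented domains (assumed values).
SAMPLE_PIVOTS = {
    "shop.example": {"whois:registrant@mail.example"},
    "unrelated.example": {"whois:registrant@mail.example"},
}

# UA-<account>-<property>: the account number is what ties sites together; the
# trailing index only distinguishes properties inside that one account.
GA_RE = re.compile(r"\bUA-(\d{4,10})(?:-\d+)?\b")
# AdSense publisher ids appear as pub-<16 digits>, sometimes prefixed with ca-.
ADSENSE_RE = re.compile(r"\b(?:ca-)?pub-(\d{16})\b")


def extract_tracking_ids(html):
    """Return the account-level identifiers embedded in one page."""
    ids = {"ga:UA-" + acct for acct in GA_RE.findall(html)}
    ids |= {"adsense:pub-" + pub for pub in ADSENSE_RE.findall(html)}
    return ids


def cluster_by_shared_ids(pages, extra_pivots=None):
    """Group domains transitively: if A and B share an id and B and C share
    another, all three land in one cluster. Returns a list of
    (domains, shared_ids) pairs, largest cluster first."""
    owners = defaultdict(set)  # pivot -> domains carrying it
    for domain, html in pages.items():
        for tid in extract_tracking_ids(html):
            owners[tid].add(domain)
    for domain, pivots in (extra_pivots or {}).items():
        for pivot in pivots:
            owners[pivot].add(domain)

    # Union-find over domains; every shared pivot merges its carriers.
    parent = {d: d for d in set(pages) | set(extra_pivots or {})}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for domains in owners.values():
        first = next(iter(domains))
        for d in domains:
            parent[find(d)] = find(first)

    groups = defaultdict(set)
    for d in parent:
        groups[find(d)].add(d)
    result = []
    for members in groups.values():
        # Only pivots carried by at least two members explain the grouping.
        shared = {p for p, ds in owners.items() if len(ds & members) > 1}
        result.append((frozenset(members), frozenset(shared)))
    return sorted(result, key=lambda r: (-len(r[0]), sorted(r[0])))


if __name__ == "__main__":
    for members, shared in cluster_by_shared_ids(SAMPLE_PAGES):
        print(sorted(members), "share", sorted(shared) or "nothing")
    print("with whois pivot added:")
    for members, shared in cluster_by_shared_ids(SAMPLE_PAGES, SAMPLE_PIVOTS):
        print(sorted(members), "share", sorted(shared) or "nothing")
```

Note that a shared identifier shows that one Google account (or one registrant record) is attached to both sites, not that the same individual runs them; the account may be operated by a web agency or reseller, so each cluster is a lead to check against other sources, not a conclusion on its own.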

So if you look at the 2Algeria.org whois info it looks like this,

So khadir ben youcef owns DZWORLD.ORG, DZWORLD.NET and DZWORLD.INFO. If you look at the websites hosted at the IP of dz-team.biz, all the websites other than dz-team.biz and dz-mafia.net are registered under the same name, khadir ben youcef, or have some connection to that name.

Searching by that email, you will find many domains registered under the name and the email: khadir ben youcef, khadir_khadda@hotmail.com.

I found nearly 20 domains registered under the same name and email; there may be more.

The email khadir_khadda@hotmail.com is used to register https://www.facebook.com/benyoucef.khadir

Googling khadir ben youcef, you will find this Facebook profile: https://www.facebook.com/khadda

The email khadir_khadda@hotmail.com, which is used to register all the domains, appears in the contact information of that Facebook profile (https://www.facebook.com/khadda), and khadir ben youcef also lives in Algeria, the same country the DZ hackers are from.

Looking at the LinkedIn profile of khadir ben youcef, you can see that his occupation is listed as Information Technology and Services, so he has the technical background to do such hacking.

Looking at all these things, we can come to the conclusion that khadir ben youcef is the H4ck Dz Team member known as nO lov3. According to @ipv10, https://www.facebook.com/khadda is also a fake profile and the real people behind it are the so-called “brothers” listed on that Facebook profile, which is also a possibility because there are no real-life photos of that person on it.

So the final conclusion

So the final conclusion is that H4ck Dz Team consists of,

Ben Youcef Khadir aka khadir ben youcef

Facebook : https://www.facebook.com/khadda
Twitter : @dzworld
Gmail : khadirbenyoucef@gmail.com
Skype : khadir_khadda
Live mail : khadir_khadda@hotmail.com

Yakoub Khadir


Facebook : https://www.facebook.com/yakoub.khadir
Google Plus : https://plus.google.com/104249732338023001842/about

On his Facebook profile and Google+ profile he lists 2algeria.org as his website, which is registered under the name of khadir ben youcef.

Khadir Kamel


Facebook : https://www.facebook.com/CaPiTaiNeDz
Twitter : twitter.com/CaPiTaiNeDz

His Facebook profile cover picture says his website is dziso.com; that website too is registered under the name of Ben Youcef Khadir aka khadir ben youcef.


His Facebook profile also says that his email is khadirdz@gmail.com; however, the Facebook profile registered under that email is a female profile called “Jojo Imily” (https://www.facebook.com/profile.php?id=100002768720690).

I think nearly 100 domain names (both active and inactive) are shared between these 3 and registered under different email addresses. That is typical of hackers who use stolen credit card information to register domains.

Some of the emails they have used to register domain names include,

elchoroukhost.net@gmail.com
cyberbellia@gmail.com
algerie@hotmail.com.tr

Flame, Another Weapon of Industrial Cyber Warfare.

My Twitter timeline is full of news about the discovery of the malware called Flame, which was found mainly in Iran and some other Middle East countries. This is another piece of malware targeting particular countries and used for espionage; it has some unique features that separate it from other malware like Stuxnet and Duqu, and some features that resemble them.

  • It is a backdoor, a trojan and a worm combined; it spreads mainly via USB devices and through local networks.
  • It is a complete espionage toolkit: it can record audio from the computer’s microphone, take screenshots and log key presses, and send them to the command and control servers. There has been malware with some of these features before, but this is the first to combine all of them in one package.
  • Flame is large, about 20 MB when fully deployed, whereas most malware found these days is much smaller.
  • The malware is highly complex; it uses multiple compression and encryption methods for the data it sends to the command and control servers.

According to researchers it has some features in common with Stuxnet, which targeted Iran’s uranium enrichment facilities; Flame is also used for industrial espionage and exploits the same Windows vulnerabilities to infect machines. This is another example of cyber attacks targeting governments and high-profile targets within countries.

It is hard to imagine that an average person or group is behind it, because:

  • An average coder or group can’t create malware of such complexity. It requires a highly talented team specialised in designing such malware, which only very few countries in the world possess.
  • An average person or group has no need for such malware to spy on Iran and other Middle Eastern countries; only another country keen to keep an eye on the Middle East does, and only a few countries have the talent to build it, such as the US, Israel or China, which are famous for their hacking capabilities.

As this article from Reuters points out,

It is the most complex piece of malicious software discovered to date, said Kaspersky Lab security senior researcher Roel Schouwenberg, whose company discovered the virus. The results of the Lab’s work were made available on Monday.

According to Kaspersky the Flame malware went undetected for five years, which is a long time, and if someone, or a country, could build such a tool five years ago, one can imagine how far these industrial malware families have evolved since, and what skills the builders of Flame have achieved by now.

This also raises the question of how many unknown cyber operations by countries are currently happening around the world, and what the cyber capabilities of other countries are, because malware like Duqu and Stuxnet is not made or used by ordinary hackers. According to my friend @ipv10, who is a web researcher herself, looking at the distribution and the capabilities required to build such malware, the origin of the malware should be none other than the USA.

If you are sceptical about cyber warfare, it has already begun. And while other countries, including India, are moving fast to arm themselves with cyber weapons, all we are doing is hunting perverts on Facebook; it is time for us to move on to improving our cyber capabilities.

You can read Kaspersky’s comprehensive explanation of the Flame malware in their blog post: http://www.securelist.com/en/blog/208193522/The_Flame_Questions_and_Answers

The Curious Case of Jihad Cyber Attack.

I suggest you also read my previous post “Why We Need A Cyber Army” because the two posts are written on similar topics. The story of the attacked Jihad websites is getting more interesting day by day. Today I stumbled upon an article posted on Yahoo News titled “Who is Waging Cyberwar Against the Jihadi Networks?”; this article has some really good points worth noting.

If you didn’t read my previous post: most of the prominent Jihad websites, the forums that help terrorists communicate online, have mysteriously gone offline without any stated reason. Some of the websites come back online from time to time, but most of the time they stay offline. Some believe this is a denial of service attack by someone, or a counter-terrorism operation. Read my previous post and watch the video for further details.

First of all, no one has claimed responsibility for the attacks. At first I thought this might be the work of the anti-terrorist hacker The Jester, but he hasn’t taken responsibility for it either. According to the Yahoo article:

Britain brought down jihadist websites in 2010, but did not admit to doing so until this year. So it is likely that the responsible party, whomever it is, will not be confessing anytime soon.

So government intelligence agencies could be behind these attacks, but that’s not the interesting part.

“My source, who works as an outside consultant for Spain’s National Intelligence Center, told me that U.S. intelligence agents got in touch with their Spanish counterparts in late March,”. “They told them that, a few days earlier, a team of 10 hackers working for the Obama government had broken the passwords of several of the principal Islamist forums. They said it was the biggest cyberattack yet against these sites.” ~ Pelayo Barro, a journalist for the Spanish digital newspaper El Confidencial

If this is true and government hackers are actually behind these attacks, then that proves what I have been saying and believing for a long time: that governments must use talented hackers or their intelligence agencies to tackle these cyber terrorists online.

According to some, the above cracking of Jihad forums helped lead to the arrest of an administrator who ran a few Jihad websites, and the terrorists took the remaining forums offline to protect themselves.

So what really happened to these Jihad websites? Did they take them down voluntarily, or was it because of the arrest of a Jihad website administrator? If it was a cyber attack, then why aren’t these terrorists making any comment about it? More and more information is coming up each day; I hope we’ll get to know what really happened soon.

The cyber war is imminent, and the next frontier in the war against terrorism is cyberspace. Some might argue about freedom of speech, but these are terrorists, and for the safety of the majority such actions are needed. So the time is right for the authorities to fight these LTTE cyber terrorists online.

I asked Sam Bowne and Mikko Hypponen, and they had two different views on the matter: should authorities take action to take down terrorist/extremist websites from the internet?

There is an unequal amount of good and bad in most things, the trick is to figure out the ratio and act accordingly. TANGO DOWN.

Related Articles : 

Who is Waging Cyberwar Against the Jihadi Networks?

Why We Need A Cyber Army.

If you are following the recent news on cyber security, you might have seen that most of the prominent Al Qaeda websites are currently down, or offline most of the time, due to DDoS (Distributed Denial of Service) or DoS (Denial of Service) attacks. I mention DoS separately because it could also be the work of th3j35t3r, who has a special kind of denial of service tool, and it might be him behind these attacks.

If you watch the YouTube video above of Mikko Hypponen of F-Secure talking about terrorists online, you’ll understand that terrorists are no longer just people hiding in jungles, or suicide bombers attacking high-profile targets. They now occupy the internet, spreading their propaganda online, recruiting new members and gathering funds for their future activities.

When it comes to the LTTE the situation is not as severe as with Al Qaeda, but if the LTTE were still militarily active in the country things might have been the same. However, there are pro-LTTE websites out there spreading their propaganda online and gathering funds from the diaspora: Tamilnet, Tamil News Network and TYO (Tamil Youth Organization). Although Tamilnet is blocked by the government, it can be accessed via proxies or via Google Reader, as I do. So censoring a website is not enough to stop the propaganda of terrorist organizations.

Leaving freedom of speech aside, these are terrorists acting online; as terrorists are eliminated on the ground, these cyber terrorists must be eliminated too. Therefore it’s a must for countries to have cyber armies. The United States already has one, China has a cyber army that some say is the largest in the world, and Israel also has one.

Therefore it’s time to set up a cyber army in Sri Lanka to :

  • Take terrorist websites offline
  • Track cyber terrorists online
  • Hack cyber terrorists and disrupt their communication

Terrorists must be defeated militarily, diplomatically and in cyberspace alike. The cyber war has already begun: Wikileaks was taken down for a period of time when it published sensitive data about the US military. Without stopping these terrorist websites the war against terrorism is not fully won. TANGO DOWN.

Related articles :

Al Qaeda rocked by apparent cyberattack. But who did it?

Mystery surrounds silencing of key al Qaeda websites