University of Arizona Spying on Security Professionals and Wasting Tax Dollars

5 replies
RaT
SX High Council
Joined: 2008/03/12

As many of you know, we have been battling IRC bots and web attacks (mostly DDoS) for many years now. We have developed a pretty good system of identifying the bots and preventing them from collecting IRC data. We know that IRC and public forums are easily accessible and should not be considered as a secure means of communication, but we are still annoyed when groups try to collect our conversations. After many months of preventing the bots from accessing our IRC network (and forcing our attackers to find more and more proxies), a strange individual joined our IRC and refused to talk. Their username was “anomy” and initially they were connecting from aim.engr.arizona.edu. We kept kicking them when they refused to talk, and they changed their handle a few times (happybruce and ttc).

anomy/happybruce/ttc eventually seemed to figure out we were detecting them by their IP address (150.135.219.128 which resolves to aim.engr.arizona.edu) and connected via a poneytelecom.eu IP address. This rang a bell due to some frequent DoS attacks we had noticed from poneytelecom.eu back in 2013. After mentioning it to ttc, they immediately changed their IP address to a different network. I decided to do some digging, so I checked out aim.engr.arizona.edu and noticed it was a Cybersecurity Lab for Arizona University sponsored by NSF. With this level of sponsorship involved, I decided to do some digging on possible NSF projects designed around hacker chatter.

Much to my dismay, I discovered that 1.3 million USD had been wasted on a grant to the University of Arizona for just such a thing (see http://nsf.gov/awardsearch/showAward?AWD_ID=1314631 and https://nsf.gov/discoveries/disc_summ.jsp?cntn_id=136513&org=NSF). So wow, 1.3 million dollars wasted looking at public conversations of security professionals (not criminal hackers) on public forums and public IRC. I decided to look back into what we thought was a DDoS attack from poneytelecom.eu - I didn’t like what I found.

What we thought was part of our DDoS attacks now actually looks more like an information gathering campaign. The attackers have been hitting our feeds since November of 2013 via an application written in Golang (we know it was Golang because they had bad opsec and didn’t use a custom user agent originally). Initially we blocked this user agent as we thought it was a DDoS, and they changed the user agent to the current version of Chrome at the time. Since that time, they have continued to mine the feeds at soldierx.com - though at a much slower rate so as not to trigger our DDoS alarms. They’ve also continued to use the same Chrome user agent, which at this point isn’t used by any of our users other than them. The sad thing is that they’re not logging into the site, so they’re only getting the same information that they would be getting from Google. They’re also in clear violation of our Usage Policy (see https://www.soldierx.com/Usage-Policy).

Now it’s possible that the IRC user, the bots, and the web scraper aren’t connected - but it seems much more likely that they are. The fact that the scraping began around the time of the project being funded (attacks started in November 2013 and funding was in September 2013), that after blocking the bots one of the students (or professor) connected from the NSF lab to see what was going on, and that the default IP address they hid behind is the same service is a lot of coincidence - and I don’t believe in coincidence.

To sum things up, I’m disgusted that the University of Arizona and NSF would waste our hard-earned tax dollars on collecting the conversations of security professionals. Keep in mind that SOLDIERX is behind the HardenedBSD Project - which looks to stop exploitation from criminal hackers. We also have donated money to the Grsecurity Project, which is currently the best exploit mitigation security enhancement in existence. These attacks demonstrate yet another failure of “Threat Intelligence” from people who don’t know what they’re doing. The NSF would have honestly been better off just investing the 1.3 million USD in Threatbutt.

To any security groups that feel they may have been targeted, please contact me (rat at soldierx.com) and I will happily share attack signatures of this lame threat actor with you. Attack signatures may not be effective against real criminal hackers, but they definitely work on clueless academics trying to do threat intelligence.
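The scraper signatures the post describes (Go's default User-Agent leaking the implementation language, a spoofed Chrome version that was never updated, and feed polling throttled to stay under a rate alarm) can be checked from ordinary web server logs. The following is an added example, not RaT's or SOLDIERX's actual detection code; the log lines are constructed, and the Chrome-staleness margin and the feed-rate threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Parser for the Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$')
CHROME_RE = re.compile(r'Chrome/(\d+)\.')
# net/http default User-Agent values: "Go 1.1 package http" (Go <= 1.5) and
# "Go-http-client/1.1" or "/2.0" (Go >= 1.6). A client that never sets its own
# UA reveals its implementation language, the opsec slip the post mentions.
GO_DEFAULT_UA = ("Go 1.1 package http", "Go-http-client/")

# Constructed sample log (RFC 5737 addresses, not real soldierx.com traffic):
# a Go scraper hammering the feed, the same operator later hiding behind a
# frozen Chrome 31 UA at a gentle cadence, and one legitimate browser.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Nov/2013:02:00:01 +0000] "GET /rss.xml HTTP/1.1" 200 5120 "-" "Go 1.1 package http"
203.0.113.7 - - [10/Nov/2013:02:00:02 +0000] "GET /rss.xml HTTP/1.1" 200 5120 "-" "Go 1.1 package http"
203.0.113.7 - - [10/Nov/2013:02:00:03 +0000] "GET /rss.xml HTTP/1.1" 200 5120 "-" "Go 1.1 package http"
203.0.113.7 - - [10/Nov/2013:02:00:04 +0000] "GET /rss.xml HTTP/1.1" 200 5120 "-" "Go 1.1 package http"
198.51.100.9 - - [12/Mar/2015:09:00:00 +0000] "GET /rss.xml HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 Chrome/31.0.1650.63 Safari/537.36"
198.51.100.9 - - [12/Mar/2015:09:30:00 +0000] "GET /rss.xml HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 Chrome/31.0.1650.63 Safari/537.36"
198.51.100.9 - - [12/Mar/2015:10:00:00 +0000] "GET /rss.xml HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 Chrome/31.0.1650.63 Safari/537.36"
192.0.2.4 - - [12/Mar/2015:09:01:00 +0000] "GET /news HTTP/1.1" 200 8800 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 Chrome/41.0.2272.101 Safari/537.36"
"""

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    parts = rec["req"].split(" ")
    rec["path"] = parts[1] if len(parts) >= 2 else ""
    return rec

def classify(log_text, current_chrome_major, feed_paths=("/rss.xml",),
             max_feed_per_hour=6, stale_margin=3):
    """Return {ip: sorted flags} for clients whose UA or feed cadence is off."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)
    findings = {}
    for ip, recs in by_ip.items():
        flags = set()
        uas = {r["ua"] for r in recs}
        if any(ua.startswith(GO_DEFAULT_UA) for ua in uas):
            flags.add("go-default-ua")
        for ua in uas:
            m = CHROME_RE.search(ua)
            # Real Chrome auto-updates; a UA several majors behind is a scraper
            # that froze a spoofed string (margin is an assumed threshold).
            if m and int(m.group(1)) <= current_chrome_major - stale_margin:
                flags.add("stale-chrome-ua")
        feed = sorted(r["ts"] for r in recs if r["path"] in feed_paths)
        if len(feed) >= 2:
            hours = max((feed[-1] - feed[0]).total_seconds() / 3600, 1 / 60)
            if len(feed) / hours > max_feed_per_hour:
                flags.add("feed-polling-rate")
        if flags:
            findings[ip] = sorted(flags)
    return findings
```

The throttled client no longer trips the rate check, which is the point of the post: once the operator slowed down, only the static user-agent signature still identified them.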