Saturday, May 17, 2008

Spanish Arrest D.O.M. Team

Spanish police announced the arrest today of five members of a prolific hacking team known as "D.O.M.". The D.O.M. team has been a political activism team active for quite some time. Zone-H, the "scoreboard of the underground", lists D.O.M as being #5 in prevalence of "Special" defacements - those against governments or major corporations or organizations. For all types of attacks, D.O.M is listed as #26, with 21,191 attacks credited to their account.

Update: Press Release from Spanish Police shows that the arrest operation was coordinated by "el Grupo de Seguridad Lógica de la Brigada de Investigación Tecnológica de la Policía Nacional" with cooperation from " agentes de la Brigada Provincial de Policía Judicial de Burgos, Málaga, Valencia y Sabadell". Congratulations to them all on their police work!

Recent defacements by the group list their members as:

an0de, ka0x, Xarnuz, and Piker

while hacks from earlier in the year listed:

crane0x, ka0x, Xarnuz, and S0cratex

We're not sure yet which were actually arrested, as the Spanish are protecting the identities of the group who are mostly minors, with two of those arrested being only 16 years old, and the other three being 19 and 20. Those arrested resided in four Spanish cities - Barcelona, Malaga, Valencia, and Burgos.

Although a Spanish-speaking group, its actual membership has varied over time to include members from Spain, Argentina, and Mexico. For a short time a Brazilian hacker, "nwx0x", was also a member of their group, and "vpn0" and "Nitronet" have also been seen to claim membership. Their recent defacements have been environmental activism, decrying the pollution of rivers and the building of paper mills. The Spanish investigation began after a member of the group hacked the "Izquierda Unida" website and left supposedly "obscene messages" and caricatures of politicians on the site on March 3rd, a week prior to the March 9th election.

The actual words were:

"Tenemos algo en común, le dijo un presidente a un embustero..."
(roughly, "we have something in common, said the President to the liar/cheater" - which doesn't sound nearly as nasty as "obscene messages").

and the caricature may still be found on ImageShack, where it was originally hosted:

A Spanish blogger at the time provided some clues as to what happened, including giving links to ka0x's profile on "spanish-hackers.com" (now offline) and pointing them to the current "D.O.M" website -- domlabs.org

Some of the more high-profile attacks credited to the group, at least from an American perspective, would include having hit the US government's National Cancer Institute with an SQL injection attack back in July of 2007 (archived from Zone-H). In February, an0de defaced an MIT server with an anti-American, anti-Bush message (archive from Zone-H).

Members of the group are said to have hit NASA back in March, but it is unclear whether "Spanish Hackers Team"'s March defacement of "climate.gsfc.nasa.gov" is the same reference. Certainly it's the same server that the closely allied hacker "SSH-2" hit as recently as April 25th, but we do have a positive reference of D.O.M member "an0de" hitting the NASA server "issues.worldwind.arc.nasa.gov" back in August 2007.

In a typical environmentally-motivated hack of Groton, South Dakota's government website by the group in April 2007, the hacker used a gmail address, 3sk0rbut0@gmail.com, and posted the message:

Defaced by ka0x

This is a cyber-protest against climatic change!!
Stop contamination!
(censored) to all governs that allow the contamination of the world!

we are: [ Arp; ka0x; an0nyph; xarnuz; Tequila ]

(SPain - Mexico - Argentina}

The Spanish police say they are responsible for more than 21,000 website defacements including many government sites. (A statistic they surely got from Zone-H!) That matches what we see in the Zone-H archives, where hacks against the governments of India, Thailand, Turkey, Colombia, China, Malaysia, and others are readily found.

For several years the team ran a website called "DomTeam.info", although their hosting was sketchy at best, as they were run off numerous webservers. The original registration, from back in September of 2005, shows the email address "arcax.ath@gmail.com" as the contact address. "ATH" was another hacker group called "Arrow Team Hispanic", where Arcax partnered with KingMetal to cause script-kiddie type trouble to websites.

From the whois data from October of 2005, we find the meaning of the "D.O.M" name, as the whois information was changed to being registered to "Dark Owned Mafia". The members actually listed themselves in the WHOIS information later in 2005, when the whois "Street Address" was given as "XgdnX - Davidu - Rootbox - ArCaX-ATH", the then-current members of the group. That would remain the team's street address until November of 2007, when the domain was shut down by the Registrar (Melbourne IT).

ArCaX-ATH posted his "retirement from the underground" message on April 4, 2007, claiming at that time that he had been personally responsible for 10,880 website defacements. Here's that farewell message (translated from the Spanish):

Well, this is something I had been noticing for some months now, my lack of time to do the things of the D.O.M group... and which many were anxious to be able to read, so here I give you the following gift. Last Sunday, during one of our usual meetings, in front of all the members of the group and with their approval, I decided to retire completely from the Underground scene, with no notice of any return or anything of the sort. I had planned to do it in October of this year when the team turned 2 years old... but I could no longer keep the other members of the group waiting, although the fact of my retirement does not mean that the group also stops; I know that anonyph and the others will lead it down the right path. I especially thank her0 and ka0x, who led me to take the right decision for the team. It has also been decided that the DOM website will not continue as a portal, since a portal requires exhaustive care with the forums and so on; it has been decided that I keep the 2 domains (INFO and BIZ) to use for my personal blog and other personal projects... you'll have ArCaX-ATH around for a while yet, that's for sure, only less frequently than before....

Although he was withdrawing, he states that "anonyph" will carry the team forward in the right direction.

ka0x was the one, however, who took the reins to set up the new website on January 31, 2008, and we find his gmail account listed in the registration for "domlabs.org" -- "ka0x01@gmail.com", with a (probably fake) Peruvian street address.

Using the same email, ka0x posted several exploits that he had written to the milw0rm collection of attack tools, including remote SQL injection programs written in Perl and a program to insert your own user information into an LDAP directory, which was bannered with this:

Title: LDAP injections
Author: ka0x
contact: ka0x01[!]gmail.com
D.O.M TEAM 2007
we: ka0x, an0de, xarnuz, s0cratex
from spain
Ten exploits and two papers are credited to ka0x on his milw0rm author page, including an 11 page paper on "Blind MySQL Injection" where he also lists the gmail address of one of his fellow team members, Piker, at piker0x90@gmail.com.

an0de also kept a blog at: http://buclenoapto.wordpress.com/

Trying a new setting. After turning on comments, I got about 20-30 comments per day that were all link spam. Sorry to require login, but the spam was too much.