Is this “really really” the work of Russian and Chinese hackers?
During the latests hours, we have read all kind of statements regarding the latest attacks against Dyn infrastructure. Statements include that the group is formed by hackers from Russia and China.
The information spread in the media pointing to Russia and Chinese hackers lacks serious evidence so we have decided to disclose what we know from the group.
- New Word Hackers share common methods and infrastructure that @BannedOffline. They operate using free services including free trials of VPN and CDNs from several providers.
- @newworldhacking and @BannedOffline advertised bangstresser.com the stresser service and ghostantiddos.com
- @BannedOffline and Fantomnet claim to be operating ghostantiddos.com
- Fantomnet keeps source code of the DDOS tools in github here
- @SinfulHazeCE claims membership of NWH.
- Hidden servers from NWH are hosted in BlazingFast LLC aka dotsi.pt
- During the past days, free attacks were offered via the site www.newsworldhackers.com
- Spoofit has received attacks directly claimed by @BannedOffline originated from AS30823 Combahton IT.
- The group and @BannedOffline has never showed any evidence of controlling the IoT botnet Mirai or any of their variants.
- Update 24th October: @BannedOffline deactivates and then reactivates his twitter account.
A free DDOS tool
New World Hackers announced a few DDoS tool in their website newworldnews.com.The tool reassembles the old versions of “LOIC” but in this case the tool is just proxying the attacks to the origin server.
Those interested can browse the source code here and notice the skill level of the group, we are providing a mirror copy of the DDOS portal of the New World Hackers DDoS tool.
Where is the origin?
In the past we have tracked hidden services from this group to the IP 220.127.116.11
fantomnet.cf cdn.ghostantiddos.com www.ghostantiddos.com anycast.ghostantiddos.com ghostsquadhackers.org www.ghostsquadhackers.org
The provider is blazingfast.io trading as dotsi Solucoes Internet and AS4939
After scanning their IP space to find the hidden origin, we discovered the location of the hidden website of New World Hackers is at 18.104.22.168 also in blazingfast.io
So, Is this “really really” the work of Russian and Chinese hackers?