Fighting Cyber Attacks during the Burmese Elections

DIGITAL FORENSIC ANALYSIS REPORT
November 2015

Executive summary

Defense Services Academy at Pyin Oo Lwin.

In October 2015, the Irrawaddy.org website was defaced by the “Union of Hacktivists (UOH)” hacker group. This unknown group became notorious after the defacement of the Burmese media site Elevenmyanmar.com in April 2015 and their operation #Op Fucking Media that specifically targeted independent online media in Burma.

The UOH became increasingly active during October 2015, just one month before the General elections in Burma were to be held (8th November). During one week, the group defaced half a dozen Burmese media sites.

This document summarizes our findings during the days before and after the November elections and shows how we reached the conclusion that UOH might be operating from a Burmese military facility. While working to understand the attackers' modus operandi, we discovered that UOH had compromised the victim sites weeks or months before making the defacements public.

During our effort to stop the attacks, we also learned that defacing websites is not the ultimate goal of the attackers. The attackers use passwords obtained from the content management systems to try to gain access to the email accounts of key personnel.

Evidence suggests that the Union of Hacktivists (UOH) is in fact an undercover organization operating from military premises that has adopted the aesthetics of other hacker groups active in Myanmar to run operations to undermine the work of online media in the country.

After carefully analyzing the logs associated with the malicious activity, we built a graph of the attackers' daily activity that shows the malicious activity taking place during working hours (8 AM to 3 PM).

Malicious activity during three months.

6th Nov 10:30 AM – My mailbox is compromised!

A request from one editor of the Burmese Irrawaddy.org online newspaper reaches our emergency support to investigate what seems to be an intrusion into his mailbox, coming from the Burmese IP address 203.81.85.66 with the user agent

    Mozilla/5.0 (Windows NT 6.1; rv:41.0) Gecko/20100101 Firefox/41.0,gzip(gfe),gzip(gfe))

Our team accepts the emergency request and promises to look into the reputation of the IP address and whether any malicious activity from it was recorded in the past against any Burmese media site.

6th Nov 13:30 PM – Is my site vulnerable?

Just a few hours later, a second request arrives via another help desk asking for advice regarding vulnerable WordPress plugins in the Irrawaddy.org website.

We escalated the emergency request and reached out to Irrawaddy.org via a secure communication channel to obtain credentials for their website so that we could perform an emergency audit.

7th Nov 10:40 AM – 203.81.85.66, Bluecoat and military!

A report about malicious activity from 203.81.85.66 is sent to Irrawaddy.org. The IP address belongs to Myanma Posts & Telecommunications (AS9988), and HTTP traffic coming from that address includes the headers

    X-BlueCoat-Via: 3DD8B0CE676F0FB8
    User-Agent: Mozilla/4.0 (compatible;)

These two headers are characteristic of a Bluecoat ProxySG device. We also found that several networks operate behind that device, and that traffic from those networks includes the headers

    Via: 1.1 cgsc.mod (squid/3.1.10)
    Via: 1.1 dscd.mil.mm (squid/3.1.10)
    Via: 1.1 DSCD (squid/3.0.STABLE2)
    Via:1.1 srv2.dsstrc.site (squid/3.1.10)

Our first findings indicate that traffic from the IP address 203.81.85.66 comes from:

DSSTRC, Directorate of Defence Services Science and Technology Research Center
CGSC, Command and General Staff College
DSCD, Defense Services Computer Directorate

DSSTRC is located in May Myo, also called Pyin Oo Lwin. It is academic wing number 2 of the Defense Services Academy (DSA), a large complex for the education of military officers and for research.

DSTA at Pyin Oo Lwin

At this early stage, we could not fully guarantee that all traffic behind that IP was of a “military” nature, but we had strong indicators that several military research units were operating behind it.

During our research we also discovered that 203.81.85.72, a nearby IP, sits behind a similar BlueCoat device and an internal proxy identified as NDC, which might stand for National Defense College:

    Via:1.1 ndc (squid/3.1.1)
    X-BlueCoat-Via: 915E4EA807B0E39D

The following graph shows the descriptions of the Squid Proxy servers operating behind each of the BlueCoat devices. The first device with ID 915E4EA807B0E39D hosts NDC and DSTA, while the second device with ID 3DD8B0CE676F0FB8 hosts the (DS)CGSC, DSCD and DSSTRC. (Note: The second device changed ID from December 18, 2015 to 3fd0b709d9aab914)

BlueCoat IDs associated to Squid Internal Proxies.
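The two analyses above, the mapping of each BlueCoat device ID to the internal Squid proxies behind it and the per-hour activity profile, can be reproduced from web-server logs. The following Python is an added example and not code from the report; it assumes a constructed log format in which the request's Via and X-BlueCoat-Via headers were appended to each combined-log line, and the sample lines are constructed, not taken from the investigation.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample lines (not from the report): combined log format with the
# Via and X-BlueCoat-Via request headers appended as two extra quoted fields.
SAMPLE_LOG = """\
203.81.85.66 - - [06/Nov/2015:10:30:12 +0630] "GET /wp-login.php HTTP/1.1" 200 512 "Via: 1.1 dscd.mil.mm (squid/3.1.10)" "X-BlueCoat-Via: 3DD8B0CE676F0FB8"
203.81.85.66 - - [06/Nov/2015:11:02:44 +0630] "POST /wp-login.php HTTP/1.1" 302 0 "Via: 1.1 cgsc.mod (squid/3.1.10)" "X-BlueCoat-Via: 3DD8B0CE676F0FB8"
203.81.85.72 - - [06/Nov/2015:14:15:03 +0630] "GET /wp-admin/ HTTP/1.1" 200 2048 "Via: 1.1 ndc (squid/3.1.1)" "X-BlueCoat-Via: 915E4EA807B0E39D"
203.81.85.66 - - [07/Nov/2015:22:40:09 +0630] "GET /xmlrpc.php HTTP/1.1" 200 128 "Via:1.1 srv2.dsstrc.site (squid/3.1.10)" "X-BlueCoat-Via: 3DD8B0CE676F0FB8"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" \d+ \d+'
    r'(?: "Via:\s*(?P<via>[^"]*)")?(?: "X-BlueCoat-Via:\s*(?P<bc>[0-9A-Fa-f]+)")?'
)
# Squid writes "1.1 <hostname> (squid/<version>)"; the hostname is the internal proxy.
VIA_RE = re.compile(r'1\.1\s+(?P<proxy>\S+)\s+\(squid/(?P<ver>[^)]+)\)')

def parse_line(line):
    """Return a dict with ip, timestamp, BlueCoat device ID, proxy name and Squid version."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ip": m["ip"], "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
           "bluecoat_id": m["bc"].upper() if m["bc"] else None, "proxy": None, "squid": None}
    if m["via"]:
        v = VIA_RE.search(m["via"])
        if v:
            rec["proxy"], rec["squid"] = v["proxy"].lower(), v["ver"]
    return rec

def map_devices(log_text):
    """BlueCoat device ID -> {internal Squid proxy -> Squid version}."""
    devices = defaultdict(dict)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["bluecoat_id"] and rec["proxy"]:
            devices[rec["bluecoat_id"]][rec["proxy"]] = rec["squid"]
    return dict(devices)

def hourly_activity(log_text, ip=None):
    """Requests per local hour, plus the share falling inside 08:00-15:00 working hours."""
    hours = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and (ip is None or rec["ip"] == ip):
            hours[rec["ts"].hour] += 1
    total = sum(hours.values())
    in_hours = sum(n for h, n in hours.items() if 8 <= h < 15)
    return hours, (in_hours / total if total else 0.0)
```

Hours are taken from the timestamp's own offset (+0630 in the sample), so the working-hours share reflects local time in Burma rather than the analyst's time zone.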

We also looked into the release dates of the different Squid versions in operation:

  • DSCD 3.0.STABLE2, released March 2008
  • NDC 3.1.1, released 29 March 2010
  • DSSTRC 3.1.10, released 22 Dec 2010
  • DSTA 3.3.8, released 12 Jul 2013

We tried to verify whether this network was still operated by the military, and we found that the following institutions are currently hosted in the same network: Myawaddy TV, Radio Thazin and the Ministry of Defense.

thazinfm.com
mod.gov.mm
myawady.net.mm

We could also verify that the internal domain name servers of mil.mm, which were publicly announced in the past, are still hosted in the same network at 203.81.85.114 (ns1.mil.mm) and 203.81.85.115 (ns2.mil.mm).

Reviewing historical DNS information, we could also confirm that 203.81.85.72 responded to the name cache1.isp.mil.mm.