QUANTUM MURMURATIONS

“… the actual instantiation of neoliberal free trade requires active state intervention, regulation and monopolies. And the global regulation of intellectual property law is perhaps one of the clearest instances of the contradictory underpinnings of neoliberal practice – a monopoly mandated by trade associations as a global precondition for so-called free trade” – Gabriella Coleman

“My government used DDoS attack against servers I own, and then convicted me of conducting DDoS attacks. Seriously, what the fucking fuck” – Chris Weatherhead/Nerdo reportedly instrumental in bringing down PayPal for 10 days in Operation Avenge Assange

I-Security Document: 20 Years of the Infamous Wu Shu Hackers – Threat Actor Research

The Infamous Wu Shu Hackers (IWSH) are an active cyber espionage cellular network that has been very aggressive and successful in recent years. The network’s activities demonstrate that global espionage relating to football is the group’s primary motive, and not financial gain. Its main targets are bookmakers, football agents, matchfixing consortia, football clubs, politicians and news media.

We are able to trace IWSH actions as far back as 2010 but there is substantial evidence that the network was established in the mid-1990s. We have shared several detailed analyses of IWSH in recent years and this new paper attempts to dissect the network’s attacks and methodologies to help governments and the relevant business sectors gain a more comprehensive, up-to-date view of IWSH’s processes and tactics.

Under normal circumstances, we would share (on a consultative level) defence strategies against IWSH but, in our view, there are none. These are not normal circumstances.

The IWSH are becoming increasingly relevant, particularly as they have begun to undertake more than simple football espionage activities. In 2016, the IWSH hacked several senior figures in the Conservative government (leading to the withdrawal from politics of one individual) and one individual in the House of Lords, and sought to utilise the information so gained to force through the establishment of a government-based entity to address corruption in British football. Moreover, IWSH claim to have evidence that there exists a mafia state orchestrating corruption and matchfixing on behalf of a global array of governments, institutions, businesses, football clubs and private individuals. The impact of these malicious activities is now being felt by various governments, enterprises and businesses globally. Even citizens of different countries might be affected as the IWSH try to manipulate people’s opinions about corruption in football. The attacks by the IWSH might even serve as an example for other entities, who might copy tactics and repurpose them for their proprietary aims.

As we have attempted to monitor IWSH’s operations since 2010, we can perceive how the network has evolved into a 5th Estate media organisation, manipulating events and public opinion via the collection and dissemination of information gained by hacking. Some events, e.g. the MOBgate and Leicester City Affairs and ‘Football Leaks’ (the former suggestive of systemic matchfixing in the Premier League, the latter allegedly proving that the exposures of a media group were based on mafia turf wars), have been covered extensively. The network’s cyber propaganda methods – using electronic means to change public opinion – create issues on an array of levels. The eruption of fake news in 2017 may in part be attributed to repetitive information leaks and manipulations by malicious actors. Mainstream media sources in Britain have confirmed that the IWSH offered exclusive snippets of high-impact hacks, presumably to alter public perceptions of British football.

In this document, we provide an overview of the IWSH and explore the variety of attacks being propagated (although it is critical to add that the cellular nature of this network makes a complete analysis impossible). The IWSH are known for sophisticated phishing activities, zero days, false flag operations and for trespassing on prohibited ground and leaving without any trace – they seek information, not power nor financial gain.

Centrally, the IWSH – also known as Football is Fixed, La Brigade de la Surete and Synonymous – remain a driven cyber espionage network. Hackers co-ordinate multiple attacks with various methods from secured nodes on the same target to achieve their aims. Whereas most hacking entities phish for financial gain, the IWSH would seem to have no interest in monetising their activities – their initial slogan from 1995 describes the purpose as “to save football from the mafia”.

The IWSH leak sections of their stolen information online but, perhaps surprisingly, would appear to withhold some key breaches. We assume that this is a defensive tactic against any future legal actions that might be brought against the network. We do not know for certain how much knowledge resides in this network. In this manner (and in this manner only), IWSH are similar to the Fancy Bears Hacking Team who revealed doping by US and UK athletes in the Brazil Olympics and co-ordinated systemic doping by the Team Sky Cycling body. The IWSH is not, in our opinion, linked to any one government.

The IWSH have released documents relating to the ‘Charlotte Fakes’ Twitter account detailing collusion between the Scottish FA and Glasgow Rangers, alleged ‘mafia state’ activities producing matchfixing in the Premier League, the alleged control of the England and Scotland national teams by a cartel of football agents as well as other disclosures outlined elsewhere in this document. The IWSH claim to stand for “anti-corruption, fair play and clean sport”, however, in reality, they released private information that was, in effect, stolen. These activities markedly weaken the institutions governing football and are having considerable impacts on betting turnover, television subscriptions and attendances at matches.

In 2016, ‘Football Leaks’ information was released on the ‘Synonymous’ blog (now largely archived aside from a cryptic message on the homepage). We were able to intercept documents Synonymous released to servers in Greece, Romania and Moldova which revealed that ‘Football Leaks’ had physically stolen documents from football clubs in Spain, Portugal, France and the Netherlands and that the campaign against manipulations and Third Party Player Ownership (TPO) linked to the Gestifute agency was orchestrated by a group of British football agents who also utilise TPO and who were commercially at war with Gestifute. The IWSH could have given this information to the Portuguese police but, for reasons that remain unclear, chose not to do so.

Two national newspapers shared with us evidence that clearly links the IWSH to Synonymous.

Between 2009 and 2017, one particular firm of football agents ###### (who wish to remain anonymous) were repeatedly hacked by the IWSH. Stolen information was published on the ‘Football is Fixed’ and ‘Synonymous’ websites. No individual ever claims responsibility nor the fame that is usually attached to such activities. The IWSH were able to access password-protected parts of the ###### site via credential phishing campaigns. The IWSH attack both free and corporate webmail; they have gained access to private betting accounts of individuals they claim are involved in insider trading on football matches that have allegedly been fixed – they claim to “open markets” in the same manner that Wikileaks “opens governments”.

There have been numerous occasions where the IWSH use media to publicise their attacks in order to influence public opinion. Influential British newspaper ############### confirmed that they were offered exclusive access to alleged corruptions over player selection for the England national team and considerable evidence about the fixing of a Premier League match between Fulham and Wigan Athletic in October 2009. This ‘evidence’ included phone hacking.

In our view, we suspect that the successful hacks undertaken by the IWSH of which we are aware are but a mere fraction of the full extent of the network’s activities. Even when we are able to detect intrusions, they have frequently been active for considerable periods prior to detection and often have been terminated as a source of further information by the network. Of particular concern is the hacking of private market activities. One of our clients has been made aware that the IWSH have full details of every bet that has been placed since February 2009 – the IWSH claim that this proves matchfixing but the group’s activities are criminal in that they invade the privacy of this client.

In the Spring of 2016, the IWSH launched phishing warfare against certain senior members of the British government, coinciding with a parallel phishing campaign against two European free webmail providers. It is not known whether IWSH were successful or not, but knowledge shared with a doubled operator by the group suggests that some vital information was gathered, and the network publicly proclaimed that “systemic corruptions orchestrated by the Deep State (sic) in relation to the Premier League triumph of Leicester City has yielded between £6 billion and £24 billion profit for a global consortium in one season”. No further evidence has been released yet but, in some instances, the IWSH will wait a decade or more to release information to the media (as shown by the group’s recent releases relating to ‘Gekko’ from 1995).

The IWSH never doctor the information that they publicise and we are not able to find any evidence that the group benefits in the betting markets from insider trading information that they steal. The authenticity of all leaked data is robustly verified. By publishing carefully selected undoctored information, threat actors are more effective in influencing public opinion in a manner that aligns with their mission statement.

Phishing is a valuable weapon in espionage campaigns. Professional hackers create ingenious social engineering tactics and avoid spam filters and any security installed on the target systems. Huge amounts of valuable data can be stolen via phishing and such campaigns frequently provide a foundation for future warfare. The IWSH has utilised phishing to silently gather data over long time windows and to use such penetration to delve further into the network of the victim organisation e.g. by sending emails from stolen identities.

It is very likely that, throughout his tenure as England manager, the email accounts of ########### were compromised and that other actors were compromised by association.

The IWSH has co-ordinated several long-running campaigns against particular high-profile entities via the hacking of free international webmail providers, minor webmail bodies in fringe territories and proprietary internal systems – we know of no other methods that might have revealed to the network the scores of aliases used by one particular football agent. IWSH have a full house. We have attempted to detect patterns in the activities of IWSH, particularly with regard to the timing of attacks, but the network would appear to be generating attacks using random number generators buried deep in their highly developed global network. IWSH will also always react to particular news events in football, claiming to offset the ‘fake’ mainstream media news with ‘reality’ and claiming that all mainstream output is ‘hyperreal’.

Most bodies allow members and employees to read emails away from the office, enhancing business efficiency but introducing significant risks. Such webmail may be hacked in numerous ways. The IWSH use phishing lures that are indistinguishable from the websites being mimicked. The IWSH have also been known to use tabnabbing prompts to re-enter personal passwords, the abuse of Open Authentication standards, the defeat of two-factor authentication via secondary phishing and VPN hacking; in our estimation, only hidden security keys and biometric data offset this mode of attack. Unfortunately, phishing is but one tool in the IWSH armoury.

Another method that we know the IWSH utilise is the compromising of mail servers to redirect mail to a server in another territory (in the case of IWSH, Tiraspol in Transnistria). These hacks are very obvious and quickly corrected but serve to demonstrate the mockery that seems to underpin all hacking groups. While this type of attack is simple in nature, the outcomes can be devastating, as Clifford Stoll showed in his book “The Cuckoo’s Egg”. Further complications are added with this type of attack as phone hacking is often perpetrated in parallel.

The IWSH appear to curtail their activities around the movable date of Chinese New Year. We can only surmise that either the IWSH are linked to South East Asian entities or that the market structures relating to matchfixing change in this window. Of course, it might also be the case that the network simply alters strategy at these periods. We cannot know with any certainty. The group are also significantly less active in the football close season but, again, it may be that IWSH shift their focus to the summer leagues of Scandinavia and, most likely, Ireland.

Recently, we have found some evidence that the IWSH have turned to spear-phishing campaigns against lower level figures in target organisations. Emails are received about key news or current events directly associated with the business of the organisation directly mimicking headlines from BBC, The Guardian, Der Spiegel and many others. While it is easy to block such attacks against high profile individuals, weaknesses lower down the hierarchy are exploited by IWSH. One of the British government targets was however spear-phished after being caught off guard.

The IWSH is extremely careful with how they infect their targets. Initially, the exploit URLs are specific to each victim, each with ‘code’ that is unique to that target. Invasive JavaScript code then uploads information to the exploit server. Depending on the target, the exploit server will return an old exploit, a zero day or a social engineering temptation. The key input here for IWSH is the maintenance of the zero day and the avoidance of detection. Even after detection, waves of malicious activity might result from a just-patched Flash zero day and an open Windows privilege escalation vulnerability. The IWSH frequently infect with a lower grade of malware to determine whether the target is worthy of further investigation prior to hitting valuable targets with X-Tunnel or X-Agent or proprietary IWSH constructs beyond the limits of our current detection. The war strategy is to control as many of the nodes of the target network as possible.

So-called watering hole attacks are also a part of the IWSH armoury. Sites are compromised that IWSH suspect will be visited by their target (particularly betting companies). In one case, IWSH injected a Browser Exploitation Framework exploit onto ###### and this attack proved to be highly successful – there was a whole toolkit of exploits unleashed. There are parallels here with IWSH tabnabbing behaviours.

Perhaps surprisingly, the IWSH have only rarely used zero days. We do not know why.

Like all hacking groups, the IWSH exhibits preferences for certain webhosting providers and this has allowed us to spot some attacks swiftly, but the network always appears one step ahead, with an exponentially increasing network of IP addresses being used, many activated remotely via impenetrable nodes.

Although IWSH uses the infrastructure of well-developed territories, e.g. Britain, Romania and Australia, the intelligence services are known to have struggled to break random-number-generated encryption and transport layer security. Some success was achieved in December 2016 via the hacking of several phones used by the network, but each device became a discarded burner within days. But the IWSH evidently does not care that intelligence services might be exposed via the identities of targeted individuals.

At this point we need to address the unknown unknowns. We have only managed to infiltrate one member of the IWSH, Ojo del Toro. This actor is aware of our interest and this makes it difficult to determine how much of the output that is disclosed to us is real and how much is internal IWSH strategy. We have not been able to find any of the ‘offices’ that the network utilise in Britain, Greece, Romania, Australia or Transnistria. We achieved a certain amount of success via weaknesses in the Bucharest node but we cannot be sure that what we have gained is exactly what the IWSH wished for us to gain. We know that del Toro has existed in cellular networks throughout his adult life (he is 58 years old) and we are also aware from open communications between del Toro and one of his legal representatives that saving football from the mafia is not the primary strategy of the network. We are in the territory of doubled and trebled games here and we suggest that state actors explore these areas. We repeatedly find ourselves unable to confirm the exact infection chains with IWSH and we frequently feel that we are being led by the nose up cul-de-sacs where del Toro wishes us to be.

Whereas some hacker groups demand publicity of the individuals involved, the IWSH regards itself as a security network – we can only hazard a guess at the total number of operatives in the network, for example. For most cyber networks at least some nicknames are determined from hacking sites and conferences, but not so with the IWSH. The identities of the individual IWSH actors are extremely well protected. There may indeed be some breaches that are linked to IWSH but are never so attributed – football espionage is a growth sector due to the sheer volume of the betting markets on major games. We suspect that IWSH uses Bitcoin and other cryptocurrencies to further layer disguises on their operation as well as seeking out webhosting providers that allow heightened levels of privacy for clients. We suspect that IWSH pay a premium for such anonymity. But, beyond this, just a couple of proxy nodes markedly increase security for hacking groups and the IWSH is probably using many more than two nodes.

In the period since 2010, certain intelligence services have taken a keen interest in the IWSH. Issues relating to espionage must be addressed at higher political levels than the police. Actors like IWSH benefit from the lack of co-operation between different security and enforcement agencies and time delays so created are exploited by nimble operators like IWSH. Normal cybercriminals avoid publicity and suspend operations if detected whereas IWSH don’t even break stride – it is almost as if they gain energy from being detected. Some have even projected that such detections are part of the deeper IWSH strategy.

Protecting yourself against an aggressive attacker like IWSH is a major challenge. They are able to run campaigns over decades and the lack of focus on making any profit from their activities shields them from prying eyes. Furthermore, del Toro is a market analyst and exports market trading tactics to IWSH strategy – so just as historical information is only of value fractally in assessing a current and/or future market price, historical attack strategies are rarely repeated as the IWSH develop unique strategies for each and every new campaign, sometimes even delaying such campaigns until a robust strategy has been energised. Security is evidently more critical thinking than critical timing.

The majority of the campaigns undertaken by the IWSH would be of interest to intelligence services globally. Investigations by police lead nowhere as espionage can only be addressed at state level as communications between different law enforcement bodies are rarely optimal. And the IWSH repeatedly push hard against the surfaces and boundaries that the state has attempted to set.

Where the IWSH differ from many hacking entities is in their utilisation of WiFi Penetration Tools (PTs). Although some of these packages are themselves malicious, distributed to ensnare gullible hackers, IWSH appear to be able to counterfeit the code and re-energise it as a proprietary tool. The key aspect of PTs is that by hacking WiFi connections with AirSnort, Aircrack, Kismet, Cain and Abel, CommView and Wireshark, the IWSH are able to crack keys and decrypt traffic, undertake network detection (including hidden networks) and sniff passwords and packets. In particular, Cain and Abel allows IWSH to recover passwords by sniffing the network and cracking encrypted passwords using brute-force, cryptanalysis attacks, dictionary and other more obscure (and unknown) tactics. Cain and Abel might also recover wireless network keys by analysing routing protocols.

Although outside the remit of this report, we should also bring your attention to a structural weakness exploited repeatedly by IWSH. Most of their targets are geographically on the move throughout their lives and the architectural weaknesses in infrastructure within certain territories allow hackers to enter domains more easily. Everybody needs to address this issue, which we will cover in a future consultancy.

And do not even consider that the maintenance of a network air gap will keep you safe.

Another tactic that has revealed much to IWSH is the employment of shotgun microphones at live sporting events. We have seen evidence that IWSH have recorded communications between referees and their junior officials and, more pertinently, with the Premier League Match Centre (which is not even supposed to exist). More alarmingly, these microphones have been aimed at Directors’ Boxes and VIP enclosures with outcomes that can only be guessed at.

In conclusion, the IWSH claim to utilise Divine Skein in their attacks – these attacks are coordinated from multiple loci and successful defence must be absolute, as these hackers only need one attack to succeed to achieve full intrusion. Even when protected by minimising attack surfaces, creating a corporate VPN, limiting the number of domain names, two-step registration, careful vetting of outsourced services and educating people in security at all levels in the hierarchy, any failure, weakness or loophole will be exploited ruthlessly.