Do Unaware Malware Victims Exist? In Turkey They Do

Forget Wikileaks, this time Arsenal Consulting has something to say about Turkish people being hacked.

In an always online world, it might seem hard to believe that there are people in this day and age (most of whom live in Turkey, for now) who are incognizant of the fact that their machines have been infected with malware.

In other words, they have become unaware malware victims.

Recent reports published in the media have revealed that a good number of people whose machines have been hacked and then infected with malware aren’t even aware of the problem.

It is true that if one is not prepared enough or cautious enough, his/her machine could get infected with malware rather quickly.

Of course, all of this happens without the permission of the owner of the machine. A malware infected machine also points towards one other less subtle fact: someone had targeted the machine and then installed malware on it.

This particular group which has been mentioned in various news articles is a Turkey-based one and it has used clever techniques to quickly infect numerous machines with Turkish made trojans. The group has also made use of malware in order to target victims of their products. Most of the victims appear to be residing in Turkey.

According to a computer forensics and information security company, Arsenal Consulting, the targeted machines most likely belonged to high-profile officials who worked in the government.

Add to that the astronomical cost of the operation, it seems that the group had massive resources behind its back in order to carry out the attack.

Arsenal Consulting was also able to find out that some of the infected machines had a custom made malware on them. Moreover, it was also pointed out that the whole malware infrastructure was quite robust and clearly indicated that it was the work of a large hacking group rather than just a single individual banging the keys away from his/her room.

Mark Spencer, who works as a digital forensics at Arsenal Consulting, in an interview given to Motherboard, told a reporter that even against a single target, they found the attackers using multiple email addresses along with multiple remote access trojans, multiple command and control servers and multiple cellular services.

He also added that the infrastructure was obviously built and leveraged in a way to avoid single points of failure.

Since the malware attacks, it has also been uncovered that this attack originated from the same group of cyber criminals and hackers who targeted another individual by the name of Baris Pehlivan.

Baris Pehlivan worked as an investigative journalist for OdaTV and had to spend 19 months in prison after being accused of terrorism activities based on some documents that were found present on his computer.

Later, however, several forensics reports pointed out that the terrorism-related files that were found on Baris Pehlivan’s and his colleagues’ computer were actually planted by someone else.

Baris was the target of a malware attack back in 2011 and since then has been released from prison. Baris’s trial still continues and he is scheduled for an appearance in the court on February 15, 2017, for his hearing.

Readers should also know that apart from Baris and his colleagues, all other victims of the malware attacks that took place in 2011 remain unknown.

What happened to their names?

Apparently, their names and identities are still stuck in bureaucracy.

Mark Spencer, who works as a digital forensics expert at Arsenal Consulting, told reporters that the victims of the 2011 malware attacks, in all likelihood, will not find out if and when they were (or their machine were) infected with malware.

How To Learn The Malware Victims’ Names?

Got hacked, but don’t know when, how or even if. That’s the state of many journalists in Turkey.

According to a researcher, it is very difficult to dig up names of people who were affected by the malware attack that was carried out by the same group in 2011.

However, the researcher said, in order to know the names of the victims, one could utilize pieces of information collected from telcos, related hosting providers and internet service providers whose facilities and infrastructure was used to carry out the attack.

Of course, the primary problem is that no internet service provider or hosting company or even telcos would agree to cooperate in such a situation. In fact, most of these companies have already declined to help identify the victims.

The researcher is of the opinion that these companies are bounded by their terms of service and hence any cooperation in releasing the identities of victims would be considered as a violation of the privacy of their subscribers.

In order to release the data, it would require a court order to be issued in the origin country, that is Turkey. At least that was what a Motherboard reporter was told by Vodafone.

Given the atmosphere surrounding Turkey and all the political turmoil (along with other problems such as conflict with ISIS, Russian ambassador assassination and unrest in the Kurdish region) in the country, getting any entity to release data about the malware attacks that took place would be an impossible task, several reliable sources told a Motherboard reporter

Pinar Dogan who works as a lecturer in the public policy department at Harvard Kennedy School said that no court in Turkey was going to issue an order that might lead to evidence that may be embarrassing to the government.

On the other hand, investigative journalist Baris Pehlivan (a victim of a previous attack that was carried out in 2011), conjectures that the most likely targets of the malware attack were people who had high ranks working as politicians and military personnel.

Baris also suggested that the malware attacks might have also targeted a certain section of the people who worked in the media. In fact, he went one step further and said that the malware attacks could have also been aimed at the various NGOs (Non Governmental Organizations) who work in the country.

If The Victims Are Unidentified, How Did Anyone Know About The Situation In The First Place?

Simply put, it all started with Arsenal Consulting and a request sent to the company by Pehlivan’s attorney who wanted the computer forensics and information security service provider to study and analyze Pehlivan’s computer and come up with its findings, pro bono of course.

Needless to say, the people working at Arsenal Consulting were able to find relevant clues during their investigation and that led researchers to unearth a massive malware attack infrastructure that was used to infect computer machines of other victims too.

Critics have questioned whether the Gulen movement was involved in framing journalists.

It was also revealed that the malware attack targeted other prominent people apart from OdaTV investigative journalists.

Mark Spencer, the digital forensic expert at Arsenal Consulting, told a reporter at Motherboard that there were more, probably many more victims of the malware operation.

Spencer further added that his company had confirmed that about 406 emails were sent out by the malware attackers during the operation and there might be more victims but his company had managed to confirm only 406.

He also stated that only 18 emails were recovered from known victims, which as readers can probably imagine, is not a lot.

According to Mark Spencer (the forensics expert), the attackers who infect multiple machines with malware were fairly motivated.

And perhaps that is the reason why they utilized, in Spencer’s estimate, at least 12 command and control hostnames along with about three cellular services. The malware attackers also made use of physical attacks and a vast number of trojans.

To understand how these malware attackers operated, Spencer was of the opinion that one needed to look hard at the way they attacked Pehlivan and got him all caught up in a terrorism case.

Spencer explained that when the investigative journalist was the target, the malware attackers planted the documents on his computer’s hard drive. He said that the documents on which Pehlivan was held accountable were placed on his machine on a certain Friday night.

The fake documents, because of which Pehlivan was accused of being involved with terrorism activities against the state, were put on his computer by a person who was able to gain access to the newsroom.

That unknown someone then proceeded to remove the hard drive from Pehlivan’s computer and then copied the fake documents on the hard drive and then continued to reinstall the hard drive back into Pehlivan’s machine.

Coincidentally, or maybe not so coincidentally, the next Monday morning saw the Turkish National Police raid the newsroom and confiscate the investigative journalist’s personal computer.

What’s more interesting is that, since then, Spencer and his company, have also revealed that there was another attempt to plant documents into the journalist’s computer before the infiltration operation into the OdaTV office began.

The malware attackers tried to infect Baris’s machine with fake documents using methods such as malicious email attachments. Once the receiver of the email opens and saves the email attachment on his/her computer, the malware infects the system and executes whatever it is programmed to execute.

Moreover, the same group of malware attackers also tried to alter the documents on Pehlivan’s computer through the use of a USB drive which would have allowed the attackers to control his computer machine through remote means.

The number of malware attacks in Turkey is well over world-average.

Arsenal Consulting recently uploaded a document that should the exact email that was sent to Pehlivan’s computer by the malware attackers. The document, in the form of a pdf, showed that the email attachment was supposed to deploy a malicious Bandook remote access trojan which can be installed on any computer using Adobe Reader vulnerability.

The consulting company also found that Pehlivan’s computer machine was loaded with RATs (Remote Access Trojans). Remote Access Trojans are basically a form of malware that is specifically designed from the ground up to control a computer machine from a remote location that may be miles away physically speaking, in terms of distance.

Most Remote Access Trojans are used to spy on the host machine (in this case Pehlivan’s) but their most critical function is to snatch sensitive information that may be present on the host machine.

Remote Access Trojans can also help malware attackers download files directly from the infected host’s machine.

Arsenal Consulting were able to find several Remote Access Trojans among which the most notable ones were the Turkojan, Bandook, and a rare beta stage Ahtapot. Ahtapot is essentially a trojan which has been weirdly named after a Turkish word which means octopus.

Spencer and his colleagues also stated that this was the first time, the company had seen the beta stage Ahtapot in action out the wild.

Moreover, in order to go deeper into the mess that was Baris’s case, Spencer studied and analyzed the computer which belonged to another OdaTV journalist by the name of Muyesser Yildiz.

Malware attackers infect Yildiz’s computer with the aforementioned Remote Access Trojans and were able to control his computer from a remote location.

By now, it should become rather obvious that Baris’s computer wasn’t the only one that was infected with Remote Access Trojans or malware. There were probably many more machines which were infected with the malware that allowed malware attackers to gain access to the machine’s documents.

Spencers also figured out, through much research rather, that the malware attackers used similar email addresses along with Remote Access Trojans, cellular services, and servers to attack other people connected with the case as well.

With that said, the digital forensic expert still has not been able to unearth the names of all the victims who were affected by these malware attacks. In fact, he doesn’t even know the number of total victims whose machines were compromised.

As mentioned earlier, in order to find the number and the names of the victims, he needs supporting information from telcos, internet service providers and hosting companies that provided their services to the malware attackers.

Based on privacy grounds, all of the involved companies have declined to help Spencer in his quest to find out the identities and the number of affected victims.

Matt Peacock, who works as the group director of corporate affairs at Vodafone, in an interview given to Motherboard via email told the reporter that as he had previously explained to the forensic computer researchers at Arsenal, it was against the law in almost every country, and not just Turkey, to release or provide access to private data without lawful authority.

He also added that jurisdiction was determined by where the data was held and so if the data in question was held in Turkey, it would need to be a Turkish court that issued any necessary order.

Baris Pehlivan pointed out to the reporter from Motherboard that he along with his attorney tried to get court orders but weren’t able to get any positive results. He told the reporter that the court orders got mixed up and stuck in bureaucracy.

Claudio Guarnieri, a technologist at Amnesty International, told Motherboard that there were cases documented from Latin America, through Africa, Middle East, and Asia that followed a similar pattern.

He also stated that besides the possibility of framing, and reputational damage, knowing you were being watched forces you to conform out of fear and hacking into someone’s computer or phone was the most invasive control method the attacker could exercise on someone.


Zohair A. Zohair is currently a content crafter at Security Gladiators and has been involved in the technology industry for more than a decade. He is an engineer by training and, naturally, likes to help people solve their tech related problems. When he is not writing, he can usually be found practicing his free-kicks in the ground beside his house.
Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.