Exclusive: Interview With Hacker YamaTough

Friday, January 13, 2012

Anthony M. Freed


Update: Symantec Hacked in 2006? Claim Raises More Questions

Symantec now claims that the company's own networks were in fact breached back in 2006, leading to the loss of proprietary product data: "...an investigation into the matter had revealed that the company's networks had indeed been compromised"...

*   *   *

Update:  Hacker to Release Symantec's PCAnywhere Source Code

"YamaTough, spokesperson for the hacktivist group “The Lords of Dharmaraja”, informed Infosec Island of plans to release source code for Symantec's PCAnywhere. The release is to be made prior to the threatened exposure of the full source code for the Norton antivirus..."

*   *   *

Update: “The Lords of Dharmaraja” claim to have released the source code for Symantec's Norton Utilities, as was threatened earlier in the day on Friday January 13, 2012.

The alleged data dump has not been officially confirmed, and company officials have not yet released a statement. Sources are working to confirm the validity of the claim.

On Saturday January 14, 2012, YamaTough posted a similar threat to release the source code for Symantec's antivirus product: "This coming Tuesday behold the full Norton Antivirus 1,7Gb src, the rest will follow," the hacktivist stated via Twitter.

More details will be provided as they become available.

*   *   *

YamaTough, the spokesperson for the hacktivist group “The Lords of Dharmaraja” who sent Infosec Island 68 sets of usernames and passwords for compromised US government networks, has provided our publication with a series of statements regarding the group's recent exploits.

As previously reported, the hacktivists are responsible for exposing parts of the source code for the 2006 version of Symantec's Norton antivirus product, as well as posting questionable documents online that showed that the United States-China Economic and Security Review Commission (USCC) was possibly breached.

The documents also contained possible evidence that several mobile device producers may have voluntarily provided product information to the Indian government for the development of backdoors that could be used for surveillance purposes in exchange for granting access to the Indian marketplace.

The hacktivist group maintains claims that the information was obtained from servers owned and operated by various ministries of the Indian government.

YamaTough indicated the group is in possession of data from several companies other than Symantec, and they have yet to decide whether or not they will make the information public, though they have stated that they may be inclined to do so.

Infosec Island has made all of the materials received and communications undertaken with YamaTough available to the proper authorities, and we are continuing to fully cooperate with law enforcement in their investigation.

The following is our best attempt to organize the statements YamaTough has provided in multiple communications with Infosec Island staff.

Some of the statements were made in direct response to the questions posed, while some were incidental to other conversations not formally organized as an interview, which Yamatough then referred Infosec Island to for clarification and inclusion in this exchange.

Our intention is to furnish as accurately as possible the full and unadulterated conversation while also attempting to provide some structure for the sake of clarity and flow.

The statements attributed to YamaTough are unedited, except for the appearance of the word "frak" because of our policy against graphic profanity, and the use of "[redacted]" where sensitive information is exposed.

Q: Can you confirm all the information you have provided was actually acquired from Indian government servers and not taken from US government servers by your team?

“no we did not frak with Us gov systems, we only do Indian since we are in opposition to indian gov not us   - we even want a pro us gov in here instead of thees bastedz who r in charge in here now. I confirm we found all the stuff at indian gov machines.”

Q: Which Indian government systems were hacked in order to acquire this information?

MEA.GOV.IN and all the intel wings in consulates worldwide were breached… the source of is mea.gov.in and their compromised vpn accounts by means of RAT through it we got inside the network to roll out...them crooks have source codes not only for Symantec products not limited to nav. There's much more for next releases including not only software but also stuff which was sniffed on by Military Intel just like we provided William Reinsch and Chuck Ditrich of us-lba.org etc etc.”

“shall I provide some technical data as of which accounts were compromised at indian mea? Ok, Just so we wont compromise all of our botnet, I shall provide only one which was the keystone to the whole drama.  http://rcilab.drdo.in/   Satheesh Reddy got infected with our custom dezigne RAT tool, from there it spread like a worm infecting pretty much the whole Indian governemt network including mea.gov.in nic.in etc.”

Q: How do you think the Indian government came into possession of the usernames and passwords for US government networks?

“By gaining access to the personal machines of these gov employees it was easy to obtain vpn accounts “l:p: to which most of them store as backup on their yahoo.com etc. accounts. So the deal is -   a gov employee is using his gov email which forwards sensitive info to free based emails where this info stored. Just in case they forget something - lame? you bet that's the reality. The RAT tool which was utilized can't be detected even with Kaspersky Pro Active Def - so it gives us an oportunity to do pretty much everything - those indian gov ppl - are ordinary people - they are using their own laptops at work and at home - watching porn, downloading mp3, etc. thus getting infected with a RAT by means of 0day. Those are details you dont need to know - this is general overview.”

“What is the most important that DRDO is the one who's in charge of the whole SURveillance network and our raw data (edited for you) states that they are also monitoring personal information of ordinary people so the ambition here is to create more powerfull stuff than
[redacted] operates - India is a powerfull country and they got the potential by being a BRIC project.”

“They target
[redacted] and [redacted] system by gaining access to personal relationship of citizen with the government. we made a screenshot of a random account so you wont verify them yaself since it's illegal [redacted] [redacted]  And one random pdf document from Military wing in Paris - to tell them that nomatter what they did we are still in - it's fresh 03th of this month.”

“An example of the government "bot" also utilized in this hack -  this one just to illustrate synchronization of Indian military gov emails with the free webbased accounts : [redacted]  PASS: [redacted] [redacted]   Screenshot of "bot's" yahoo account including the arrached passport which is indicated on the screenshot email message”

Q: How would you characterize the data you have in your possession?

“As of companies there's a dozen. As of Sym there's a lot of code but I want you to ask them to comment on that file list we provided on pastebin why wont they publicly say what that is? and if it is a match let them publicly admit that the whole code is in posession (I think they wont anyway) LEt them crossmatch the pack. Me and my fellas are stil negotiating whether to do an actual pub and when and do it only to SYm or to other companies also. We are hesitating because we see that everybody's stuck with Symantec but noone actually said anything about outsourcing and we see how governments covers up the USCC story, none of them crooks got to a point of admitting that there''s problem with Indian spying on federal government of USA.”

“on MOD machines stored source codes for ALL SYM shit, ALL APPLE shit includin IOS source, to name a few also many many transmission logs apparently gotten to them over the backdoors in mobile phones. We just grabbed what we saw and post it, there's gigs of stuff in dere including transmissions with Chinese NORINCO executived about purchasing technology from Raytheon etc etc etc”

Q:  What was the level of security practiced by the Indian Government?  Did you use exploits against the servers? Did you break in using APT style attacks via social networking or email?  Was it easy or could anyone have done it?

“trojan horse developed by my team being undetected by any of the avp sftwr and 0day exploit to infect the whole gov like a worm, check it out I gave you samples of the infected government officials and commmanders....”

Q: What have been the repercussions from the Indian Government? Have they tightened up security?

“all they did changed passwords for vpn account - our trojans are still keyloging the new ones. The way they operate is so dumb - what they did they've taken the leaked documents - took the griefs - located where it did come from - called that office or embassy or whatever and they changed passwords - lame. They seem like smart ones only  on paper and the way they pretend to look like badass institutions and system like US wanabees. Theres nothing really extraordinary or awesome in their networks. Some of them are old as crap”

As soon as we r over with the blockade we experience from Indian and US LE and Intel, since the issue not really in Symantec but In fact that India is spying on USCHINA ECON SEC commission (example William Reinsch Larry Wartzel, Dan Slane, Michael Dannis etc emails) we think since they are former [redacted] US and India block our mirrors and we have many of our brothers now under search and ceizure warrants pending Symantec is not a big deal they just happened to sign an agreement with Indian MI thats all the deal is what kind of stuff we;ve owneed by owneeing MEA servers...we expect to publish by 10th -16th this month.”

Q: Did you find data carefully archived or was it residing on end users' computers?

“some data is cryptoarchived - software used is designed by personell programmers - they do no imply public soft like truecrypt bestcrypt diskcrypt and such.  what's astounding is that the programme is so diverse and dispersed all over the world that there's no such thing as centralized governance of the system - spread and therefore weak - humans/employees make mistakes and some  do not use crypto at all even have weak passwords to their email accounts located in gov domain - they think that if they use gov vpn to download email password doesnt matter at all. they way they store info on public free webmails as backup.”

Q: Can you tell how and to whom intelligence is distributed? What is the structure of Indian cyber espionage operations?  Do they have a dedicated team of cyber spies? Do they contract the work out to hackers?

“Both are same questions so later”

Q: Is the material you see focused on gathering Intel about China?

“Worldwide - different departments do have sublayers one of them was china - result uscc case - by the way you only seen uscc emails which were in the document ? did you get the whole archive of uscc emails with attachment? Looks like it is going public so we have to start working on a more complex article until the uscc commissioners made the news and shit about PRC - people republic of china intercepeted communications,,, since its time for presidential elections in us things can get nasty coz of this…”

Q: Can you detect any signs that India is working with Russia to engage in cyber espionage against the US?

“BRIC has develloped as a counter us intelligence unit widespread .... an example I show you some of the data which we have published on our google+ account prior to the Symantec release - in addition I ad an update on this operation - India has hundreds of separated data intercept programs Rinoa is just a mobile device stuff,   there are others which are targeted at gathering information on everysingle person in countries like USA and UK as sample I provide some of the stuff they got... unfortunatelly i can not give you raw data since it will compromise our operation and it is too large and gibberish.”

Q: What are your motivations for releasing this information?

Our goal is [Sunil] Bharti Mittal go off politacl arena and stop manipulating our government,” India bought the right to spy on people worldwide by getting src from all major sft mnfctrs wegot many things to say so ...”

“yes you are welcom and tell the everyone that my team is pro US we fight for rights in our contry we are not intentionaly harm US companies (sometimes we do hack into since our botnet is worldwide) but we do not steal credit cards and make money of it and we do not do banks etc. Our mission - exposure of the corruption. We wanna appologize for harm taken by the Symantec USCC and others,,, but without them being involved things which do occure in our state would never be covered and taken to the public, sometimes you have to sacrifice in order to achieve...and we do not approve sharing personal data and source codes with foreign governments. We want free and nice India and not police state, so ask ?, let feds ask also, and we have questions to symantec (for now) later we shall ask other companies involved which we have come to posesses data of.”

YamaTough also posted the following statements, among others, in comment threads on related articles at Infosec Island:

In regards to the breach of US government systems:

  • 1-11-2012: “Who wants symantec story as of now ? Who cares about symantec as of now? You guys should care not about one corp entity but the whole homeland security and why foreign entity should know how much tax you pay and what clarity are your contact lenses”

In regards to authenticity of previously leaked documents:

  • 1-12-2012: “it would be stupid thinking that involved party admits to authenticity of the documents - they had hard time admitting to Paris leak, now they state that office Singh doesnt exist =) They will deny it anyway. Let's make USA decide what's authentic and what is not. We have still 1000 "leak" missles to launch at Indian government to prove otherwise. No matter how they deny it - there are independent parties who will get to a point where lying turns into "harakiri"”

During the course of drafting this article, YamaTough threatened the imminent release of source code for Symantec's Norton Utilities product in an Infosec Island article comment thread:

  • 1-13-2012: "Today we release Norton Utilities to accompany Symantec lawsuit. Goodluck Mr.Gross with ya crusade =) Stay tuned for a link. Link will get published on our twitter, not here - of all respect to infosec staff."

YamaTough also posted a statement on Twitter:

  • " Stay tuned it's almost uploaded. It's Friday the 13th for Symantec, we wonder what's comming for the next Halloween =[]   "

The reference to "Mr. Gross" is related to a class action lawsuit filed in the United States District Court, Northern District of California, San Jose Division - the jurisdiction where Symantec is headquartered.

The suit, filed by Washington state resident James Gross on January 10, 2012, alleges Symantec has employed the use of "scareware" - free computer diagnostic scanning services - to induce consumers to purchase the company's products by reporting the presence of malware or other infections on the users' computer.

A copy of the filing can be found here:

Infosec Island will follow up on these events as information becomes available. Stay tuned…

Possibly Related Articles:
Information Security
Apple Government Symantec Scareware Espionage Network Security USCC Nokia Hacktivist National Security Surveillance Lawsuit Law Enforcement Source Code United States India The Lords of Dharmaraja YamaTough RINOA SUR RIM Gross v Symantec
Post Rating I Like this!
Bobby Mann This makes me laugh, and really shows the type of people we are dealing with. First, if these idiots had bothered to check the source code (and yes I downloaded the 120mb .rar last night before it was pulled, they would see that this too is a vey old version of the product (circa 2005 - and a good chunk of it with code as far back as 1997-2000). Once again with this "prized" theft, the vast majority of the code has been discontinued or obsolete based on hardware changes (64bit, etc.), computing advancements in OS's (kernel driver, memory management, file system changes, etc.), and acquisitions - remember Symantec acquired PCtools - there was a reason. Unfortunetely for them and the person who initiated the lawsuit, is no usable code in this release that could in any way affect the outcome of this frivolous lawsuit. While it is concerning HOW and WHERE (still not convinced of the source claimed) the code was obtained, thankfully it's nothing that should pose a threat to Symantec or Symantec's users.
Bobby Mann One thing that I will mention is that there are telltale signs in every source code tree constructed that indicate origin, access, etc. I will leave it at that. But this is not from the Indian Government.
David Noergaard Bobby Mann, I have never heard of this. Can you elaborate?
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.