Thursday, 09 September 2021 11:15

Details of campaign that targeted Turkish journalists uncovered Featured

Details of campaign that targeted Turkish journalists uncovered Image by Here and now, unfortunately, ends my journey on Pixabay from Pixabay

A team at security shop SentinelLABS has released detailed research about a threat actor it has dubbed EGoManiac, which operated between 2010 and 2016 and messed with Turkish TV journalists at OdaTV in order to place incriminating documents and malware on their devices.

In the 30-page research post, Juan Andres Guerrero-Saade, the principal threat researcher at SentinelLABS, and Igor Tsemakhovich said the campaign was known as Octopus Brain and the research showed that it was connected to a toolkit called Rad which had been built in 2010 and used until 2015.

The two researchers said there were hardcoded email addresses in some Rad samples to which data from victims' machines was sent; one address had been mentioned in connection with a case against rogue members of the Turkish National Police and executives of a company known as Datalink Analiz. Rad was referred to as HORTUM in papers relating to this case.

Guerrero-Saade and Tsemakhovich said the SentinelLABS team had tracked the affairs of Datalink Analiz and this led to suspicion that EGoManiac used Remote Control System, software from the now defunct Italian infosec firm HackingTeam, for hacking purposes even in 2011.

Web Analytics
There are political aspects to the research as well, given that Guerrero-Saade cites a 2013 report on the use of RCS against a Turkish victim in the US.

A detailed, at times laborious, account of the background to this story has been written by the freelance American technology journalist Kim Zetter who was provided the SentinelLABS research before it was released to the public.

In that, Zetter states that Guerrero-Saade wanted to give the research to some other unnamed journalist in order to ensure wider coverage as she [Zetter] now publishes on her own blog on the site Substack. But that individual turned down the story and Zetter was given the 30-page document.

"What we refer to as EGoManiac is a cluster of two notable campaigns starting as early as 2010," the SentinelLABS report says. "The first campaign came to be known in research circles as ‘Octopus Brain’, based on the Turkish strings ‘Ahtapot’ and ‘Bejin’ left in the malware.

"This original campaign used a combination of publicly available RATs [remote access trojans] (including Turkojan and Bandook) as well as the closed-source Ahtapot, with delivery methods ranging from malicious documents to personal visits by the attackers."

Guerrero-Saade and Tsemakhovich says they initially became aware of the case from Turkish court documents about arrests of journalists at OdaTV.

"Much greater detail came to light thanks to the excellent work of the folks at Arsenal Consulting," they wrote.

"Their forensic investigation not only proved the presence of the malware and the physical interdiction of the victim systems, but also established the attacker’s access as the definitive source of the incriminating documents on those systems that were then used to justify arrests by the Turkish National Police.

"The journalists were ultimately acquitted by a court in 2017 – six years after the attacks."

The data stolen from the journalists at OdaTV was sent to the email address johndown at woxmail dot com, according to reports on Turkish websites in 2016. These reports were about a bid to prosecute rogue police members and executives of Datalink Analiz who were reportedly leaking information about active police operations.

Guerrero-Saade and Tsemakhovich wrote: "The leaks were reportedly used by FETO/Gülenist movement social media accounts to fuel conspiratorial elements in an ongoing power struggle within the country."

The Gülenist movement is a political/religious group led by a US-based Turkish Muslim leader Fethullah Gülen.

Guerrero-Saade and Tsemakhovich said SentinelLABS' research was informed by Zetter's investigation, during the course of which she had obtained a report written by a prosecutor handling the case. Zetter had also written about a woman who was hacked in the US in 2013, apparently with tools from HackingTeam's arsenal.

"The victim suspected that she was targeted by Gülenist elements that had infiltrated the Turkish government," Guerrero-Saade and Tsemakhovich said. "However, HackingTeam continued to assert that it only sells its tools to governments and did not confirm Turkey’s status as a customer.

"Now, in the aftermath of Phineas Fisher’s devastating hack-and-leak operation against HackingTeam, we can independently confirm that Turkey was in fact a customer of HackingTeam at the time – but who exactly was their customer in Turkey?"

Guerrero-Saade and Tsemakhovich admitted that part of the research was built on thin evidence. "The connection between the EGoManiac umbrella and this specific sub-cluster of Hacking Team RCS is built on the admittedly thin strand of the 'Datalink Analiz’ shell company," he wrote.

RCS was the main tool sold by HackingTeam, which was founded in 2003. It enabled the extraction of files from a targeted device, interception of emails and instant messaging, and also remote activation of the webcam and microphone on a device.

The company suffered a data breach in July 2015 and the use of RCS by repressive regimes around the world was confirmed. HackingTeam was forced to ask its customers to suspend the use of RCS after about 400GB of its data was leaked.

But samples of RCS were found in 2018, with a researcher at the Slovakian security firm ESET saying these had been noticed in 14 countries.

In conclusion, Guerrero-Saade and Tsemakhovich wrote: "The case of EGoManiac is far from straightforward. It involves difficult investigative connections that test the boundaries of our visibility, the efficacy of our research tools, and the limits of purely technical attribution.

"Beyond the technical exercise, it’s a profile of a threat actor willing to spy on both friend and foe and to use that access to malign and entrap journalists without compunction.

"While this particular intrusion set is outdated, the questions it raises speak to the friction between the unsupervised governmental use of malware and the integrity of public institutions, rule of law, and evidentiary standards. They are more relevant now than ever before."

Subscribe to ITWIRE UPDATE Newsletter here


The much awaited iTWire Shop is now open to our readers.

Visit the iTWire Shop, a leading destination for stylish accessories, gear & gadgets, lifestyle products and everyday portable office essentials, drones, zoom lenses for smartphones, software and online training.

PLUS Big Brands include: Apple, Lenovo, LG, Samsung, Sennheiser and many more.

Products available for any country.

We hope you enjoy and find value in the much anticipated iTWire Shop.



iTWire TV offers a unique value to the Tech Sector by providing a range of video interviews, news, views and reviews, and also provides the opportunity for vendors to promote your company and your marketing messages.

We work with you to develop the message and conduct the interview or product review in a safe and collaborative way. Unlike other Tech YouTube channels, we create a story around your message and post that on the homepage of ITWire, linking to your message.

In addition, your interview post message can be displayed in up to 7 different post displays on our the site to drive traffic and readers to your video content and downloads. This can be a significant Lead Generation opportunity for your business.

We also provide 3 videos in one recording/sitting if you require so that you have a series of videos to promote to your customers. Your sales team can add your emails to sales collateral and to the footer of their sales and marketing emails.

See the latest in Tech News, Views, Interviews, Reviews, Product Promos and Events. Plus funny videos from our readers and customers.


Sam Varghese

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.

Share News tips for the iTWire Journalists? Your tip will be anonymous




Guest Opinion

Guest Reviews

Guest Research

Guest Research & Case Studies

Channel News