In the 30-page research post, Juan Andres Guerrero-Saade, the principal threat researcher at SentinelLABS, and Igor Tsemakhovich said the campaign was known as Octopus Brain and the research showed that it was connected to a toolkit called Rad which had been built in 2010 and used until 2015.
The two researchers said there were hardcoded email addresses in some Rad samples to which data from victims' machines was sent; one address had been mentioned in connection with a case against rogue members of the Turkish National Police and executives of a company known as Datalink Analiz. Rad was referred to as HORTUM in papers relating to this case.
Guerrero-Saade and Tsemakhovich said the SentinelLABS team had tracked the affairs of Datalink Analiz and this led to suspicion that EGoManiac used Remote Control System, software from the now defunct Italian infosec firm HackingTeam, for hacking purposes even in 2011.
A detailed, at times laborious, account of the background to this story has been written by the freelance American technology journalist Kim Zetter who was provided the SentinelLABS research before it was released to the public.
In that account, Zetter states that Guerrero-Saade wanted to give the research to some other unnamed journalist in order to ensure wider coverage, as she [Zetter] now publishes on her own blog on the site Substack. But that individual turned down the story and Zetter was given the 30-page document.
"What we refer to as EGoManiac is a cluster of two notable campaigns starting as early as 2010," the SentinelLABS report says. "The first campaign came to be known in research circles as ‘Octopus Brain’, based on the Turkish strings ‘Ahtapot’ and ‘Bejin’ left in the malware.
"This original campaign used a combination of publicly available RATs [remote access trojans] (including Turkojan and Bandook) as well as the closed-source Ahtapot, with delivery methods ranging from malicious documents to personal visits by the attackers."
Guerrero-Saade and Tsemakhovich said they initially became aware of the case from Turkish court documents about arrests of journalists at OdaTV.
"Much greater detail came to light thanks to the excellent work of the folks at Arsenal Consulting," they wrote.
"Their forensic investigation not only proved the presence of the malware and the physical interdiction of the victim systems, but also established the attacker’s access as the definitive source of the incriminating documents on those systems that were then used to justify arrests by the Turkish National Police.
"The journalists were ultimately acquitted by a court in 2017 – six years after the attacks."
The data stolen from the journalists at OdaTV was sent to the email address johndown at woxmail dot com, according to reports on Turkish websites in 2016. These reports were about a bid to prosecute rogue police members and executives of Datalink Analiz who were reportedly leaking information about active police operations.
Guerrero-Saade and Tsemakhovich wrote: "The leaks were reportedly used by FETO/Gülenist movement social media accounts to fuel conspiratorial elements in an ongoing power struggle within the country."
The Gülenist movement is a political/religious group led by the US-based Turkish Muslim leader Fethullah Gülen.
Guerrero-Saade and Tsemakhovich said SentinelLABS' research was informed by Zetter's investigation, during the course of which she had obtained a report written by a prosecutor handling the case. Zetter had also written about a woman who was hacked in the US in 2013, apparently with tools from HackingTeam's arsenal.
"The victim suspected that she was targeted by Gülenist elements that had infiltrated the Turkish government," Guerrero-Saade and Tsemakhovich said. "However, HackingTeam continued to assert that it only sells its tools to governments and did not confirm Turkey’s status as a customer.
"Now, in the aftermath of Phineas Fisher’s devastating hack-and-leak operation against HackingTeam, we can independently confirm that Turkey was in fact a customer of HackingTeam at the time – but who exactly was their customer in Turkey?"
Guerrero-Saade and Tsemakhovich admitted that part of the research was built on thin evidence. "The connection between the EGoManiac umbrella and this specific sub-cluster of Hacking Team RCS is built on the admittedly thin strand of the 'Datalink Analiz' shell company," they wrote.
RCS was the main tool sold by HackingTeam, which was founded in 2003. It enabled the extraction of files from a targeted device, interception of emails and instant messaging, and also remote activation of the webcam and microphone on a device.
The company suffered a data breach in July 2015 and the use of RCS by repressive regimes around the world was confirmed. HackingTeam was forced to ask its customers to suspend the use of RCS after about 400GB of its data was leaked.
But samples of RCS were found in 2018, with a researcher at the Slovakian security firm ESET saying these had been noticed in 14 countries.
In conclusion, Guerrero-Saade and Tsemakhovich wrote: "The case of EGoManiac is far from straightforward. It involves difficult investigative connections that test the boundaries of our visibility, the efficacy of our research tools, and the limits of purely technical attribution.
"Beyond the technical exercise, it’s a profile of a threat actor willing to spy on both friend and foe and to use that access to malign and entrap journalists without compunction.
"While this particular intrusion set is outdated, the questions it raises speak to the friction between the unsupervised governmental use of malware and the integrity of public institutions, rule of law, and evidentiary standards. They are more relevant now than ever before."