KDMS - Crawl out from under the rocks

  1. Identification of several potential members of KDMS Team, a pro-Palestinian group that conducted DNS-hijacking attacks and defacements against AVG, LeaseWeb, Avira, WhatsApp, and Rapid7.
  3. KDMS Team (@KDMSTeam) was identified as having been active on Twitter for less than one day (as of 8 October). Of particular interest were several accounts that @KDMSTeam was following. There were 16 Twitter accounts that KDMS Team was following as of 8 October 2013:
  5. @wassemashraf (Wassem Ashraf) has been on Twitter for 383 days and tweeted only twice. Last tweet was 323 days ago.
  7. @abuwessam90 (Omar Ashraf; possibly related to, or same as, Wassem Ashraf) has been on Twitter for 144 days and has tweeted only once. Last tweet was 143 days ago. Confirmed to be closely associated with (if not related to) Wassem Ashraf.
  9. @123storm123 (Storm) has been on Twitter for 1182 days and has tweeted only once. Last tweet was 1181 days ago (asking @w3bd3vil how to load server.exe into an xls).
  11. @HassanAboAbed (Hassan Abuabed) has been on Twitter for 1150 days and has tweeted only once. Last tweet was 156 days ago.
  13. @white_2_2 (M4St3r M1ND), a highly suspected user behind #KDMSTeam.  
  15. The letters in KDMS Team stand for the initials of the names/usernames of the team members:
  16. Kolmtk (u0@hotmail.com)
  17. Dod (eil@hotmail.com)
  18. M4st3r (w.9@hotmail.com)
  19. S4w (jd@hotmail.com)
  21. @white_2_2 (M4St3r M1ND) is likely one of the key actors behind KDMS Team
  23. Because of KDMS Team’s relatively new presence on Twitter, it is highly suspicious that it knows about, and follows, accounts that have not been active or tweeted for 6 months to over 3 years.  
  25. the same individual or group established all four accounts, based on the similar lists of followers and followees of the four accounts.
  27. As of 9 October, KDMS Team had over 1650 followers and itself was following only eight accounts instead of the 16 it followed the day prior. None of the four accounts listed above were followed by KDMS as of 9 October, which was indicative of possible deception by the group to mask or hide their association with these members.
  29. As of 11 October, #KDMSTeam was following 0 accounts. This can be seen as a method of deception and plausible deniability by members of KDMSTeam.
  31. There was one Twitter handle of interest that was being followed by KDMS Team (as of 9 October):
  33. @jstmohand (Mohanad) has been on Twitter for 887 days and has tweeted 5950 times. Last tweet was 9 October 2013.
  35. Additionally, there is a handle with a similar name that also follows @wassemashraf: @mohnadk (Mohannad CoooL).
  37. KDMS Team has two affiliated Facebook pages, one being a Community Page, the other labeled as a “Video Game” page.  
  39. High-fidelity match for Wassem Ashraf’s Facebook page to the Twitter account above
  41. Wassem Ashraf: www.facebook.com/WASSEM.ASHRAF.AGAH
  42. Omar Ashraf: www.facebook.com/abo.wessam.90 (coincidence that one of the Twitter accounts was @abuwessam90, no?)
  43. Firas Abu Azab: www.facebook.com/firaz.abuazab
  46. There is also a Facebook associate/follower of Wassem, Mohanad Abudalfa, who is currently only a first-name match for @jstmohand (Mohanad):
  48. “people who Like KDMS Team” populated an extensive list of Facebook members. Within the list, only one individual, Firas Abu Azab (Abo Omr), was listed as being “From” or “Lives In” Gaza (Palestine). No other members within the first 10 pages (120 results) were indicated as being from or living in any Palestinian territory other than Firas Abu Azab. Firas posted a few references and updates to KDMS Team’s recent activities and attacks, further suggesting some level of involvement or affiliation to the group (at least more so than other members that simply “Like” KDMS Team).
  50. Firas indicated in the “About” page the following information:
  52. Current Residence:  Gaza, Palestine
  53. Address: Khan Younis near the Nasser Hospital (Palestine)
  54. DoB: July 16, 1984
  55. Family Members: Sameh Abu Azab (Nephew), Hasan Abu Azab (Cousin), Waseem Mahmoud (Cousin)
  57. The following are suspected of being involved with, being members of, or being closely associated with members of KDMS Team:
  58. @wassemashraf (Wassem Ashraf)
  59. @abuwessam90 (Omar Ashraf)
  60. @white_2_2 (M4St3r M1ND)
  61. @mohnadk (Mohannad CoooL)
  62. @jstmohand (possibly Mohanad Abudalfa, unconfirmed)
  63. Firas Abu Azab
