Reading Time: 17 minutes

Kelvin Security and Spectre, investigating possible relationships

Introduction

The Yarix Cyber Threat Intelligence Team (YCTI) has conducted an investigation that has discovered a possible relationship between the threat actor Kelvin Security with another threat actor called Spectre. This relations was identified through the discovery and analysis of an indicator found within an Italian governmental leak that was shared by a malicious actor. The following analysis attempts to identify links between both threat actors by reconstructing the last months of public activity of the Kelvin Security group.

Brief introduction of the KelvinSecurity group and Spectre

Kelvin Security is a threat actor (TA) who is believed to be active since 2013. The group has been targeting critical infrastructure, governmental targets as well as private companies. It is believed that Kelvin is composed of many members and the original funders might come from South America.[1] The group exploits web pages and vulnerabilities in exposed services as well as make use of stolen corporate credentials to extract large sets of internal data and selling them on Dark Web forums.[2] Only in the last three years, the group has attacked more than 300 organizations in more than 90 countries around the world. Notorious recent leaks and corporate credential selling released by Kelvin Security are BMW (2020), Walmart (2022), the Italian Ministry of Transport (2022) Vodafone Italia (2022), the German Institute of Global and Area Studies – GIGA – (2023).

Spectre is the owner of a data leak site called Intel Repository. The threat actor is specialized in sharing classified leaks related to governments and armed forces. It is believed that the threat actor has been active since 2020. Spectre describes itself as a data broker. One of the most famous leaks shared by Spectre is a set of files released in 2020 of a defense manufacturer called Havelsan containing NATO and Turkish military documents.[3] According to open source information, there is no evidence that the Threat Actor exploits vulnerabilities to obtain data, rather, the TA search for, buys and shares leaks. Currently, Spectre is the owner of the data leak site called Intel Repository and the Intel Exchange Telegram channel. In July 2023, Spectre acquired the Telegram channels originally used by the group Kelvin Security as a result of the group’s alleged retirement.

The official Telegram logos of Kelvin Security (on the left) and Intel Exchange (on the right)

 

The Italian Federal Police leak

The YCTI Team collaborates with national law enforcement organs by informing when relevant data leaks and indicators of compromise are identified in the cyber underground.

In this case, the investigation started at the end of April 2023, when evidence of a compromised Italian State Police e-mail account was circulating in specific Telegram channels. The selling of the access has been advertised through the Telegram channel called Classified documents sale by AIG. In the sample provided, the threat actor shared screens of a webmail inbox showing the account that has been allegedly compromised.

 

The sample from the Telegram channel Classified document sale by AIG.

Initially, the YCTI team found it suspicious that some of the images contained elements and words translated into Spanish. This aspect contributed to the idea that the images could have been somehow fabricated by a distracted non-Italian-speaking threat actor which might have misled Italian and Spanish words.

However, the proofs seemed to be legitimate as the e-mail contents describe official high-level institutional meetings between Italian and foreign leaders which actually took place during April 2023.[4]

The sample shared by the threat actor – e-mail describing the Visit of the Prime Minister of Ukraine April 26, 2023.

Official Statement of the Prime Minister of Ukraine visit to Italy (source: Ukraine government portal).

Unfortunately, further direct contact with the threat actor did not bring any useful indicator that would have clarified the context and legitimacy of the data provided. A few days later, the post was removed from the Telegram channel.

Later on, similar announcements announcing the sale of Italian Federal Police documents circulated within two different Telegram channels, the first one called Intel Repository and the second called Intel Exchange. While the first post published in June was deleted after two days and did not contain any useful indicators, the second message published in July contained a URL address leading to a set of proofs matching the ones already shared back in April 2023.

As it will become clearer later in the article, both June and July posts were published by the same Threat Actor called Spectre. While the first message was published on the official Intel Repository Telegram channel, the second was published on the former Kelvin Security channel which was acquired by Spectre in July 2023 and rebranded as Intel Exchange.

Evidences from the Telegram channel Spectre’s Intel Repository.

 

Evidences from the channel Intel Exchange (former Kelvin Security Telegram channel).

As a result of direct contact with Spectre, the administrator of the Intel Exchange Telegram channel, the YCTI Team was able to retrieve a noticeable amount of data which have been shared through a drive folder by the threat actor.

The shared folder contained an archive which was including a dump of around 600 megabytes of e-mails and attachments related to the Italian Federal Police account.

The screen of the drive folders containing the archive of the Italian Police e-mail dump

At this point, the YCTI Team shared the findings with the national law enforcement point of contact and continued the investigation using the available elements to gain more knowledge about the threat actor who shared the samples.

The analysis of the source of the page of the shared folder allowed the identification of an exposed e-mail address kelvin**@gmail[.]com.

Indicator of compromise (IoC) identified in the source page of the drive folder

Suspecting that the e-mail address was related to the threat actor Spectre, further research has been conducted to find any related service registered with the identified indicator.

Evidences from an e-mail address

Through OSINT techniques and the use of the YCTI internal platform, the YCTI team has been able to link the e-mail address to a specific username and Google ID. The e-mail address was correlated to a Gmail account registered with the username Mr чараўнік which translates from Belarusian to Mister Magician.

Gmail address: kelvin**@gmail.com

Username: Mr чараўнік

Google ID: 11*******

Following research on the username allowed the Team to find a match on one of the main former Kelvin Security channels (now called Intel Exchange) dated February 2, 2023.

Intel Exchange Telegram channel (former Kelvin Security Telegram channel)

The message was related to a conversation between the administrator of the Kelvin Security group (named PoC Exploiter) and one of the clients who was allegedly been scammed by the user Mr чараўнік (@XETZETA). The victim of the scam requested the admin the ban of the user Mr чараўнік. Interestingly, the admin of the Kelvin Security group affirmed that the scammer Mr чараўнік was part of the Kelvin Security staff.

Conversation posted on the former Kelvin Security Telegram channel – the user Intel Exchange was previously PoC Exploiter, the former Kelvin Security admin

The newly obtained evidence suggested that the user Mr чараўнік might have been part of the famous Kelvin Security Group. Therefore, the YCTI team conducted further research on the e-mail address trying to find services pointing to Kelvin Security and registering with the e-mail account.

Four results proved to be useful in linking the Gmail account of Mr чараўнік to the Kelvin Security group.

One of the accounts identified relates to a Github profile called kelvinsecurity and leads to a webpage where the user’s icon displays the icon of the group and the URL hxxp://www.ksecureteam.com/.

Github profile named kelvinSecTeam

The second result is related to the 2018 Wattpad leak and matches the username MilwormTech.

Wattpad user MilwormTech

In this case, indications of a possible relationship between the username MilwormTech and the Kelvin Security group can be found in an article describing an operation conducted by Kelvin Security where the personal information of Venezuelan President Nicolas Maduro was exposed.[5] The name Milw0rm is displayed in one of the notes that the group shares after compromising the organization.

Note shared by Kelvin Security Team

The YCTI Team is aware that this indication might be misleading as Milw0rm is a rather general username and recalls the name of a renowned website shut down in 2009. The site called Milw0rm specializes in sharing exploits and tutorials demonstrating how to take advantage of specific vulnerabilities. However, it seems that the website was not usually used for sharing leaks and was not active in 2016 – the date is shown in the note of the sample -. Therefore, Milw0rm might stand for the username of a threat actor collaborating with Kelvin Security.

A similar piece of intel seems to appear also when exploring the threat actor profile on the Cyber Shafarat intel website. In this case, the picture shows the same note including also the former Facebook profile likely related to the Kelvin Security group.

Source: hxxps://cybershafarat.com/tag/teamkelvinsecteam/

Following, a Duolingo profile associated with the e-mail address registered as AlgoritmoHacker was identified. Interestingly, the data linked to the Duolingo profile suggest that the user’s native language might be Spanish.

 

Evidence of the registered Duolingo account

Finally, it was possible to link the Gmail account with a user subscribed to Raidforums and called securityteam. Unfortunately, the YCTI team could not find any relevant additional information related to the Raidforums account.

Evidence of the Gmail account matching the username “securityteam” on Raidforums

Relations with Intel Exchange – Rebranding, partnership or just a casual collaboration?

All the pivoting around the e-mail address suggests that the e-mail indicator might be related to the Kelvin Security group. At this point, the YCTI Team noticed that it might be unusual for a threat actor to share samples contained in a drive folder that it does not personally own. In other words, if the e-mail is related to Kelvin Security and the URL address leading to the shared folder is shared by the admin of the Intel Exchange group, it might be possible that Spectre could be part of Kelvin Security or, at least, represents a very trustworthy party or collaborator.

The URL redirecting to the Italian Federal Police dump was only offered privately as a result of direct interaction with the Intel Exchange admin. In fact, the link posted on the intel repository website led only to the images and was only available for a limited time.

The announcement containing the URL redirecting to the image samples on the cached version of intelrepository.com

After attempting to find relations between the e-mail address and the Kelvin Security group, it was indeed interesting to find evidence linking Kelvin Security and Intel Exchange. The following evidence might suggest that Intel Exchange’s administrator has been dealing with Kelvin Security since at least 2020 which is believed to be the year in which the threat actor started its data brokerage activity.

As mentioned earlier, Spectre is a threat actor who sells confidential data related to governments and the military sector. The TA offers its latest leaks through a data leak site on the clear-web called Intelrepository. According to Who Is information, the domain was first registered in August 2020.

WhoIs Information regarding intelrepository.com website.

The website is divided into several sections. The leaks sections offer both paid and free leaks and it is possible to consult the samples or download the whole set of data by following the URLs available.

Intelrepository website

Among the data available, two links in particular stood out as both showed the same structure of the URL redirecting to the drive folder which contained the Italian Federal Police documents. Upon analyzing the source code of the drive folders containing the leaks, it was found that they all exposed the same e-mail allegedly related to Kelvin Security.

URL redirecting to drive folders available on Intel Repository exposing the e-mail address.

Further analysis on the history of the Intel Repository website shows the presence of URLs referring to a team called KelvinSecTeam.

Past links to leaks present on intelrepository website – Source: WayBackMachine, October 2020.

The presence of the Intel Repository admin was identified on several underground forums. The Threat Actor goes by the alias Spectre which is the same username used for the Telegram channel accounts and personal website.

It is possible to find Spectre’s accounts on many forums both Russian speaking such as XSS and Exploit as well as on more international forums such as the infamous BreachForums. The threat actor uses English as the main language of communication on both Russian-speaking forums, and BreachForums.

Evidence of Spectre’s account on BreachForums.

 

Spectre’s account on XSS

 

Spectre’s account on Exploit (currently banned, last visit December 2023).

Although no references or engagements between Spectre and Kelvin Security could be found on forums, the Exploit profile showed that one of Spectre’s followers is a threat actor called Adrastea. Adrastea became quite popular in 2022 after leaking the data of the European missiles manufacturer MBDA which exposed information related to NATO and the Italian Defense Ministry. Adrastea was also part of a partnership between the Threat Actor Ares and Kelvin Security back in 2023. The collaboration was officially announced and visible on Ares’s former data leak site.[6] Although no references to Intel Exchange are present, it is interesting to highlight a possible connection between different data brokers which might have had a common history of collaboration with the Kelvin Security group.

 

Evidence of Spectre’s follower Adrastea on Exploit forum and Adrastea profile on Exploit.

Image Source: CyFirma – Announcement of the partnership between Ares, Adrastea, KelvinSecurity and Ransomhouse.

By browsing the history of the posts published by Spectre it was possible to identify a thread announcing the restart of the operations of the threat actor and the relaunch of its website intelrepository.com on June 28, 2023.

Evidence of the reopening of the intelrepository.com project

The timing of the post coincides with two relevant events that are considered for linking Intel Exchange with a possible rebranding or partnership with Kelvin Security.

The first one is the final seizure of the domain breached[.]vc announced on June 23, 2023, after the arrest of the leader Conor Fitzpatrick (aka Pompompurin).[7]  The second one, coinciding with the retirement of Kelvin Security Group and the selling of their Telegram channel to Spectre, the admin of the intel sharing platform intelrepository.com.

Seizure of BreachForums

The arrest of Conor Fitzpatrick (aka Pompompurin and admin of BreachForums) on March 2023 was followed by numerous attempts to re-establish the original BreachForums by the second-in-charge-administrator Baphomet who, eventually, decided to shut down the project recognizing the danger of law enforcement who had access to Pompompurin resources. Also, many threat actors took the same decision and stopped their operations fearing that their operational security (opsec) could be ruined.

Therefore, when the new BreachForums reopened the doors with the help of the ShinyHunters hacker group, many threat actors resurrected and started to recruit again. One example is the infamous CyberNi****s group comprised of members such as IntelBroker which reformed the gang by gathering old fellows and recruiting new members.

Example of recruiting post of a former hacking group active on BreachForums

Kelvin Security was one of the main participants of the former BreachForums, sharing high-level governmental/military and private company leaks and gaining a ton of attention from the media as well as law enforcement. The group was posting not only on BreachForums but also on Telegram. However, as soon as the new BreachForums was up and running and feeling reliable once again, many threat actors were hoping to see Kelvin Security back in business. This event did not happen as Kelvin Security seemed to have completely stopped its activities during the summer of 2023.

This aspect did not go unnoticed and users on BreachForums started to wonder if their personal anti-heroes would ever be back in business. In a thread posted on BreachForums in July 2023, a user asked for news regarding the destiny of several well-known members active before the arrest of BreachForums’ administrator Pompompurin. Following posts, confirmed that Kelvin Security was not active anymore on the former Twitter platform confirming the inactivity of the group.

Thread identified on BreachForums

Direct information gained through undercover engagements with users on the forum confirmed that Kelvin Security was still active and collaborating with other groups although the team decided to become “invisible” most likely to lower the attention from law enforcement agents and protect their opsec.

Retirement of the KelvinSecurity Group

During the time between the arrest of Pompompurin (March 2023) and the final seizure of BreachForums, (June 2023) the Kelvin Security administration tried different ways to find a new place to advertise their leaks before retiring for good. At first, the group, between the end of March and the beginning of April 2023, pushed for the promotion of the website called Zer0DaySellers where old and new leaks related to Kelvin Security operations were uploaded.

Promotion of the zer0dayselles website from Kelvin Security admin PoCExploiter.

Promotion of the leaksite Zer0daySellers between April and July 2023 on Kelvin Security Telegram channel

However, the project did not seem to be a viable long-term solution. Therefore Kelvin Security admins decided to try and manage all the business throughout their main Telegram channel.

 

KelvinSecurity Telegram channel rules

It soon became clear that the idea of managing the business only through the Telegram channel populated by an audience of around 7 thousand users could become somehow problematic. The large number of fake accounts and scammers populating Kelvin Security channels might have been a huge hassle to moderate.

This aspect was highlighted in a message posted on Telegram, where the group’s administrator declared the stop of the operations. The reasons behind this decision were described in one of the last messages posted on July 27, 2023, by the Kelvin Security admin.

The main points behind the retirement are:

• Issues moderating multiple Telegram groups and scammers;
• members of the organizations withdrawn to follow their independent projects.

Last message from the Kelvin Security administrator

As mentioned before, it seems no coincidence that the decision to stop the operations might be related to the final seizure of BreachForums by law enforcement. Kelvin Security lost a huge channel of communication represented by BreachForums and could not manage to moderate alone a huge crowd of users on its Telegram channels. Additionally, it is safe to assume that the group was concerned about the consequences of information that might be in the hands of law enforcement after the arrest of Pompompurin and the final seizure of BreachForums.

In this circumstance the admin of intelrepository.com, Spectre, was able to take advantage of the situation apparently buying Kelvin Security’s main channel of communications, thus becoming the new administrator.

Announcement of the sale of the group

July 29 – Transfer of ownership (29 July 2023 – post), edit of the name and profile picture of the channel

July 29, 2023  – First message from the new admin Spectre

From the end of July, the admin of the group became Spectre. However, apart from promoting the leaks available on the website Intel Repository, the threat actor seemed to have experienced the same issue as the former owners, thus being unable to manage the huge amount of users and spammers populating the channel. Also, the change of ownership brought confusion among the users as the Kelvin Security channel remained the same despite the change of the channel title and profile picture.

The arrest of a KelvinSecurity member

In an unexpected turn of events, on December 10, 2023, the Spanish Police announced the arrest of one of the alleged leaders of Kelvin Security in the Spanish city of Alicante. According to the official statement released by the Policía Nacional, the arrest involved one of the members described as the leader of the financial apparatus of the hacking group.[8]

Interestingly, despite Kelvin’s retirement in June/July 2023, the statement confirmed the fact that the group was still operating in the shadow as previously confirmed by the YCTI Team from information gathered undercover. Also, it was noted that the URL forwarding to the drive folders from which the e-mail has been identified became unreachable since December 2023 and the Gmail account and related services seemed to be put offline.

Recently, Spectre put on sale two of the Kelvin Security channels acquired during the summer of 2023. This aspect might be relevant as could signify that the threat actor might want to cut all the connections linking to Kelvin Security as a reaction to the arrest of the alleged member of Kelvin Security back in December 2023.

Announcement of the arrest of alleged member of Kelvin Security (Source: Official account of the Spanish Policia Nacional on Telegram)

Announcement of the sale of the Telegram groups published by Spectre

Conclusions

The degree of relations between Spectre and Kelvin Security remains unclear. Considering the previous analysis, it is possible to draw a few hypotheses. Spectre seems to represent a data broker who tries to expand its business by sharing governmental and military leaks through different channels of communication. Considering the presence of many leaks posted on the main website Intel Repository which were pointing at Kelvin Security, Spectre might have established a fruitful collaboration as a data broker with Kelvin Security since at least 2020.

Regarding the purchase of Kelvin’s Telegram channels, it is also possible to assume that, if Spectre was somehow engaged on a deeper level of collaboration with Kelvin Security, then the threat actor would have wanted to maintain a presence on the cyber underground keeping the original channels of communications alive on behalf of Kelvin Security waiting for calmer times for the group to come back into business officially. This hypothesis is supported by the fact that the group was indeed still active at least until November 2023 despite their retirement and waiting for the perfect time to make their comeback.[1]

Finally, a remote hypothesis is assuming that Spectre has always been an alias of a member of Kelvin Security which is used as a backup cyber persona whenever necessary.

The YCTI Team will monitor possible developments and will conduct further investigations whenever relevant elements arise.

 

References:

[1] The Spanish Police’s official statement on the arrest of the alleged Kelvin Security member confirms that the latest group’s malicious activity was detected in November 2023 against a company of the energy sector. Therefore, the group has been continuing to operate even after the alleged retirement in June/July 2023.

[1] Medium, Venezuelan president’s personally identifiable information available for sale, Medium, oct 29,2018, available at: https://medium.com/beyond-the-perimeter/venezuelan-presidents-personally-identifiable-information-available-for-sale-e315ed9575e0

[2] Bleeping Computer, Kelvin Security hacking group leader arrested in Spain, December 11, 2023, available at: https://www.bleepingcomputer.com/news/security/kelvin-security-hacking-group-leader-arrested-in-spain/

[3] Cyble, Alleged Sensitive documents of NATO and TURKEY leaked: Case of Cyber Hacktivism or Cyber Espionage?, October 20, 2020, available at: https://cyble.com/blog/alleged-sensitive-documents-of-nato-and-turkey-leaked-case-of-cyber-hacktivism-or-cyber-espionage/

[4] Ukraine Government Portal – Official Website, Prime Minister of Ukraine met with President of Italy, available at: https://www.kmu.gov.ua/en/news/premier-ministr-ukrainy-proviv-zustrich-iz-prezydentom-italii

[5] Medium, Venezuelan president’s personally identifiable information available for sale, Octobr 29, 2018, available at: https://medium.com/beyond-the-perimeter/venezuelan-presidents-personally-identifiable-information-available-for-sale-e315ed9575e0

[6] CyFirma, ARES Leaks – Emerging Cyber Crime Cartel, 7 April, 2023, available at: https://www.cyfirma.com/outofband/ares-leaks-emerging-cyber-crime-cartel/

[7] Bleeping Computer, FBI seizes BreachForums after arresting its owner Pompompurin in March, 23 June 2023, available at: https://www.bleepingcomputer.com/news/security/fbi-seizes-breachforums-after-arresting-its-owner-pompompurin-in-march/

[8] Ministerio del Interior, La Policía Nacional detiene al líder del aparato financiero de uno de los grupos hacktivistas más importantes del mundo, December 11, 2023, available at: https://www.interior.gob.es/opencms/gl/detalle/articulo/La-Policia-Nacional-detiene-al-lider-del-aparato-financiero-de-uno-de-los-grupos-hacktivistas-mas-importantes-del-mundo/

 

Author:

Samuele De Tomas Colatin is a member of the Yarix Cyber Threat Intelligence Team. Previously, he worked as a researcher at the NATO Cooperative Cyber Defence Centre of Excellence in Tallinn, Estonia. He is currently trying to find a balance between updating MISP and living his private life. Spoiler: he has not succeeded yet.