2017-09-15 by Dell Cameron from
2017-09-04 by Graham Cluley from Graham Cluley Blog
2017-08-17 by Trend Micro from Trend Micro
2017-01-22 by Various from Wikipedia
Actor: OurMine
Names: OurMine, ATK 128, TAG-HA10
Country: Saudi Arabia
Motivation: Financial gain
First-seen: 2016
Description: OurMine is known for hijacking celebrity and corporate internet accounts, typically defacing them (cyber vandalism) to advertise its commercial security services. (Trend Micro) In light of the recent report detailing HBO's willingness to pay US$250,000 in exchange for the 1.5 terabytes' worth of data swiped by hackers from its servers, the cable network finds itself dealing with yet another security breach. Known for hijacking prominent social media accounts, the self-styled white-hat hacking group OurMine took over a number of verified Twitter and Facebook accounts belonging to HBO, including accounts for shows such as "Game of Thrones," "Girls," and "Ballers." This is not the first time that OurMine has claimed responsibility for hacking high-profile social networking accounts. In 2016 the group victimized Marvel, The New York Times, and even the heads of some of the biggest technology companies in the world: Mark Zuckerberg, Jack Dorsey, Sundar Pichai, and Daniel Ek (the CEOs of Facebook, Twitter, Google, and Spotify, respectively) all had accounts compromised, dispelling the notion that a career in software and technology exempts one from being compromised.
Observed-sectors: Casinos and Gambling
Observed-sectors: High-Tech
Observed-sectors: Media
Observed-sectors: Telecommunications
Observed-countries: UK
Observed-countries: USA
Operations: 2016-10
Operations: BuzzFeed hacked by OurMine after it claimed to unmask one of its members https://www.theguardian.com/technology/2016/oct/05/buzzfeed-hack-ourmine-ahmad-makki-facebook-google
Operations: 2016-12
Operations: Breach of Netflix and Marvel Twitter accounts https://techcrunch.com/2016/12/21/ourmine-hacks-netflixs-u-s-twitter-account/
Operations: 2016-12
Operations: Breach of Nat Geo Photography’s Twitter account https://www.hackread.com/ourmine-hacks-nat-geo-photography-twitter-account/
Operations: 2017-01
Operations: Breach of several Twitter accounts affiliated with WWE, including those of WWE Universe, WWE NXT, wrestler and celebrity John Cena, WrestleMania, WWE Network and SummerSlam https://mashable.com/2017/01/29/wwe-accounts-twitter-hack-ourmine/
Operations: 2017-04
Operations: Breach of several Medium blogs https://fortune.com/2017/04/27/medium-ourmine-hack/
Operations: 2017-08
Operations: Game of Thrones secrets revealed as HBO Twitter accounts hacked https://www.theguardian.com/media/2017/aug/17/game-of-thrones-secrets-revealed-as-hbo-twitter-accounts-hacked
Operations: 2017-09
Operations: Breach of Vevo, the joint venture between Universal Music Group, Sony Music Entertainment, Abu Dhabi Media, Warner Music Group, and Alphabet Inc. (Google's parent company). Roughly 3.12 TB worth of internal files were posted online, and a couple of the documents reviewed by Gizmodo appeared sensitive. https://gizmodo.com/welp-vevo-just-got-hacked-1813390834
Operations: 2017-08
Operations: Breach of PlayStation social media accounts https://www.welivesecurity.com/2017/08/21/hackers-target-playstation/
Operations: 2017-08
Operations: Breach of Twitter accounts of FC Barcelona and Real Madrid https://www.welivesecurity.com/2017/08/28/hacking-group-spanish-giants/
Operations: 2017-09
Operations: Hijacking of WikiLeaks' DNS records (visitors were redirected by altered DNS entries; WikiLeaks' own servers were not compromised) https://www.grahamcluley.com/despite-appearances-wikileaks-wasnt-hacked/
Operations: 2020-01
Operations: OurMine crew hijacks social media accounts for the NFL, the 49ers, Cardinals, Bears, Bills, Broncos, Browns, Bucs, Cowboys, Colts, Chiefs, Eagles, Giants, Packers, Texans, and Vikings. https://www.zdnet.com/article/hackers-hijack-twitter-accounts-for-chicago-bears-and-green-bay-packers/
Operations: 2020-02
Operations: Breach of the official Twitter and Instagram accounts of Facebook and of Messenger https://www.zdnet.com/article/hackers-deface-facebooks-official-twitter-and-instagram-accounts/
Operations: 2020-02
Operations: Breach of the official Twitter accounts of FC Barcelona, the Olympics and the International Olympic Committee (IOC) https://www.welivesecurity.com/2020/02/17/fcbarcelona-twitter-account-hacked-again/
Information: https://en.wikipedia.org/wiki/OurMine
Last-card-change: 2021-12-09
Source: https://apt.etda.or.th/cgi-bin/listtools.cgi
TA0043 | TA0042 | TA0001 | TA0002 | TA0003 | TA0004 | TA0005 | TA0006 | TA0007 | TA0008 | TA0009 | TA0011 | TA0010 | TA0040 |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
 |  |  | T1053.002 Scheduled Task/Job: At (at can be used to schedule a task on a system to be executed at a specific date or time) | T1053.002 Scheduled Task/Job: At (at can be used to schedule a task on a system to be executed at a specific date or time) | T1053.002 Scheduled Task/Job: At (at can be used to schedule a task on a system to be executed at a specific date or time) |  |  |  |  |  |  |  |  |