Two men arrested for impersonating DHS employees. Let's unravel some infrastructure.

screenshot of a law enforcement social media page

Research by Silent Push research team

On Wednesday two men were arrested who are alleged to have impersonated federal agents. Five witnesses have given evidence that the men claimed to work for several agencies, the Department of Homeland Security among them.

Taken on its own, that sounds bad, but not at the very high end of what bad could be.

At this point one might assume these were just two men trying to sound sophisticated, or a “Walter Mitty” episode that got out of hand. The allegations in the affidavit, however, quickly escalate into far more concerning territory.

“Specifically, TAHERZADEH has provided members of the United States Secret Service (USSS) and an employee of DHS with, among other things, rent-free apartments (with a total yearly rent of over $40,000 per apartment), iPhones, surveillance systems, a drone, a flat screen television, a case for storing an assault rifle, a generator, and law enforcement paraphernalia. TAHERZADEH also offered these individuals use of, what TAHERZADEH represented to be “official government vehicles.” In addition, TAHERZADEH offered to purchase a $2,000 assault rifle for a United Secret Service Agent assigned to the First Lady’s protective detail. As of April 4, 2022, as a result of this conduct, four members of the Secret Service were placed on administrative leave pending further investigation.”

A harsh job interview

They are then alleged to have actually tried to recruit someone to work for them under the guise of being deputized by DHS. According to the affidavit: “As part of the “recruitment process” TAHERZADEH and ALI required that the “applicant” be shot with an Airsoft rifle to evaluate their pain tolerance and reaction. Subsequent to being shot, the applicant was informed that their hiring was in process. The applicant was also assigned to conduct research on an individual that provided support to the Department of Defense and intelligence community.”

This ongoing charade was only uncovered when a United States Postal Inspector investigating an assault at the apartment complex where the suspects lived questioned them as witnesses. Their answers made the inspector suspicious, and the FBI was called in.

The Set Up.

So what were they doing? The affidavit shows they were using an email address on the domain ussp[.]us. Let’s use that as a starting point and map out their infrastructure and its timeline.

They had a corporate LinkedIn page set up for this company.

And a Crunchbase profile.

Their registered address is 949 1ST St SE APT 509, Washington, DC, 20003-4737, United States. Their website is no longer fully functional, but we can still see the URLs that were hosted there using archive.org.

Examples of the URLs on the ussp[.]us website
Example of one of the web pages of ussp[.]us
Instagram page of USSP

Front

The court documents suggest they were providing rent-free apartments to a number of people in the building who have now been suspended from their public service jobs. The implication is that the suspects were cultivating these people for nefarious purposes such as espionage. Does their infrastructure tell us anything?

Whois Records

We found a number of domains for this group: ussp[.]us first, but also several others delegated to the same custom name servers, a1.ussp[.]us and a2.ussp[.]us. A shared registrar-default name server would prove little; a name server the operator runs under their own domain is a much stronger link.

For this primary domain the admin contact is listed simply as “INFORMATION SYSTEMS”.

If we look at the other domains on these name servers:

Let’s get a better look
The same organization has had quite a few ‘special police’ themed domains on the go since 2020, and the cost of all this infrastructure begins to mount up.
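The name server pivot described above, as an added example (this is not Silent Push code, and the records are constructed to mirror the article's pattern rather than taken from WHOIS; the creation dates and the `SHARED_NS` entries are placeholders). The point it makes concrete is the one that matters for the pivot: domains are only treated as related when they share a name server that is not a generic, widely shared one.

```python
"""Pivot from a seed domain to sibling domains that share its name servers.

Added example; not Silent Push's code or data. The records below are
constructed to mirror the pattern in the article: several 'special police'
domains delegated to the operator-run name servers a1/a2.ussp[.]us.
Creation dates are placeholders, not values taken from WHOIS.
"""
from collections import defaultdict
from datetime import date

# Constructed WHOIS/passive-DNS style records: (domain, name servers, created).
RECORDS = [
    ("ussp.us",              ["a1.ussp.us", "a2.ussp.us"],                       date(2020, 1, 15)),
    ("uspolice.us",          ["a1.ussp.us", "a2.ussp.us"],                       date(2020, 6, 2)),
    ("dcspecialpolice.com",  ["a2.ussp.us", "a1.ussp.us"],                       date(2021, 3, 9)),
    ("specialpoliceunit.us", ["A1.USSP.US."],                                    date(2021, 11, 20)),
    ("unrelated-shop.com",   ["ns1.registrar.example", "ns2.registrar.example"], date(2019, 5, 1)),
    ("other-shop.com",       ["ns1.registrar.example", "ns2.registrar.example"], date(2021, 2, 2)),
]

# Name servers shared by thousands of unrelated domains (registrar defaults,
# large DNS providers). A match on one of these is not evidence of a link, so
# they are never used as a pivot. Illustrative entries only.
SHARED_NS = {"ns1.registrar.example", "ns2.registrar.example"}


def norm(ns):
    """Case-fold and strip the trailing dot so 'A1.USSP.US.' == 'a1.ussp.us'."""
    return ns.lower().rstrip(".")


def ns_index(records):
    """Map each normalised name server to the set of domains delegated to it."""
    idx = defaultdict(set)
    for domain, nameservers, _ in records:
        for ns in nameservers:
            idx[norm(ns)].add(domain)
    return idx


def pivot_on_nameservers(seed, records):
    """Return the sorted domains that share a non-generic NS with `seed`."""
    idx = ns_index(records)
    seed_ns = {norm(ns) for d, ns_list, _ in records if d == seed for ns in ns_list}
    related = set()
    for ns in seed_ns - SHARED_NS:   # never pivot on a shared/default NS
        related |= idx[ns]
    related.discard(seed)
    return sorted(related)


def registration_timeline(domains, records):
    """(created, domain) pairs in chronological order: shows the build-up over time."""
    created = {d: c for d, _, c in records}
    return sorted((created[d], d) for d in domains if d in created)


if __name__ == "__main__":
    siblings = pivot_on_nameservers("ussp.us", RECORDS)
    for when, dom in registration_timeline(["ussp.us"] + siblings, RECORDS):
        print(when, dom)
```

Swap `RECORDS` for the output of a real WHOIS or passive DNS query and `SHARED_NS` for a proper list of registrar and provider name servers, and the same two functions give you the cluster and the order in which it was built.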

What are special police officers?

https://mpdc.dc.gov/service/security-snapshot-updates-security-personnel

This is perhaps the more interesting question about this story. The companies these suspects set up were branded as if they provided security contracting as special police officers for the District of Columbia. These appear to be a special category of private security contractor licensed to make arrests within the area they cover. We don’t know whether the people in question were licensed, but all of the domains they were operating are built around that theme. Is this a case of delusional security guards pretending to be something “cooler”, or is it something more nefarious, as some people are suggesting?

Prior Behavior

The suspects in this case appear to have an ongoing track record of irresponsible behavior and would not seem to be ideal candidates for any real undercover work or espionage activity, but we’ll see what gets revealed in court.

https://www.dailymail.co.uk/news/article-10696133/How-fake-DHS-agents-spent-18-MONTHS-trying-infiltrate-Secret-Service-Jill-Bidens-detail.html?s=09

Why these Subdomains?

One question it would be good to have answered is why certain subdomains exist for this organization. People are assuming the company is a complete front, but what if it actually had contracts, and what were they for?

www.downloads.ussp[.]us

TXT Records

Their TXT records show that the main domain ussp[.]us carried verification records for a LogMeIn account, Google Search Console and Office 365.

uspolice[.]us also had a Microsoft verification TXT record, so it may also have been one of their email domains. A tenant verification record alone shows the domain was added to a Microsoft 365 tenant; an SPF include for the provider is the stronger sign that mail was actually routed through it.
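The TXT-record fingerprinting used in this section, as an added example (not code from the article). The record values are constructed with dummy tokens; the prefixes are the forms these vendors' domain-verification records are commonly seen in, so confirm against the vendor's own documentation before relying on a match. It also scores how strongly the records support the "email domain" inference, distinguishing a bare tenant verification from an SPF include that actually routes mail.

```python
"""Fingerprint SaaS and mail usage from DNS TXT records.

Added example, not code from the article. The TXT values below are
constructed (tokens are dummies); the record prefixes are the forms each
vendor's domain-verification records are commonly seen in; check the
vendor's documentation before relying on a match.
"""
import re

# Verification-record prefix -> service. Covers the three findings in the
# article (LogMeIn, Google Search Console, Office 365) plus one extra.
VERIFICATION_PATTERNS = [
    (re.compile(r"^google-site-verification=", re.I),      "Google Search Console / Workspace"),
    (re.compile(r"^MS=ms\d+$", re.I),                      "Microsoft 365 tenant"),
    (re.compile(r"^logmein-verification-code=", re.I),     "LogMeIn"),
    (re.compile(r"^atlassian-domain-verification=", re.I), "Atlassian"),
]

# SPF 'include:' targets that identify the outbound mail provider.
SPF_INCLUDES = {
    "spf.protection.outlook.com": "Exchange Online mail",
    "_spf.google.com":            "Google Workspace mail",
}

# Constructed records for the domains named in the article.
SAMPLE_TXT = {
    "ussp.us": [
        "v=spf1 include:spf.protection.outlook.com -all",
        "MS=ms00000000",
        "google-site-verification=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
        "logmein-verification-code=00000000-0000-0000-0000-000000000000",
    ],
    "uspolice.us": ["MS=ms11111111"],
    "dcspecialpolice.com": ["v=spf1 -all"],
}


def fingerprint_txt(txt_records):
    """Return the sorted list of services a domain's TXT records point to."""
    found = set()
    for rec in txt_records:
        rec = rec.strip().strip('"')          # dig/dnspython often quote TXT data
        for pattern, service in VERIFICATION_PATTERNS:
            if pattern.search(rec):
                found.add(service)
        if rec.lower().startswith("v=spf1"):
            for token in rec.split():
                if token.lower().startswith("include:"):
                    inc = token[len("include:"):].lower()
                    found.add(SPF_INCLUDES.get(inc, f"{inc} mail"))
    return sorted(found)


def mail_domain_confidence(txt_records):
    """How strongly the TXT data says 'this domain sends mail'.

    'high'     - an SPF include names a mail provider, so mail is routed.
    'possible' - only a tenant verification (MS=...) is present: the domain
                 was added to a Microsoft 365 tenant, nothing more.
    'none'     - neither (a bare 'v=spf1 -all' declares no outbound mail).
    """
    services = set(fingerprint_txt(txt_records))
    if any(s.endswith("mail") for s in services):
        return "high"
    if "Microsoft 365 tenant" in services:
        return "possible"
    return "none"


if __name__ == "__main__":
    for domain, records in SAMPLE_TXT.items():
        print(domain, fingerprint_txt(records), mail_domain_confidence(records))
```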

Certificates

The main domain had several certificates issued by the cPanel CA. Each covers the default set of cPanel service names (cpanel, cpcalendars, cpcontacts, mail, webmail, whm, www) on one host, so they show which servers were running cPanel and when, and the validity windows line up with the 90-day automatic cPanel/Sectigo renewal.

Certificate observed 2022-03-30
  domain:        ussp[.]us
  host:          a1.ussp[.]us
  issuer:        cPanel, Inc. Certification Authority
  not_before:    2022-03-30T00:00:00
  not_after:     2022-06-28T23:59:59
  names:         a1.ussp[.]us, cpanel.a1.ussp[.]us, cpcalendars.a1.ussp[.]us, cpcontacts.a1.ussp[.]us, mail.a1.ussp[.]us, webmail.a1.ussp[.]us, whm.a1.ussp[.]us, www.a1.ussp[.]us

Certificate observed 2021-12-08
  domain:        ussp[.]us
  host:          cpanel.east.ussp[.]us
  issuer:        cPanel, Inc. Certification Authority
  issuer chain:  cPanel, Inc. Certification Authority, COMODO RSA Certification Authority
  not_before:    2021-12-08T00:00:00
  not_after:     2022-03-08T23:59:59
  names:         cpanel.east.ussp[.]us, cpcalendars.east.ussp[.]us, cpcontacts.east.ussp[.]us, east.ussp[.]us, mail.east.ussp[.]us, webmail.east.ussp[.]us, whm.east.ussp[.]us, www.east.ussp[.]us

Observed infrastructure list (IOC would be an inappropriate term: these are observations of the group's infrastructure, not indicators of malicious activity). All sourced from the Silent Push platform.

a1.ussp[.]us
a2.ussp[.]us
adfs.ussp[.]us
autodiscover.dcspecialpolice[.]com
autodiscover.specialpoliceunit[.]us
autodiscover.uspolice[.]us
autodiscover.ussp[.]us
cpanel.dcspecialpolice[.]com
cpanel.specialpoliceunit[.]us
cpanel.uspolice[.]us
cpanel.ussp[.]us
cpcalendars.uspolice[.]us
cpcontacts.uspolice[.]us
dc.ussp[.]us
dc1.ussp[.]us
dc3.ussp[.]us
dcspecialpolice[.]com
dhs.ussp[.]us
downloads.ussp[.]us
east.ussp[.]us
iris.ussp[.]us
mail.dcspecialpolice[.]com
mail.specialpoliceunit[.]us
mail.uspolice[.]us
mail.ussp[.]us
portal.ussp[.]us
siu.ussp[.]us
software.ussp[.]us
sou.ussp[.]us
specialpoliceunit[.]us
staging.ussp[.]us
t01.ussp[.]us
t25.ussp[.]us
uspolice[.]us
ussp[.]us
webdisk.dcspecialpolice[.]com
webdisk.specialpoliceunit[.]us
webdisk.uspolice[.]us
webdisk.ussp[.]us
webmail.dcspecialpolice[.]com
webmail.specialpoliceunit[.]us
webmail.uspolice[.]us
www.dcspecialpolice[.]com
www.dhs.ussp[.]us
www.downloads.ussp[.]us
www.software.ussp[.]us
www.specialpoliceunit[.]us
www.staging.ussp[.]us
www.uspolice[.]us
www.ussp[.]us

207.246.76[.]18
149.28.97[.]223
108.61.75[.]41
108.61.207[.]59
50.210.156[.]201
50.210.156[.]205
149.28.107[.]179
50.210.156[.]199
50.210.156[.]202
50.210.156[.]203
50.210.156[.]204
50.210.156[.]200
104.216.25[.]71
85.208.116[.]104
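A triage pass over a list like the one above, as an added example (not Silent Push code). The certificate section shows that cpanel., cpcalendars., cpcontacts., mail., webmail., whm. and www. names are created automatically for every cPanel-hosted host, and autodiscover. exists because Microsoft 365 or Exchange clients look it up; those names tell you which hosting stack is in use, not what the operator meant. Filtering them out leaves the operator-chosen labels (adfs, dc1, dc3, dhs, iris, siu, sou, portal, staging and so on) that the “Why these subdomains?” question is really about, and grouping the IPs by /24 surfaces the contiguous 50.210.156.x block. The input is a re-typed subset of the list, and the platform label set and the “last two labels are the registrable domain” shortcut (fine for .us and .com, wrong for suffixes such as .co.uk) are simplifications of mine.

```python
"""Triage an observed-hostname list: platform-generated vs operator-chosen names.

Added example, not Silent Push code. cPanel creates a fixed set of service
subdomains for every hosted domain and Microsoft 365 / Exchange clients look
up autodiscover.; those names show which hosting stack is in use, not what
the operator intended. The input is a subset of the article's list (re-typed,
defanged); PLATFORM_LABELS and the last-two-labels rule are my simplifications.
"""
import ipaddress
import re
from collections import defaultdict

PLATFORM_LABELS = {"cpanel", "cpcalendars", "cpcontacts", "webdisk", "webmail",
                   "whm", "mail", "autodiscover"}

# Subset of the observed infrastructure, defanged (constructed transcription).
OBSERVED = [
    "ussp[.]us", "a1.ussp[.]us", "a2.ussp[.]us", "adfs.ussp[.]us",
    "autodiscover.ussp[.]us", "cpanel.ussp[.]us", "dc1.ussp[.]us", "dc3.ussp[.]us",
    "dhs.ussp[.]us", "www.dhs.ussp[.]us", "east.ussp[.]us", "iris.ussp[.]us",
    "portal.ussp[.]us", "siu.ussp[.]us", "sou.ussp[.]us", "staging.ussp[.]us",
    "webmail.ussp[.]us", "www.ussp[.]us",
    "uspolice[.]us", "cpanel.uspolice[.]us", "mail.uspolice[.]us", "www.uspolice[.]us",
    "dcspecialpolice[.]com", "autodiscover.dcspecialpolice[.]com", "webdisk.dcspecialpolice[.]com",
    "207.246.76[.]18", "149.28.97[.]223", "149.28.107[.]179", "108.61.75[.]41",
    "108.61.207[.]59", "104.216.25[.]71", "85.208.116[.]104",
    "50.210.156[.]199", "50.210.156[.]200", "50.210.156[.]201", "50.210.156[.]202",
    "50.210.156[.]203", "50.210.156[.]204", "50.210.156[.]205",
]

IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def refang(indicator):
    """'ussp[.]us' -> 'ussp.us'; also undoes the common 'hxxp' scheme defang."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def split_host(host):
    """Return (leading labels, registrable domain) using the last-two-labels rule."""
    labels = host.lower().split(".")
    return labels[:-2], ".".join(labels[-2:])


def classify(host):
    """'apex', 'platform' (panel / mail-client boilerplate) or 'custom'."""
    sub, _ = split_host(host)
    if sub and sub[0] == "www":
        sub = sub[1:]            # www.dhs.ussp.us is about 'dhs', not 'www'
    if not sub:
        return "apex"
    return "platform" if sub[0] in PLATFORM_LABELS else "custom"


def triage(indicators):
    """Return (hosts_by_domain, ips_by_24): hostnames bucketed per registrable
    domain into platform/custom (www. stripped, apex dropped), IPs grouped by /24."""
    by_domain = defaultdict(lambda: {"platform": set(), "custom": set()})
    by_net = defaultdict(list)
    for raw in indicators:
        value = refang(raw)
        if IPV4.match(value):
            net = ipaddress.ip_network(f"{value}/24", strict=False)
            by_net[str(net)].append(value)
            continue
        kind = classify(value)
        if kind == "apex":
            continue
        sub, domain = split_host(value)
        sub = sub[1:] if sub[0] == "www" else sub
        by_domain[domain][kind].add(".".join(sub) + "." + domain)
    return by_domain, by_net


def review_list(by_domain):
    """Sorted operator-chosen hostnames across all domains: the analyst's reading list."""
    return sorted(h for d in by_domain.values() for h in d["custom"])


if __name__ == "__main__":
    hosts, nets = triage(OBSERVED)
    print("review:", review_list(hosts))
    for net, ips in sorted(nets.items(), key=lambda kv: -len(kv[1])):
        print(net, len(ips))
```

Run against the full list, the review list is short enough to reason about one name at a time, which is where questions like “why does an ADFS host or a `dhs.` subdomain exist for a private security outfit?” belong.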