ThreatConnect Reviews Potential Fancy Bear Activity Targeting the French Election Runoff
In the run up to the French election runoff between Emmanuel Macron and Marine Le Pen, ThreatConnect reviews intelligence suggesting domains spoofing Macron’s En-Marche.fr website are associated with Russian cyber activity.
In the wake of a Trend Micro report identifying Fancy Bear phishing efforts against French presidential candidate Emmanuel Macron, we identified additional indicators and notable intelligence associated with reported activity. The identified activity has several consistencies with previously identified Fancy Bear tactics; however, we lack information on the phishing messages, other attack vectors, credential harvesting pages, and any malware used in this campaign that would give us greater confidence in attributing these to Fancy Bear or another adversary. Likewise, it bears mentioning that given the degree of attention paid to these attack patterns, it is possible another adversary is using the same techniques.
If Fancy Bear is sniffing around Macron’s campaign, we would expect them to try additional avenues to gain access even if operations leveraging the spoofed domains identified in this report were unsuccessful. These avenues could include other political organizations associated with the campaign, or third party or contracted organizations that enable its daily operations. Fancy Bear leveraged a similar tactic in targeting the Democratic National Committee (via their IT contractors) and Democratic Congressional Campaign Committee (via their donation website) in their active measures efforts against the US Democratic Party.
Scene Setter: The Significance of the French Election
Following Russia’s active measures campaign against the 2016 US election that compromised and leaked information from the Democratic Party, many, including ourselves and the US Intelligence Community, assessed such efforts would likely continue. Even though the ultimate impact of Russia’s activity on the election results is up for debate, the outcome was consistent with Russia’s goals and the consequences would not disincentivize future campaigns. The next juicy target? The French election, now proceeding to a runoff between centrist candidate Emmanuel Macron and right-wing populist Marine Le Pen.
Similar to Donald Trump during the 2016 campaign, French Presidential candidate Le Pen has publicly espoused a positive view of Russian activities (such as the annexation of Crimea) and Russian President Vladimir Putin. Additionally, Le Pen’s more nationalistic approach to foreign policy and antagonistic views towards the EU suit Russian objectives of weakening the cohesion of multi-national organizations like the EU that have sought to discourage Russian aggression by imposing sanctions, and instead deal with each country individually. Conversely, Macron has been critical of Russian activities and is expected to support existing policies.
As a result, we would expect any Russian active measures campaigns to target Macron’s campaign while conversely supporting Le Pen’s. Indeed, Macron’s aides blame Russia for hacking attempts targeting his campaign and disinformation conducted via Kremlin-backed media outlets.
And So it Begins…
Trend Micro recently identified that Pawn Storm, aka Fancy Bear, likely used the spoofed domain onedrive-en-marche[.]fr to target Macron’s campaign. The Macron campaign confirmed the attempted intrusions, but said they had all been thwarted (hopefully they’re all using two-factor authentication!). The use of a spoofed domain is certainly in Fancy Bear’s wheelhouse and a tactic they use frequently, but we decided to dig into the domain a bit more using the ThreatConnect platform to see whether we could identify any additional intelligence. Spoiler alert: we did, otherwise this wouldn’t be a very interesting blog.
Identifying Additional Domains Based on the Registrant
ThreatConnect WHOIS integration information on onedrive-en-marche[.]fr.
We started by importing the onedrive-en-marche[.]fr domain as an indicator. Using ThreatConnect’s WHOIS integration, we identified that the domain was registered using the email address johnpinch@mail[.]com. The mail[.]com email domain is notable as Fancy Bear has previously used it, and others provided by 1&1 such as europe[.]com, to register domains used in operations. While not definitive of a Fancy Bear association, it is a notable consistency with their previous tactics.
ThreatConnect Tracks results for johnpinch@mail[.]com
Using ThreatConnect’s Tracks function, which leverages DomainTools' data to identify and track domains registered with a given email address, we identified that the johnpinch@mail[.]com email address has also been used to register three other domains -- accounts-office[.]fr, portal-office[.]fr, and mail-en-marche[.]fr. The latter also spoofs Macron’s en-marche.fr domain and could be leveraged in operations against his campaign.
Dedicated Servers and a Curious Overlap
After identifying these additional domains, we used ThreatConnect’s various integrations and some capabilities from our friends at DomainTools to review the hosting history for these domains. In total, we were able to identify about ten additional indicators for this activity, including the subdomain mail.onedrive-en-marche[.]fr that is hosted at 80.82.69[.]134. These indicators have been shared in Incident: 20170424C: Domains Spoofing En-marche.fr Likely Used in Fancy Bear Phishing.
DomainTools WHOIS information on mail-en-marche[.]fr.
Notably, we identified that all of the domains that johnpinch@mail[.]com registered are hosted on dedicated servers. The use of a dedicated server is often indicative of a domain that has been operationalized. Using dedicated servers, while costing more monetarily, also gives malicious actors more control over how their infrastructure is administered.
ThreatConnect's Farsight DNSDB integration information on portal-office[.]fr.
Taking a closer look at the IPs hosting these domains using our Farsight DNSDB integration we identified that the portal-office[.]fr domain is hosted at the IP 194.187.249[.]135.
ThreatConnect entry on 194.187.249[.]135 IP address.
Reviewing the entry for this IP, it turns out the 194.187.249[.]135 IP address was identified in the December 2016 Department of Homeland Security Grizzly Steppe Joint Analysis Report (JAR) on Russian cyber activity. No additional notable context was included with the IP address in the JAR; however, additional research indicates this IP was previously a Tor exit node. Reviewing the hosting information for this IP, the portal-office[.]fr domain is the only one that shows up, suggesting this IP may currently be dedicated to the actor behind it.
From Tor to Moar!
The overlap with an IP address in the Grizzly Steppe JAR merited some additional research. Based on information from collector.torproject.org and check.torproject.org, the 194.187.249[.]135 IP address most likely last operated as a Tor exit node around October 12, 2016 and is currently not an exit node.
Last identified date and time for the designation of 194.187.249[.]135 as a Tor exit node, according to collector.torproject.org.
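One way to run the exit-list check described above, added here as an example and not ThreatConnect's own tooling: it parses exit-list snapshots in the TorDNSEL text format archived by collector.torproject.org and reports the last time an address was listed as an exit. The snapshots, relay fingerprints and timestamps below are constructed, and the addresses are documentation-range IPs rather than the one discussed in the article.

```python
from datetime import datetime

def parse_exit_list(text):
    """Yield (fingerprint, ip, seen) for every ExitAddress line in one snapshot."""
    fingerprint = None
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "ExitNode" and len(parts) == 2:
            fingerprint = parts[1]          # following lines belong to this relay
        elif parts[0] == "ExitAddress" and len(parts) == 4 and fingerprint:
            seen = datetime.strptime(parts[2] + " " + parts[3], "%Y-%m-%d %H:%M:%S")
            yield fingerprint, parts[1], seen

def last_seen_as_exit(snapshots, ip):
    """Return (latest_time, fingerprint) for `ip`, or None if it never appears."""
    best = None
    for text in snapshots:
        for fp, addr, seen in parse_exit_list(text):
            if addr == ip and (best is None or seen > best[0]):
                best = (seen, fp)
    return best

# Constructed sample data: two relays, three snapshots.
FP_A, FP_B = "A" * 40, "B" * 40
SNAPSHOTS = [
    f"""@type tordnsel 1.0
Downloaded 2016-10-10 01:02:00
ExitNode {FP_A}
Published 2016-10-09 20:00:00
LastStatus 2016-10-10 00:02:00
ExitAddress 192.0.2.10 2016-10-10 00:10:00
ExitNode {FP_B}
Published 2016-10-09 21:00:00
LastStatus 2016-10-10 00:02:00
ExitAddress 198.51.100.7 2016-10-10 00:20:00
""",
    # A relay can exit from more than one address; each gets its own line.
    f"""ExitNode {FP_A}
Published 2016-10-11 20:00:00
LastStatus 2016-10-12 06:02:00
ExitAddress 192.0.2.10 2016-10-12 06:15:30
ExitAddress 192.0.2.11 2016-10-12 06:16:00
""",
    # Relay A has dropped out of the list; only relay B remains.
    f"""ExitNode {FP_B}
Published 2016-10-13 21:00:00
LastStatus 2016-10-14 00:02:00
ExitAddress 198.51.100.7 2016-10-14 00:20:00
""",
]

if __name__ == "__main__":
    print(last_seen_as_exit(SNAPSHOTS, "192.0.2.10"))
```

Comparing the returned timestamp with the first passive DNS sighting of a domain on the same IP shows how long the address sat between the two roles.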
But the use of an IP address that was previously acting as a Tor exit node got us wondering “why?”. Ostensibly, malicious actors would be cognizant of the Grizzly Steppe JAR and would seek to avoid any indicators contained therein to help ensure their operations would be successful. So as best as we can think of, there are three plausible scenarios that could explain this:
- Muddying attribution: The actors behind the portal-office[.]fr, and transitively the spoofed en-marche.fr domains, intentionally chose an IP address previously identified as a Tor node to mitigate attribution efforts. In doing so, attribution assessments predicated on the IP would have to address scrutiny that multiple actors could have been using the IP.
- Deliberate transition: The actors maintained control of the IP while it operated as a Tor exit node and later when it hosted portal-office[.]fr. In this scenario, the actors intentionally transitioned the infrastructure from being an exit node to hosting infrastructure. This scenario raises additional questions, such as why the actors were operating a Tor exit node in the first place, whether they were using it, whether they were collecting from it, and why they repurposed it for hosting operational infrastructure.
- Random chance: The actors did not choose the IP address or chose a random IP address. In this scenario, it amounts to a coincidence that the 194.187.249[.]135 IP address was previously a Tor exit node.
Identifying Other Possible Domains Spoofing en-marche.fr
Using DomainTools’ Iris, we examined other recent registrations that had consistencies with the spoofed en-marche.fr domains. We looked for domains registered since March 1, 2017 that contained the string “marche,” and used one of a selection of 1&1 email domains that Fancy Bear has shown a tendency to use, including mail[.]com, email[.]com, and europe[.]com. This identified a new domain, en-marche[.]co, that was registered using the email address amarocarrion@mail[.]com on April 12, 2017. This domain is currently hosted at a Cloudflare IP, which masks where the domain is hosted, but a trusted partner identified that this domain is ultimately hosted at the IP 193.29.187[.]40.
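The search criteria above, and the registrant-email pivot used earlier in the article, can be expressed as a filter over WHOIS records. This is an added example, not DomainTools' or ThreatConnect's code: the record layout (`domain`, `registrant_email`, `created`) is an assumption, and every sample record is constructed except en-marche[.]co, whose registrant and date come from the article.

```python
from collections import defaultdict
from datetime import date

# Criteria stated in the article.
KEYWORD = "marche"
SINCE = date(2017, 3, 1)
EMAIL_DOMAINS = {"mail.com", "email.com", "europe.com"}

def refang(value):
    """Turn a defanged indicator (mail[.]com) back into its plain form."""
    return value.replace("[.]", ".").strip().lower()

def matches(record):
    """True when a WHOIS record meets all three search criteria."""
    domain = refang(record["domain"])
    email_domain = refang(record["registrant_email"]).rpartition("@")[2]
    created = date.fromisoformat(record["created"])
    return KEYWORD in domain and created >= SINCE and email_domain in EMAIL_DOMAINS

def hunt(records):
    """Return matching domains grouped by registrant email (the pivot key)."""
    clusters = defaultdict(list)
    for rec in records:
        if matches(rec):
            clusters[refang(rec["registrant_email"])].append(refang(rec["domain"]))
    return {email: sorted(domains) for email, domains in clusters.items()}

# Hypothetical record layout; all rows constructed except the first.
SAMPLE = [
    {"domain": "en-marche[.]co", "registrant_email": "amarocarrion@mail[.]com",
     "created": "2017-04-12"},                      # from the article
    {"domain": "marche-login[.]example", "registrant_email": "someone@europe[.]com",
     "created": "2017-03-20"},                      # meets all three criteria
    {"domain": "marche-portal[.]example", "registrant_email": "someone@europe[.]com",
     "created": "2017-02-27"},                      # registered before the cutoff
    {"domain": "supermarche[.]example", "registrant_email": "owner@example[.]org",
     "created": "2017-04-01"},                      # keyword hit, other email provider
    {"domain": "office-portal[.]example", "registrant_email": "x@mail[.]com",
     "created": "2017-04-02"},                      # no keyword
]

if __name__ == "__main__":
    for email, domains in hunt(SAMPLE).items():
        print(email, domains)
```

The keyword test is a plain substring match, so benign names containing “marche” also hit; the results are leads for analyst review, not verdicts.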
DomainTools IP information for 193.29.187[.]40 showing it is owned by THCservers.
Reviewing DomainTools IP information for 193.29.187[.]40, we see that the IP is owned by the registration and hosting service THCservers. We’ve previously identified Fancy Bear’s penchant for using THCservers, notably for the faketivist website dcleaks[.]com. It’s plausible that Fancy Bear would also obtain IP hosting infrastructure from this company they have a tendency to use. Investigating the historic WHOIS information for the en-marche[.]co domain, we identified another consistency with Fancy Bear registration and hosting tactics.
DomainTools WHOIS information for en-marche[.]co showing the use of Monovm name servers.
This domain initially used monovm[.]com name servers when it was registered on April 13, 2017. We do not know to what extent, if any, this domain is used maliciously, but the Monovm registrar and name servers have previously been used for domains like securityprotectingcorp[.]com identified in Fancy Bear attacks. While not definitive, this is another consistency with previously-identified Fancy Bear tactics and further suggests they are actively targeting the Macron campaign.
There are consistencies in the reported activity against Macron and Fancy Bear’s previously identified registration and hosting tactics, including the use of the mail.com email address to register domains as well as use of dedicated infrastructure. Additionally, the victimology and motivation - targeting the presidential candidate that Russia ostensibly would like to lose - is consistent with Russia’s previous active measures campaigns conducted during the 2016 US election. However, without additional information on the specific phishing messages employed in this campaign against Macron, we cannot currently definitively confirm Trend Micro’s assessment that Fancy Bear aka Pawn Storm is behind this activity.
Other organizations closely involved with Macron’s political party, En Marche!, need to be cognizant of the threat that Russian cyber activity poses. Notably, organizations with access to or that interact with En Marche’s computers, networks, or websites should operate under a heightened level of awareness and thoroughly scrutinize any potential attacks consistent with Fancy Bear or higher-level Russian cyber operations.