Posted
ThreatConnect Research reviews phishing activity targeting Bellingcat researcher Christo Grozev and identifies a series of ProtonMail-spoofing domains most likely associated with attacks on Russia focused researchers and journalists.
On July 24th, Bellingcat shared a phishing email from July 23rd that unsuccessfully targeted Christo Grozev, a Bellingcat contributor who focuses on Russia-related security threats and weaponization of information. Using ThreatConnect, our various integrations, and DomainTools’ capabilities, we researched the email and identified a series of ProtonMail-spoofing domains most likely associated with the phishing activity that targeted Bellingcat. This case study highlights the importance of reviewing hosting infrastructure, co-locations, name servers, and WHOIS creation timestamps for malicious domains that are privacy protected. In this case, we identified eleven domains registered since April 11, 2019 most likely associated with the actor behind this activity and possibly used in attacks against other Russia-focused researchers or journalists. These findings have been memorialized in ThreatConnect Incident 20190724A: ProtonMail Spoofed Domains Used in Phishing Against Russian-Focused Researchers.
We’ve been fortunate to previously work with Bellingcat on Fancy Bear activity targeting them following their MH-17 reporting beginning in 2015 and continuing on in to at least 2017. In this instance, we don’t know if Fancy Bear is behind this activity. The activity pattern observed in this incident suggests that may be the case, but that assessment is in no way definitive based on our current understanding of the activity as described below.
Phishing Targeting Bellingcat
The phishing email that targeted Bellingcat purported to be from ProtonMail’s support team and claimed that the target’s encryption keys and privacy may have been compromised. The “from” email addresses were most likely spoofed. The email header shows that the message was sent from legitimate Mail.de infrastructure and lists notifysendingservice@mail[.]uk as the return path email address. At this time, we do not know if this is an email address belonging to a legitimate service that the actor leveraged or an actor-controlled account. We have contacted Mail.de for additional information.
The email prompts the target to either change their password or generate new encryption keys at the provided links.
Those links are actually for the sites hxxp://mail[.]protonmail[.]sh/password and hxxp://mail[.]protonmail[.]sh/keys, respectively. We were unable to capture the password site live; however, the keys URL redirected to another domain — mailprotonmail[.]ch — as seen below in the Internet Archive. This site hosts a spoofed ProtonMail loading page that prompts the target to enable Javascript. We are still in the process of reviewing the Javascript files that this site attempts to load and will provide an update as we better understand them.
Hosting Infrastructure
From an infrastructure perspective, at this point we have identified two domains associated with this activity — protonmail[.]sh and mailprotonmail[.]ch. Reviewing the WHOIS for these domains in our DomainTools Spaces App, we can see that both of these sites were registered through Njalla, which provides anonymous domain registrations and protects users “from ferocious domain predators.”
Reviewing the hosting history for these domains using our Farsight DNSDB integration, we note that mailprotonmail[.]ch is hosted at 217.182.13[.]249.
This IP address has hosted only three domains in the last two months and all of them spoof ProtonMail. We can reasonably conclude that this IP most likely is exclusive to the actor behind the activity that targeted Bellingcat.
Iterating the previous research steps for these new domains — mailprotonmail[.]com and protonmail[.]systems — we see that these domains were also registered through Njalla. Additionally, the mailprotonmail[.]com domain was previously hosted at 193.33.61[.]199.
As with the 217.182.13[.]249 IP, reviewing passive DNS resolutions for 193.33.61[.]199 with our Farsight DNSDB integration, we see that it has recently hosted domains that all appear to spoof ProtonMail and again most likely is exclusive to the actor behind this activity. The additional co-located domains include protonmail[.]direct, my.secure-protonmail[.]com, and prtn[.]xyz.
Iterating again with these new domains, we see that protonmail[.]direct was also registered through Njalla while my.secure-protonmail[.]com and prtn[.]xyz were registered through Web4Africa. Notably, these domains were registered on April 11, 2019, suggesting that this campaign may date back much earlier than the recently-identified phishing email targeting Bellingcat.
Creation Timestamp Pivoting
At this point, we’ve exhausted what we can identify from hosting IPs and domain co-locations. Unfortunately, in this case, we don’t have any registrant email domains from WHOIS or start of authority (SOA) records to build out our understanding of this actor’s infrastructure. However, we have a technique that sometimes proves useful for researching such domains — creation timestamp pivoting. This method helps identify other domains that were registered through the same reseller at the same time as the domain in question.
The idea here is that actors will sometimes register groups of domains at a single time. Doing so cuts down on the number of transactions they have to perform and the amount of time they spend procuring infrastructure. Even when using privacy protection services, WHOIS name server and creation timestamp information can often be used to find other domains that may be associated with those you’re researching.
To do this research, we’ll use a DomainTools Iris or Reverse WHOIS query to search for domains that use the name server of the site we’re investigating AND have the same creation timestamp string down to the hour. We then review the WHOIS for the returned domains and identify those that were registered in close temporal proximity to the one we started with. Let’s use the previously identified mailprotonmail[.]com as an example.
In the WHOIS for mailprotonmail[.]com, we see that it was registered at 6:10 UTC on June 27, 2019 through Njalla. An Iris query to pivot on these characteristics would look like the following:
Ultimately, four additional domains are returned. Looking at the WHOIS for these results, we see that two of the additional domains — prtn[.]app and the previously identified protonmail[.]sh — were registered within about 30 seconds of mailprotonmail[.]com.
Iterating through this methodology for the other previously identified domains, we can determine that the following additional infrastructure is most likely associated with the actor we’re investigating:
- protonmail[.]gmbh
- prtn[.]app
- protonmail[.]team
- protonmail[.]support
It’s important to note that this method is not without caveats:
- Boutique is Best – Generally, this methodology only works for smaller name servers or registrars. The more widely used a name server or registrar, the more results will show up for the given time you’re investigating.
- Domain Creations on Intervals – In some cases, the reseller or registrar may not immediately register a domain for a customer and instead create groups of domains from multiple customers at a specified interval.
- Lack of Results – Sometimes, the creation timestamp information may not be indexed by the capability you’re using, so the lack of additional domains in reverse WHOIS queries does not preclude the actual existence of other, related domains.
- No Rule of Thumb – There is not a hard and fast rule for how close in temporal proximity domains have to be to be deemed “related.” In this case, we saw domains that were registered seconds apart and up to a minute and a half apart. It’s going to vary between resellers.
- Coincidence – Two domains registered by different actors could be registered through the same reseller at the same or close to the same time.
- Probability – Results from this research should always be considered within the larger context of the activity you’re investigating. In this case, all the additional domains spoof ProtonMail. Similar consistencies or lack thereof should be considered when applying probabilistic language to your resulting analysis.
Conclusion
In terms of attribution, based on our current understanding of the activity, we cannot assess who is behind this activity with a reasonable level of confidence. Fancy Bear has previously targeted Bellingcat and used the Njalla and Web4Africa resellers to procure infrastructure; however, none of those characteristics are exclusive to Fancy Bear. So, the shoe fits, but it probably fits others too. Additional information on the Javascript hosted at the aforementioned sites, other targets of this campaign, the extent of the campaign, and the landing pages for other links in the phishing emails could help us better assess who is behind this activity.
At this point, we don’t know if, how, or against whom all of the additional domains from this research have been used. Journalism and think tank organizations — particularly those that investigate Russia-related issues — whose contributors or employees use ProtonMail should review previous emails and monitor for future emails containing links to this infrastructure. Additionally, several of the identified domains have not been hosted to date, and could be used in future operations. Monitoring for passive DNS resolutions for these domains or new subdomains may help identify if or when they are operationalized.
Identified Domains and IPs:
protonmail[.]sh
mail[.]protonmail[.]sh
mailprotonmail[.]ch
mailprotonmail[.]com
protonmail[.]direct
protonmail[.]gmbh
protonmail[.]systems
prtn[.]app
protonmail[.]team
protonmail[.]support
user[.]protonmail[.]support
prtn[.]xyz
secure-protonmail[.]com
my[.]secure-protonmail[.]com
217.182.13[.]249
193.33.61[.]199