Posted
*This post can also be found on the Fidelis blog, ThreatGeek.*
FANCY BEAR Has an (IT) Itch that They Can’t Scratch
ThreatConnect and Fidelis team up to explore the Democratic Congressional Campaign Committee (DCCC) compromise
Following news reports that the Democratic Congressional Campaign Committee (DCCC) was breached via a spoofed donation website, the ThreatConnect Research team and Fidelis Cybersecurity teamed up to collaborate and take a look at the associated domain to ferret out additional details on the activity.
The initial indications from the DCCC breach suggest FANCY BEAR pawprints based on the following:
- First, the registrant – fisterboks@email[.]com – behind the spoofed domain secure.actblues[.]com has registered three other domains, all of which have been linked to FANCY BEAR by German Intelligence (BfV).
- Second, the timing is consistent with an adversary reacting to heightened focus after the DNC breach was announced.
- Third, the two name servers used by fisterboks@email[.]com to register four suspicious domains are the same ones used by frank_merdeux@europe[.]com, the registrant of misdepatrment[.]com, a spoofed domain that previously resolved to a FANCY BEAR command and control IP address used in the DNC breach.
- Finally, a pattern exists where the actor is creating fictitious registrant email addresses by leveraging free webmail providers, such as 1&1’s Mail.com or Chewie Mail, to register faux domains which contain minor character transpositions or modified spellings. Additionally, the actor is favoring registrars and hosting providers that seemingly provide anonymity by accepting bitcoin for payment.
The following would strengthen our assessment of FANCY BEAR’s involvement:
- Additional information indicating if the actblues[.]com domain was used to compromise the DCCC. At this point, we don’t know whether the domain was used for socially engineered phishing emails, serving up malware, or stealing user credentials.
- If malware is involved with this compromise, having a sample or information on the malware would help us identify whether it is consistent with other tools used by FANCY BEAR.
- If there is any other infrastructure involved with this compromise beyond the actblues[.]com domain and IP, identifying links between registration and hosting information for that infrastructure and known FANCY BEAR infrastructure could augment the confidence in our assessment.
Spoofed DCCC Domain Identified
Both of our companies respectively researched the domain secure.actblues[.]com, which spoofs the DCCC’s legitimate donation site secure.actblue[.]com. FANCY BEAR actors previously used the same technique with the domain misdepatrment[.]com, which spoofed the legitimate domain belonging to MIS Department, a Democratic National Committee IT contractor. The actblues[.]com domain, which is hosted on a Netherlands IP Address 191.101.31[.]112 (Host1Plus, a division of Digital Energy Technologies Ltd.), was registered using a privacy protection service through the I.T. Itch registrar.
After reviewing the Start of Authority (SOA) record for actblues[.]com we were able to identify the email address fisterboks@email[.]com originally registered the domain.
This fisterboks@email[.]com email address has previously registered three other domains, intelsupportcenter[.]com (hosted on a dedicated server at 81.95.7[.]11), intelsupportcenter[.]net (not active), and fastcontech[.]com, all of which have been attributed to FANCY BEAR activity in an official German Intelligence (BfV) report Cyber Brief Nr. 01/2016. It should also be noted that fastcontech[.]com is hosted at the same ISP as one of the IP’s listed by Crowdstrike for FANCY BEAR (185.86.148[.]227).
Perfect Timing
Upon further review of the actblues[.]com domain using the ThreatConnect Farsight Passive DNS integration, we were able to identify the date and time when the domain first resolved.
The actblues[.]com domain was initially registered on June 14th and resolved to the 191.101.31[.]112 IP shortly thereafter. This indicates that the domain was operationalized in less than a day. Stepping out and looking at additional context related to the DNC activity, we identified that CrowdStrike’s initial report on the DNC hack was also published on June 14th. This suggests that, after being outed, FANCY BEAR actors shifted their operation immediately to another target that might allow them to continue collection against Democratic figures involved in the U.S. election.
Peripheral Associations
The surrounding infrastructure around the secure[.]actblues[.]com host in the 191.101.31.0/24 network merited a closer look. In one example, we identified that the suspicious domain geopoliticsmonitor[.]com resolved to IP Address 191.101.31[.]116. According to DomainTools, the WHOIS information for geopoliticsmonitor[.]com lists boltini_sandy@post[.]com as the domain registrant and I.T. Itch as providing administrative and name services.
This domain appears to be a spoof of the legitimate domain geopoliticalmonitor.com. Geopolitical Monitor lists itself as a Canadian “international intelligence publication and consultancy”. This aligns with the suspicious domain stratforglobal[.]net, which uses the the Xtra Orbit name services (xtraorbit[.]com / xo.*.orderbox-dns.com) and registrant idolbreaker@mail[.]com detailed in our previous blog. Stratfor lists itself as a “geopolitical intelligence firm that provides strategic analysis and forecasting to individuals and organizations around the world.” Targeting of either of these organizations and or their customers might yield strategic insights or facilitate secondary operations.
In reviewing the peripheral networks associated with FANCY BEAR infrastructure, we saw correlation to the following hosts identified in PricewaterhouseCoopers’s Sofacy II- Same Sofacy, Different Day:
- globalnewsweekly[.]com
- osce-oscc[.]org
- enisa-europa[.]com
- enisa-europa[.]org
- militaryobserver[.]net
As well as other suspicious domains such as:
- academl[.]com – spoofing Blackwater’s new company name.
- tolonevvs[.]com – spoofing an Afghanistan news outlet.
- eurosatory-2014[.]com – spoofing Eurosatory, a yearly military defense conference.
- check-italia[.]ml – spoofing an organization associated with Italy’s Ministry of Economic Development.
The Name Server Connections
The fisterboks@email[.]com surfaced in our previous post on FANCY BEAR’s use of a bitcoin name server. At the time, we were interested in the two domains intelsupportcenter[.]com and intelsupportcenter[.]net because they looked like domain spoofs of the Intel Corporation, not necessarily because they were registered by fisterboks@email[.]com.
The name services in question – .bitcoin-dns[.]hosting – were also used by misdepatrment[.]com, a spoofed domain (of the legitimate misdepartment.com) that resolved to a FANCY BEAR command and control IP address used in the DNC breach. The same name servers have been used by other FANCY BEAR-linked domains as well as a long list of other suspicious domains that have not been attributed to any particular threat actor.
The domains actblues[.]com and fastcontech[.]com – the two fisterboks@email[.]com domains we identified from the SOA records – were registered through a different name server called I.T. Itch. fastcontech[.]com was also identified in the German Intelligence report on FANCY BEAR and is hosted on a dedicated server at the 185.61.149[.]198 IP address.
When we looked to see who else was using the I.T. Itch name server, we found httpconnectsys[.]com. This domain is notable as the SOA record indicates that it was initially registered by frank_merdeux@europe[.]com, the same email address that was used to register the misdepatrment[.]com domain. At the time of this writing, we have not identified any other name servers used by either registrant.
I.T. Itch Registrar
I.T. Itch (ititch[.]com) bills itself as an anonymous web hosting, bitcoin hosting, private domain registration company with a “100% non-compliance rate” aiming to help entities maintain an anonymous digital presence. The company allegedly accomplishes this by “actively ignoring and impeding digital data requests and take-down notices“. Websites on the company’s infrastructure purportedly leverage “web servers located in secret locations on three different continents,” further protecting customers’ private information and freedom of speech, essentially making the site owners anonymous.
Naturally, this promise of anonymity is attractive to cyber threat actors. However, it is this proclivity for anonymous infrastructure, coupled with available SOA records, that led the ThreatConnect Research team to identify additional APT-related infrastructure using I.T. Itch name servers, despite the use of Privacy Protect services to mask registrant data.
Scrutinizing Additional Suspicious Domains on I.T. Itch Name Server
We took a look at all of the domains that were registered this year that currently use the same name server (ititch[.]com) as actblues[.]com. From there, we attempted to identify those domains that were hosted on dedicated servers and stood out the most with respect to their name, and potentially what domains or topics they spoofed. Malicious actors from a variety of APT groups will often host their malicious domains on dedicated IP addresses. While this is NOT indicative of malicious activity, it can help us prioritize domains for additional review.
It is important to note that name server co-location does not definitively associate suspicious domains with previous malicious activity. Furthermore, we cannot immediately confirm that the domains listed below are hosting malware or are otherwise attributable to malicious APT activity; however, they deserve additional scrutiny due to the patterns identified above, and the fact that they were registered using a service like I.T. Itch.
This is an initial review of the 1,000+ domains registered this year that use the name server. A more thorough review of the domains may help identify additional, suspicious domains. The table below captures those that stood out the most to us based on our initial review. The table details the domain, registrant email addresses, registration date, hosting IP, and the number of domains hosted at that IP.
Domain | Registrant Email | create date | Hosting IP | Number of Domains at IP |
actblues[.]com | contact@privacyprotect[.]org | 6/14/16 | 191.101.31.112 | 1 |
appclientsupport[.]ca | 2/22/16 | 195.62.53.44 | 1 | |
appleappcache[.]com | contact@privacyprotect[.]org | 5/26/16 | 185.24.233.114 | 1 |
appleauthservice[.]com | contact@privacyprotect[.]org | 5/12/16 | 185.106.122.100 | 1 |
applerefund[.]com | larry19ct@gmail[.]com | 5/9/16 | 198.50.218.231 | 1 |
archivenow[.]org | contact@privacyprotect[.]org | 6/24/16 | 91.216.245.38 | 1 |
bbcupdatenews[.]com | contact@privacyprotect[.]org | 6/26/16 | 185.106.122.35 | 1 |
bit-co[.]org | contact@privacyprotect[.]org | 5/7/16 | 141.105.67.90 | 1 |
bitsdelivery[.]com | bastien[.]prignon@mail[.]com | 7/9/16 | 217.23.2.148 | 1 |
buy0day[.]com | 0dayshop@ruggedinbox[.]com | 1/29/16 | 91.235.142.58 | 1 |
dynamicnewsfeeds[.]com | contact@privacyprotect[.]org | 5/7/16 | 185.61.138.58 | 1 |
ebiqiuty[.]com | contact@privacyprotect[.]org | 6/14/16 | 185.61.149.44 | 1 |
eigsecure[.]com | contact@privacyprotect[.]org | 7/24/16 | 94.102.53.142 | 1 |
facebook-profiles[.]com | contact@privacyprotect[.]org | 2/9/16 | 87.120.37.93 | 1 |
great-support[.]com | contact@privacyprotect[.]org | 5/26/16 | 185.86.151.35 | 1 |
hackborders[.]net | 7anoncats@yopmail[.]com | 5/31/16 | 91.121.146.56 | 1 |
login-hosts[.]com | 12ez@freshs[.]co[.]uk | 2/23/16 | 76.74.177.251 | 1 |
logmein-careservice[.]com | sslajot@mail[.]ru | 6/10/16 | 45.32.227.21 | 1 |
new-ru[.]org | contact@privacyprotect[.]org | 7/21/16 | 46.148.17.227 | 1 |
passwordreset[.]co | yosha@openmailbox[.]org | 4/16/16 | 5.100.155.82 | 1 |
securityresearch[.]cc | contact@privacyprotect[.]org | 2/21/16 | 5.100.155.91 | 1 |
symantecupdates[.]com | contact@privacyprotect[.]org | 5/3/16 | 185.24.233.122 | 1 |
socialmedia-lab[.]com | contact@privacyprotect[.]org | 6/13/16 | 185.86.148.88 | 2 |
vortex-sandbox-microsoft[.]com | contact@privacyprotect[.]org | 4/7/16 | 5.63.153.177 | 2 |
mofa-uae[.]com | contact@privacyprotect[.]org | 2/11/16 | 185.61.138.53 | 3 |
social-microsoft[.]com | contact@privacyprotect[.]org | 5/5/16 | 194.58.111.54 | 5 |
vpssecurehost[.]com | contact@privacyprotect[.]org | 5/27/16 | 103.195.184.126 | 6 |
As we highlighted above, the suspicious domains are not immediately attributable to any malicious activity; however, their nature and use of these name servers suggest that they merit additional review. Some of the more suspicious domains from the above list are:
Ebiqiuty[.]com – This domain appears to spoof the legitimate domain ebiquity[.]com which belongs to Ebiquity — a company that specializes in marketing analytics for customers around the world. This domain is also notable because it was registered the same day as actblues[.]com. Malicious actors will occasionally register multiple domains at a time to reduce the number of registrar transactions they have to be involved with. This domain currently redirects to Ebiquity’s legitimate site; however, we have yet to confirm whether it is in fact owned by Ebiquity. No available registration or hosting information indicates that Ebiquity registered this domain.
Bbcupdatenews[.]com – This domain spoofs the BBC News website. Spoofing news and media domains like this one is a common tactic for FANCY BEAR.
Symantecupdates[.]com – This domain stands out as it clearly spoofs anti-virus company Symantec. Further review of this domain identifies that it was previously registered using the email address li2384826402@yahoo[.]com, which was used to register domains used in the Anthem and OPM attacks.
Social-microsoft[.]com – The other domains hosted at the same IP also spoof technology-related services, including proxysys-config[.]com, system-proxy[.]info, and telemetry-akadns[.]net.
Conclusion
Actblues[.]com’s intended target, SOA record, registrant, and name server information probably point toward an association with recent Russian FANCY BEAR activity. The registration of the actblues[.]com domain on the same date FANCY BEAR’s compromise of the DNC was publicly reported further suggests that the group may be attempting to maintain access to systems used by those in the U.S. Democratic Party. Finally, these efforts would certainly be consistent with Russia’s recent activity targeting the DNC and their historic use of spoofed domains. If Russia is, in fact, responsible for the spoofed actblues[.]com domain and leveraging it against the DCCC, the question that naturally follows is…when does Guccifer 2.0 show up to take credit?