
Let's Get Fancy

How the ThreatConnect Research team used the Platform to investigate incidents, identify intelligence and conduct pertinent analysis regarding FANCY BEAR

Read the full series of ThreatConnect posts following the DNC Breach: "Rebooting Watergate: Tapping into the Democratic National Committee", "Shiny Object? Guccifer 2.0 and the DNC Breach", "What's in a Name Server?", "Guccifer 2.0: the Man, the Myth, the Legend?", "Guccifer 2.0: All Roads Lead to Russia", "FANCY BEAR Has an (IT) Itch that They Can't Scratch", "Does a BEAR Leak in the Woods?", "Russian Cyber Operations on Steroids", "Can a BEAR Fit Down a Rabbit Hole?", and "Belling the BEAR".

 

Introduction

After the citizen journalist site Bellingcat provided us information that identified targeted Russian advanced persistent threat (APT) activity against them, there was a substantial amount of research we put into the technical analysis (domains, IP addresses, name servers, and registrants). We were unable to fit this into our initial Belling the Bear blog post, which focused more on the impact and implications of FANCY BEAR and CyberBerkut's cyber operations and retaliatory efforts against Bellingcat.

This research represents a perfect example of how ThreatConnect can be used when investigating incidents to identify a significant amount of additional intelligence and conduct pertinent analysis that facilitates an organization's cyber security efforts. Ultimately we were able to identify dozens of historical domains, IP addresses, and aliases that most likely are attributable to FANCY BEAR and clue us into some of their tactics, techniques, and procedures (TTPs).

 

[Image: fancy-bear-threatconnect]

According to sources, a full size FANCY BEAR reaches an average weight of 400 lbs.

 

When we took a closer look at the CATA501836 and Carbon2u name servers that were associated with the Bellingcat attack, we identified dozens of active domains that may be attributable to FANCY BEAR. Further, many of these domains spoof news, government, and technology organizations and could be used in current or future FANCY BEAR operations.

The Power of Passive

To start off, we decided to have some fun with the domains and IP addresses that were identified in the spearphishing efforts against Bellingcat. Our self-imposed challenge: identify as much FANCY BEAR infrastructure as possible based off of the email headers Bellingcat provided. Our approach: use the ThreatConnect platform and our passive DNS integration to identify co-located domains residing on IP addresses that most likely were used by FANCY BEAR. Following is the general methodology that we (attempted to) employ along with screenshot examples from the platform showing how the methodology was applied to a domain from the Bellingcat spearphishing activity, us-westmail-undeliversystem[.]com:

1) Identify when a given domain was registered and the email address that registered the domain. This determines a time frame in which to focus the investigation as well as a registration email address that can be used to pivot off of for future iterations of this research.

[Screenshot: investigate-incidents]

 

[Screenshot: us-westmail-undeliversystem-threatconnect]

 

2) Identify the other domains that this email address registered. Keep track of these for future research. When a registrant email address like this is attributable to a specific APT group, determining the other domains that it registered identifies further domains attributable to that group.


[Screenshot: related-hosts-summary-threatconnect]

 

3) Using passive DNS, identify any known subdomains for the given initial domain. This may help identify mail servers or other subdomains that were not hosted on the same IPs as the given domain and can feed future iterations of this research.

 

[Screenshot: passive-dns-identify-domains]

Using ThreatConnect's passive DNS integration to identify subdomains for a given domain.

 

4) Leverage passive DNS to identify IP addresses that hosted the given initial domain after it was registered by the adversary. Resolutions from before the registration date belong to a previous owner or a parking service; the post-registration IPs are the starting point for identifying infrastructure that may be attributable to the adversary.

[Screenshot: WHOIS-passive-dns-identify-ip-addresses]

 

5) Using WHOIS and passive DNS, identify the subset of those IP addresses that are most likely dedicated to the adversary. This further narrows the list of IP addresses that may be attributable to the APT. Typically, this includes IP addresses that:

a) Are not parking lots where thousands of domains may be hosted before they are sold or used.

b) Are not sinkholes that essentially take over and host the malicious domain to prevent any traffic from reaching the intended destination.

c) Generally host a small number of domains.

d) Do not belong to specific hosting services or reverse proxies like CloudFlare that may seemingly co-locate a small number of unrelated domains with a single IP.

As is indicated in the screenshot below from our friends at DomainTools, the WHOIS information for a given IP may occasionally indicate whether it is dedicated infrastructure.

 

[Screenshot: domaintools-co-located]

 

6) Using passive DNS, identify the other domains that were hosted at the same IP and at the same time as the initial domain. This identifies those domains that were co-located with the given domain at a dedicated IP, which allows us to attribute those domains to the APT. In the example below, the red boxes highlight the given domain, time frame, and dedicated IP, while the blue boxes are the newly identified domains that were co-located with the given domain.

 

[Screenshot: identified-hosting-domains-us-westmail-undeliverysystem]

The blue highlights those domains that were hosted at the same 46.183.217.194 IP during the same timeframe as us-westmail-undeliversystem[.]com.

7) Identify the email addresses that were used to register these domains. This can be used as additional fodder for future iterations.

8) Iterate the analysis using the newly identified domains from the initial registrant, co-located domains, and other registrants.

In all of the demonstrated steps above, we can leverage the ThreatConnect platform to identify additional intelligence associated with those indicators.
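As an added example, not ThreatConnect code or the tooling used in this post, the co-location pivot from steps 1 to 8 in Python over constructed passive DNS and WHOIS records. Only the us-westmail-undeliversystem[.]com domain and the 46.183.217.194 IP come from the post; every other domain, IP, date and registrant email is made up, and step 3 (subdomain enumeration) is left out.

```python
"""Co-location pivot (steps 1 to 8 above) over constructed passive DNS and WHOIS data."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Resolution:
    """One passive DNS record: domain resolved to ip between first_seen and last_seen."""
    domain: str
    ip: str
    first_seen: date
    last_seen: date


@dataclass(frozen=True)
class Whois:
    registrant_email: str
    registered: date


# Constructed sample data. Only the seed domain and 46.183.217.194 come from the post;
# every other domain, IP, date and registrant email below is made up for illustration.
WHOIS = {
    "us-westmail-undeliversystem.com": Whois("seed-persona@example.com", date(2016, 8, 1)),
    "other-seed-domain.example": Whois("seed-persona@example.com", date(2016, 7, 20)),
    "spoofed-news.example": Whois("second-persona@example.com", date(2016, 8, 10)),
    "another-spoof.example": Whois("second-persona@example.com", date(2016, 9, 1)),
    "unrelated-shop.example": Whois("shop@example.org", date(2014, 1, 1)),
}
PDNS = [
    # seed domain: parked before the adversary registered it, then moved to a dedicated IP
    Resolution("us-westmail-undeliversystem.com", "198.51.100.9", date(2015, 1, 1), date(2016, 7, 1)),
    Resolution("us-westmail-undeliversystem.com", "46.183.217.194", date(2016, 8, 2), date(2016, 9, 30)),
    # co-located on the dedicated IP during an overlapping window: attributable (step 6)
    Resolution("spoofed-news.example", "46.183.217.194", date(2016, 8, 12), date(2016, 10, 15)),
    # same IP, but only before the seed domain arrived: no overlap, not attributable
    Resolution("stale-tenant.example", "46.183.217.194", date(2016, 1, 1), date(2016, 7, 30)),
    # parking lot with more than a thousand tenants: dropped by the step 5 filter
    *[Resolution(f"parked{i}.example", "198.51.100.9", date(2015, 1, 1), date(2016, 12, 31))
      for i in range(1200)],
    Resolution("unrelated-shop.example", "203.0.113.5", date(2014, 1, 1), date(2016, 12, 31)),
    Resolution("another-spoof.example", "203.0.113.77", date(2016, 9, 2), date(2016, 12, 31)),
]
SINKHOLES = {"192.0.2.1"}      # constructed sinkhole list
MAX_DOMAINS_PER_IP = 10        # above this an IP is treated as shared hosting


def domains_at(ip):
    return {r.domain for r in PDNS if r.ip == ip}


def is_dedicated(ip):
    """Step 5: not a sinkhole, not a parking lot, only a handful of tenants."""
    return ip not in SINKHOLES and len(domains_at(ip)) <= MAX_DOMAINS_PER_IP


def overlaps(a, b):
    """True when two resolution windows share at least one day."""
    return a.first_seen <= b.last_seen and b.first_seen <= a.last_seen


def pivot(seed, seen=None):
    """Iterate steps 1, 2, 4, 5, 6, 7 and 8 from one seed domain.

    Returns {"domains", "ips", "emails"}: everything reached through a shared
    registrant email or through co-location on a dedicated IP after the seed
    domain was registered.
    """
    if seen is None:
        seen = {"domains": set(), "ips": set(), "emails": set()}
    if seed in seen["domains"] or seed not in WHOIS:
        return seen
    seen["domains"].add(seed)
    w = WHOIS[seed]
    seen["emails"].add(w.registrant_email)                                   # step 1
    queue = [d for d, x in WHOIS.items() if x.registrant_email == w.registrant_email]  # step 2
    post_reg = [r for r in PDNS if r.domain == seed and r.last_seen >= w.registered]   # step 4
    for r in post_reg:
        if not is_dedicated(r.ip):                                           # step 5
            continue
        seen["ips"].add(r.ip)
        for other in PDNS:                                                   # step 6
            if other.ip == r.ip and other.domain != seed and overlaps(other, r):
                queue.append(other.domain)
    for d in queue:                                                          # steps 7 and 8
        pivot(d, seen)
    return seen
```

Running pivot("us-westmail-undeliversystem.com") reaches the second persona only through the overlapping window on the dedicated IP; the stale tenant on the same IP and the parked domains are never added.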

 

Applying the Methodology

Beginning with the 6 domains, 5 IP addresses, and 3 email registrants identified in the email headers that Bellingcat provided to us, we went through the above steps. Before we knew it, we had identified 32 email addresses and aliases, over 180 domains, and over 50 IP addresses that are most likely associated with FANCY BEAR operations. We also identified over 300 subdomains for those 180+ domains, but did not iterate our analysis using those subdomains due to time constraints.

Using Maltego, we generated a link chart to display the associations between all of these entities and how they tied back to the Bellingcat incident. The image below shows a subsection of the link chart that includes some of the infrastructure identified in the Bellingcat spearphishing. Additionally, we have shared all of these indicators in the incident 20160907B: Tracing out FANCY BEAR Infrastructure from Bellingcat Input.

 

[Image: fancy-bear-spearphishing-email-relationship-graph]

This image shows the relationships between the domains, IP addresses, and registrant email addresses that we were able to identify by tracing out infrastructure from the FANCY BEAR spearphishing emails provided by Bellingcat.


Most of the domains, IPs, and email addresses have previously been identified in industry reports on FANCY BEAR. However, there are several that have not been identified and may provide organizations with additional context for reviewing historical activity against their networks. Some notable finds from the identified domains - which are a subset of all FANCY BEAR activity - include the following:

  • The domain registrations suggest that FANCY BEAR has sought to target or spoof several countries' government, military, and Ministry of Foreign Affairs domains, including the US, Armenia, Albania, Poland, Afghanistan, Iraq, Chile, and Hungary, among others.
  • Some of the registered domains spoof military exhibitions, such as sofexjordanx[.]com, sofexjordan2014[.]com, eurosatory2014[.]com, eurosatary[.]com, eurosator[.]com, counterterorexpo[.]com, natoexhibitionff14[.]com, militaryexponews[.]com, and evronaval[.]com.
  • As previously identified, some of the FANCY BEAR domains spoof news organizations like vice-news[.]com (Vice), tolonevvs[.]com (Afghanistan's Tolonews), novinitie[.]com and n0vinite[.]com (Bulgarian Novinite news).
  • FANCY BEAR also registered several domains that spoof technology organizations like webmail-saic[.]com (SAIC), bostondyn[.]com (Boston Dynamics), and other ubiquitous organizations like Google, Adobe, and Microsoft.
  • The mxx.davinci[.]ag and mxx.davinci[.]org[.]ua mail servers were hosted on the same 46.22.208.204 IP address as mail servers used in the Bellingcat attack. These email servers most likely were used to target or spoof DaVinci Analytic Group - a Ukrainian intelligence and consulting company that has previously blamed Russian intelligence for interfering in Ukrainian military contracts.

Reviewing Registrants

When reviewing DomainTools' WHOIS information associated with the email addresses and fictitious personas that were used to register the domains, we identified the information in the table below. We found some trends in the TTPs that these actors use to generate personas and register domains:

  • In several instances, the registrant used a phone number with a "3" followed by a string of "1"s.
  • Further demonstrating that the actors are not immune to operational security mistakes, one of the domains registered by mrgreedymaster@mail[.]com, exerclto[.]pt, used the name "Thomas Aksnes" -- an earlier established alias -- instead of "Josef Sauquet-Llonch" which was used for all the other mrgreedymaster@mail[.]com domains. Such mistakes can help organizations tie identified activity to malicious actors or groups.
  • The actors tended to use personas based out of Europe with several claiming to be from The Netherlands, France, and Romania.
  • Some of the personas used phone numbers for legitimate organizations including Avis rental car (8006333469), the New York Department of Taxation (5184852889), a Swedish regional council (480448382), a Crowne Plaza hotel (31205563000), a Mandarin Oriental hotel (60323808888), a Spanish vacation rental company (34933042660), and an online travel reservation website (3902678181). Given that many of these legitimate organizations are travel-related, the individuals behind the domain registrations may be using the numbers from their own travel experiences.

| Email Address | Name 1 | Name 2 | Phone 1 | Phone 2 | First Date Seen | Location | Zip 1 |
|---|---|---|---|---|---|---|---|
| cffaccll@mail.com | Ron Sun | | +1.14252740657 | | 12/17/14 | Vatican, WV | 98083 |
| newSmithJOHNSON@mail.com | John Alony | John Kelly | +1.16462134010 | +1.1789784532 | 7/21/15 | New York, NY | 10010 |
| myprimaryreger@gmail.com | John Lenon | | +1.18006333469 | | 3/4/15 | New York, NY | 2133434 |
| cffaccll@aol.co.uk | Helen Robin | | +1.2157028273 | | 12/8/14 | St. Louis, MO | 63132 |
| theforeignnews@gmail.com | Adam Abbe | | +1.5184852889 | | 5/22/15 | New York, NY | 10005 |
| lucas.ellery@yahoo.com | Lucas Jones | | +1.6540232 | | 9/20/13 | Los Angeles, CA | 90026 |
| peter-nolan@gmx.com | Peter Nolan | | +1.8884656937 | | 12/23/13 | London, England | SE12PY |
| billwhite81@mail.com | Bill | | +31.1111111111 | | 3/25/14 | Amsterdam, NL | 12100 |
| billwite81@mail.com | Bill White | | +31.311111111111 | | 3/28/14 | Amsterdam, NL | 12100 |
| rvanholsted@yahoo.com | Robin Holsted | | +31.31205563000 | +31.205563000 | 5/6/14 | Amsterdam, NL | 1083AB |
| farelldaniel1981@gmail.com | Dani Farell | | +31.32131400 | | 8/16/13 | Dronten, NL | 8251 |
| pauljonny@mail.com | Paul Johns | | +33.31111111111 | | 12/23/13 | Paris, France | 000121 |
| morar.adam@mail.com | Kent Ostin | | +33.311111111111 | | 11/10/14 | Paris, France | 12134 |
| mladniko@mail.com | Nikolay Mladenov | | +33.311111111111 | | 1/23/14 | Paris, France | 12100 |
| blabrousse@yahoo.com | Bruno Labrousse | | +33.33311111111 | +33.1111111111 | 5/8/13 | Paris, France | 75010 |
| MrGreedymaster@mail.com | Josep Sauquet-Llonch | Thomas Aksnes | +34.933042660 | +349.33042660 | 10/28/13 | Barcelona, ES | 08450 |
| mika.hanaluinen@mail.com, nordelivery@gmail.com | Mika Hanaluinen | | +358.0931010023 | | 2/18/15 | Helsinki, FI | 05503 |
| nikodima@mail.com | Nikolay Dmitrov | | +359.111111111 | +359.311111111111 | 2/24/14 | Sofia, BG | 12100 |
| emmer.brown@mail.com | Emmer Brown | | +36.311111111111 | | 9/30/14 | Budapesht, HU | 245121 |
| marcelle.lind@mail.com | Douglas Washington | | +370.311111111111 | | 9/2/14 | Vinus, LT | 14356 |
| cuccaromanlio@aol.com | Manlio Cuccaro | | +39.02678181 | +39.3902678181 | 11/21/13 | Marco, Italy | 72020 |
| annaablony@mail.com | Anna Ablony | | +39.113902876543 | +39.6462134010 | 9/14/15 | Milan, Italy | 015007 |
| netesku@aol.com | Mihay Netesku | | +40.311111111111 | | 4/24/14 | Bucharest, RO | 12100 |
| s.simonis@mail.com | Shemar Simonis | | +40.311111111111 | | 9/25/14 | Bucharest, RO | 12100 |
| tombro82@mail.com | Tom Brown | | +40.4437654055 | | 8/26/14 | Bucharest, RO | 12300 |
| aksnes.thomas@yahoo.com | Thomas Aksnes | | +46.480448382 | +46.480448312 | 10/22/13 | Vaxjo, Sweeden | 35321 |
| andre_roy@mail.com | Andre Roy | | +490.61750 | +33.7763157 | 2/7/14 | Paris, France | 75017 |
| cowrob@mail.com | Robert Cowling | | +541.9871 | +44.2831923 | 6/18/14 | London, England | SE3721 |
| xklocko@mail.com | Javonte Waltner | | +60.0763667595 | | 11/25/14 | Franeckiside, MY | 53682 |
| fradmantisun@mail.com | Frad Mantisun | | +60.60323808888 | | 12/7/15 | Kuala Lampur, MY | 50088 |
| qupton@mail.com | Pierre Batz | | +60.840131875944 | | 12/10/14 | Funkview, MY | 75984 |

Coincidentally, while we were getting ready to publish this research, Bellingcat contacted us on October 11, 2016 with yet another FANCY BEAR spearphish. Similar to their October 6 spearphish, this one used a series of shortened URLs that ultimately pointed to the domain id833[.]ga. However, using ThreatConnect's email import function we can quickly identify that FANCY BEAR used the annaablony@mail[.]com registrant email address (bolded in the table above) to send the spearphishing message.

[Screenshot: fancy-bear-used-spearphishing-email]

Leveraging a registrant email address to send a spearphishing message is definitely atypical and could be considered an operational security liability. To that end, considering that this email registrant first surfaced in September 2015, it shows the importance of such historical analysis as actors may pivot to previously used email addresses, domains, or IPs. Indicators from these spearphishing messages have been shared in incident 20161012B: Bellingcat Spearphishing Emails.

CATA501836 Name Server Research

After discovering the link between Bellingcat, FANCY BEAR, and the CATA501836 name server described in the previous post, we decided to use capabilities from our friends at DomainTools to take a look at the other 120 domains that use the cata501836.*.orderbox-dns[.]com name servers owned by the Romanian registrar THCServers. The table below summarizes some of the most important information and suspicious domains that we were able to identify. Where possible, we leveraged ThreatConnect's passive DNS integration to identify subdomains for the given domains. Please note, the presence of these domains on the same name server as DCLeaks and servicetransfermail[.]com does not concretely indicate a tie to Russian activity. However, as repeated use of smaller name servers is a Russian TTP, these domains merit additional scrutiny. These domains have been shared in incident 20160808E: CATA501836 Orderbox Name Server Domains.

| Domain | Possibly Spoofs | Registrant | Is Active? | IP 1 Address | Dedicated IP? | Notable Subdomains | Previous IP | Other Domains of Note at Previous IP |
|---|---|---|---|---|---|---|---|---|
| office365-microsoft[.]com | Microsoft | maxvalentine@tutanota[.]com | Yes | 94.102.53.179 | Yes | | 103.253.27.196 | |
| syrianhrc[.]org | Syrian Human Rights Council | syrianhrc@yahoo[.]com | Yes | 193.29.187.236 | Yes | | 104.237.194.102 | aljazeera-news[.]com, unian-news[.]info, mastconf[.]com |
| farele[.]co | | wiliamvagner@mail[.]com | Yes | 185.86.148.53 | Yes | mofa.farele[.]co | 185.117.72.232 | |
| yandex-control[.]ru | Yandex | | Yes | 185.117.72.253 | Yes | | 185.117.72.253 | |
| pentestinglab[.]com | | dernyalzongy@gmail[.]com | Yes | 176.123.29.71 | Yes | | 66.155.9.238 | |
| accountgooogle[.]com | Google | jessicanails@mail[.]com | Yes | 5.56.133.53 | Yes | | | |
| accounts-gooogl[.]com | Google | seysaliman@mail[.]com | Yes | 81.95.7.41 | Yes | | | |
| accountsgooglemail[.]com | Google | pprrttnndd@gmail[.]com | Yes | 95.153.31.53 | Yes | | | |
| afghanistanmfa[.]net | Afghanistan Ministry of Foreign Affairs | afmfaf@mail[.]com | Yes | 76.74.177.212 | Yes | webmail.afghanistanmfa[.]net | | |
| akragames[.]net | | contact@privacyprotect[.]org | Yes | 5.254.86.148 | Yes | pus.akragames[.]net | | |
| cloudmicrosoft365[.]com | Microsoft | maxvadison@mail[.]com | Yes | 185.61.151.144 | Yes | | | |
| cryptogo[.]net | | mkraslin@tutanota[.]com | Yes | 185.82.200.207 | Yes | | | |
| dcleaks[.]com | | contact@privacyprotect[.]org | Yes | 111.90.158.105 | Yes | | | |
| gooogle-login[.]com | Google | popollololnm@mail[.]com | Yes | 5.56.133.53 | Yes | | | |
| gov-kw[.]com | Kuwait Government | master[.]traveler@mail[.]com | Yes | 185.82.202.251 | Yes | mail.kuwaitarmy.gov-kw[.]com | | |
| live-settings[.]com | Microsoft | baumghartner@mail[.]com | Yes | 185.82.202.194 | Yes | | | |
| login-one[.]com | Microsoft One Drive | mansferdin@mail[.]com | Yes | 89.33.246.69 | Yes | | | |
| mail-hurriyet[.]com | Hurriyet Daily News | alexmad@mail[.]com | Yes | 131.72.139.114 | Yes | | | |
| mailtransferservice[.]com | Email Services | bellamoore1@mail[.]com | Yes | 46.22.208.204 | Yes | | | |
| newsweekadviser[.]com | Newsweek | bred23823@aol[.]com | Yes | 191.96.66.125 | Yes | | | |
| posta-hurriyet[.]com | Hurriyet Daily News | azim[.]n@gmx[.]de | Yes | 80.82.79.14 | Yes | | | |
| smtprelayhost[.]com | Email Services | abre01@inet[.]ua | Yes | 95.153.32.52 | Yes | | | |
| unrightswire[.]org | United Nations News Center | n[.]humandick@mail[.]com | Yes | 158.69.11.111 | Yes | mx.unrightswire[.]org, mail.unrightswire[.]org | | |
| privacy-yandex[.]ru | Yandex | | No | NA | NA | | 104.232.35.45 | emailyandex[.]ru, action-yandex[.]ru, report-yandex[.]ru, yandex-report[.]ru, service-yandex[.]ru, activity-yandex[.]ru, settinqs-yandex[.]ru, mail-service-yandex[.]ru, int-live[.]com |
| mailsettings-yandex[.]ru | Yandex | | No | NA | NA | | 185.117.72.253 | yandex-report[.]ru, yandex-control[.]ru |
| e-mail-supports[.]com | Email Services | distardrupp@gmail[.]com | No | NA | NA | | 198.105.125.254 | team-google[.]com |
| accounts-qooqle[.]com | Google | annaablony@mail[.]com | No | NA | NA | | 31.31.204.60 | |
| google-password[.]com | Google | john89@inet[.]ua | No | NA | NA | accounts.google-password[.]com | 80.255.12.232 | drive-google[.]ga, google-login[.]ml, google-password[.]ml, top-total[.]com, drive-auth[.]com, password-google[.]com, account.password-google[.]com, ftp.password-google[.]com, redirect.screenameaol[.]com, myaccountgoogle[.]ga, markburgston[.]com |
| service-yandex[.]ru | Yandex | | No | NA | NA | | 80.255.3.118 | delivery-yandex[.]ru, settinqs-yandex[.]ru, yandex-site[.]com, pasport-yandex[.]com, gdforum[.]net, gdforum[.]info |
| google-passwd[.]com | Google | alexwhite0790@gmail[.]com | No | NA | NA | | | |
| hurriyet[.]org[.]uk | Hurriyet Daily News | | No | NA | NA | | | |

Focusing on those domains that spoofed other organizations or were otherwise suspicious, we identified 23 domains that are currently hosted on dedicated servers at the given IP address. Domains hosted on dedicated IPs can be indicative of APT activity, as such groups often use dedicated servers as a part of their operations. The domains on dedicated servers included domains spoofing Google, Microsoft, Yandex, and other general email services that could be used against a variety of targets. The Yandex spoofing domains specifically could be used to pursue Russian domestic targets.

Foreign Governments

At least three of the identified domains and/or subdomains hosted on dedicated servers spoof foreign countries' governments. The subdomains included webmail.afghanistanmfa[.]net, mail.kuwaitarmy[.]gov-kw[.]com, and mofa[.]farele[.]co and could be used against a variety of targets in the Middle East and South/Central Asia. The presence of these subdomains suggests that the actors behind them have operationalized them for use, possibly in phishing operations.

News and Current Event Sites

At least five of the domains -- newsweekadvisor[.]com, syrianhrc[.]org, unrightswire[.]org, mail-hurriyet[.]com, and posta-hurriyet[.]com -- spoof news organizations or websites like the Syrian Human Rights Committee and Turkey's Hurriyet daily news. The use of domains targeting news or current event organizations is consistent with previous FANCY BEAR activity and is pertinent to countries currently important to Russian foreign affairs. We also identified two domains -- aljazeera-news[.]com and unian-news[.]info -- that were previously hosted on the same 104.237.194[.]102 IP address as syrianhrc[.]org. Two email related subdomains were also identified for unrightswire[.]org, indicating that the domain has most likely been operationalized in an operation involving an email transaction.

Inactive Domains

Not all of the suspicious domains that we identified are currently active; however, some of the inactive domains have previously been hosted on IPs with other domains that spoof the same organization. For example, privacy-yandex[.]ru was previously hosted at 104.232.35[.]45 with several other Yandex-spoofing domains. This suggests the actors behind these domains leveraged a TTP that relied on spoofing the Russian email provider.

Carbon2u Name Server Research

We took a similar approach to analyzing the Carbon2u name server; however, we had to restrict our research as many more domains use the Carbon2u name servers compared to the CATA501836 name server. For this research, we used our partner DomainTools' Iris to identify those domains that use the Carbon2u name server AND were registered using a mail.com, email.com, chewiemail.com, or europe.com email address, as those are consistent with recently identified FANCY BEAR activity. Alone, this is not enough information to associate these domains with FANCY BEAR; however, at the very least they are suspicious and merit additional scrutiny.

The table below identifies those domains and other information associated with them such as whether they are active, how many domains are hosted on the same IP, the registrant, as well as other domains that email address registered that do not use Carbon2u name servers. These domains have been shared in incident 20160907A: Carbon2U Suspicious Domains.

| Domain | Possibly Spoofs | Is Active? | IP Address | Domains Hosted at IP | Registrant | Other Domains Registered by Email Address |
|---|---|---|---|---|---|---|
| msrdr[.]com | Microsoft | Active | 101.99.75.14 | 7 | amanda[.]kruetner@mail[.]com | com-ar-en-us[.]com, com-io-en-us[.]com, com-oa-en-us[.]com, imgsrvrer[.]com, mgrsr[.]com, nrgrsrvrer[.]com |
| msrwr[.]com | Microsoft | Active | 101.99.75.14 | 7 | amanda[.]kruetner@mail[.]com | |
| driversupdate[.]info | | Active | 46.19.138.66 | 2 | francinepfeffer@chewiemail[.]com | |
| generalsecuritycorp[.]org | | Active | 95.215.44.229 | 1 | jada[.]okeefe15@mail[.]com | |
| reservecorpind[.]com | | Active | 95.215.45.254 | 1 | jada[.]okeefe15@mail[.]com | |
| qov[.]sa[.]com | Saudi Arabia Government | Active | 89.43.60.206 | 1 | jameel[.]khalif@mail[.]com | |
| appexrv[.]com | Apex RVs | Active | 81.95.7.11 | 1 | kellen[.]green82@mail[.]com | upmonserv[.]net |
| appexsrv[.]net | Apex RVs | Active | 95.183.50.23 | 1 | kellen[.]green82@mail[.]com | |
| ledc-agency[.]com | London, ON Economic Development Corporation | Active | 192.254.79.90 | 1 | ledc-agency@mail[.]com | |
| umizg[.]org | | Active | 131.72.136.139 | 1 | nordelivery@gmail[.]com | accounts-googlc[.]com, myaccountgoogle[.]com, rsshotmail[.]com, yepost[.]com |
| yuotubc[.]com | Youtube | Active | 185.82.202.126 | 2 | mika[.]hanaluinen@mail[.]com | |
| facebookservices[.]org | Facebook | Active | 194.68.212.50 | 4 | nordelivery@gmail[.]com | arablivenews[.]com, gsec[.]in |
| fbarticles[.]com | Facebook | Active | 194.68.212.50 | 4 | mika[.]hanaluinen@mail[.]com | |
| gmailservices[.]org | Google | Active | 194.68.212.50 | 4 | op13@mail[.]com | |
| twiterservices[.]org | Twitter | Active | 194.68.212.50 | 4 | op13@mail[.]com | |
| directjav[.]com | | Active | 193.109.68.87 | 308 | op13@mail[.]com | zone-anims[.]com |
| drivers-update[.]info | | Active | 87.236.215.102 | 1 | op13@mail[.]com | |
| cymite[.]com | | Active | 192.3.24.143 | 1 | pabloivild@mail[.]com | |
| 2us-south[.]com | US Southern Command | Active | 87.121.52.109 | 1 | rippin[.]olivia@mail[.]com | |
| online[.]no[.]com | Telenor | Not Active | | | tabitha[.]macejkovic@mail[.]com | g00qle[.]com, telenor.no[.]com, vatlcan[.]com |
| arghpxdge01-airgas[.]com | | Not Active | | | zula09@chewiemail[.]com | akamaisoft[.]com |
| evolution-labs[.]net | | Not Active | | | cffaccll@mail[.]com | |
| qov[.]af | Afghanistan Government | Not Active | | | leesa92@chewiemail[.]com | |

This research identified three domains and email registrants that we had already associated with FANCY BEAR in the Power of Passive section above. We also saw some other trends that correspond to previously identified FANCY BEAR TTPs:

  • Domains that spoof government and military organizations such as 2us-south[.]com (US Southern Command) and qov.sa[.]com (Saudi Arabian Government).
  • Domains that spoof technology and social media websites such as twitterservices[.]org, msrdr[.]com, and gmailservices[.]org.
  • One of the registrants, op13@mail[.]com, previously registered the domain arablivenews[.]com. This domain is similar to other domains that FANCY BEAR has registered that spoof news and media organizations.
  • Many of these suspicious domains are the only one, or one of few, hosted at their given IP address. Malicious actors, notably APT groups, often use dedicated servers and IP addresses for their domains during operations. While this is not necessarily indicative of malicious activity, it can help organizations prioritize domains for additional review.
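Added example, not DomainTools Iris or ThreatConnect code: the name server pivot used in the CATA501836 and Carbon2u sections, selecting domains whose name servers match a pattern and whose registrant uses one of the four email providers named above, then ranking them by whether the hosting IP looks dedicated. Only the cata501836.*.orderbox-dns[.]com pattern and the four provider domains come from the post; every record, IP, tenant count and registrant address is constructed.

```python
"""Name server pivot: filter by NS pattern and registrant provider, rank by dedicated hosting."""
import fnmatch
from collections import Counter

# Constructed WHOIS-style records: (domain, name_server, registrant_email, active, current_ip).
# Name server names follow the cata501836.*.orderbox-dns.com shape from the post; nothing
# else here is real data.
RECORDS = [
    ("login-example-mail.com", "cata501836.mercury.orderbox-dns.com", "persona1@mail.com", True, "203.0.113.10"),
    ("example-webmail-login.net", "cata501836.venus.orderbox-dns.com", "persona2@chewiemail.com", True, "203.0.113.11"),
    ("old-spoof-example.org", "cata501836.earth.orderbox-dns.com", "persona3@europe.com", False, None),
    ("shared-host-example.com", "cata501836.mars.orderbox-dns.com", "persona4@email.com", True, "203.0.113.20"),
    ("legit-blog.example", "cata501836.mercury.orderbox-dns.com", "owner@example.org", True, "203.0.113.30"),
    ("unrelated.example", "ns1.otherdns.example", "persona5@mail.com", True, "203.0.113.40"),
]
# Constructed passive DNS tenant counts: how many domains currently resolve to each IP.
TENANTS = Counter({"203.0.113.10": 1, "203.0.113.11": 2, "203.0.113.20": 340,
                   "203.0.113.30": 1, "203.0.113.40": 1})

# Registrant email providers consistent with the activity described in the post.
SUSPECT_MAIL_DOMAINS = {"mail.com", "email.com", "chewiemail.com", "europe.com"}
DEDICATED_MAX = 5   # at most this many tenants before an IP is treated as shared hosting


def on_name_server(ns, pattern):
    """Glob match so one pattern covers every cata501836.<host>.orderbox-dns.com server."""
    return fnmatch.fnmatch(ns.lower(), pattern.lower())


def select(pattern, require_registrant_domain=True):
    """Return candidate domains on name servers matching pattern, most interesting first.

    Each result carries the registrant, whether the domain is active, the tenant count
    at its IP and a "dedicated" flag (active and few tenants), which is what the post
    uses to prioritize domains for further review.
    """
    out = []
    for domain, ns, email, active, ip in RECORDS:
        if not on_name_server(ns, pattern):
            continue
        provider = email.rsplit("@", 1)[-1].lower()
        if require_registrant_domain and provider not in SUSPECT_MAIL_DOMAINS:
            continue
        hosted = TENANTS.get(ip, 0) if ip else 0
        out.append({
            "domain": domain,
            "registrant": email,
            "active": active,
            "ip": ip,
            "domains_at_ip": hosted,
            "dedicated": active and 0 < hosted <= DEDICATED_MAX,
        })
    # active domains on dedicated IPs first, then remaining active ones by tenant count
    out.sort(key=lambda r: (not r["dedicated"], not r["active"], r["domains_at_ip"], r["domain"]))
    return out
```

The inactive domain still appears in the output, since the post treats inactive domains as worth a look through their previous hosting, but it sorts last.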

Conclusions

It's important to note that operationalizing intelligence like this never ends; it is a continuous process of folding new information in with the old. Even reviewing historical intelligence can re-open cold cases and bring forth a renewed understanding and context of current activity. In this case, this process helped us gain a better understanding of FANCY BEAR. This research can help an organization identify significant amounts of tactical intelligence that informs defensive and incident response efforts. This potentially helps identify infrastructure that may be used against your organization before it is ever operationalized. Additionally, conducting these types of research into your organization's adversaries can provide insight into the TTPs and capabilities that they may employ against your organization or others within your industry. The ThreatConnect platform can help organizations with this as it consolidates, aggregates, and analyzes disparate threat intelligence feeds, data sources, and capabilities.

It is important to note the wealth of information that can flow from just a few nascent data points. The domains, IPs, email addresses, and TTPs referenced in this blog post all came about from research into one small set of FANCY BEAR spearphishing emails. Conducting similar research into your organization's adversaries can unlock new insights and orient your defenses against identified infrastructure and capabilities that ultimately increases those adversaries' costs and risks in targeting your organization.

If done successfully over time, this type of research enables an organization's day-to-day defenses while also potentially reaching a tipping point with respect to the adversary's perceived risk. Denying the adversary any degree of success and punishing him for each intrusion attempt, through exposure and information sharing, presents the adversary with a cost/benefit decision point. Within the game of intelligence gain/loss, any time you can force the adversary to step away from the battle, lick their wounds, and ultimately abandon operations against your organization because it's no longer worth it, it is a win in our book.

ABOUT THE AUTHOR

The ThreatConnect Research Team: is an elite group of globally-acknowledged cybersecurity experts, dedicated to tracking down existing and emerging cyber threats. We scrutinize trends, technology and socio-political motivators to develop comprehensive knowledge of the cyber landscape. Then, we share what we’ve learned so that you can protect your organization, and your team can take precise action against threats.