Stepping to FANCY BEAR (or how to efficiently validate and enrich a jumbled list of indicators)
Over the last few weeks the U.S. government released two reports on Russian hacking and influence operations related to the U.S. election. Most notably, the unclassified version of the Intelligence Community Assessment (ICA) “Assessing Russian Activities and Intentions in Recent US Elections” released on January 6, mirrored assessments we have made over the last seven months in our blog series on FANCY BEAR, their operations, faketivists, and motivations. For more details that support those assessments, collect them all: “Rebooting Watergate: Tapping into the Democratic National Committee”, “Shiny Object? Guccifer 2.0 and the DNC Breach“, “What’s in a Name Server?“, “Guccifer 2.0: the Man, the Myth, the Legend?“, “Guccifer 2.0: All Roads Lead to Russia“, “FANCY BEAR Has an (IT) Itch that They Can’t Scratch“, “Does a BEAR Leak in the Woods?“, “Russian Cyber Operations on Steroids“, “Can a BEAR Fit Down a Rabbit Hole?“, “Belling the BEAR“, “Let’s Get Fancy”, and “Hacktivists vs. Faketivists: Fancy Bears in Disguise.”
The other report, the Joint Analysis Report (JAR) on GRIZZLY STEPPE released in late December, detailed indicators for a variety of Russian actors — including over 870 IP addresses — to enable network defenders to identify activity emanating from those actors. The JAR has been disparaged for its lack of specificity and inclusion of TOR and VPS IP addresses that aren’t necessarily indicative of malicious activity. We agree, the amount of context included with the indicators leaves much to be desired. If only there were a way to efficiently figure out which of those 870 IP addresses we should care about and what else they might be related to…
One plucky member of our Research Team volunteered to wade through the noise, assuring the boss this wasn’t going to be a massive time suck. Sure enough, we had results validating and extending the JAR’s finding by the end of the day. Using the ThreatConnect platform, we honed in on the 37 indicators most likely tied to FANCY BEAR and uncovered over 100 additional indicators by enriching those from the JAR and then pivoting from them using a combination of passive DNS, WHOIS, and our understanding of the ways FANCY BEAR tends to set up infrastructure.
We’re pretty committed to creating enriched indicators like these: context is key to enable defenders and researchers to make sense of threat data and turn it into actionable intelligence. We also think it’s important to share our methodology so others may check our work and improve upon it. There’s still meat left on the bone of the JAR – we’re just focusing on FANCY BEAR here. We make it easy for your plucky users to investigate adversaries through enrichment and pivoting, so feel free to try your hand on some of the others in ThreatConnect.
Where do we Steppe in?
One of the GRIZZLY STEPPE JAR’s shortcomings is the indicators don’t appear to be broken down by an adversary or actor. We threw all 870 IPs into ThreatConnect’s Analyze function to determine whether any of the indicators in the JAR were already in ThreatConnect, and potentially with which adversary they were associated.
ThreatConnect already knew about hundreds of indicators, many of which were identified as TOR nodes while others were associated with adversaries and incidents such as BlackEnergy, Zeus, FANCY BEAR, COZY BEAR, and the SBOE attacks. We’re zooming in on FANCY BEAR, since we’ve spent quite some time looking at how this threat actor stands up infrastructure.
When we reviewed the results from Analyze, we identified an interesting trend. All of the IP addresses ThreatConnect already knew were associated with FANCY BEAR were in the first 80 IPs included in the GRIZZLY STEPPE JAR. Since the indicators were not sorted numerically, it’s possible sections of indicators in the JAR were copied straight out of a database and are related based on their associated adversary.
With that in mind, we concentrated our research efforts on the first 80 IPs to focus on those that were potentially FANCY BEAR. Simply assuming that all of those IPs were associated with FANCY BEAR would have been an analytic leap, so we reviewed them, their domain hosting history, and the corresponding WHOIS registration information to determine those that likely were associated with FANCY BEAR. From there, we employed methodologies similar to those described in Let’s Get Fancy to identify additional indicators and context that go beyond what was included with the GRIZZLY STEPPE JAR.
We broke down our search into the following categories: IPs already associated with FANCY BEAR, those that hosted domains already associated with FANCY BEAR, those that hosted domains with registration consistencies to previous FANCY BEAR domains, and then new indicators we identified from pivoting off of fresh information. The methodologies used in each section are similar, but tweaked based on our starting knowledge base.
Guilt By Association
The first iteration of our research involved identifying and delving into those IPs within the JAR’s subset that had hosted domains already associated with FANCY BEAR and thus bear their scarlet letter.
- First, using the first 80 IPs in the JAR, we leveraged ThreatConnect’s Farsight DNSDB integration for passive DNS information to identify the domains that were hosted at those IPs.
- Then using ThreatConnect’s Analyze function, we reviewed these hosted domains to identify those that were already associated with FANCY BEAR from previous incidents and research.
- For those IPs that tested positive for FANCY BEAR domains, we then used hosting history, our WHOIS integration, capabilities from our friends at DomainTools, and open source information to identify whether those IPs were dedicated to a single user.
- Finally, for any IPs that appeared to be dedicated, we identified other domains that were co-located at the IP during the same timeframe as its FANCY BEAR-associated domains.
For example, the 185.100.84[.]254 IP address hosted the spoofed domain thehufflngtonpost[.]com from X to Y timeframe. We previously assessed this domain likely was associated with FANCY BEAR based on the domain registrant (mattew.barnes@aol[.]com) and use of a Domains4Bitcoins name server.
WHOIS information for the 185.100.84[.]254 IP does not indicate whether the IP is shared infrastructure in use by multiple customers or dedicated to a single user. However, based on the hosting history from our Farsight DNSDB integration, we see only four domains have been hosted at the IP in the last two years, so we can conclude this is most likely dedicated infrastructure.
From our Farsight DNSDB integration, we can see that the thehufflngtonpost[.]com domain was hosted at the 185.100.84[.]254 IP from November 11, 2015 to November 9, 2016. During this timeframe, two other domains — trend-news[.]org and virusdefender[.]org — were co-located at this IP.
Using this process, ThreatConnect identified approximately 25 domains we assess most likely are FANCY BEAR domains because they are hosted at dedicated IPs identified in the GRIZZLY STEPPE JAR, and co-located with previously-identified FANCY BEAR domains.
We Want More Fancy
This was a good start. However, for 54 of the 80 IPs we were not able to identify hosted domains already associated with FANCY BEAR. For these IPs we undertook a different process to identify those that hosted domains with registration consistencies to FANCY BEAR.
- We first identified all of the domains that were hosted at those IPs using our Farsight DNSDB integration.
- Then, we leveraged ThreatConnect’s WHOIS integration to identify FANCY BEAR consistencies in registration information for those domains. Notably, we looked for domains that were registered using 1&1 webmail email domains and small/boutique name servers identified in several of our recent assessments (What’s in a Name Server?, FANCY BEAR Has an (IT) Itch that They Can’t Scratch, and Let’s Get Fancy).
- From there, we looked for any additional domains that we could associate to FANCY BEAR based on the registration information to identify other domains their registrants had procured, the IPs where those domains were hosted, and any domains co-located at those IPs.
For example, we took a look at the IP 185.82.202[.]45 included in the GRIZZLY STEPPE JAR, and were unable to identify any domains already associated with FANCY BEAR.
Using some capabilities from DomainTools, along with ThreatConnect’s WHOIS integration, we reviewed the hosted domains at the 185.82.202[.]45 IP, including mxfeed[.]org, to identify any consistencies with FANCY BEAR domain registration tactics.
Looking at the WHOIS for mxfeed[.]org, we see that the domain was registered using the email address strumm@europemail[.]com and uses the name server ab332f3a.bitcoin-dns[.]hosting. That email domain and name server are consistent with previously-identified FANCY BEAR registration tactics. Based on these findings, we can assess that mxfeed[.]org and strumm@europemail[.]com probably are associated with FANCY BEAR activity.
We love finding probable FANCY BEAR registrant email addresses when tracing out infrastructure because it opens our research up to new IPs, domains, and other registrants. Using open source and start of authority (SOA) records we were able to identify that strumm@europemail[.]com had registered at least two other domains — servicedipct[.]com and amxserviceactive[.]com — that use the ITitch.com name servers that have also hosted concentrations of FANCY BEAR domains.
Importing these domains into the platform, we again used our Farsight DNSDB integration to identify the IPs where these domains were hosted and potentially associate those IPs with FANCY BEAR activity as well.
In this instance, we didn’t identify any additional domains that were co-located with servicedipct[.]com at the 185.61.149[.]80 IP, but in some cases we were able to find additional domains that we could associate with FANCY BEAR based on co-locations with the registrant’s domains.
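The registration-consistency pass (look up WHOIS for every domain hosted at a JAR IP, flag registrant email domains and name servers that match earlier FANCY BEAR registrations, then pivot from a probable registrant to their other domains and hosting IPs) is the part of this workflow most worth automating, since it is what turns one IP into a cluster. The block below is an added example, not ThreatConnect's or DomainTools' code. The WHOIS and hosting rows are constructed: mxfeed[.]org's registrant and name server, the registrant of servicedipct[.]com and amxserviceactive[.]com, and the three hosting IPs are as stated in this post and its indicator table, while the exact ITitch.com name-server hostnames, the benign control domain, and the two-point scoring scale are assumptions. The webmail and name-server lists hold only values that appear on this page; in practice you would extend them from the earlier assessments the post cites.

```python
# Constructed WHOIS records. Values for the three FANCY BEAR-linked domains follow the
# post; the ITitch.com hostnames and the benign control domain are assumptions.
WHOIS = {
    "mxfeed.org":           {"registrant": "strumm@europemail.com",
                             "ns": ["ab332f3a.bitcoin-dns.hosting"]},
    "servicedipct.com":     {"registrant": "strumm@europemail.com",
                             "ns": ["ns1.ititch.com", "ns2.ititch.com"]},
    "amxserviceactive.com": {"registrant": "strumm@europemail.com",
                             "ns": ["ns1.ititch.com", "ns2.ititch.com"]},
    "benign-shop.example":  {"registrant": "owner@benign-shop.example",
                             "ns": ["ns1.bighoster.example"]},
}

# Constructed hosting data; the first three IPs are the ones the post gives.
HOSTED_AT = {
    "mxfeed.org": ["185.82.202.45"],
    "servicedipct.com": ["185.61.149.80"],
    "amxserviceactive.com": ["185.86.148.191"],
    "benign-shop.example": ["203.0.113.50"],
}

# Registration traits the post treats as consistent with FANCY BEAR: free webmail
# domains seen on earlier registrations and small/boutique name-server providers.
# Only values that appear on this page are listed; extend from your own research.
WEBMAIL_DOMAINS = {"europemail.com", "asia.com"}
BOUTIQUE_NS_SUFFIXES = ("bitcoin-dns.hosting", "ititch.com")


def score_domain(domain):
    """One point per matching trait, with the reasons kept for the indicator's context."""
    rec = WHOIS.get(domain)
    if rec is None:
        return 0, ["no WHOIS record"]
    reasons = []
    email_domain = rec["registrant"].rsplit("@", 1)[-1].lower()
    if email_domain in WEBMAIL_DOMAINS:
        reasons.append(f"registrant email domain {email_domain}")
    if any(ns.lower().endswith(BOUTIQUE_NS_SUFFIXES) for ns in rec["ns"]):
        reasons.append("boutique name server " + ", ".join(rec["ns"]))
    return len(reasons), reasons


def assessment(score):
    """Map the score to the confidence language used in the post's indicator table."""
    return {2: "probable", 1: "possible"}.get(score, "none")


def pivot_registrant(email):
    """Reverse-WHOIS style pivot: every domain this registrant holds and where it is hosted."""
    domains = sorted(d for d, r in WHOIS.items() if r["registrant"].lower() == email.lower())
    ips = sorted({ip for d in domains for ip in HOSTED_AT.get(d, [])})
    return {"domains": domains, "ips": ips}


def enrich_ip(ip):
    """Run the registration-consistency pass for one JAR IP and pivot from probable hits."""
    results = []
    for domain, ips in HOSTED_AT.items():
        if ip not in ips:
            continue
        score, reasons = score_domain(domain)
        entry = {"domain": domain, "assessment": assessment(score), "reasons": reasons}
        if score >= 2:   # only pivot from registrants we would call probable
            entry["pivot"] = pivot_registrant(WHOIS[domain]["registrant"])
        results.append(entry)
    return results


if __name__ == "__main__":
    for jar_ip in ("185.82.202.45", "203.0.113.50", "198.51.100.1"):
        print(jar_ip.replace(".", "[.]"), enrich_ip(jar_ip))
```

Keeping the reasons alongside the score is what makes the output an enriched indicator rather than a bare hit: the same string that justified the "probable" call can be written into the indicator's description, and a domain that matches on only one trait is reported as "possible" without triggering a registrant pivot.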
Findings and Enriched Indicators
In total, we were able to associate 43 of the first 80 IP addresses included in the GRIZZLY STEPPE JAR with FANCY BEAR. It is important to note that nine of the IP addresses in those first 80 were associated with BlackEnergy malware or other campaigns that had no clear association to FANCY BEAR, while we didn’t find any associated actor or campaign for the remaining IPs. Using the ThreatConnect platform, those 43 IPs led us to an additional 122 indicators, 100 of which had not been associated with FANCY BEAR in our platform. These new indicators included 68 domains, 17 IPs, and 15 email registrants, all with varying degrees of association to FANCY BEAR.
One of the big issues with the GRIZZLY STEPPE JAR, and to a larger extent many intelligence feeds, is that they don’t provide the appropriate context identifying the provenance, confidence, or associated adversaries for the supplied indicators. This leaves defenders playing a guessing game trying to determine whether network activity that hit on those indicators is actually malicious and merits further investigation, or can be dismissed with minimal risk. For threat intelligence researchers, this ambiguity can result in pertinent indicators being left undiscovered and adversaries flying under the radar.
Enriched indicators mitigate these shortcomings by providing relevant context showing the source, how the indicator was identified, the associated adversaries, how the indicator is associated with those adversaries, and the confidence in the indicator. Such detail enables defenders and researchers to quickly identify the relevance of an indicator, understand the adversary behind the activity, and identify additional indicators that may inform incident response efforts. Below is a sample of the enriched indicators and their descriptions that ThreatConnect identified through this research and shared within the platform. The entire list of indicators has been shared with Common Community in Incident 20170106A: Fancy Bear Indicators Identified from Research into USG JAR on GRIZZLY STEPPE.
| Indicator | Description |
|---|---|
| 57567547454[.]com | Domain colocated with domain registered by probable Fancy Bear/Sofacy/APT28 registrant at the 22.214.171.124 IP address. |
| 185.86.148[.]191 | IP address hosts/hosted the domain amxserviceactive[.]com registered by probable Fancy Bear/Sofacy/APT28 registrant strumm@europemail[.]com. |
| 104.207.130[.]126 | IP address identified in USG JAR report on GRIZZLY STEPPE hosting Fancy Bear/Sofacy/APT28 domain(s). |
| passport-i[.]com[.]ua | Domain colocated with domain registered by probable Fancy Bear/Sofacy/APT28 registrant at the 126.96.36.199 IP address. |
| gesund-punkt[.]com | Domain colocated with domain registered by probable Fancy Bear/Sofacy/APT28 registrant at the 188.8.131.52 IP address. |
| 34564414564[.]com | Domain registered by probable Fancy Bear/Sofacy/APT28 registrant email@example.com. |
| amxserviceactive[.]com | Domain registered by probable Fancy Bear/Sofacy/APT28 registrant strumm@europemail[.]com. |
| 193.169.244[.]215 | IP address hosts/hosted domains registered by probable Fancy Bear/Sofacy/APT28 registrant email@example.com. |
| 130.255.189[.]50 | IP address hosts/hosted the domain exua[.]email registered by probable Fancy Bear/Sofacy/APT28 registrant firstname.lastname@example.org. |
| 185.61.149[.]80 | IP address hosts/hosted the domain servicedipct[.]com registered by probable Fancy Bear/Sofacy/APT28 registrant strumm@europemail[.]com. |
| 151.80.220[.]34 | IP address identified in USG JAR report on GRIZZLY STEPPE likely hosting Fancy Bear/Sofacy/APT28 domain(s). |
| 2136214[.]tk | Most likely Fancy Bear/Sofacy/APT28 domain hosted at IP identified in USG JAR report on GRIZZLY STEPPE and colocated with previously-identified Fancy Bear domain. |
| denyacc[.]com | Possible Fancy Bear/Sofacy/APT28 domain hosted at IP identified in USG JAR report on GRIZZLY STEPPE. |
| top-total[.]com | Probable Fancy Bear/Sofacy/APT28 domain hosted at IP identified in USG JAR report on GRIZZLY STEPPE and registered using a name server consistent with previous Fancy Bear registrations. |
| ciscohelpcenter[.]com | Probable Fancy Bear/Sofacy/APT28 domain hosted at IP identified in USG JAR report on GRIZZLY STEPPE and registered using an email address domain and name server consistent with previous Fancy Bear registrations. |
| computers0ft[.]com | Probable Fancy Bear/Sofacy/APT28 domain hosted at IP identified in USG JAR report on GRIZZLY STEPPE and registered using an email address domain consistent with previous Fancy Bear registrations. |
| bbc-press[.]org | Probable Fancy Bear/Sofacy/APT28 domain hosted at IP identified in USG JAR report on GRIZZLY STEPPE. |
| lary@asia[.]com | Probable Fancy Bear/Sofacy/APT28 email registrant that registered a domain hosted at an IP identified in USG JAR report on GRIZZLY STEPPE. |
The GRIZZLY STEPPE JAR may have been appropriately criticized by the individuals it was meant to inform, but its shortcomings don’t mean that it is entirely useless. When the U.S. government gives you indicators, extract every bit of intelligence out of those indicators and use it to your advantage. ThreatConnect enables organizations to do just that by providing a cybersecurity platform that can be used to research, enrich, understand, and memorialize cyber threat intelligence. In this instance, we were able to significantly augment the context for some of the indicators included in the JAR and trace out from those indicators to provide enriched indicators for FANCY BEAR that would otherwise have gone undiscovered had we taken the JAR at face value.