ThreatConnect Research Roundup: Probable Sandworm Infrastructure

June 12 2020 Edition

Howdy, and welcome to the ThreatConnect Research Roundup, a collection of recent findings by our Research Team and items from open source publications that have resulted in Observations of related indicators across ThreatConnect’s CAL™ (Collective Analytics Layer).

Note: Viewing the pages linked in this blog post requires a ThreatConnect account. If you don’t have one, please click here to request your free TC Open account.

In this edition, we cover:

Roundup Highlight: Probable Sandworm Infrastructure
Sandworm Related Intelligence in ThreatConnect
Our highlight in this Roundup is Incident 20200529A: Network of Probable Sandworm Infrastructure. Sandworm, also known as Sandworm Team, Quedagh, and VOODOO BEAR, is a Russian threat actor group that has historically targeted energy, industrial, government, and media organizations in Ukraine.

ThreatConnect Research, in conjunction with industry colleagues, identified a network of probable Sandworm infrastructure dating back to at least 2018. NSA released a report on Sandworm activity on May 29 2020 that identified the domain hostapp.be (IPs: 95.216.13[.]196, 103.94.157[.]5). This domain was registered on December 24 2018 through Njalla. In reviewing historical registrations, we were only able to identify seven other domains that were registered on that date through Njalla. While we were unable to directly associate any of these domains to hostapp.be due to its lack of a creation timestamp, three of the other domains — fbapp[.]top, fbapp[.]info, fbapp[.]link — appeared notable and possibly related.

We reviewed the hosting history, subdomains, and co-locations for these additional domains and to date have identified a network of 30 domains, 17 IPs, and hundreds of subdomains that we assess are probably related to largely historic Sandworm activity. Further indicative of the probable association to Sandworm, some of the identified domains, such as hostapp[.]art and hostapp[.]link, share strings with the domain identified in NSA’s report.

In reviewing subdomains for the identified domains, we found that many subdomain strings were reused across the domains. Many Twitter, Google, and Facebook-related subdomains were identified. The following notable subdomain strings were also identified and are possibly indicative of operational targets, themes, or affected countries:

passport.abv.bg.*
passport.above.bg.*
mail.bg.*
accounts.ukr.net.*
mail.adm.khv.ru.*
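The subdomain strings above all place a legitimate service name (abv.bg, ukr.net, adm.khv.ru) in the labels to the left of a registrable domain the service does not own. As an added illustration that is not part of the ThreatConnect post, the following Python flags DNS resolver queries that match this pattern; the log lines are constructed, the lookalike hosts use the reserved .test TLD, and the registrable domain is approximated as the last two labels (an assumption; a Public Suffix List lookup would be needed for multi-label suffixes).

```python
import re
from typing import List, Optional, Tuple

# Legitimate service hostnames that the report saw reused as subdomain labels
# (passport.abv.bg.*, mail.bg.*, accounts.ukr.net.*, mail.adm.khv.ru.*).
LEGIT_HOSTS = ("abv.bg", "mail.bg", "ukr.net", "adm.khv.ru")

def refang(hostname: str) -> str:
    """Normalise a hostname: undo '[.]' defanging, lower-case it, drop a trailing dot."""
    return hostname.replace("[.]", ".").lower().rstrip(".")

def impersonated_service(hostname: str) -> Optional[str]:
    """Return the legitimate host whose labels sit inside the subdomain part of
    `hostname` while the registrable domain differs, else None.
    Assumption: the registrable domain is the last two labels; a real deployment
    should use the Public Suffix List so multi-label suffixes split correctly."""
    labels = refang(hostname).split(".")
    if len(labels) <= 2:
        return None  # a bare registrable domain has no subdomain part to abuse
    subdomain_labels = labels[:-2]
    for legit in LEGIT_HOSTS:
        legit_labels = legit.split(".")
        n = len(legit_labels)
        for i in range(len(subdomain_labels) - n + 1):
            if subdomain_labels[i:i + n] == legit_labels:
                return legit
    return None

# Constructed resolver log lines for demonstration only; the lookalike hosts use the
# reserved .test TLD and are not indicators from the report.
SAMPLE_DNS_LOG = """\
2020-05-20T10:01:02Z client=10.0.0.12 query=passport.abv.bg.lookalike-host.test
2020-05-20T10:01:05Z client=10.0.0.12 query=passport.abv.bg
2020-05-20T10:02:10Z client=10.0.0.31 query=accounts.ukr.net.lookalike-host.test.
2020-05-20T10:03:44Z client=10.0.0.31 query=www.example.test
2020-05-20T10:04:01Z client=10.0.0.7 query=mail.adm.khv.ru.lookalike-host[.]test
"""

def find_impersonating_queries(log_text: str) -> List[Tuple[str, str]]:
    """Return (queried_name, impersonated_service) for every flagged log line."""
    hits = []
    for line in log_text.splitlines():
        match = re.search(r"\bquery=(\S+)", line)
        if not match:
            continue
        legit = impersonated_service(match.group(1))
        if legit:
            hits.append((refang(match.group(1)), legit))
    return hits
```

Genuine queries for passport.abv.bg or www.example.test are not flagged, because the legitimate labels there are the registrable domain itself rather than a prefix on someone else's domain.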

It’s important to note that while the identified infrastructure is largely historic, at least two domains — userarea[.]click (46.4.10[.]58) and userarea[.]eu (185.226.67[.]190) — and/or their subdomains were actively resolving in May 2020. At this time, we do not have any additional insight into how or against whom this infrastructure has been operationalized.

Update 5/31/20

ThreatConnect Research identified another set of domains and IPs that are a part of this network of probable Sandworm infrastructure. The following domains were registered through Njalla at essentially the same time as userarea[.]click and userarea[.]eu and are currently hosted on dedicated servers:

userarea[.]top (194.117.236[.]33)
userarea[.]in (5.255.90[.]243)

Three other domains were registered through Njalla about two and a half hours later:

myaccount[.]click (185.76.68[.]70)
myaccount[.]one (92.62.139[.]114)
webcache[.]one (195.211.197[.]25)

Notably, four of these IP addresses were identified by GreyNoise as exploiting the Exim vulnerability CVE-2019-10149.

Update 6/3/20

Two other domains — userzone[.]one and userzone[.]eu — are associated with this network of infrastructure. These domains were registered through Njalla on November 13 2019, the same day as those in the previous update. These domains and/or their subdomains have been hosted on a dedicated server at 141.101.196[.]50.

ThreatConnect Research Team Intelligence: Items recently created or updated in the ThreatConnect Common Community by our Research Team.

Technical Blogs and Reports

Incidents with Active and Observed Indicators: Incidents associated with one or more Indicators with an Active status and at least one global Observation across the ThreatConnect community. These analytics are provided by ThreatConnect’s CAL™ (Collective Analytics Layer).

To receive ThreatConnect notifications about any of the above, remember to check the “Follow Item” box on that item’s Details page.

About the Author
ThreatConnect Research Team

The ThreatConnect Research Team is an elite group of globally acknowledged cybersecurity experts dedicated to tracking down existing and emerging cyber threats. We scrutinize trends, technology and socio-political motivators to develop comprehensive knowledge of the cyber landscape. Then, we share what we’ve learned so that you can protect your organization, and your team can take precise action against threats.