How the ThreatConnect Research team used the Platform to investigate incidents, identify intelligence and conduct pertinent analysis regarding FANCY BEAR
Read the full series of ThreatConnect posts following the DNC Breach: “Rebooting Watergate: Tapping into the Democratic National Committee“, “Shiny Object? Guccifer 2.0 and the DNC Breach“, “What’s in a Name Server?“, “Guccifer 2.0: the Man, the Myth, the Legend?“, “Guccifer 2.0: All Roads Lead to Russia“, “FANCY BEAR Has an (IT) Itch that They Can’t Scratch“, “Does a BEAR Leak in the Woods?“, “Russian Cyber Operations on Steroids“, “Can a BEAR Fit Down a Rabbit Hole?“, and “Belling the BEAR“.
After the citizen journalist site Bellingcat provided us information that identified targeted Russian advanced persistent threat (APT) activity against them, there was a substantial amount of research we put into the technical analysis (domains, IP addresses, name servers, and registrants). We were unable to fit this into our initial Belling the Bear blog post, which focused more on the impact and implications of FANCY BEAR and CyberBerkut’s cyber operations and retaliatory efforts against Bellingcat.
This research represents a perfect example of how ThreatConnect can be used when investigating incidents to identify a significant amount of additional intelligence and conduct pertinent analysis that facilitates an organization’s cyber security efforts. Ultimately we were able to identify dozens of historical domains, IP addresses, and aliases that most likely are attributable to FANCY BEAR and clue us into some of their tactics, techniques, and procedures (TTPs).
When we took a closer look at the CATA501836 and Carbon2u name servers that were associated with the Bellingcat attack, we identified dozens of active domains that may be attributable to FANCY BEAR. Further, many of these domains spoof news, government, and technology organizations and could be used in current or future FANCY BEAR operations.
The Power of Passive
To start off, we decided to have some fun with the domains and IP addresses that were identified in the spearphishing efforts against Bellingcat. Our self-imposed challenge: identify as much FANCY BEAR infrastructure as possible based on the email headers Bellingcat provided. Our approach: use the ThreatConnect platform and our passive DNS integration to identify co-located domains residing on IP addresses that most likely were used by FANCY BEAR. Following is the general methodology that we (attempted to) employ, along with screenshot examples from the platform showing how the methodology was applied to a domain from the Bellingcat spearphishing activity, us-westmail-undeliversystem[.]com:
1) Identify when a given domain was registered and the email address that registered the domain. This determines a time frame in which to focus the investigation as well as a registration email address that can be used to pivot off of for future iterations of this research.
2) Identify the other domains that this email address registered. Keep track of these for future research. When a registrant email address like this is attributable to a specific APT group, determining the other domains that it registered identifies other domains attributable to that APT group.
3) Using passive DNS, identify any known subdomains for the given initial domain. This may help identify mail servers or other subdomains that were not hosted on the same IPs as the given domain and can feed future iterations of this research.
4) Leverage passive DNS to identify IP addresses that hosted the given initial domain after it was registered by the adversary. Discovering the IP addresses that hosted the domain after it was registered by the adversary helps begin to identify those IPs that may be attributable to the adversary.
5) Using WHOIS and passive DNS, identify the subset of those IP addresses that are most likely dedicated to the adversary. This further narrows the list of IP addresses that may be attributable to the APT. Typically, this includes IP addresses that:
a) Are not parking lots where thousands of domains may be hosted before they are sold or used.
b) Are not sinkholes that essentially take over and host the malicious domain to prevent any traffic from reaching the intended destination.
c) Generally host a small number of domains.
d) Do not belong to specific hosting services or reverse proxies like CloudFlare that may seemingly co-locate a small number of unrelated domains with a single IP.
As is indicated in the screenshot below from our friends at DomainTools, the WHOIS information for a given IP may occasionally indicate whether it is dedicated infrastructure.
6) Using passive DNS, identify the other domains that were hosted at the same IP and at the same time as the initial domain. This identifies those domains that were co-located with the given domain at a dedicated IP, which allows us to attribute those domains to the APT. In the example below, the red boxes highlight the given domain, time frame, and dedicated IP, while the blue boxes are the newly identified domains that were co-located with the given domain.
7) Identify the email addresses that were used to register these domains. This can be used as additional fodder for future iterations.
8) Iterate the analysis using the newly identified domains from the initial registrant, co-located domains, and other registrants.
In all of the demonstrated steps above, we can leverage the ThreatConnect platform to identify additional intelligence associated with those indicators.
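The eight steps above are a graph walk over WHOIS and passive DNS data. The following block is an added example (not ThreatConnect's code or platform integration) that implements that walk over constructed records: the WHOIS entries, passive DNS rows, domain names and IP addresses are all made-up sample data using reserved example names and documentation address ranges, and the "dedicated IP" threshold and the shared-infrastructure list are assumptions. It applies the post-registration filter from step 4, the dedicated-IP filter from step 5, the same-time co-location check from step 6, and iterates over registrants and co-located domains as steps 7 and 8 describe.

```python
"""Passive DNS co-location pivot over constructed sample data.
Added illustration of the eight-step methodology; not ThreatConnect's code."""
from collections import defaultdict, deque
from datetime import date

# Constructed WHOIS: domain -> (registrant email, creation date).
WHOIS = {
    "undeliversystem.example": ("registrant-a@mail.example", date(2016, 8, 15)),
    "mfa-spoof.example":       ("registrant-a@mail.example", date(2016, 9, 2)),
    "news-spoof.example":      ("registrant-b@mail.example", date(2016, 8, 28)),
    "second-hop.example":      ("registrant-b@mail.example", date(2016, 9, 20)),
    "old-tenant.example":      ("someone@corp.example",      date(2015, 1, 1)),
    "unrelated-shop.example":  ("shop@corp.example",         date(2014, 6, 1)),
}

# Constructed passive DNS: (domain, ip, first_seen, last_seen).
PDNS = [
    # parking lot: the seed sat here before the adversary registered it (step 4 drops it)
    ("undeliversystem.example", "203.0.113.5", date(2016, 8, 1), date(2016, 8, 14)),
    *[(f"parked-{n}.example", "203.0.113.5", date(2016, 1, 1), date(2016, 12, 1)) for n in range(6)],
    # dedicated box used after registration
    ("undeliversystem.example", "198.51.100.10", date(2016, 8, 16), date(2016, 10, 1)),
    ("news-spoof.example",      "198.51.100.10", date(2016, 8, 29), date(2016, 9, 20)),
    ("old-tenant.example",      "198.51.100.10", date(2016, 1, 1),  date(2016, 3, 1)),  # no time overlap
    # second dedicated box, reachable only through news-spoof.example
    ("news-spoof.example",      "192.0.2.77", date(2016, 9, 21), date(2016, 10, 5)),
    ("second-hop.example",      "192.0.2.77", date(2016, 9, 25), date(2016, 10, 10)),
    # shared reverse proxy: co-location here proves nothing (step 5d)
    ("mfa-spoof.example",       "203.0.113.200", date(2016, 9, 3), date(2016, 10, 1)),
    ("unrelated-shop.example",  "203.0.113.200", date(2014, 6, 2), date(2016, 12, 1)),
]
SHARED_INFRA = {"203.0.113.200"}  # assumed list of known CDN/reverse-proxy/sinkhole IPs


def overlaps(a, b):
    """True if two (first_seen, last_seen) windows share at least one day."""
    return a[0] <= b[1] and b[0] <= a[1]


def pivot(seed, whois, pdns, max_domains_per_ip=5, shared=SHARED_INFRA, max_rounds=3):
    """Return (domains, ips, emails) reachable from `seed` via registrant and
    same-time co-location pivots, restricted to dedicated IPs."""
    by_domain, by_ip, by_email = defaultdict(list), defaultdict(list), defaultdict(set)
    for dom, ip, first, last in pdns:
        by_domain[dom].append((ip, (first, last)))
        by_ip[ip].append((dom, (first, last)))
    for dom, (email, _) in whois.items():
        by_email[email].add(dom)

    domains, ips, emails = {seed}, set(), set()
    queue, seen = deque([seed]), set()
    for _ in range(max_rounds):                       # step 8: bounded iteration
        next_round = []
        while queue:
            dom = queue.popleft()
            if dom in seen or dom not in whois:
                continue
            seen.add(dom)
            email, created = whois[dom]               # steps 1, 2 and 7: registrant pivot
            emails.add(email)
            new = by_email[email] - domains
            domains |= new
            next_round += new
            for ip, window in by_domain[dom]:         # step 4: hosting after registration only
                if window[1] < created:
                    continue
                tenants = by_ip[ip]                   # step 5: dedicated-IP filter
                if ip in shared or len({d for d, _ in tenants}) > max_domains_per_ip:
                    continue
                ips.add(ip)
                for other, w in tenants:              # step 6: co-located at the same time
                    if other != dom and other not in domains and overlaps(window, w):
                        domains.add(other)
                        next_round.append(other)
        queue.extend(next_round)
    return domains, ips, emails


if __name__ == "__main__":
    d, i, e = pivot("undeliversystem.example", WHOIS, PDNS)
    print(sorted(d), sorted(i), sorted(e))
```

Two details carry most of the weight: the `window[1] < created` check discards the pre-registration parking lot even though the seed resolved there, and the overlap test keeps `old-tenant.example` out even though it shared the dedicated IP, because it had left before the adversary arrived. The shared reverse proxy is excluded outright, so `unrelated-shop.example` is never pulled in.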
Applying the Methodology
Beginning with the 6 domains, 5 IP addresses, and 3 email registrants identified in the email headers that Bellingcat provided to us, we went through the above steps. Before we knew it, we had identified 32 email addresses and aliases, over 180 domains, and over 50 IP addresses that are most likely associated with FANCY BEAR operations. We also identified over 300 subdomains for those 180+ domains, but did not iterate our analysis using those subdomains due to time constraints.
Using Maltego, we generated a link chart to display the associations between all of these entities and how they tied back to the Bellingcat incident. The image below shows a subsection of the link chart that includes some of the infrastructure identified in the Bellingcat spearphishing. Additionally, we have shared all of these indicators in the incident 20160907B: Tracing out FANCY BEAR Infrastructure from Bellingcat Input.
Most of the domains, IPs, and email addresses have previously been identified in industry reports on FANCY BEAR. However, there are several that have not been identified and may provide organizations with additional context for reviewing historical activity against their networks. Some notable finds from the identified domains – which is a subset of all FANCY BEAR activity – include the following:
- The domain registrations suggest that FANCY BEAR has sought to target or spoof several countries’ government, military, and Ministry of Foreign Affairs domains, including the US, Armenia, Albania, Poland, Afghanistan, Iraq, Chile, and Hungary, among others.
- Some of the registered domains spoof military exhibitions, such as sofexjordanx[.]com, sofexjordan2014[.]com, eurosatory2014[.]com, eurosatary[.]com, eurosator[.]com, counterterorexpo[.]com, natoexhibitionff14[.]com, militaryexponews[.]com, and evronaval[.]com.
- As previously identified, some of the FANCY BEAR domains spoof news organizations like vice-news[.]com (Vice), tolonevvs[.]com (Afghanistan’s Tolonews), novinitie[.]com and n0vinite[.]com (Bulgarian Novinite news).
- FANCY BEAR also registered several domains that spoof technology organizations like webmail-saic[.]com (SAIC), bostondyn[.]com (Boston Dynamics), and other ubiquitous organizations like Google, Adobe, and Microsoft.
- The mxx.davinci[.]ag and mxx.davinci[.]org[.]ua mail servers were hosted on the same 220.127.116.11 IP address as mail servers used in the Bellingcat attack. These email servers most likely were used to target or spoof DaVinci Analytic Group – a Ukrainian intelligence and consulting company that has previously blamed Russian intelligence for interfering in Ukrainian military contracts.
When reviewing DomainTools' WHOIS information associated with the email addresses and fictitious personas that were used to register the domains, we identified the information in the table below. We found some trends in the TTPs these actors use to generate personas and register domains:
- In several instances, the registrant used a phone number with a “3” followed by a string of “1”s.
- Further demonstrating that the actors are not immune to operational security mistakes, one of the domains registered by mrgreedymaster@mail[.]com, exerclto[.]pt, used the name “Thomas Aksnes” — an earlier established alias — instead of “Josef Sauquet-Llonch” which was used for all the other mrgreedymaster@mail[.]com domains. Such mistakes can help organizations tie identified activity to malicious actors or groups.
- The actors tended to use personas based out of Europe with several claiming to be from The Netherlands, France, and Romania.
- Some of the personas used phone numbers for legitimate organizations including Avis rental car (8006333469), the New York Department of Taxation (5184852889), a Swedish regional council (480448382), a Crowne Plaza hotel (31205563000), a Mandarin Oriental hotel (60323808888), a Spanish vacation rental company (34933042660), and an online travel reservation website (3902678181). Given that many of these legitimate organizations are travel-related, the individuals behind the domain registrations may be using the numbers from their own travel experiences.
[Registrant persona table: the original table listed each registrant email address and fictitious persona with a "First Date Seen" column and a location column. Only the location entries survive here: New York, NY (three entries); St. Louis, MO; Los Angeles, CA; Kuala Lumpur, MY.]
Coincidentally, while we were getting ready to publish this research, Bellingcat contacted us on October 11, 2016 with yet another FANCY BEAR spearphish. Similar to their October 6 spearphish, this one used a series of shortened URLs that ultimately pointed to the domain id833[.]ga. However, using ThreatConnect’s email import function we can quickly identify that FANCY BEAR used the annaablony@mail[.]com registrant email address (bolded in the table above) to send the spearphishing message.
Leveraging a registrant email address to send a spearphishing message is definitely atypical and could be considered an operational security liability. To that end, considering that this email registrant first surfaced in September 2015, it shows the importance of such historical analysis as actors may pivot to previously used email addresses, domains, or IPs. Indicators from these spearphishing messages have been shared in incident 20161012B: Bellingcat Spearphishing Emails.
CATA501836 Name Server Research
After discovering the link between Bellingcat, FANCY BEAR, and the CATA501836 name server described in the previous post, we decided to use capabilities from our friends at DomainTools to take a look at the other 120 domains that use the cata501836.*.orderbox-dns[.]com name servers owned by the Romanian registrar THCServers. The table below summarizes some of the most important information and suspicious domains that we were able to identify. Where possible, we leveraged ThreatConnect's passive DNS integration to identify subdomains for the given domains. Please note that the presence of these domains on the same name server as DCLeaks and servicetransfermail[.]com does not concretely indicate a tie to Russian activity. However, as repeated use of smaller name servers is a Russian TTP, these domains merit additional scrutiny. These domains have been shared in incident 20160808E: CATA501836 Orderbox Name Server Domains.
[CATA501836 name server table: the columns were the spoofed organization, the domain's current IP address, and other domains of note at the domain's previous IP. The row-to-row layout did not survive extraction; the recoverable cell contents are listed below.]
- Spoofed organizations: Syrian Human Rights Council; Afghanistan Ministry of Foreign Affairs; Microsoft OneDrive; Hurriyet Daily News (three domains); United Nations News Center.
- Other domains of note at previous IPs: aljazeera-news[.]com, unian-news[.]info, mastconf[.]com
- Other domains of note at previous IPs: emailyandex[.]ru, action-yandex[.]ru, report-yandex[.]ru, yandex-report[.]ru, service-yandex[.]ru, activity-yandex[.]ru, settinqs-yandex[.]ru, mail-service-yandex[.]ru, int-live[.]com
- Other domains of note at previous IPs: drive-google[.]ga, google-login[.]ml, google-password[.]ml, top-total[.]com, drive-auth[.]com, password-google[.]com, account.password-google[.]com, ftp.password-google[.]com, redirect.screenameaol[.]com, myaccountgoogle[.]ga, markburgston[.]com
- Other domains of note at previous IPs: delivery-yandex[.]ru, settinqs-yandex[.]ru, yandex-site[.]com, pasport-yandex[.]com, gdforum[.]net, gdforum[.]info
Focusing on those domains that spoofed other organizations or were otherwise suspicious, we identified 23 domains that are currently hosted on dedicated servers at the given IP address. Domains hosted on dedicated IPs can be indicative of APT activity as they often use dedicated servers as a part of their operations. The domains on dedicated servers included domains spoofing Google, Microsoft, Yandex, and other general email services that could be used against a variety of targets. The Yandex spoofing domains specifically could be used to pursue Russian domestic targets.
At least three of the identified domains and/or subdomains hosted on dedicated servers spoof foreign governments. The subdomains included webmail.afghanistanmfa[.]net, mail.kuwaitarmy[.]gov-kw[.]com, and mofa[.]farele[.]co and could be used against a variety of targets in the Middle East and South/Central Asia. The presence of these subdomains suggests that the actors behind them have operationalized them for use, possibly in phishing operations.
News and Current Event Sites
At least five of the domains — newsweekadvisor[.]com, syrianhrc[.]org, unrightswire[.]org, mail-hurriyet[.]com, and posta-hurriyet[.]com — spoof news organizations or websites like the Syrian Human Rights Committee and Turkey's Hurriyet daily news. The use of domains targeting news or current event organizations is consistent with previous FANCY BEAR activity and is pertinent to countries currently important to Russian foreign affairs. We also identified two domains — aljazeera-news[.]com and unian-news[.]info — that were previously hosted on the same 104.237.194[.]102 IP address as syrianhrc[.]org. Two email-related subdomains were also identified for unrightswire[.]org, indicating that the domain has most likely been operationalized in an operation involving an email transaction.
Not all of the suspicious domains that we identified are currently active; however, some of the inactive domains have previously been hosted on IPs with other domains that spoof the same organization. For example, privacy-yandex[.]ru was previously hosted at 104.232.35[.]45 with several other Yandex-spoofing domains. This suggests the actors behind these domains leveraged a TTP that relied on spoofing the Russian email provider.
Carbon2u Name Server Research
We took a similar approach to analyzing the Carbon2u name server; however, we had to restrict our research as many more domains use the Carbon2u name servers compared to the CATA501836 name server. For this research, we used our partner DomainTools' Iris to identify those domains that use the Carbon2u name server AND were registered using a mail.com, email.com, chewiemail.com, or europe.com email address, as those are consistent with recently identified FANCY BEAR activity. Alone, this is not enough information to associate these domains with FANCY BEAR; however, at the very least they are suspicious and merit additional scrutiny.
The table below identifies those domains and other information associated with them such as whether they are active, how many domains are hosted on the same IP, the registrant, as well as other domains that email address registered that do not use Carbon2u name servers. These domains have been shared in incident 20160907A: Carbon2U Suspicious Domains.
[Carbon2u name server table: the columns were the domain, whether it is active, the number of domains hosted at its IP, the registrant email address, and other domains registered by that email address. Only the spoofed-organization cells survive here: Saudi Arabia Government; London, ON Economic Development Corporation; US Southern Command.]
This research identified three domains and email registrants that we had associated with FANCY BEAR in the Power of Passive section above. We also saw some other trends that correspond to previously identified FANCY BEAR TTPs:
- Domains that spoof government and military organizations such as 2us-south[.]com (US Southern Command) and qov.sa[.]com (Saudi Arabian Government).
- Domains that spoof technology and social media websites such as twitterservices[.]org, msrdr[.]com, and gmailservices[.]org.
- One of the registrants, op13@mail[.]com, previously registered the domain arablivenews[.]com. This domain is similar to other domains that FANCY BEAR has registered that spoof news and media organizations.
- Many of these suspicious domains are the only one, or one of few, hosted at their given IP address. Malicious actors, notably APT groups, often use dedicated servers and IP addresses for their domains during operations. While this is not necessarily indicative of malicious activity, it can help organizations prioritize domains for additional review.
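The registration TTPs noted in the Power of Passive section (the "3" followed by "1"s phone numbers, phone numbers borrowed from legitimate organizations, one registrant email slipping between two persona names) and the Carbon2u filter (watched name server plus a mail.com/email.com/chewiemail.com/europe.com registrant, plus a dedicated IP) are all checks that can be run mechanically over WHOIS output. The block below is an added example of that triage, not ThreatConnect's or DomainTools' code: the WHOIS records, the name-server suffixes, the "known organisation phone" entry and the scoring weights are constructed assumptions, and the provider list is the one the post names.

```python
"""Registrant/infrastructure triage over constructed WHOIS records.
Added example; heuristics follow the TTPs described in the post."""
import re
from collections import defaultdict

# Registrant email providers the post associates with recent FANCY BEAR registrations.
FREEMAIL_PROVIDERS = {"mail.com", "email.com", "chewiemail.com", "europe.com"}
# Assumed stand-ins for the orderbox-dns / Carbon2u name-server suffixes being watched.
WATCHED_NS = ("orderbox-dns.example", "carbon2u.example")
FILLER_PHONE = re.compile(r"^31+$")   # a "3" followed by a run of "1"s
DEDICATED_MAX = 3                      # "only one, or one of few" domains at the IP
WEIGHTS = {"watched-ns": 2, "freemail": 1, "filler-phone": 2,
           "borrowed-phone": 1, "dedicated-ip": 1, "persona-slip": 1}

# Constructed WHOIS rows (all names, addresses and numbers are made up).
RECORDS = [
    {"domain": "webmail-spoof.example", "ns": "cata.ns1.orderbox-dns.example",
     "email": "persona-one@mail.com", "name": "Josef Persona", "phone": "+3111111",
     "ip": "198.51.100.5", "domains_at_ip": 1},
    {"domain": "exerc-spoof.example", "ns": "dns1.bigregistrar.example",
     "email": "persona-one@mail.com", "name": "Thomas Persona", "phone": "311111111",
     "ip": "198.51.100.6", "domains_at_ip": 2},
    {"domain": "travel-spoof.example", "ns": "ns2.carbon2u.example",
     "email": "persona-two@europe.com", "name": "Ana Persona", "phone": "+1 555 010 0200",
     "ip": "198.51.100.7", "domains_at_ip": 1},
    {"domain": "shop.example", "ns": "ns1.bighost.example",
     "email": "owner@corp.example", "name": "Shop Owner", "phone": "+1 555 010 9999",
     "ip": "203.0.113.9", "domains_at_ip": 4000},
]
KNOWN_ORG_PHONES = {"15550100200"}  # constructed stand-in for a hotel/agency switchboard


def digits(s):
    """Normalise a phone number to its digit string."""
    return re.sub(r"\D", "", s)


def triage(records, known_org_phones=KNOWN_ORG_PHONES, weights=WEIGHTS):
    """Score each WHOIS record; returns [(domain, score, reasons)] highest first."""
    names_by_email = defaultdict(set)           # persona-slip needs a cross-record view
    for r in records:
        names_by_email[r["email"]].add(r["name"])

    out = []
    for r in records:
        reasons = []
        if r["ns"].lower().endswith(WATCHED_NS):
            reasons.append("watched-ns")
        if r["email"].rsplit("@", 1)[-1].lower() in FREEMAIL_PROVIDERS:
            reasons.append("freemail")
        phone = digits(r["phone"])
        if FILLER_PHONE.match(phone):
            reasons.append("filler-phone")
        if phone in known_org_phones:
            reasons.append("borrowed-phone")
        if r["domains_at_ip"] <= DEDICATED_MAX:
            reasons.append("dedicated-ip")
        if len(names_by_email[r["email"]]) > 1:   # same registrant email, different persona name
            reasons.append("persona-slip")
        out.append((r["domain"], sum(weights[x] for x in reasons), reasons))
    out.sort(key=lambda t: (-t[1], t[0]))
    return out


if __name__ == "__main__":
    for domain, score, reasons in triage(RECORDS):
        print(f"{score:2d}  {domain:24s}  {', '.join(reasons)}")
```

The score is a prioritisation aid, not an attribution: as the post says, a small registrar's name server or a freemail registrant alone proves nothing, which is why the weights are low and the output is a ranked list for an analyst rather than a verdict. The persona-slip check is the one that needs all records for a registrant email at once, since it flags the kind of mismatch seen with exerclto[.]pt.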
It’s important to note that operationalizing intelligence like this never ends, it is a continuous process of folding new information in with the old. Even reviewing historical intelligence can re-open the cold cases and bring forth a renewed understanding and context of current activity. In this case, this process helped us gain a better understanding of FANCY BEAR. This research can help an organization identify significant amounts of tactical intelligence that informs defensive and incident response efforts. This potentially helps identify infrastructure that may be used against your organization before it is ever operationalized. Additionally, conducting these types of research into your organization’s adversaries can provide insight into the TTPs and capabilities that they may employ against your organization or others within your industry. The ThreatConnect platform can help organizations with this as it consolidates, aggregates, and analyzes disparate threat intelligence feeds, data sources, and capabilities.
It is important to note the wealth of information that can flow from just a few nascent data points. The domains, IPs, email addresses, and TTPs referenced in this blog post all came about from research into one small set of FANCY BEAR spearphishing emails. Conducting similar research into your organization’s adversaries can unlock new insights and orient your defenses against identified infrastructure and capabilities that ultimately increases those adversaries’ costs and risks in targeting your organization.
If done successfully over time, this type of research enables an organization's day-to-day defenses while also potentially reaching a tipping point with respect to the adversary's perceived risk. Denying the adversary any degree of success and punishing him for each intrusion attempt, through exposure and information sharing, presents the adversary with a cost/benefit decision point. Within the game of intelligence gain/loss, any time you can force the adversary to step away from the battle, lick their wounds, and ultimately abandon operations against your organization because it's no longer worth it, it is a win in our book.