A Song of Intel and Fancy

A case study tracking adversary infrastructure through SSL certificate use featuring Fancy Bear/APT28/Sofacy.

A long time ago, in a galaxy… No. Stop. We’re not doing that anymore. Instead, we’re pivoting to Game of Thrones, or A Song of Ice and Fire for you bookworms, because the fantastical realm provides great material we can relate to cybersecurity.

This research builds off our previous work using SSL certificates and splash pages to proactively identify Fancy Bear infrastructure. We identified an SSL certificate subject string that Fancy Bear has used consistently since 2016, which further illuminates their infrastructure and registration tactics. Our hope is that in addition to the indicators themselves, our readers will apply these techniques to their research on other adversaries.

We’ll walk through the process of how we conducted this research, which used ThreatConnect, Censys, Farsight Security Passive DNS, RiskIQ, and DomainTools. To date, this line of research has identified 47 IPs, 46 domains, 33 registrant email addresses, and 47 SSL certificates shared in ThreatConnect in Incident 20180209C: “C=GB, ST=London, L=London, O=Security, OU=IT” Certificate Infrastructure. It also underscores consistent Fancy Bear tactics including:

  • Use of small or boutique hosting service providers such as Domains4Bitcoins, ITitch, and NJALLA.
  • Minimizing the reuse of email addresses to register domains.
  • Regular use of email domains sapo[.]pt, mail[.]com, centrum[.]cz, and cock[.]li or privacy protection services.
  • Domain registration and SSL certificate creation times that are consistent with an actor operating in Moscow.

The Watchers in the Night

Everybody thinks they are House Stark material, but we would assert cybersecurity personnel are more like the sworn members of the Night’s Watch. You are the watchers on the firewall, the sword in the dark web, and the shield that guards the networks of your organization.

If we’re being honest, the ThreatConnect Research team, and cyber threat intelligence analysts at large, are most like… wait for it… Samwell Tarly (none of us harbors the delusion of being Jon Snow). Tarly is dedicated to aggregating and analyzing intelligence on threats beyond the wall — the Night King and his White Walkers — to better understand how the Night’s Watch can react to them and proactively address them.



Looking for Adversary Infrastructure Using a Common SSL Certificate Subject String

In our recent efforts to proactively address Fancy Bear, we reviewed SSL certificate information in Censys for domains and IPs using a “Coming soon” splash page consistent with previously identified Fancy Bear infrastructure. We found the same subject field used repeatedly — “C=GB, ST=London, L=London, O=Security, OU=IT, CN=(domain name)” — as shown below for space-delivery[.]com and webversionact[.]org.


Censys SSL certificate information showing consistent use of subject string.


This subject line indicates an SSL certificate most likely generated with OpenSSL or a similar tool, where the creator fills in the subject’s distinguished-name attributes by hand: country (C), state (ST), locality (L), organization (O), organizational unit (OU), and common name (CN). Unless a publicly trusted CA issues the certificate, nothing validates those values, which is why the same made-up organization can appear across dozens of certificates. It is important to note that the common name is intended to reflect the domain name where the certificate is deployed, but in our research we found several instances where that domain name was misspelled or different altogether from the domain where the certificate was actually used. More on that later.


Radiating out: how common is that subject string?

Next, we needed to get an idea of how widely this string is used, and what other infrastructure uses similar SSL certificates, to gain insight into more possible Fancy Bear infrastructure. Again using Censys, we found 47 certificates with the same subject string. We also queried Censys for IP addresses currently hosting a server that presents a certificate with that string. The latter provides a view of active infrastructure, while the former, because Censys retains certificates it has seen even after they stop being served, can be used to find both historical and active infrastructure.

Censys certificate search results for identified subject string.


Careful though: anyone could use OpenSSL to create certificates with these same subject fields, so the string alone is not sufficient to identify Fancy Bear. Using ThreatConnect’s Analyze function, we saw that at least 23 of the specified common names have already been associated with Fancy Bear attacks. Many of the remaining domains have also surfaced in our ongoing research into name servers that Fancy Bear uses. Together, this increases our confidence in assessing that SSL certificates with this subject string are probably associated with Fancy Bear activity.


ThreatConnect Analyze results showing indicators that already have information in ThreatConnect.


Stitching together certificates, IP addresses, and the right domains

Censys SSL certificate information for 46ce0b05f302e0d855e9cc751100299345466581.


At least 39 of the certificates identified in the previous query are no longer in use, so for those we used RiskIQ to search by SHA-1 hash and identify the IP addresses that previously hosted a server presenting that certificate. For example, searching for the previously used SSL certificate 46ce0b05f302e0d855e9cc751100299345466581 returned the IP that had hosted it (listed against that hash in the table below).


RiskIQ SSL certificate information for 46ce0b05f302e0d855e9cc751100299345466581.


Reviewing this IP address in ThreatConnect using our integration with Farsight DNSDB, we saw that it hosted the domain remsupport[.]org. This is a notable finding as well, because that domain does not correspond to ecitcom[.]net, the value in the certificate’s common name field, so we took an extra step to make sure we had matched the right certificate to the right domain.


ThreatConnect’s Farsight Security Passive DNS integration results for the IP address that hosted the certificate.


Conducting this same process for all of the SSL certificates, we came up with the following list sorted by the SSL certificate’s create date/time:

SSL Certificate SHA-1 | IP Hosting Certificate | SSL Certificate Create Date/Time | Domain Hosted at IP or Common Name in SSL Certificate
--- | --- | --- | ---
62e1045ae816b5f44cb43ab52ecb8e4534b63147 | 87.121.52.162 | 2/20/18 12:19 | webversionact[.]org
1e185ee8ac3c3eafcc2b4d842ed5711b9c62a305 | 151.80.74.170 | 2/8/18 7:57 | mdcrewonline[.]com
43df735cfea482ffc27252ae08c94f359c499f69 | 151.80.74.167 | 1/31/18 11:52 | cdnverify[.]net
9d73605a130c377909fe463bc68ac83f73c04a46 | 146.185.253.131 | 1/23/18 11:28 | nomartung[.]org
fcc696070de34157a02c46aa765c3c7969677fea | 179.43.160.184 | 12/21/17 15:55 | europehistoricalmuseum[.]com
126e9d0cf80badf7810859fc116267d40ed1c58b | 92.222.136.105 | 12/21/17 8:34 | supservermgr[.]com
9153efa5001c67fdce4bb861f8758cd90b072901 | 89.34.111.160 | 10/30/17 13:44 | satellitedeluxpanorama[.]com
739e8cc0519aeeb8dd1417e45f9577bd394684f0 | 185.216.35.26 | 10/30/17 10:41 | webviewres[.]net
 |  | 10/30/17 9:43 | vermasterss[.]com
89bba1abb0078ffab8dbf2cfa85697b147d8223d | 89.37.226.105 | 10/27/17 7:46 | funnymems[.]com
3f17cbb5792e6b9ff8607b23bbc8ad40c735819c | 185.86.148.57 | 10/20/17 10:21 | space-delivery[.]com
6860d7aabef2f2382476d9a350c225956bf351c7 | 23.227.196.21 | 10/17/17 8:51 | travelbern[.]com
b86f517d347e53b3b7116682d7f36a3b77fa8bdf |  | 10/16/17 8:41 | space-delivery[.]com
46330eac674b27a4f34ba6864a74bfef59998e5c | 146.185.253.132 | 10/4/17 11:46 | myinvestgroup[.]com
551a8e0b504fa19e643dae39002bd0b91a5cfa7e | 176.223.111.10 | 10/2/17 14:29 | nanetsdeb[.]com
2a71f7ed0de7b89f4a10d329227898edcd3af6ce | 87.120.37.25 | 9/29/17 13:52 | nanetsdeb[.]com
b99346a7f7809578330e4763329209c2381d2f95 | 176.223.165.217 | 9/29/17 11:48 | fastphotobucket[.]com
ea3198f2ef8685a6f8a1303a55fdb7062a6f30b0 | 185.86.148.212 | 7/12/17 13:05 | rapidfileuploader[.]org
b64268d418592d481e13ed6aa4dc233b9dbd486d |  | 7/7/17 7:39 | viters[.]org
9aa7508f1be201120511b1a4bc91e653c82df924 | 89.33.246.117 | 6/28/17 12:57 | mvtband[.]net
d514a2a79a0e1a046846963797319fe8e00cdbeb | 89.44.103.18 | 4/13/17 7:43 | spelns[.]com
2e53a96a63c8cc17f2824bcdf7c93d64dad45170 | 95.215.45.43 | 4/3/17 13:14 | wmdmediacodecs[.]com
b07d766664cfa183dba3ee32ab35ed32c7f501c2 | 95.215.47.226 | 3/29/17 10:09 | acrobatportable[.]com
f9abac0f831e9ea43727a02810ebd6969e8e5951 | 173.243.112.202 | 2/3/17 9:06 | lgemon[.]org
37ab57a30ffd3826a24acd2b3b596d7bf160960c | 91.108.68.171 | 1/31/17 8:41 | lowprt[.]org
1f2a652a68f9ae6a241aed55d80597222d6c2b21 | 103.41.177.44 | 1/13/17 9:16 | evbrax[.]org
bd4255444ba646796c16e967ec0aa1dd95a7a0f2 | 195.12.50.163 | 1/13/17 7:22 | wsusconnect[.]com
09ab2ae3ff9f175c18786656194a81be5d6ff732 | 89.42.212.141 | 12/21/16 9:35 | gtranm[.]com
010e271b2c860caba78475f02edcd30d7a896383 | 146.0.43.98 | 12/15/16 9:57 | reportscanprotecting[.]org
513587ce94be7d70b1f6661f22758ec6fd591d11 | 185.156.173.70 | 11/30/16 8:03 | runvercheck[.]com
8dc11f57d69a5583b196c28a9cf816e10a3fa327 | 95.215.47.162 | 11/30/16 7:47 | noticermk[.]com
46ce0b05f302e0d855e9cc751100299345466581 | 191.101.31.96 | 11/30/16 7:35 | remsupport[.]org
edb4339cdfa0b43d8ef5fb49cc9fdcbbbf2208be | 86.105.1.121 | 11/25/16 7:30 | globaltechresearch[.]org
0153d822178cd0f0725a9a1438d5b2a49edfe71a | 87.236.215.134 | 11/17/16 6:09 | 
d1a1d61806513cde9b2f8d817a55cc16384f490f | 89.45.67.26 | 11/11/16 9:35 | applecloudupdate[.]com
9d54194ba9140c148b8b3eb900dfb7b11ec155e2 | 86.105.1.13 | 11/10/16 8:00 | joshel[.]com
9baf76a0a3a4ce78d3c2ce04e64cae0ea604c7aa | 89.45.67.20 | 10/31/16 9:20 | akamaisoftupdate[.]com
7dcf45941d734b4c42c9a1f90d57e1c816610dff | 62.113.232.197 | 10/26/16 7:57 | ppcodecs[.]com
 |  | 10/24/16 8:22 | appservicegroup[.]com
c201e616fe90ae2592c34de03611748510aba143 | 179.43.128.75 | 9/13/16 5:33 | dateosx[.]com
f6ac5bd6aa52d96d8d413157fbfd1a6be7f65cb7 | 86.105.18.146 | 9/9/16 13:27 | dowssys[.]com
5be56e0660a001a12c8ef250ff86369c50ca73a8 | 87.236.215.21 | 8/18/16 12:32 | microsoftstoreservice[.]com
ea8e4e7882a116ed43db4e5218efb2fd3ba2d116 | 191.96.249.31 | 7/20/16 6:56 | microsoftdccenter[.]com
c3b7df9d2a4eb05d399c336eec4c6ff0688596bd | 95.215.44.247 | 7/12/16 6:12 | mvsband[.]com
c5ec8bb4bb5842930da935e13b9bee604e3b6182 | 95.215.44.240 | 7/8/16 7:54 | dvsservice[.]com
f65d9f8f385cf384cee24a6d04df600d575dd5f6 | 51.254.76.54 | 7/8/16 7:09 | akamaitechupdate[.]com
7d5eaecc2c6865a1f846d03b6d3e0b649a36c2c1 | 185.86.148.14 | 6/1/16 7:35 | 


Once we had a list of the domains, we further enriched it by identifying the WHOIS information for those domains. Doing so provided historical information on how the domains were registered.



Gathering Intelligence: Layering on WHOIS Data

To do so, we used some capabilities and integrations from our friends at DomainTools. Specifically, we were looking to identify registrant email addresses, name servers/hosting providers, and creation timestamps. We started by doing a DomainTools Iris search for the domains listed above.

DomainTools Iris search for identified domains.


This provided the current WHOIS information for those domains. However, some of the domains have been taken over since they were operational, or the WHOIS has otherwise changed since the domain was registered for use in operations. For any domains where we thought this was the case, we reviewed the WHOIS history in our DomainTools Spaces app to identify the original registration information corresponding to the timeframe in which the domain was operational.

ThreatConnect’s DomainTools Spaces App WHOIS history for adobeupdatetechnology[.]com.


Ultimately, we identified the below registration information for these domains.


Domain | Original Registrant | Original Nameserver | Create Date | Create Time
--- | --- | --- | --- | ---
webversionact[.]org | Private registration | NS-CANADA.TOPDNS.COM | 2/14/18 | 7:44:16
nomartung[.]org | Private registration | NS-CANADA.TOPDNS.COM | 1/17/18 | 3:10:21
supservermgr[.]com | Private registration | NS-CANADA.TOPDNS.COM | 12/21/17 | 7:58:00
europehistoricalmuseum[.]com | Private registration | ns1.bulletdns.net | 10/26/17 | 2:22:36
webviewres[.]net | Private registration | ns1.njal.la | 10/25/17 | 8:23:14
funnymems[.]com | Private registration | ns1.njal.la | 10/24/17 | 11:11:37
satellitedeluxpanorama[.]com | Private registration | ns1.njal.la | 10/20/17 | 11:25:22
fastphotobucket[.]com | Private registration | 1-you.njalla.no | 9/28/17 | 14:13:26
rapidfileuploader[.]org | Private registration | NS-CANADA.TOPDNS.COM | 7/11/17 | 13:27:47
viters[.]org | Private registration | ns1.nemohosts.com | 7/6/17 | 13:08:10
mvtband[.]net | Private registration | stvl113289.earth.obox-dns.com | 6/27/17 | 8:57:22
spelns[.]com | Private registration | ns1.nemohosts.com | 3/22/17 | 18:28:42
microsoftdccenter[.]com | Private registration | ns1.ititch.com | 7/20/16 | 12:51:42


We have shared this information, including the domains, IPs, and email addresses, with our Common Community in Incident 20180209C: “C=GB, ST=London, L=London, O=Security, OU=IT” Certificate Infrastructure.


Assessing Tactics

There are Fancy Bear tactics that we can glean from this data set and proactively exploit to identify their activity going forward, in addition to monitoring for new domains/IPs that use the aforementioned SSL certificate subject string.

Hosting Service Providers/Name Servers
The domains’ original name servers help identify the hosting service providers that the actors used to procure the infrastructure. These include several providers we have previously called out, such as Domains4Bitcoins, ITitch, Nemohosts, Carbon2u, and NJALLA. We can proactively monitor for newly registered domains that use these name servers and show other consistencies with Fancy Bear tradecraft, to potentially identify their infrastructure before it is used in operations.

Email Addresses

We used DomainTools Reverse WHOIS to search for any additional domains registered using the email addresses above. As it turns out, only one of the email addresses — iflatley@openmailbox[.]org — registered a second domain (rndversion[.]net). This minimal reuse of email addresses suggests an operational security (opsec) effort to deter efforts to trace out their infrastructure based on known registrants.

DomainTools Reverse WHOIS results for iflatley@openmailbox[.]org.


While some of the domains were registered using privacy protection services, for those that weren’t, we see the consistent use of sapo[.]pt, cock[.]li, centrum[.]cz, and mail[.]com. For the less common of these email domains, like cock[.]li, we can create a Track in ThreatConnect that will alert us to any new domains registered using that email domain.


Creating a Track in ThreatConnect.

Opsec Mistakes

When reviewing the SSL certificates, we identified several possible opsec mistakes that would either arouse suspicion or allow defenders to trace out some of the actors’ infrastructure. As we mentioned earlier, the common name in a certificate’s subject is intended to correspond to the domain name where the certificate is used; for ten of the identified certificates, that wasn’t the case. In some, the domain name was misspelled, as in the certificate below for cdnverify[.]net. Such a mismatch is a red flag for defenders verifying the legitimacy of an encountered domain based on its SSL certificate, and any TLS client that validates the certificate’s name against the host it connected to will surface it.

Censys SSL certificate information for 43df735cfea482ffc27252ae08c94f359c499f69.


In other certificates, a completely different common name was used, as with the aforementioned ecitcom[.]net. It turns out that ecitcom[.]net was the specified common name for five of the certificates listed above. When we search Censys for other certificates using that common name, we find four more, created between February 2016 and September 2016. This helps us identify additional infrastructure, including 51.254.158[.]57 and dowstem[.]com. Researchers can exploit mistakes like these to expand their understanding of adversary infrastructure.
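To make the subject-string pivot and the common-name check concrete, here is an added example (not ThreatConnect’s code) that parses subject strings the way Censys and OpenSSL print them, keeps only certificates whose non-CN attributes exactly match the pivot string, and classifies each kept certificate’s CN against the domain passive DNS shows at the hosting IP as a match, a probable misspelling, or a different domain altogether. The records are constructed for illustration: the SHA-1s and hosted domains come from the table above and the ecitcom[.]net common name is as described in the text, but the specific misspelled CN for cdnverify[.]net, the OpenSSL-default subject record, and the edit-distance threshold of 2 are assumptions.

```python
import re

# The pivot: every attribute of the subject except CN.
PIVOT = {"C": "GB", "ST": "London", "L": "London", "O": "Security", "OU": "IT"}


def parse_subject(subject: str) -> dict:
    """Parse an X.509 subject DN into {ATTR: value}.

    Handles the comma-separated form Censys displays ("C=GB, ST=London, ..., CN=x"),
    the spaced form newer OpenSSL prints ("C = GB, ST = London, ...") and the
    slash-separated form older OpenSSL prints ("/C=GB/ST=London/.../CN=x").
    A comma escaped as backslash-comma inside a value is kept as part of the value.
    """
    s = subject.strip()
    if s.startswith("/"):
        parts = s[1:].split("/")
    else:
        parts = re.split(r"(?<!\\),\s*", s)
    attrs = {}
    for part in parts:
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        attrs[key.strip().upper()] = value.strip().replace("\\,", ",")
    return attrs


def matches_pivot(subject: str) -> bool:
    """True only when the non-CN attributes are exactly the pivot string.

    Anyone can mint a certificate with these fields, so a hit is a lead to
    corroborate (passive DNS, name servers, prior attribution), not attribution.
    """
    non_cn = {k: v for k, v in parse_subject(subject).items() if k != "CN"}
    return non_cn == PIVOT


def normalize_host(host: str) -> str:
    """Lower-case, undo [.] defanging, drop a trailing dot and a leading wildcard label."""
    h = host.strip().lower().replace("[.]", ".").rstrip(".")
    return h[2:] if h.startswith("*.") else h


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert/delete/substitute), computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_cn(common_name: str, hosted_domain: str, max_typo: int = 2) -> str:
    """Compare the certificate CN with the domain actually served at the IP.

    'match'      - CN names the hosted domain (the expected case)
    'misspelled' - within max_typo edits of it (assumed threshold; a likely typo)
    'different'  - an unrelated name, e.g. CN=ecitcom.net on the remsupport.org host
    """
    cn, hosted = normalize_host(common_name), normalize_host(hosted_domain)
    if cn == hosted:
        return "match"
    if edit_distance(cn, hosted) <= max_typo:
        return "misspelled"
    return "different"


def triage(records) -> dict:
    """Map SHA-1 -> CN classification for records whose subject matches the pivot.

    Records whose subject does not match are dropped: they may be unrelated
    certificates that merely share a few fields with the pivot.
    """
    result = {}
    for sha1, subject, hosted in records:
        if not matches_pivot(subject):
            continue
        result[sha1] = classify_cn(parse_subject(subject).get("CN", ""), hosted)
    return result


BASE = "C=GB, ST=London, L=London, O=Security, OU=IT"

# Constructed records: (certificate SHA-1, subject as displayed, domain passive DNS
# shows at the hosting IP). SHA-1s and hosted domains are taken from the post's table.
RECORDS = [
    # Per the post: CN ecitcom.net, but the IP hosted remsupport.org.
    ("46ce0b05f302e0d855e9cc751100299345466581", BASE + ", CN=ecitcom.net", "remsupport[.]org"),
    # The post says this CN was misspelled; the exact typo here is assumed.
    ("43df735cfea482ffc27252ae08c94f359c499f69", BASE + ", CN=cdnverfiy.net", "cdnverify.net"),
    # Well-formed: CN equals the hosted domain.
    ("62e1045ae816b5f44cb43ab52ecb8e4534b63147", BASE + ", CN=webversionact.org", "webversionact.org"),
    # Same subject in old-OpenSSL slash form, to exercise the parser.
    ("126e9d0cf80badf7810859fc116267d40ed1c58b",
     "/C=GB/ST=London/L=London/O=Security/OU=IT/CN=supservermgr.com", "supservermgr.com"),
    # OpenSSL's default req prompts (assumed unrelated certificate): must not match the pivot.
    ("0000000000000000000000000000000000000000",
     "C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=example.com", "example.com"),
]

if __name__ == "__main__":
    for sha1, verdict in triage(RECORDS).items():
        print(sha1, verdict)
```

The pivot match is deliberately exact (same attributes, same values, nothing extra), which mirrors a Censys subject query; loosening it to a subset would pull in every certificate that happens to say C=GB. The edit-distance split between "misspelled" and "different" is a heuristic for sorting leads, not a judgement about intent.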


Creation Timestamps

Finally, we can make use of the creation timestamps for the identified certificates and domains. As the chart below shows, a large majority of the certificates and domains were created between 0600 and 1400 GMT, which corresponds to 0900 to 1700 Moscow time (UTC+3), a standard work day. While not definitive, since countries in the Middle East, Eastern Europe, and East Africa share that offset, in conjunction with the previous associations to Fancy Bear this finding increases our confidence in the attribution.


Chart showing the number of domains and SSL certificates that were created by hour relative to Moscow’s time zone (MSK).


Registration and certificate creation times are of limited use for proactively identifying additional Fancy Bear domains, especially for a single indicator, but the consistency of the data set over time has value for defenders and researchers.
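As an added example (not ThreatConnect’s code), the following converts the certificate creation times from the table above into Moscow hours, builds the hour histogram behind the chart, and computes how many fall inside a 09:00 to 17:00 work day. It also makes the caveat quantitative: scanning every whole-hour UTC offset for the best work-day fit picks out UTC+3, which is a longitude band, not a country. Two assumptions: the table’s times are GMT, as the 0600 to 1400 GMT figure in the text implies, and Moscow is modelled as a fixed UTC+3 offset, which it has been since October 2014, so no named time zone database is needed.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Moscow has kept UTC+3 with no daylight saving since October 2014, which covers
# every timestamp in the post (June 2016 to February 2018).
MSK = timezone(timedelta(hours=3), "MSK")

# Certificate creation times from the post's table, "M/D/YY H:MM", assumed GMT.
CERT_CREATE_TIMES_GMT = [
    "2/20/18 12:19", "2/8/18 7:57", "1/31/18 11:52", "1/23/18 11:28", "12/21/17 15:55",
    "12/21/17 8:34", "10/30/17 13:44", "10/30/17 10:41", "10/30/17 9:43", "10/27/17 7:46",
    "10/20/17 10:21", "10/17/17 8:51", "10/16/17 8:41", "10/4/17 11:46", "10/2/17 14:29",
    "9/29/17 13:52", "9/29/17 11:48", "7/12/17 13:05", "7/7/17 7:39", "6/28/17 12:57",
    "4/13/17 7:43", "4/3/17 13:14", "3/29/17 10:09", "2/3/17 9:06", "1/31/17 8:41",
    "1/13/17 9:16", "1/13/17 7:22", "12/21/16 9:35", "12/15/16 9:57", "11/30/16 8:03",
    "11/30/16 7:47", "11/30/16 7:35", "11/25/16 7:30", "11/17/16 6:09", "11/11/16 9:35",
    "11/10/16 8:00", "10/31/16 9:20", "10/26/16 7:57", "10/24/16 8:22", "9/13/16 5:33",
    "9/9/16 13:27", "8/18/16 12:32", "7/20/16 6:56", "7/12/16 6:12", "7/8/16 7:54",
    "7/8/16 7:09", "6/1/16 7:35",
]


def parse_gmt(ts: str) -> datetime:
    """Parse 'M/D/YY H:MM' (no zero padding needed) as an aware UTC datetime."""
    return datetime.strptime(ts, "%m/%d/%y %H:%M").replace(tzinfo=timezone.utc)


def local_hours(timestamps, tz=MSK) -> list:
    """Hour-of-day of each timestamp after conversion to tz."""
    return [parse_gmt(t).astimezone(tz).hour for t in timestamps]


def hour_histogram(timestamps, tz=MSK) -> Counter:
    """Counts per local hour: the data behind the post's chart."""
    return Counter(local_hours(timestamps, tz))


def workday_share(timestamps, tz=MSK, start=9, end=17) -> float:
    """Fraction of events whose local hour h satisfies start <= h < end."""
    hours = local_hours(timestamps, tz)
    return sum(start <= h < end for h in hours) / len(hours)


def best_fit_offsets(timestamps, start=9, end=17) -> list:
    """Whole-hour UTC offsets (-12..+14) that maximise the work-day share.

    Several inhabited zones share each offset, so the result narrows the actor to
    a longitude band, not a country: that is the caveat in the text, made explicit.
    """
    shares = {}
    for off in range(-12, 15):
        shares[off] = workday_share(timestamps, timezone(timedelta(hours=off)), start, end)
    best = max(shares.values())
    return sorted(off for off, s in shares.items() if s == best)


if __name__ == "__main__":
    for hour, n in sorted(hour_histogram(CERT_CREATE_TIMES_GMT).items()):
        print(f"{hour:02d}:00 MSK  {'#' * n}")
    print(f"inside 09:00-17:00 MSK: {workday_share(CERT_CREATE_TIMES_GMT):.1%}")
    print("best-fit UTC offsets:", best_fit_offsets(CERT_CREATE_TIMES_GMT))
```

Using fixed offsets rather than named zones avoids a dependency on system tzdata and is exact here because Russia abolished seasonal clock changes before the data set begins; for data spanning daylight-saving changes in the candidate region, use a named zone from zoneinfo instead.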


Conclusion: To the Citadel!

We are sometimes asked why we share out these findings publicly, the argument being that we are revealing research methodologies that Fancy Bear can now incorporate into their opsec and avoid in future operations. That’s a fair concern, but in response we argue that by publicizing these findings and methodologies, we are hoping to show our readers ways to research not only Fancy Bear, but the other Night Kings that keep them up at night.


Additionally, as we’ve stated before, in publicly outing or sharing these indicators and tactics, organizations can ultimately increase the actors’ costs and push them to spend more time and resources on procuring infrastructure. The more this is done, the better. Eventually, you might get to the point where you become a factor in the actor’s decision making or cost benefit analysis.

Samwell Tarly’s main source of intelligence, Castle Black’s library, ultimately proves to be insufficient for determining how to best the Night King. He then travels to the Citadel, a huge library of intelligence consolidated from a variety of sources, in hopes of garnering knowledge that will help defend the realm. For threat intelligence researchers and cybersecurity personnel, ThreatConnect acts as a metaphorical Citadel, consolidating, aggregating, and analyzing intelligence from a range of internal and external sources. However, whereas the maesters at the Citadel seem unencumbered by what happens outside of Oldtown, ThreatConnect gives users the ability to actually act on the intelligence they receive and integrate with the defensive tools they have in place to mitigate their threats. If you want to learn more, check out our platform.


ThreatConnect Dashboard showing users recent intelligence from our Citadel on Fancy Bear.

About the Author
ThreatConnect Research Team

The ThreatConnect Research Team is an elite group of globally acknowledged cybersecurity experts, dedicated to tracking down existing and emerging cyber threats. We scrutinize trends, technology, and socio-political motivators to develop comprehensive knowledge of the cyber landscape. Then, we share what we’ve learned so that you can protect your organization, and your team can take precise action against threats.