Attribution of 2015-6 Phishing to APT28

In two influential articles in June 2016 (June 16 and June 26), immediately following the Crowdstrike announcement, SecureWorks purported to connect the DNC hack to a 2015-6 phishing campaign which they attributed to APT28. SecureWorks identified two malicious domains in their articles. In today’s article, I’ll show that infrastructure from one domain is connected to domains identified as APT28 in early literature, while infrastructure from the other domain leads in an unexpected direction.

SecureWorks Phishing Examples

SecureWorks showed two examples of phishing emails in their June 26, 2016 article, both taken from 2015. A distinctive feature of this phishing campaign was the use of bitly links to further camouflage the typosquatting domain.

accoounts-google.com

Their first example was taken from phishtank.com incident reports 3160712 and 3160715, the first reporting a bitly link and the second its expanded form, which linked to accoounts-google.com, a malicious typosquatting domain.

The full syntax of the expressions is not shown in the SecureWorks figures, but, for completeness, is shown below. First, here is the expansion of Bitly link 1PXQ8zP+ (presently marked by Bitly as malicious) and the full expression in phishtank.com incident 3160715:

The malicious address contained a webpage exactly emulating a Gmail log-in page at which the target would be invited to enter credentials, after which he would be transferred to his actual login page. Meanwhile, his emails would be harvested by the hackers more or less immediately without him knowing.

Phishtank incidents 3160712 and 3160715 were submitted by user aksana (metadata chopped off in the SecureWorks figure), who was, by coincidence or not, involved with InformNapalm, a Ukrainian hacking group followed by Dmitri Alperovitch of Crowdstrike.

googlesetting.com

Their second example used a different typosquatting domain (url.googlesetting.com) but otherwise nearly identical syntax to the unpacked Bitly expression shown above (url/continue=*&df=*&tel=1).

In this case, the first parameter in the expression (YZGlmZ…) is the base64 encoding (not encryption) of the Gmail address of an attaché in the Embassy of Italy in Australia.
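As an added example (not from the SecureWorks articles or this post), here is detection logic for sign-in links of the shape just described: it flags typosquatted Google hosts and decodes the base64 target address carried in the query. It assumes the base64 value sits in the df parameter and that the redirect-after-theft address sits in continue; the sample URLs and addresses are constructed.

```python
import base64
import binascii
from urllib.parse import urlparse, parse_qs

# Hosts a Gmail sign-in link may legitimately point to (assumption: a short allow-list).
LEGIT_HOSTS = ("accounts.google.com", "mail.google.com", "google.com")
BRAND_TOKENS = ("google", "gmail")


def levenshtein(a, b):
    """Edit distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def decode_b64_param(value):
    """Decode a base64 value whose '=' padding may be stripped; None if it is not text."""
    value = value.replace(" ", "+")          # parse_qs turns a literal '+' into a space
    padded = value + "=" * (-len(value) % 4)  # restore missing padding
    try:
        return base64.urlsafe_b64decode(padded).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def is_legit_host(host):
    return any(host == h or host.endswith("." + h) for h in LEGIT_HOSTS)


def analyze(url):
    """Classify a sign-in URL and recover the pre-filled target address, if any."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    params = parse_qs(parsed.query)
    target = decode_b64_param(params["df"][0]) if "df" in params else None
    reasons = []
    if not is_legit_host(host):
        # Treat '-' as '.' so accoounts-google.com is compared with accounts.google.com.
        dist = min(levenshtein(host.replace("-", "."), h) for h in LEGIT_HOSTS)
        if dist <= 2:
            reasons.append(f"host within edit distance {dist} of a legitimate host")
        if any(tok in host for tok in BRAND_TOKENS):
            reasons.append("brand token in a non-Google host")
        if target and "@" in target:
            reasons.append("target address pre-filled in df parameter")
    return {
        "host": host,
        "suspicious": bool(reasons),
        "reasons": reasons,
        "target": target,
        "redirect": params.get("continue", [None])[0],
    }


def make_sample(host, target):
    """Construct a sample URL in the shape the post describes (padding stripped)."""
    b64 = base64.urlsafe_b64encode(target.encode()).decode().rstrip("=")
    return f"http://{host}/url/?continue=https://mail.google.com/mail/&df={b64}&tel=1"


# Constructed samples: two typosquat hosts from the post with made-up addresses, one real host.
SAMPLES = [
    make_sample("accoounts-google.com", "target.attache@example.com"),
    make_sample("url.googlesetting.com", "second.target@example.com"),
    "https://accounts.google.com/signin?continue=https://mail.google.com/mail/",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(analyze(sample))
```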

Registrant Email Addresses

googlesetting.com

SecureWorks didn’t discuss how it attributed the SW-2015 phishing campaign to APT28. However, there is an obvious connection via the registrant email for googlesetting.com, of which url.googlesetting.com is a subdomain. Its registrant, andre_roy@mail.com, is also registrant for numerous domains in the October 2014 PWC inventory of APT28 domains. This is nicely shown in the ThreatCrowd connections graph for url.googlesetting.com, shown below. The two domains and the registrant email address are highlighted, as well as two IP addresses (58.158.177.102 and 37.221.165.244), which, for now, are Easter eggs. All the domains linked to andre_roy were previously identified as APT28. Seems pretty convincing.

accoounts-google.com

However, the registrant and registrant email address for the other phishing domain, accoounts-google.com, lead in a different and unexpected direction. A standard Whois lookup for the domain at whois.icann.org yielded registrant Gennadiy Borisov in Varna, Bulgaria, together with registrant email yingw90@yahoo.com; the screenshot is reproduced below.

In the prior post on the Lurk banking gang, Gennadiy Borisov and yingw90@yahoo.com were registrant and registrant email of dozens, if not hundreds, of crimeware domains associated with the Angler exploit kit. (This unexpected appearance of yingw90 is the “Easter egg” promised in the preceding post.)

In other words, one of the domains (accoounts-google.com) in the SW-2015 phishing campaign appears to connect just as strongly (registrant and registrant email) to the Angler malware group as the other domain (url.googlesetting.com) connects to the APT28 malware group.
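The registrant-email pivot behind both connections, as an added example that is not the post’s own analysis: the records are constructed, with only the two phishing domains and the two registrant emails taken from the post, and *.example placeholders standing in for the unnamed PWC inventory and Angler domains. It also shows why an indicator shared by very many domains, such as a parking server, should not be followed as if it were a registrant email.

```python
from collections import Counter, defaultdict, deque

# Constructed registration/hosting records: (domain, registrant e-mail, resolving IP).
# The *.example names and RFC 5737 addresses are placeholders, not real infrastructure.
RECORDS = [
    ("googlesetting.com", "andre_roy@mail.com", "192.0.2.10"),
    ("apt28-inventory-1.example", "andre_roy@mail.com", "192.0.2.20"),
    ("apt28-inventory-2.example", "andre_roy@mail.com", "192.0.2.20"),
    ("accoounts-google.com", "yingw90@yahoo.com", "203.0.113.200"),
    ("angler-ek-1.example", "yingw90@yahoo.com", "198.51.100.7"),
    ("angler-ek-2.example", "yingw90@yahoo.com", "198.51.100.7"),
]
# A constructed parking server carrying many unrelated domains: a weak pivot.
RECORDS += [(f"parked-{i}.example", f"reg{i}@example.net", "203.0.113.200") for i in range(8)]

# Prior labels from the literature the post cites (constructed placeholders).
KNOWN = {
    "apt28-inventory-1.example": "APT28 (PWC 2014 inventory)",
    "apt28-inventory-2.example": "APT28 (PWC 2014 inventory)",
    "angler-ek-1.example": "Angler crimeware",
    "angler-ek-2.example": "Angler crimeware",
}


def build_index(records):
    by_indicator = defaultdict(set)  # (kind, value) -> domains sharing it
    by_domain = defaultdict(set)     # domain -> its indicators
    for domain, email, ip in records:
        for ind in (("email", email), ("ip", ip)):
            by_indicator[ind].add(domain)
            by_domain[domain].add(ind)
    return by_indicator, by_domain


def pivot(seed, records, max_hops=2, max_fanout=5):
    """Breadth-first pivot from a domain through shared registrant e-mails and IPs.
    An indicator shared by more than max_fanout domains (parking, shared hosting)
    is treated as a weak pivot: it is reported but not followed."""
    by_indicator, by_domain = build_index(records)
    hops = {seed: 0}
    weak = set()
    queue = deque([seed])
    while queue:
        dom = queue.popleft()
        if hops[dom] >= max_hops:
            continue
        for ind in by_domain[dom]:
            if len(by_indicator[ind]) > max_fanout:
                weak.add(ind)
                continue
            for nxt in by_indicator[ind]:
                if nxt not in hops:
                    hops[nxt] = hops[dom] + 1
                    queue.append(nxt)
    return hops, weak


def attribute(seed, records=RECORDS, **kw):
    """Summarise which prior-labelled clusters the pivot reaches and which indicators it skipped."""
    hops, weak = pivot(seed, records, **kw)
    reached = sorted(d for d in hops if d != seed)
    clusters = Counter(KNOWN.get(d, "unlabelled") for d in reached)
    return {"reached": reached, "clusters": dict(clusters), "weak_pivots": sorted(weak)}


if __name__ == "__main__":
    for seed in ("googlesetting.com", "accoounts-google.com"):
        print(seed, attribute(seed))
```

Raising max_fanout lets the parking IP be followed and the Angler-side pivot fills up with unlabelled parked domains, which is the confidence problem the discussion below raises.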

Discussion

APT28 (Fancy Bear) is characterized in computer security literature as a presumed unique hacking group which uses characteristic malware: Sofacy, Chopstick and Eviltoss (or variations thereof, with names varying in the literature). It is characterized by resourcefulness and ingenuity in developing zero-day exploits to deliver the malware. It is usually said to be narrowly focused on defence and government sectors. Two of its most popular delivery methods are a malicious attachment to a document delivered by email or a link to a malicious page of topical interest which downloads malware in the background.

On the other hand, phishing (and credential theft through phishing) is one of the most common forms of cybercrime and is difficult to attribute. In late 2014, Google researchers examined thousands of phishing incidents, observing that credential theft was used to “send spam, to tap into the social connections of victims to compromise additional accounts or alternatively liquidate a victim’s financial assets”. They reported that “phishing requests target victims’ email (35%) and banking institutions (21%) accounts, as well as their app stores and social networking credentials”. In the hijacking cases that they analyzed, they found that “most of the hijackers appear to originate from five main countries: China, Ivory Coast, Malaysia, Nigeria, and South Africa”. In late 2014, a computer security analyst, commenting on the Google article, showed examples of typical gmail phishing emails and webpages, noting that they had seen “400+ Google-related phishing URLs” in the previous week:

These are just a few examples of the “look and feel” of some of the 400+ Google-related phishing URLs we’ve seen in the past seven days at Malcovery security. Most of them were seen many times each!

The phishing webpages in the 2015-2016 phishing campaign of interest to SecureWorks (the “SW Phishing Campaign”) were no better and no worse than others in the genre.

To my knowledge, there have been no reports of installation of distinctive APT28 malware on the targets of the 2015-2016 phishing campaign studied by SecureWorks (the “SW Campaign” for short). Instead, it was an entirely commonplace attempt to steal credentials, indistinguishable in structure from thousands of similar attempts to steal email, banking and other credentials. It specifically targeted Gmail credentials, which together with Yahoo and Microsoft credentials, are the most popular forms of credential theft. Such campaigns frequently use domain names which “spoof” or “typosquat” the legitimate names – there is nothing distinctive to APT28 or even Russia in that technique. It could be Nigerian or American, just as easily.

Attribution of the phishing campaign to APT28 was therefore done on the basis of infrastructure connections. But while there is an infrastructure association to APT28, there is also an association to a prominent crimeware gang.

From this, I’m beginning to question how “APT28” is defined and attributed. On the one hand, one sees incidents in which Sofacy and Coreshell/X-Agent are dropped into computers using sophisticated zero-day exploits – these seem useful attributions. On the other hand, one sees incidents of commonplace credential phishing without accompanying Sofacy or Coreshell malware, which are attributed by supposed chains of infrastructure, e.g. registrant email address or common IP address, going back to incidents as far back as 2014, not necessarily well documented. As an outsider to these attribution arguments, this latter class of attribution seems to me to require lower confidence. If information is contradictory, then I don’t see how much confidence can be attached at all.

26 Comments

  1. Sean Lamb
    Posted Mar 24, 2018 at 9:17 PM | Permalink | Reply

    Interesting, my view is that the view that these phishing campaigns targeted accounts viewed as of intelligence value may be a result of cherry-picking. From memory it results from a dataset of around 14000 bit.ly links supplied representing 3000 targets (presumably by law enforcement or intelligence) to a cyber-security firm.
    However, these phishing campaigns are going to be high volume and low success rate affairs. Suppose you successfully phish someone who goes to the same church as Colin Powell; your next round of phishing is going to include all the email addresses in this person’s address-book. Then suppose Colin Powell is one of the few people tricked by the phish link. Then the next round of phishing is going to be highly enriched with military and political addresses from Colin Powell’s address book – it is going to LOOK like an intelligence campaign, particularly if the bit.ly links dataset is only a subset, but it isn’t.
    One caveat is that the phishing technique is fairly simple to copy – bit.ly links in base64 and variant account urls. Multiple actors could be using it.
    The other caveat – don’t assume the phishes have any connection to the Podesta emails ending up at Wikileaks. Leakers may have just waited for the first convenient phishing attempt to arrive and used that as a convenient cover to leak.

  2. AntonyIndia
    Posted Mar 24, 2018 at 10:11 PM | Permalink | Reply

    Secureworks quantifies their attribution as “moderate confidence”: they base it mostly on the nature of the targets attacked plus similar techniques being used.
    So if many black men were victims plus all shot then Secureworks is moderately certain this was done all by the same single perp – THE serial killer.
    I wouldn’t want Secureworks as judge or jury anywhere.

    • Posted Mar 25, 2018 at 1:06 PM | Permalink | Reply

      Antony, I believe you have identified the fundamental evidence of bias. To ignore that criminals take advantage of opportunities created by the presence of other suspects is a clear indication of non-professional crime analysis.

  3. David Blake
    Posted Mar 25, 2018 at 1:05 AM | Permalink | Reply

    dcleaks.com –> whois –> Shinjiru Technology

    shinjiru.com –> 185.148.146.211.

    185.148.146.211. –> GeoIP –> Bulgaria –> BelCloud Hosting Corporation

    • David Blake
      Posted Mar 25, 2018 at 1:19 AM | Permalink | Reply

      One possibility is that dcleaks.com may have been sold/taken over by “the Bulgarian group”, after the US election to be turned into the phishing outfit it is now.

      Or it may have been under the same ownership all the time.

      The nameserver for dcleaks.com, ns1.piradius.net (owned by shinjiru) was last changed Tue, 22 Mar 2016 15:10:38 GMT

      Piradius.net seems to be exclusively hosting dodgy sites.

      See more stuff on my blog here: https://loadedforguccifer.wordpress.com/2018/02/10/dcleaky/

      • Steve McIntyre
        Posted Mar 25, 2018 at 10:05 AM | Permalink | Reply

        classic APT28 site adobeincorp.com (but probably non-Sofacy) turns up in riskiq.com search of
        130.255.184.196, one of the hardwired IP addresses in DNC XTunnel version
        https://community.riskiq.com/search/130.255.184.196

        It was originally connected to your favorite Nobby Beach, also connected to orderbox-dns

  4. Jaap Titulaer
    Posted Mar 25, 2018 at 3:27 AM | Permalink | Reply

    From this, I’m beginning to question how “APT28” is defined and attributed. On the one hand, one sees incidents in which Sofacy and Coreshell/X-Agent are dropped into computers using sophisticated zero-day exploits – these seem useful attributions. On the other hand, one sees incidents of commonplace credential phishing without accompanying Sofacy, Coreshell malware, which are attributed by supposed chains of infrastructure e.g. registrant email address or common IP address going back to incidents as far back as 2014, not necessarily well documented. As an outsider to these attribution arguments, this latter class of attribution seems to me to require lower confidence. If information is contradictory, then I don’t see how much confidence can be attached at all.

    Agree & nice find 🙂

    Here is another example. Remember this article by Threat Connect?
    2016-06-17 Rebooting Watergate: Tapping into the Democratic National Committee

    On June 15, 2016 our partner, Crowdstrike, published a blog article detailing the breach of the Democratic National Committee (DNC) by two Russia-based threat groups, one of which is dubbed FANCY BEAR (also known as APT28 or Sofacy).

    In building upon Crowdstrike’s analysis, ThreatConnect researched and shared 20160614A: Russia-based groups compromise Democratic National Committee within the ThreatConnect Common Community. This incident includes the IP address 45.32.129[.]185 which Crowdstrike lists as a FANCY BEAR X-Tunnel implant Command and Control (C2) node.

    Using ThreatConnect’s Farsight passive DNS integration to review the resolution history for 45.32.129[.]185 we uncovered some additional domain resolutions. One of these domain resolutions is the suspicious domain misdepatrment[.]com (note the transposition of the “t” and the “r” in department).

    In reviewing the Domain Whois information, our DomainTools integration reveals that the domain was registered on March 22, 2016 by frank_merdeux@europe[.]com.

    The domain misdepatrment[.]com was registered on March 22, 2016. Farsight lists the earliest domain resolution as March 24, 2016. On April 24th, 2016 the domain misdepatrment[.]com moved from the parking IP Address 5.135.183[.]154 to the FANCY BEAR Command and Control IP Address 45.32.129[.]185 where it remains resolved as of the time of this writing.

    But there is an issue with this conclusion: 5.135.183.154 is indeed a parking server, but one for a dubious provider of bitcoin hosting, not APT28 / Fancy Bear.

    Just look at these reports on ThreatCrowd: https://www.threatcrowd.org/domain.php?domain=misdepatrment.com
    NameServer A8332F3A.BITCOIN-DNS.HOSTING
    Created & parked at 5.135.183.154 around 2016-03-25, moved to 45.32.129.185 in 2016 just before hack.

    Let’s check that parking server (5.135.183.154) using https://www.threatcrowd.org/ip.php?ip=5.135.183.154
    This is a typical parking server for newly created IP names, it has (had) loads of names, many of those suspicious and probably malicious.
    Clearly this is a parking server but not for some APT, but more for all kinds of cyber-criminal purposes.
    One of the related names for 5.135.183.154 is: NS2.DOMAINS4BITCOINS-PARKING.COM

    For reference below the details for the related X-Tunnel binary reported by CrowdStrike as having been found at the DNC.
    SHA-1: f09780ba9eb7f7426f93126bc198292f5106424b, SHA256: 4845761c9bed0563d0aa83613311191e075a9b58861e80392914d61a21bad976
    Compilation Timestamp 2016-04-25 10:58:38
    IP addresses: 45.32.129.185, 130.255.184.196, 176.31.112.10

    • Steve McIntyre
      Posted Mar 25, 2018 at 7:38 AM | Permalink | Reply

      The subsequent IP addresses for misdepatrment.com similarly host a zoo of crimeware. I’ve got notes in inventory on this.

      Following the subsequent history of actblues.com, another contemporary site, is similarly interesting.

      • Sean Lamb
        Posted Mar 25, 2018 at 7:07 PM | Permalink | Reply

        Beware of tunnel vision. Crimeware will just go to cheap readily available IP addresses, as will anyone who just wants a very temporary parking spot for a domain. You are zeroing down on crimeware because that is all that gets reported.

        Phishing is high volume, low success. MIS department is a small firm just of IT professionals. Even IT professionals can very occasionally fall for a phish, but it is only going to be very occasionally. What we are seeing is a very percentage of MIS or ex-MIS employees seemingly being fooled by very straightforward phishes

        Wikileaks have always said these were leaks, misdepatrment.com could just be a way for someone to appear to lose their credentials so they can leak without being caught. It might not be impossible to find out what misdepartment.com change password page looks like, but the best placed persons to do it would be MIS or ex-MIS department employees.

        • Steve McIntyre
          Posted Mar 25, 2018 at 10:12 PM | Permalink

          It might not be impossible to find out what misdepartment.com change password page looks like,

          I have copy of it from archive.org.

        • Sean Lamb
          Posted Mar 26, 2018 at 12:10 AM | Permalink

          OK, but the firm is tiny

          http://web.archive.org/web/20150906065827/http://www.misdepartment.com/staff

          Remember you not just have to grab credentials, you have to grab credentials of someone with worthwhile privileges.

          “Enter your The MIS Department, Inc. username.” this isn’t going to be for any normal DNC user. All I am saying is you should consider the possibility that someone faked a break-in in order to leak. And yes, ignore the reported malware, I am sure it was genuinely found, just not related to DNC emails.

        • Sean Lamb
          Posted Mar 26, 2018 at 12:19 AM | Permalink

          Just for interest, after June 2016 the website pulled its staff profiles page – so we can’t work out who might have got the chop.

        • Steve McIntyre
          Posted Mar 26, 2018 at 9:22 AM | Permalink

          MIS-operated helpdesk active in DNC Wikileaks archive right up to the end on May 25, 2016.

          it’s not just the Staff profiles page – it’s every page in the MIS website. At almost exactly the same time as CrowdStrike moves in on DNC and makes announcement of “Russians”, Rajeev Chopra seems to have gone on a walkabout and MIS appears to go out of business. Chopra was big Bernie supporter, as were MIS. Lots of motive and opportunity for email hack ~May 25.

          and yet, I’ve never seen a single interview of anyone with MIS. Wonder if FBI or Mueller ever talked to them.

    • Steve McIntyre
      Posted Mar 25, 2018 at 8:13 AM | Permalink | Reply

      I had looked at 5.135.183.154 at threatcrowd. The connections graph looks clean. I completely missed its role as an incubator site. I looked at the connections graph for one of the other incubated sites, semi at random, but its name, windowsdefenderupdater.com, is reminiscent of a canonical “APT28” site. In its future is malware site 209.99.40.223 – also in the future of misdepatrment after 45.32.129.185.

      Here is connection graph of 209.99.40.223 – bristling with crimeware.

      Reminder to self: show relationship to 176.31.112.10.

      • Jaap Titulaer
        Posted Mar 25, 2018 at 1:01 PM | Permalink | Reply

        Aye, and look not just at the chart look at the very long list at the righthand side.
        Or look via RiskIQ at formerly associated IP names, ie previously parked domains.
        Just a glimpse at the long list of names should suffice. Many or most can only have been used for all kinds of malicious purposes…

  5. Posted Mar 27, 2018 at 4:36 AM | Permalink | Reply

    Reblogged this on I Didn't Ask To Be a Blog.

  6. AntonyIndia
    Posted Apr 1, 2018 at 12:57 AM | Permalink | Reply

    On August 2nd 2016 Microsoft filed a case against “Strontium’s” (= ) use of spoofed domain names – a legal tool to combat this practice
    Examples above like http://www.windowsdefenderupdater.com or windowspatchmanager.com give them a legal foothold.
    https://noticeofpleadings.com/strontium/files/cmplt.pdf

    “Eventually, Microsoft used the lawsuit as a tool to create sinkhole domains, allowing the company’s Digital Crimes Unit to actively monitor the malware infrastructures and identify potential victims.”

    From personal experience with Microsoft update & patch policies and practices I must say life is still frustrating for legal users. Four BSODs last week on a Windows 10 based server due to this – in 2018, not 1998. Many will forgo these “patches” therefore.

  7. Posted Apr 11, 2018 at 12:44 PM | Permalink | Reply

    Why is this topic on CLIMATE audit?

    • Posted Apr 11, 2018 at 2:56 PM | Permalink | Reply

      Hans, your question is broad but I take it to mean why does this blog stray from focusing posting exclusively on climate science related papers. To this I offer the following:

      1) Climate Audit is an amazing free to user establishment created by its proprietor after his retirement from surely equal level workload for pay. If one cannot have independence to focus their time as they please what is the point of retirement?

      2) However, whereas Climate Audit is an amazing archival resource with historical value, and is the product of contributors as well as the proprietor, is there not some higher public obligation for the preservation of its content as well as its brand?

      3) What are the options available to the proprietor of such a blog should they desire the continuation or at least preservation of their blog?

      4) If the proprietor decides to utilize the blog for investigations unrelated to climate but of other items of his interest should the followers who are not interested in those topics protest? If so, should the protest be a simple non-participation or and announcement of displeasure or active disruption? I don’t know, especially if one has been a decades-long active contributor.

      Hans, thank you for your years of contribution going back to the early years to present. And I apologize for weighing my interest in Steve’s off-topic posts more than to the obligation of putting pressure for the preservation of the Climate Audit brand, which you are a part.

      • Posted Apr 11, 2018 at 3:44 PM | Permalink | Reply

        Ron, I do not endorse what is happening in the brand’s name. Steve, I think you better should have bought a new domain name for non-climate-related topics. My five cents…

        • MarkR
          Posted Apr 15, 2018 at 7:27 PM | Permalink

          Is the brand Steve McIntyre or Climate Audit, or both?

    • AntonyIndia
      Posted Apr 15, 2018 at 10:36 PM | Permalink | Reply

      Because it is Steve McIn’s site and is more “climate AUDIT”.
      He also audited “NFL Officials Over-Inflated Patriot Balls” before https://climateaudit.org/2015/06/28/the-referees-over-inflated-patriot-balls/

      Also some major developments go fast, like the sudden post-HRC Russiaphobia of US deep state, or even faster: the chemical attack narratives in the UK and Syria recently. Too fast to set up new sites for every Audit.

      Those who warn about a climate Armageddon in a few decades should be concerned even more about a nuclear Armageddon in a few days (Syria).

      • Posted Apr 19, 2018 at 1:58 PM | Permalink | Reply

        “Is the brand Steve McIntyre or Climate Audit, or both?”

        Steve definitely owns it and is a major part, but the brand was also built by the quality of contributors.

        Newsaudit.org is taken by a cyber-squatter but many other variations are available for as little as 2 bucks, like newsaudit.today.

  8. Taylor Pohlman
    Posted Apr 23, 2018 at 10:54 AM | Permalink | Reply

    Steve, now that the DNC has sued the GOP, the Trump campaign and others for this hack, does this analysis take on new life? I would think it would be in the defendants’ interest to get to the bottom of what actually happened, given that plaintiffs are likely just accepting CrowdStrike’s conclusion on its face? What do you think? Are you going to be an expert witness?

  9. Frank
    Posted Apr 23, 2018 at 11:47 PM | Permalink | Reply

    Steve: FWIW, someone named Sara Carter is reporting that the House Intelligence Committee has identified James Clapper as the source of the leak to CNN about Comey’s briefing Trump on the Steele Dossier. Others are repeating her claims. The story has reached Breitbart and the Washington Times, but not the MSM. Clapper became a consultant for CNN after he left government.

    http://www.thegatewaypundit.com/2018/03/sara-carter-james-clapper-allegedly-leaked-information-trumps-classified-briefing-phony-dossier-cnn/

    You wrote about this subject here:

    https://climateaudit.org/2017/07/11/comeys-mishandling-of-classified-information/

    Respectfully, Frank

    • mrmethane
      Posted Apr 24, 2018 at 2:40 AM | Permalink | Reply

      All over Fox News Channel. Sara Carter should get a Pulitzer. Pencilneck Adam Schiff seems to have an informal CNN slot.
