Current Events to Widespread Campaigns: Pivoting from Samples to Identify Activity
by Threat Researcher Joe Slowik, in conjunction with Black Lotus Labs from Lumen Monday, December 14th, 2020 Originally published at www.domaintools.com/resources/blog
Introduction
Cyber Threat Intelligence (CTI) practitioners can gain insight into adversary operations by tracking conflicts or geopolitical tensions. Similar to a “follow the money” approach in criminal investigations, looking at conflict zones can reveal cyber capabilities deployed as part of events —either by the parties to the conflict itself, or third parties interested in monitoring events for their own purposes.
The above theory is supported by historical incidents linked to geopolitical tensions:
Tensions in the Arabian/Persian Gulf region leading to multiple rounds of wiper malware as well as providing possible “cover” for the 2017 Triton/TRISIS incident.
Based on precedent, analysts can identify developments in adversary operations and technical capabilities by tracking identifiers related to major events and conflict zones. Identifying capabilities deployed to take advantage of such items can yield insights into fundamental attacker tradecraft and behaviors, and enable defense and response for incidents which may strike far closer to home at a later date.
Initial Discovery: Caucasus Conflict
With the above thesis in mind, DomainTools researchers examined technical artifacts emerging around the 2020 conflict between Armenia and Azerbaijan in the Caucasus region. While investigating, researchers discovered the following malicious document file on a commercial multi-scanner service:
Masquerading as a news article covering details about the Caucasus conflict, the document contains a reference to an external site to fetch additional material to the victim’s computer:
In this specific case, the document attempts to communicate to the domain “msofficeupdate[.]org”:
Overall, the document appears focused on the Armenian-Azerbaijani conflict with dedicated network infrastructure enabling the attack sequence. While we could stop and view this item in isolation, further analysis reveals even more interesting elements.
Identifying Items for Pivoting
Both the document and the domain contain items of interest for further analysis and pivoting. Reviewing lessons from a previous DomainTools blog, we can examine the technical indicators related to this campaign as composite objects with opportunities to discern fundamental adversary behaviors.
Examining the document, file metadata, shown here using Phil Harvey’s ExifTool, indicates the presence of an unusually long string of numbers as a template object:
Based on the template object and a hard-coded Uniform Resource Locator (URL), the document will attempt to communicate to the domain identified above. The actual functionality of the malicious document hinges on network communication to the attacker domain, with an HTTP request to a resource such as the following:
All following functionality appears dependent on a response to this request. At this time, DomainTools does not have any data or other information as to what may be returned from this response. As a result, our analysis is limited to the document itself and identified network infrastructure. However, defenders may find value in the URL pattern in the HTTP request—words divided by single numbers—for developing Network Intrusion Detection System (NIDS) signatures.
Lack of view into follow-on execution aside, we have a search string to use to fingerprint additional file samples or to disposition items that may be related to the original campaign in the template string. Notably, for a malicious document, the item does not contain any active content (ActiveX objects or Visual Basic for Applications [VBA] macros), limiting our ability to identify further items. However, the template item appears unique enough to serve as a signifier to identify additional samples similarly constructed.
On the infrastructure side, we have several more leads to follow. As previously documented in past blogs on infrastructure hunting and analysis, we have a combination of technical indicators related to domain creation and hosting as well as thematic identifiers related to the domain name itself. For the domain in question, as seen in the previous DomainTools Iris inspection image above, the following observations hold:
Authoritative name server associated with the domain, “bitdomain[.]biz”.
Hosting on a dedicated server, “46.30.188[.]236”, through the Netherlands-based provider “Web2objects Gmbh”.
An SSL/TLS certificate obtained through Sectigo with limited identifying information.
A domain “theme” of mimicking Microsoft Office update services.
While any of the above items in isolation may be relatively limited for identifying adversary tendencies or additional infrastructure—either by being too general or far too specific—in combination, they can yield patterns for further analysis. For example, looking for a combination of privacy-centric email addresses registering domains via PublicDomainRegistry using the name server “bitdomain[.]biz” hosted in Europe with Sectigo SSL/TLS certificates can yield a result set for further analysis. Applying a “thematic” search to the results of such an investigation, such as looking for other Microsoft or Office themes in domain names, can identify additional items for analysis related to this campaign.
Unraveling Additional Infrastructure
Based on the characteristics described in the previous section, DomainTools researchers identified 35 domains matching the patterns associated with the initially observed malicious domain at varying levels of estimative probability or confidence. As shown in the following table, we can observe additional tendencies such as favoring several privacy-oriented email services during registration and an overwhelming focus on European Virtual Private Server (VPS) providers for hosting purposes.
Domain
Date Created
Registrant Email
IP Address
Hosting Provider
Hosting Location
Confidence
iphoneupdatecheck[.]com
2016-05-12
louie@brookes.openmailbox.org
91.236.116.166
jaroslav88@tuta.io
SE
Medium
brexitimpact[.]com
2016-06-23
jaroslav88@tuta.io
185.112.82.7
Oy Creanova Hosting Solutions Ltd.
FI
Low
srv3-serveup-ads[.]net
2019-04-16
salemjoshi@protonmail.com
101.100.209.236
Vodien Internet Solutions Pte Ltd
SG
Low
newoffice-template[.]com
2019-06-12
j.konnoban@email.cz
147.135.170.193
OVH Hosting Inc.
FR
High
ms-check-new-update[.]com
2019-07-08
stivgarret@protonmail.com
87.121.98.51
Tamatiya EOOD
BG
Medium
template-new[.]com
2019-08-28
N/A
66.70.218.38
OVH Hosting Inc.
FR
High
user-twitter[.]com
2019-11-13
hostmaster@user-twitter.com
N/A
N/A
N/A
Medium
live-media[.]org
2019-11-27
sam.walker@tutanota.com
137.74.181.109
OVH SAS
FR
Medium
officeupgrade[.]org
2019-11-29
alex.sval@tutanota.com
198.24.134.13
Secured Servers LLC
US
High
template-office[.]org
2020-01-10
s.taylor87@seznam.cz
185.243.114.175
Access2.it Group B.V.
DE
Medium
get-news-online[.]com
2020-01-15
laptev.vl.90@mail.ru
N/A
N/A
N/A
Low
liveinfo[.]org
2020-01-15
laptev.vl.90@mail.ru
91.195.240.87
Sedo GmbH
DE
Medium
newoffice-update[.]com
2020-02-11
adam.crowld@protonmail.com
51.161.96.100
OVH Hosting Inc.
CA
Medium
update-office[.]com
2020-03-03
paul_wilsonn@protonmail.com
192.52.166.12
CrownCloud US LLC
US
High
upgrade-office[.]com
2020-03-18
p.borovin@protonmail.com
158.69.30.205
OVH Hosting Inc.
CA
High
tls-login[.]com
2020-03-25
boxerkeen@protonmail.com
103.255.250.70
EN Technologies Pte Ltd.
SG
High
upgrade-office[.]org
2020-04-07
pavel.savin1992@bk.ru
66.248.206.239
Hostkey B.V.
NL
High
newupdate[.]org
2020-06-04
and.frolov@bk.ru
46.183.221.141
DataClub S.A.
LV
Medium
2020-windows[.]com
2020-06-19
gmail.chrome.2020@mail.ru
176.107.181.128
PE Freehost
UA
Low
petronas-me[.]com
2020-07-05
cgog.global@gmail.com
N/A
N/A
N/A
Low
msupdatecheck[.]com
2020-07-10
mike.barrett@tutanota.com
167.114.44.150
OVH Hosting Inc.
CA
High
log1inbox[.]com
2020-08-15
vazquezftcathyo5123@gmail.com
N/A
N/A
N/A
Medium
gmocloudhosting[.]com
2020-08-17
hostmaster@gmocloudhosting.com
N/A
N/A
N/A
Low
msofficeupdate[.]org
2020-08-20
g.j.dodson@protonmail.com
46.30.188.236
Web2Objects GmbH
GB
High
interior-gov[.]com
2020-08-31
gmail.chrome.2020@mail.ru
N/A
N/A
N/A
Low
e-government-pk[.]com
2020-09-04
gmail.chrome.2020@mail.ru
N/A
N/A
N/A
Low
e-govoffice[.]com
2020-09-07
hostmaster@e-govoffice.com
N/A
N/A
N/A
Low
azureblog[.]info
2020-09-25
yshevloin@protonmail.com
N/A
N/A
N/A
Low
rneil[.]ru
2020-10-01
hostmaster@rneil.ru
N/A
N/A
N/A
Low
N/A
N/A
N/A
Low
weather-server[.]net
2020-10-09
lulgaborova90@protonmail.com
N/A
N/A
N/A
Medium
doc-fid[.]com
2020-10-21
hostmaster@doc-fid.com
N/A
N/A
N/A
Low
rarnbler[.]com
2020-11-09
nesmali20@cock.li
80.78.22.11
Cyberdyne
SE
Medium
msofficeupdate[.]com
2020-11-10
emil.moreu@protonmail.com
185.25.51.24
Informacines Sistemos IR Technologijos UAB
LT
High
netserviceupdater[.]com
2020-11-11
hostmaster@netserviceupdater.com
N/A
N/A
N/A
Medium
new-office[.]org
2020-11-13
moris.pelletier@yahoo.com
51.89.50.150
OVH Hosting Inc.
FR
Medium
While the majority of items were created in 2020, some potentially related network observables date as far back as 2016. When matched against malicious document samples examined in the following section, we begin to see the outlines of a persistent, somewhat lengthy campaign. Although extended in time, the same fundamental network behaviors are reflected in observed items throughout this period.
Observed visually, such as in the DomainTools Iris visualization below, we see clusters of activity divided between name servers, registrars, and Top Level Domains (TLDs). With an even larger population, we could begin to distill even more aspects of this adversary’s methods of operation and potentially devise predictive algorithms for future infrastructure creation.
Locating Additional Samples
In addition to identifying additional network infrastructure, a combination of reviewing the original document as well as pivoting off of observed network infrastructure yields additional malicious document samples. Primarily, the unique Template string of numbers combined with relationship to domains and document themes enable the discovery of additional items. As shown in the following table, these items are linked through both the unique Template string as well as contacting infrastructure related to the analysis provided above on network observables.
As described in greater detail in the following section, these items largely feature themes related to conflict in the Caucasus or continuing conflict in Ukraine. Additionally, they extend from December 2019 through November 2020, indicating this activity has continued without significant change for nearly a year.
In addition to these items, DomainTools researchers also identified a second set of documents, all originating from France, with a “testing” theme but matching various characteristics of the above items, such as the unique Template string:
The items above stand out from the other documents for several reasons:
All were submitted to the same multiscanner service on the same day.
The items appear to be iterative given the file naming schema (testmw2, testmw3, etc.).
Analysis of the files indicates fuzzing or alteration of capability among them, in line with the iterative nature of the file names.
An initial conclusion would be these are “testing” runs for a malicious document format or template which would emerge in later campaigns. However, the timing is off for this conclusion to hold as the “test” items appear in mid-September when items using the same template (functionality and lure document) first appear in December 2019.
Overall, this batch of items remains somewhat a mystery as there are no obvious signs linking it to other campaigns. Additionally, some of the items in question are non-functional or lack other components linked to the activity in the first set of documents associated with a likely persistent campaign. DomainTools does not possess any additional information to disposition these items at this time, so they remain somewhat of a mystery relative to the other malicious documents which appear more clearly designed for espionage purposes.
Motivations and Attribution
The identified documents emerge from multiple locations but overwhelmingly focus on Azerbaijan and Ukraine.
More interesting still are the themes associated with the documents in their text and titles. In addition to the document which sparked this investigation and its themes centering on the recent conflict on the Caucasus, identified topics include the following:
C. Bayramov.doc: references the Azerbaijani foreign minister, Ceyhun Bayramov.
Фадеев M1.doc: presents itself as a fundraising advertisement for a documentary filmmaker covering events in the Donetsk region of Ukraine, an area of conflict.
О поставке зенитных ракетных систем С-400.doc: masquerades as a report on the S-400 air defense system, produced by Russia and sold to multiple countries.
Планируемые расходы 2020(1).doc: “Planned Expenses 2020”, a document that appears to show personnel expenses for a Ukrainian local government entity.
Strategic Defence and Security Review (2021 SDSR).doc: a strategic defense planning document intended for the Slovenian defense ministry. Notably, this document appears related to a phishing email sent to an individual who appears to be the Slovenian military attache to the country’s embassy in the Russian Federation.
Справочник АП26.10.2020.doc: a planning document from the Russian-backed but unrecognized breakaway Donetsk People’s Republic.
Новые поправки к Госпрограмме переселения в РФ (вст. в силу 01.07.2020).doc: a document on internal resettlement within the Russian Federation.
Минтруд госслужба.doc:a document from the Russian-backed but unrecognized breakaway Luhansk People’s Republic.
Overall, documents appear related to political, military, and related subjects largely in conflict zones such as the Caucasus and the Russian-backed breakaway regions of eastern Ukraine. Additional items, such as the Slovenian defense document which DomainTools researchers were able to link to a phishing email, strongly imply state-sponsored interests for espionage or similar purposes as motivating this campaign.
In October 2020, severalresearchers noticed some of the documents identified in this report and linked it to a group referred to in public reporting as “Cloud Atlas” or “Inception.” While data available at present does not completely align with prior Cloud Atlas activity, the following commonalities are observed:
Targeting focusing on Russian near-abroad regions.
Use of template objects for initial activity through malicious documents.
Likely reliance on network communication to retrieve second-stage tooling for follow-on activity.
The response to the HTTP requests sent by the documents would presumably be the key for aligning the above campaigns to the Cloud Atlas actor, but absent this evidence DomainTools can neither confirm nor deny association to this group at present.
Irrespective of specific attribution, possible links to a known Advanced Persistent Threat (APT) actor (Cloud Atlas) combined with campaign themes that are highly political in nature with no obvious mechanism for monetization make the discovered campaign a likely state-sponsored or state-directed espionage campaign. While targeting in this case may imply Russian-related interests, it is important to note that earlier Cloud Atlas activity has also targeted entities in the Russian Federation. One possible alternative hypothesis given the targeting in Russia, as well as a focus on breakaway regions in Ukraine, is that the activity represents Ukraine-sponsored cyber espionage activity. Although interesting, again insufficient evidence exists to support this hypothesis at this time.
While the activity described above is certainly concerning, available information at this time does not support even weak attribution to any state interest, with only plausible (but as yet unproven) links to the Cloud Atlas entity. Although specific attribution may not be possible, we can nonetheless conclude with high confidence that this activity represents cyber espionage activity directed by some, as yet unknown, state actor.
Conclusion
Tracking themes related to geopolitical events can be quite fruitful for discovering active campaigns likely related to state-sponsored interests. In the above example, searching for items related to the Armenia-Azerbaijan conflict in the Caucasus in late 2020 yielded a malicious document. Further analysis of this document and related infrastructure then led to the discovery of additional items which outlined an entire campaign stretching back to 2019.
While the victims of this campaign appear geographically limited, largely focusing on Ukraine and Azerbaijan, the lessons drawn from the analysis of both the malicious documents and related network infrastructure can be used to further defense against similar types of attacks. By monitoring for these types of event-specific incidents, CTI analysts can gain insight into emerging APT activity and deploy defensive countermeasures shortly after discovery.
To learn how to identify and track adversary operations in DomainTools Iris visit our product page.
FIRST runs a blog open to members and invited guest authors. It publishes contributions relevant to incident responders. Articles should focus on general topics interesting to members. It will not be used to promote individual organisations, products or services. If you are interested in contributing, please get in touch with first-blog@first.org.
Learn more about the Forum of Incident Response and Security Teams through regular blog posts about our organization, events and other programs. Questions or comments? Contact first-press@first.org.
