Fancy Bears and Where to Find Them
June 2016 by ThreatConnect
ThreatConnect uses the Crowdstrike blog article as a basis for conducting further research into the DNC breach and identifies additional infrastructure.
On June 15, 2016 our partner, Crowdstrike, published a blog article detailing the breach of the Democratic National Committee (DNC) by two Russia-based threat groups, one of which is dubbed FANCY BEAR (also known as APT28 or Sofacy).
In building upon Crowdstrike’s analysis, ThreatConnect researched and shared 20160614A: Russia-based groups compromise Democratic National Committee within the ThreatConnect Common Community. This incident includes the IP address 45.32.129[.]185, which Crowdstrike lists as a FANCY BEAR X-Tunnel implant Command and Control (C2) node.
Using ThreatConnect’s Farsight passive DNS integration to review the resolution history for 45.32.129[.]185, we uncovered some additional domain resolutions. One of these is the suspicious domain misdepatrment[.]com (note the transposition of the “t” and the “r” in department).
In reviewing the Domain Whois information, our DomainTools integration reveals that the domain was registered on March 21, 2016 by frank_merdeux@europe[.]com.
It is important to note that within the Crowdstrike blog, the authors make two key distinctions: “This group is known for its technique of registering domains that closely resemble domains of legitimate organizations they plan to target.”
The domain misdepatrment[.]com closely resembles the legitimate domain for misdepartment.com. Of note, MIS Department Inc. is a technology services provider that lists a variety of clients on its website, one of which is the DNC. Their staff profiles include individuals who provided technical leadership and expertise to the Obama-Biden Campaigns as well as the DNC. Any attacker targeting a particular victim would find the most success targeting organizations and individuals who have administrative access across enterprise assets.
At the DNC, COZY BEAR intrusion has been identified going back to the summer of 2015, while FANCY BEAR separately breached the network in April 2016. The domain misdepatrment[.]com was registered on March 21, 2016. Farsight lists the earliest domain resolution as March 24, 2016. On April 24, 2016 the domain misdepatrment[.]com moved from the parking IP address 5.135.183[.]154 to the FANCY BEAR Command and Control IP address 45.32.129[.]185, where it remains resolved as of the time of this writing.
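The pivot described above (a lookalike domain one transposition away from a client's real domain, later re-pointed from a parking IP to a known C2 IP) can be turned into a repeatable check. The Python below is an added example, not ThreatConnect's code or the Farsight API; the passive DNS rows are constructed from the dates and indicators named in this article, and the record layout is an assumption.

```python
from datetime import date

# Constructed sample data: indicators and dates come from the article above;
# the (domain, ip, first_seen) layout is an assumed simplification of pDNS output.
PROTECTED_DOMAINS = {"misdepartment.com"}   # domains of parties we defend / their vendors
KNOWN_C2_IPS = {"45.32.129.185"}            # C2 node reported for FANCY BEAR X-Tunnel

PDNS_RECORDS = [
    ("misdepatrment.com", "5.135.183.154", date(2016, 3, 24)),   # parking IP
    ("misdepatrment.com", "45.32.129.185", date(2016, 4, 24)),   # moved to C2 IP
    ("example.com", "93.184.216.34", date(2016, 1, 1)),          # benign control row
]


def damerau_levenshtein(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, adjacent swap."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)   # transposition ("tr" <-> "rt")
    return d[len(a)][len(b)]


def lookalike_of(domain: str, protected=PROTECTED_DOMAINS, max_dist: int = 1):
    """Return the protected domain this name imitates, or None if it is not a near-match."""
    for legit in protected:
        if domain != legit and damerau_levenshtein(domain, legit) <= max_dist:
            return legit
    return None


def assess(records=PDNS_RECORDS, c2_ips=KNOWN_C2_IPS):
    """Flag lookalike domains and record when each first resolved to a known C2 IP."""
    findings = {}
    for domain, ip, first_seen in records:
        legit = lookalike_of(domain)
        if legit is None:
            continue
        f = findings.setdefault(domain, {"imitates": legit, "c2_first_seen": None, "resolutions": []})
        f["resolutions"].append((first_seen.isoformat(), ip))
        if ip in c2_ips and (f["c2_first_seen"] is None or first_seen < f["c2_first_seen"]):
            f["c2_first_seen"] = first_seen
    return findings
```

Run `assess()` to get the flagged domain with its resolution history and the date it was first seen on a C2 address; widening `max_dist` or adding protected domains extends the same check to other lookalike patterns.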
DNC Targeting Timeline:
On June 16, 2016 Secureworks reported that a Russia-based group, operating on behalf of the Russian government, used a combination of bit.ly short links and a fake Google login page to target the Clinton Campaign between mid-March and mid-May 2016. The group, dubbed TG-4127 (aka APT28, Sofacy, Sednit, and Pawn Storm), also targeted DNC staff between mid-March and mid-April 2016. This timeline is consistent with the misdepatrment[.]com registration and resolution changes as well as CrowdStrike’s assessment of FANCY BEAR tactics, techniques, and procedures (TTPs). Upon identifying this additional infrastructure, ThreatConnect notified CrowdStrike and MIS Department Inc. of the findings. Additionally, it is important to note that ThreatConnect does not have specific evidence indicating MIS Department Inc. was targeted or breached. However, the registration of a faux domain is consistent with the TTPs FANCY BEAR is known to use in its operations, and at a minimum demonstrates operational intent. Given that the suspicious domain came into existence and transitioned into an operational state on dates which align with the CrowdStrike timeline, as well as the notable clientele of MIS Department Inc., we estimate that FANCY BEAR likely created and staged misdepatrment[.]com as a means of indirectly gaining or maintaining access into DNC networks.
• Consolidate and Aggregate Threat Intelligence:
This example highlights how an organization might capture new details and add to existing content associated with a given threat actor. ThreatConnect consolidates publicly available intelligence with commercial sources from premier cyber security firms, such as CrowdStrike, who monitor threat groups such as FANCY BEAR. Organizations can leverage integrations with data service providers such as Farsight and DomainTools to add additional insights and uncover related elements of interest. This aggregation enriches an organization’s intelligence behind the scenes and makes the whole of these security investments greater than the sum of the individual parts.
• Minimize Openly Available Targeting Information:
There is a wealth of publicly available information on both the Democratic and Republican National Committees. This material identifies individuals that play a part in the committee, their backgrounds, and their roles (i.e., Information Technology, Finance, Communication, etc.). When possible, it is best practice to safeguard specific information regarding organization employees and affiliates, as such information could be leveraged by APTs in social engineering campaigns.
Targeting entities in the US political sphere and compromising documents revealing sensitive personal or strategic details about presidential candidates are consistent with previous FANCY BEAR efforts against the White House and NATO. Intelligence gained from this operation will likely prepare the Russian government for its interactions with new US leadership and inform the way in which Moscow approaches foreign policy decisions related to the US. The compromised information could also be leaked to media outlets in an effort to influence public opinion in a way that benefits Moscow. Cyber threat actors most likely will continue to conduct sophisticated cyber espionage operations against U.S. political targets ahead of the 2016 election. Understanding threats like FANCY BEAR, and tracking their TTPs, capabilities, and infrastructure, can inform an organization’s defensive efforts.