CyberWire Daily - Fancy Bear Duping Doping Domains. [Research Saturday]
Episode Date: January 20, 2018
Researchers at ThreatConnect have discovered evidence that Fancy Bear, a cyber espionage group generally associated with Russia's military agency GRU, may be spoofing domains belonging to the World Anti-Doping Agency (WADA), the US Anti-Doping Agency (USADA), and the Olympic Council of Asia. Kyle Ehmke is a threat intelligence researcher with ThreatConnect, and he takes us through their work.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and
analysts tracking down threats and vulnerabilities and solving some of the hard problems of
protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
So we have been proactively monitoring for new domains that have registration and hosting consistencies compared to those previously used by Advanced Persistent Threats, APTs.
That's Kyle Ehmke. He's a threat intelligence researcher with ThreatConnect. The research we're discussing today is called Duping Doping Domains: Possible Fancy Bear Domains Spoofing Anti-Doping and Olympic Organizations.
In this case, we were exploiting some known registration and hosting tactics that we've
seen Fancy Bear previously use for their infrastructure.
Notably, in this case, it was their use of a specific smaller boutique name server, as well as dedicated hosting.
So Fancy Bear is an advanced persistent threat, or APT, that has been attributed to the Russian nation state, more specifically assessed to be the GRU. On January 10th, the Fancy Bears hacking team, which is a persona that was generated in 2016 to release information garnered from Fancy Bear operations, released a post suggesting that they had compromised some emails from the International Olympic Committee, or IOC.
And so while we can't necessarily verify the legitimacy or provenance of those leaked emails,
it reminded us of some infrastructure that we had identified earlier in the month
that had those consistencies with previous Fancy Bear operations.
And historically, the Russians have a beef with the World Anti-Doping Agency.
That's correct, yes.
So notably in August of 2016, we saw Fancy Bear conduct operations against the World Anti-Doping Agency and then ultimately leak out some of the information that they garnered from those operations via this Fancy Bears hacking team persona.
And that was from the IOC banning Russian athletes from the Winter Games, or I'm sorry, the games in Rio. And then now the IOC has banned them from South Korea due to accusations of systematic doping.
And so the thought here is that perhaps these are more retaliatory hacks?
Ostensibly, yes.
You know, in this case, we can't, at least for the domains that we identified, say definitively
that they have been attributed to Fancy Bear or that they've actually even been used maliciously.
However, given the timing of when these domains were registered and the timing with Russia being
banned from the 2018 games, these registrations are certainly notable.
So take us through this spoofing effort. What's going on here? Walk us through how it works.
Sure. So oftentimes what we've seen Fancy Bear do is they will register domain names that appear to be very similar to those organizations that they either want to target or that have a close relationship with the organizations that they ultimately want to target. So in this case, we identified four domains, two of which appear to spoof the U.S. Anti-Doping Agency, one appears to spoof the World Anti-Doping Agency, and another appears to spoof the Olympic Council of Asia. And so all of these domains, in some way, shape, or form, have consistencies with previously identified Fancy Bear infrastructure. And so that's why we've been calling them out.
So when you say they're associated with previous infrastructure, can you describe what that means?
In these cases, we see that some of these domains use name servers that we've seen Fancy Bear have a tendency to use in the past. These name servers are generally small and boutique, so they only have maybe a couple hundred or at most several thousand domains using them. Whereas if you compare that to name servers that, for example, GoDaddy might own, those name servers might house thousands or hundreds of thousands of domains. And so we're trying to focus on these fairly specific tactics that Fancy Bear has previously used to proactively identify their infrastructure.
So at a real basic level, can you describe for us how the spoofing works? I mean, you set up a server that is very similar to the organization you're trying to hit? And then what happens next?
Sometimes they will use these domains to craft spear phishing messages that they will send to
their targets. Other times they will use them for command and control servers that they use to
administer malware that they may have infected a target with. Recently, we've seen Fancy Bear use
a lot of credential harvesting efforts. So ostensibly,
if these domains are ultimately used in their operations, that might be what they're used for.
They might house some credential harvesting pages on these spoofed domain websites.
So does that mean there'd be a sort of a multi-tiered thing where I could, you know, spear phish someone and then they would go somewhere that they thought was a legitimate, you know, login page, but it's really the bad guys spoofing something else?
Potentially, yeah. So a lot of the operations that we've seen Fancy Bear use are either some sort of malware effort, so they might send a malicious attachment in the spear phishing message itself, or it is separately a credential harvesting effort. At least in the recent efforts that we've seen, they've kind of been sticking to credential harvesting, but that doesn't mean that they are not capable of also sending malicious attachments as well.
And in terms of hiding their tracks and covering their trail, does it seem as though they're being fairly deliberate about that?
It's hard to say. You know, answering that question might ultimately imply that we have an understanding of, you know, what information their operators are consuming. Certainly in this case, with the domains that we've identified, they're using things that we've previously discussed in open source intelligence. However, we don't know the extent to which their operators have actually been reading the information that we put out.
I see. One of the things you also pointed out in your research, you referred to it as guilt by registrant associations. Can you describe to us what's going on with that?
Sure. So one of the domains that we identified, specifically one that spoofs the World Anti-Doping Agency, the domain is wada-adams.org. And that specifically spoofs WADA's Anti-Doping Administration and Management System. That domain itself does not use a smaller boutique name server that we've previously seen Fancy Bear use. However, the email address that was used to register it, which is wadison@tuta.io, did register another domain which has those consistencies with Fancy Bear infrastructure.
Now, there was also something interesting you all noted in the research about the Olympic Council of Asia. What was going on there?
Sure. So another domain came across our radar, ocaia.org. And that domain potentially spoofs the Olympic Council of Asia's legitimate domain, ocaia.org. The domain that we identified uses a THCServers name server, which is again another Fancy Bear registration tactic that we've previously seen, but it's not hosted on a dedicated server. So while it does have some consistencies, it's not as many as those that we identified elsewhere in the blog. But given the timing of it, when it was registered, as well as the current geopolitical climate related to Russia and the Olympics, we thought it was worth noting.
But it seems as though these are being prepared for activity. Have you all actually seen them being used for anything? Are they active?
In this instance, I think it's really important to point out that while these domains have those consistencies with previously identified Fancy Bear infrastructure, it's not enough to definitively attribute the domains to them. Further, in this case, we don't actually know whether the domains we identified have been used in malicious attacks. But I would say that there's a defensive takeaway there. And I would argue that if you're only worrying about indicators that are known to be bad, you're really missing out on opportunities to be proactive and guard against malicious activity before it takes place.
So what's to be done next? Is this a matter of keeping an eye on these actors? So what are your next steps?
So our next steps are going to be to continue to monitor those registration and hosting tactics that
we've been keeping an eye on, as well as these domains that we've identified here in the piece.
To any extent, if we can identify that those domains get operationalized,
that's something that is worthwhile to note and point out for potential organizations
like the USADA or WADA.
In terms of people protecting themselves against these sort of things,
is there anything for people to do on their own? It seems like these are more preparatory at this
time, since they're not active campaigns. What suggestions do you have for people?
I think you're definitely right. But I would argue that the sooner that organizations can identify these sorts of suspicious domains that are consistent with their adversaries' tactics, the better chance they have of mitigating that malicious activity before it actually happens. So the more that they can minimize that delta between infrastructure registration and identification and blocking, the more proactive they'll actually become. One thing I would point out is that Trend Micro this morning released another report on athletic-related activity from Pawn Storm, aka Fancy Bear. They identified several domains which also use some of the same name servers, dedicated hosting, and were registered using similar email addresses compared to those that we identified in our piece.
When it comes to these sorts of things,
is there a good bit of collaboration going on
between you and other researchers at different companies?
Are you sharing information?
Obviously, you have this public release, this blog post,
but how much back and forth actually happens?
I mean, I think it kind of all depends on the organizations and who you have a tendency to work with. In this instance, we didn't actually work with any other organizations on this content. We did work with DomainTools. We tend to use their capabilities quite a bit in our research efforts. So we did work with them in identifying these domains.
Our thanks to Kyle Ehmke from ThreatConnect for joining us. You can read the complete report, Duping Doping Domains, at the ThreatConnect website. It's in their blog section.
The Cyber Wire Research Saturday is proudly produced in Maryland out of the startup studios of Data Tribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing Cyber Wire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Bond, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Valecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening.