by Threat Researcher Joe Slowik, in conjunction with Black Lotus Labs from Lumen
Monday, December 14th, 2020
Originally published at www.domaintools.com/resources/blog
Cyber Threat Intelligence (CTI) practitioners can gain insight into adversary operations by tracking conflicts or geopolitical tensions. Similar to a “follow the money” approach in criminal investigations, looking at conflict zones can reveal cyber capabilities deployed as part of events —either by the parties to the conflict itself, or third parties interested in monitoring events for their own purposes.
The above theory is supported by historical incidents linked to geopolitical tensions:
Based on precedent, analysts can identify developments in adversary operations and technical capabilities by tracking identifiers related to major events and conflict zones. Identifying capabilities deployed to take advantage of such items can yield insights into fundamental attacker tradecraft and behaviors, and enable defense and response for incidents which may strike far closer to home at a later date.
With the above thesis in mind, DomainTools researchers examined technical artifacts emerging around the 2020 conflict between Armenia and Azerbaijan in the Caucasus region. While investigating, researchers discovered the following malicious document file on a commercial multi-scanner service:
Name: PKK militants in Nagorno-Karabakh.doc MD5: e00af9b6303460666ae1b4bdeb9503ba SHA1: ce810173555d6a98ce10c847f16e95575fe13405 SHA256: 7c495c21c628d37ba2298e4a789ff677867521be27ec14d2cd9e9bf55160518f
Masquerading as a news article covering details about the Caucasus conflict, the document contains a reference to an external site to fetch additional material to the victim’s computer:
In this specific case, the document attempts to communicate to the domain “msofficeupdate[.]org”:
Overall, the document appears focused on the Armenian-Azerbaijani conflict with dedicated network infrastructure enabling the attack sequence. While we could stop and view this item in isolation, further analysis reveals even more interesting elements.
Both the document and the domain contain items of interest for further analysis and pivoting. Reviewing lessons from a previous DomainTools blog, we can examine the technical indicators related to this campaign as composite objects with opportunities to discern fundamental adversary behaviors.
Examining the document, file metadata, shown here using Phil Harvey’s ExifTool, indicates the presence of an unusually long string of numbers as a template object:
Based on the template object and a hard-coded Uniform Resource Locator (URL), the document will attempt to communicate to the domain identified above. The actual functionality of the malicious document hinges on network communication to the attacker domain, with an HTTP request to a resource such as the following:
All following functionality appears dependent on a response to this request. At this time, DomainTools does not have any data or other information as to what may be returned from this response. As a result, our analysis is limited to the document itself and identified network infrastructure. However, defenders may find value in the URL pattern in the HTTP request—words divided by single numbers—for developing Network Intrusion Detection System (NIDS) signatures.
Lack of view into follow-on execution aside, we have a search string to use to fingerprint additional file samples or to disposition items that may be related to the original campaign in the template string. Notably, for a malicious document, the item does not contain any active content (ActiveX objects or Visual Basic for Applications [VBA] macros), limiting our ability to identify further items. However, the template item appears unique enough to serve as a signifier to identify additional samples similarly constructed.
On the infrastructure side, we have several more leads to follow. As previously documented in past blogs on infrastructure hunting and analysis, we have a combination of technical indicators related to domain creation and hosting as well as thematic identifiers related to the domain name itself. For the domain in question, as seen in the previous DomainTools Iris inspection image above, the following observations hold:
While any of the above items in isolation may be relatively limited for identifying adversary tendencies or additional infrastructure—either by being too general or far too specific—in combination, they can yield patterns for further analysis. For example, looking for a combination of privacy-centric email addresses registering domains via PublicDomainRegistry using the name server “bitdomain[.]biz” hosted in Europe with Sectigo SSL/TLS certificates can yield a result set for further analysis. Applying a “thematic” search to the results of such an investigation, such as looking for other Microsoft or Office themes in domain names, can identify additional items for analysis related to this campaign.
Based on the characteristics described in the previous section, DomainTools researchers identified 35 domains matching the patterns associated with the initially observed malicious domain at varying levels of estimative probability or confidence. As shown in the following table, we can observe additional tendencies such as favoring several privacy-oriented email services during registration and an overwhelming focus on European Virtual Private Server (VPS) providers for hosting purposes.
|Domain||Date Created||Registrant Email||IP Address||Hosting Provider||Hosting Location||Confidence|
|brexitimpact[.]email@example.com||126.96.36.199||Oy Creanova Hosting Solutions Ltd.||FI||Low|
|srv3-serveup-ads[.]firstname.lastname@example.org||188.8.131.52||Vodien Internet Solutions Pte Ltd||SG||Low|
|newoffice-template[.]email@example.com||184.108.40.206||OVH Hosting Inc.||FR||High|
|template-new[.]com||2019-08-28||N/A||220.127.116.11||OVH Hosting Inc.||FR||High|
|officeupgrade[.]firstname.lastname@example.org||18.104.22.168||Secured Servers LLC||US||High|
|template-office[.]email@example.com||22.214.171.124||Access2.it Group B.V.||DE||Medium|
|newoffice-update[.]firstname.lastname@example.org||126.96.36.199||OVH Hosting Inc.||CA||Medium|
|update-office[.]email@example.com||188.8.131.52||CrownCloud US LLC||US||High|
|upgrade-office[.]firstname.lastname@example.org||184.108.40.206||OVH Hosting Inc.||CA||High|
|tls-login[.]email@example.com||220.127.116.11||EN Technologies Pte Ltd.||SG||High|
|msupdatecheck[.]firstname.lastname@example.org||18.104.22.168||OVH Hosting Inc.||CA||High|
|msofficeupdate[.]email@example.com||22.214.171.124||Informacines Sistemos IR Technologijos UAB||LT||High|
|new-office[.]firstname.lastname@example.org||126.96.36.199||OVH Hosting Inc.||FR||Medium|
While the majority of items were created in 2020, some potentially related network observables date as far back as 2016. When matched against malicious document samples examined in the following section, we begin to see the outlines of a persistent, somewhat lengthy campaign. Although extended in time, the same fundamental network behaviors are reflected in observed items throughout this period.
Observed visually, such as in the DomainTools Iris visualization below, we see clusters of activity divided between name servers, registrars, and Top Level Domains (TLDs). With an even larger population, we could begin to distill even more aspects of this adversary’s methods of operation and potentially devise predictive algorithms for future infrastructure creation.
In addition to identifying additional network infrastructure, a combination of reviewing the original document as well as pivoting off of observed network infrastructure yields additional malicious document samples. Primarily, the unique Template string of numbers combined with relationship to domains and document themes enable the discovery of additional items. As shown in the following table, these items are linked through both the unique Template string as well as contacting infrastructure related to the analysis provided above on network observables.
|SHA256||File Namestrong||First Seen||Submitter Country||Domain Contacted|
|1f117d5f398e599887ec92a3f8982751ceb83f2adb85d87a2c232906104e8772||C. Bayramov.doc||25 Jul 2020||AZ||upgrade-office.org|
|4ad0e64e8ebed1d15fac85cd7439bb345824f03d8b3c6866e669c24a42901daa||Scandal that killed 346 people.doc||29 May 2020||AZ||upgrade-office.com|
|68bde4ec00c62ffa51cef3664c5678f1f4985eb6054f77a5190b4d62bd910538||xyz.doc||13 Sep 2020||TR||msofficeupdate.org|
|7ba76b2311736dbcd4f2817c40dae78f223366f2404571cd16d6676c7a640d70||Фадеев М1.doc||18 Dec 2019||UA||officeupgrade.org|
|7c495c21c628d37ba2298e4a789ff677867521be27ec14d2cd9e9bf55160518f||PKK militants in Nagorno-Karabakh.doc||12 Oct 2020||AZ||msofficeupdate.org|
|89503c73eadc918bb6f05c023d5bf777fb2a0de1e0448f13ab1003e6d3b71fef||О поставке зенитных ракетных систем С-400.doc||11 Dec 2019||AZ||officeupgrade.org|
|c630aa8ebd1d989af197a80b4208a9fd981cf40fa89e429010ada56baa8cf09d||Планируемые расходы 2020(1).doc||28 Dec 2019||UA||officeupgrade.org|
|e5a4957d0078d0bb679cf3300e15b09795167fdcfa70bbeab6de1387cd3f75bf||Strategic Defence and Security Review (2021 SDSR).doc||31 Oct 2020||SI||msofficeupdate.org|
|7a1effd3cfeecdba57904417c6eeaa7a74d60a761138885b338e8dc17f2c3fbc||Справочник АП26.10.2020.doc||29 Oct 2020||UA||msofficeupdate.org|
|0b116f5b93046c3ce3588bb2453ddbb907d990c2053827600375d8fd84d05d8b||Новые поправки к Госпрограмме переселения в РФ (вст. в силу 01.07.2020).doc||16 Sep 2020||UA||N/A|
|79c0097e9def5cc0f013ba64c0fd195dae57b04fe3146908a4eb5e4e6792ba24||N/A||16 Sep 2020||GB||newoffice-template.com|
|d8f13e6945b6a335382d14a00e35bfefadbdfb625562e1120e5ed0b545f63e11||N/A||09 Nov 2020||N/A||template-new.com|
|348b25023c45ed7b777fa6f6f635cb587b8ffbf100bfa6761d35610bba525a11||Минтруд госслужба.doc||04 Nov 2020||UA||msofficeupdate.org|
|93279005aa4c8eddf01020b31bc2b401fe1366cbcc9bb2032ffaeb2984afcd79||Минтруд госслужба 1 1.doc||03 Nov 2020||UA||msofficeupdate.org|
As described in greater detail in the following section, these items largely feature themes related to conflict in the Caucasus or continuing conflict in Ukraine. Additionally, they extend from December 2019 through November 2020, indicating this activity has continued without significant change for nearly a year.
In addition to these items, DomainTools researchers also identified a second set of documents, all originating from France, with a “testing” theme but matching various characteristics of the above items, such as the unique Template string:
|SHA256||File Namestrong||First Seen||Submitter Country||Domain Contacted|
|29b49fc728510b8d10a84edbd884cd23a0c453c1158551dbd2d266539d5d09b5||testmw4.doc||18 Sep 2020||FR||N/A|
|da43472f3bced232ae8f905e819339fb75da0224a31fb1c394110c77b3318b09||testmw8.doc||18 Sep 2020||FR||upgrade-office.com|
|6478821432b8458053d953b6cff7d1b49f4349f5da366278778c87bc8789b65c||testmw7.doc||18 Sep 2020||FR||upgrade-office.com|
|4285a05a993359b8418b590d3309a361f2c42ef7bc29216c0209e57b74513adb||testmw6.doc||18 Sep 2020||FR||N/A|
|40b21a2cd054e01cf37eb22d041ef2ea652eaaeae0ba249439fa7ec07a4e9765||testmw5.doc||18 Sep 2020||FR||aaaaaaa-aaaaaa.com|
|282c805363469440eef082ac0f2a52dbdd47a8cdaecc08df4c1b4c073c5a8256||testmw3.doc||18 Sep 2020||FR||test.com|
|df2a85d84daf10b4dcf8d8fdd83493f3c04f2ac7b3edaf4730df0522cc52009f||testmw2.doc||18 Sep 2020||FR||N/A|
The items above stand out from the other documents for several reasons:
An initial conclusion would be these are “testing” runs for a malicious document format or template which would emerge in later campaigns. However, the timing is off for this conclusion to hold as the “test” items appear in mid-September when items using the same template (functionality and lure document) first appear in December 2019.
Overall, this batch of items remains somewhat a mystery as there are no obvious signs linking it to other campaigns. Additionally, some of the items in question are non-functional or lack other components linked to the activity in the first set of documents associated with a likely persistent campaign. DomainTools does not possess any additional information to disposition these items at this time, so they remain somewhat of a mystery relative to the other malicious documents which appear more clearly designed for espionage purposes.
The identified documents emerge from multiple locations but overwhelmingly focus on Azerbaijan and Ukraine.
More interesting still are the themes associated with the documents in their text and titles. In addition to the document which sparked this investigation and its themes centering on the recent conflict on the Caucasus, identified topics include the following:
Overall, documents appear related to political, military, and related subjects largely in conflict zones such as the Caucasus and the Russian-backed breakaway regions of eastern Ukraine. Additional items, such as the Slovenian defense document which DomainTools researchers were able to link to a phishing email, strongly imply state-sponsored interests for espionage or similar purposes as motivating this campaign.
In October 2020, several researchers noticed some of the documents identified in this report and linked it to a group referred to in public reporting as “Cloud Atlas” or “Inception.” While data available at present does not completely align with prior Cloud Atlas activity, the following commonalities are observed:
The response to the HTTP requests sent by the documents would presumably be the key for aligning the above campaigns to the Cloud Atlas actor, but absent this evidence DomainTools can neither confirm nor deny association to this group at present.
Irrespective of specific attribution, possible links to a known Advanced Persistent Threat (APT) actor (Cloud Atlas) combined with campaign themes that are highly political in nature with no obvious mechanism for monetization make the discovered campaign a likely state-sponsored or state-directed espionage campaign. While targeting in this case may imply Russian-related interests, it is important to note that earlier Cloud Atlas activity has also targeted entities in the Russian Federation. One possible alternative hypothesis given the targeting in Russia, as well as a focus on breakaway regions in Ukraine, is that the activity represents Ukraine-sponsored cyber espionage activity. Although interesting, again insufficient evidence exists to support this hypothesis at this time.
While the activity described above is certainly concerning, available information at this time does not support even weak attribution to any state interest, with only plausible (but as yet unproven) links to the Cloud Atlas entity. Although specific attribution may not be possible, we can nonetheless conclude with high confidence that this activity represents cyber espionage activity directed by some, as yet unknown, state actor.
Tracking themes related to geopolitical events can be quite fruitful for discovering active campaigns likely related to state-sponsored interests. In the above example, searching for items related to the Armenia-Azerbaijan conflict in the Caucasus in late 2020 yielded a malicious document. Further analysis of this document and related infrastructure then led to the discovery of additional items which outlined an entire campaign stretching back to 2019.
While the victims of this campaign appear geographically limited, largely focusing on Ukraine and Azerbaijan, the lessons drawn from the analysis of both the malicious documents and related network infrastructure can be used to further defense against similar types of attacks. By monitoring for these types of event-specific incidents, CTI analysts can gain insight into emerging APT activity and deploy defensive countermeasures shortly after discovery.
To learn how to identify and track adversary operations in DomainTools Iris visit our product page.