Tech companies ThreatConnect and Microsoft are moving toward exposing and taking down domains associated with Russia-linked threat group known as Fancy Bear.
Also tracked as APT28, Pawn Storm, Sofacy, Tsar Team, Strontium and Sednit, the threat group has been associated with a variety of high-profile cyber-attacks aimed at government and other types of organizations worldwide.
Last year, the threat group was said to have orchestrated election-related hacker attacks in the United States. The actor allegedly developed the so called XTunnel malware specifically to compromise the Democrat National Committee (DNC) network last year, and was said in February 2017 to be using brand new Mac malware to steal data.
ThreatConnect says their team was able to identify “dozens of recently registered domains and IPs that have varying levels of association to the Russian APT.” Moreover, the security firm discovered three name servers the group most likely used for domains, which allows defenders to “proactively identify new domains that may be associated with Fancy Bear activity”.
One of the domains, the security company reveals, is unisecproper[.]org, which was registered using the email address [email protected][.]com and is hosted on a dedicated server at the IP 22.214.171.124. The certificate used by this domain has been already associated (PDF) with Fancy Bear in operations targeting the DNC and German Parliament, which clearly indicates that the domain is associated with the group.
Using the SSL certificate, ThreatConnect discovered recent IPs associated with Fancy Bear, along with numerous domains hosted on these IPs, also supposedly associated with the threat group. Some of these domains were discovered in previous investigations as well.
The researchers also managed to find name servers used by Fancy Bear, including nemohosts[.]com, bacloud[.]com, and laisvas[.]lt. The investigation eventually led to the discovery of hundreds of domains associated with these name servers, tens of which were hosted on dedicated servers.
The researchers note these are suspicious domains but note that “consistencies in registration and hosting tactics do not definitively associate many of these suspicious domains with previous malicious, Fancy Bear activity.”
“It’s important to caveat our confidence in these indicators’ association to FANCY BEAR activity. For many of those indicators that we’ve included here, we don’t know whether they have actually been used maliciously. But if known bad is all that you are worried about or interested in, then you’ll always be at least one step behind the attacker. Only by leveraging intelligence to identify and exploit our adversaries’ tactics can we move from a reactive, whack-a-mole state to a proactive, informed defense,” ThreatConnect says.
Microsoft, in the meantime, is taking legal action against Fancy Bear: the tech company filed a civil lawsuit in August 2016, seeking to seize command-and-control (C&C) domains used by the group. According to court documentation Microsoft made public, there are hundreds of domains containing Microsoft trademarks that it is looking to take control of.
The actors failed to appear in a federal court in Virginia to defend themselves, and Microsoft is pushing for a default judgment in its favor. By seizing the domains, Microsoft would be able to cut the group off from communicating with infected systems.
“Microsoft seeks a preliminary injunction directing the registries associated with these Internet domains to take all steps necessary to disable access to and operation of these Internet domains to ensure that changes or access to the Internet domains cannot be made absent a court order and that all content and material associated with these Internet domains are to be isolated and preserved pending resolution of the dispute. Microsoft seeks a permanent injunction, other equitable relief and damages,” Microsoft notes.
Previously, Microsoft used legal action to take down botnets. In 2012, as part of Operation b71, the company seized C&C servers associated with the notorious Zeus family of malware. In 2014, in an attempt to take down the Bladabindi (njRAT) and Jenxcus (NJw0rm) malware families, the company seized 23 No-IP domains to route bad traffic to a sinkhole.