Possible Fancy Bear Domains Spoofing Anti-Doping and Olympic Organizations
Update - 1/19/18
We recently identified two additional domains -- login-ukad[.]org[.]uk and adfs-ukad[.]org[.]uk -- which appear to spoof UK Anti-Doping. The domain login-ukad.org.uk uses the Domains4Bitcoins name server previously mentioned and, as of January 19 2018, is hosted on dedicated server at the IP 185.189.112[.]191. This IP address is in the same 220.127.116.11/24 block as a previously identified IP that hosts the USADA-spoofing domain webmail-usada[.]org. SOA records for the login-ukad[.]org[.]uk domain indicate the domain was registered using the email address luciyvarn@protonmail[.]com. No other domains registered using that email address have been identified.
Using a DomainTools Reverse WHOIS search, we can identify that adfs-ukad[.]org[.]uk uses the same "Zender inc" organization name and "Vapaudenkatu 57" address string as login-ukad[.]org[.]uk. While this domain is not currently hosted on a dedicated server, it also appears to spoof UKAD. Given the consistency in spoofing UKAD, it suggests that the actor behind these domains may be engaged in a concerted effort against the UKAD or using their name to target others outside of the organization.
Like with the domains originally identified, we have no indication that these domains have been used in operations, but some of their registration and hosting information are consistent with previously identified Fancy Bear infrastructure. While these domains are not definitively attributable to Fancy Bear, given these consistencies they merit additional scrutiny. This information has been shared in our Common Community in Incident 20180119A: UKAD Spoofed Domains.
On 10 January, the Fancy Bears' HT - a faketivist most likely generated to release information garnered from Fancy Bear/APT28/Sofacy operations - released a post suggesting they had compromised emails from the International Olympic Committee (IOC). While we cannot verify the legitimacy or provenance of those leaked emails, ThreatConnect has identified spoofed domains imitating the World Anti-Doping Agency (WADA), the US Anti-Doping Agency (USADA), and the Olympic Council of Asia (OCASIA). These suspicious domains have consistencies with other previously identified Fancy Bear infrastructure and raise the question of a broader campaign against the upcoming 2018 winter games.
At this time, we cannot confirm whether these domains have been used maliciously nor definitively tie them to Fancy Bear without additional data. ThreatConnect has notified the spoofed organizations.
Fancy Bears' HT doing faketivist things
Way Back When...In 2016
We're old enough to remember when Russian threat actors hacked the World Anti-Doping Agency (WADA) in the summer of 2016 after WADA recommended Russian athletes be banned from the 2016 games in Rio due to a large-scale state-backed doping program. After that hack, over 40 athletes' personal data was leaked.
When the IOC banned Russia from the upcoming winter games in South Korea due to systematic doping, we thought the stage was set for more retaliatory hacks. If you're unfamiliar with said doping scandal check out the documentary Icarus on Netflix (@IcarusNetflix).
Concerted Effort to Spoof USADA
In the course of our ongoing efforts to monitor domains registered through registrars that Fancy Bear has shown a tendency to use, we recently identified the domain webmail-usada[.]org, which spoofs the USADA's legitimate domain. This domain was registered on December 21 2017 and uses the Domains4Bitcoins name server that Fancy Bear has previously used. Additionally, as of January 10, 2018, this domain is hosted on a dedicated server at the IP 185.189.112[.]242.
ThreatConnect's DNS Resolution History for webmail-usada[.]org
While the domain was registered using privacy protection, start of authority (SOA) records for the webmail-usada[.]org domain indicate the domain was registered using the email address jeryfisk@tuta[.]io.
Hurricane Electric SOA information on webmail-usada[.]org
Using Iris from our friends at DomainTools, we can identify that this email address was also recently used in the SOA records to register another USADA-spoofing domain usada[.]eu.
DomainTools Iris results for jeryfisk@tuta[.]io
This domain is not currently hosted. No other domains registered using that email address have been identified. However, given the consistency in spoofing USADA, it suggests that the actor behind these domains may be engaged in a concerted effort against the USADA or using their name to target others outside of the organization. This information has been shared in our Common Community in Incident 20180103B: USADA Spoofed Domains.
Guilt By Registrant Associations
We also identified a third domain, wada-adams[.]org, which spoofs the WADA's legitimate domain and Anti-Doping Administration and Management System (ADAMS). While this domain does not use a small or boutique name server that Fancy Bear has shown a tendency to use, and it is currently parked, it was registered on December 14, 2017 using the email address wadison@tuta[.]io.
Additional domain registered by wadison@tuta[.]io
This email address has only registered one other domain, networksolutions[.]pw, which uses the previously mentioned Domains4Bitcoins name server, and as of January 10, 2018, is hosted on dedicated server at the IP 23.227.207[.]182. The WADA-spoofing domain is currently parked; however, given the consistencies between wadison@tuta[.]io's networksolutions[.]pw domain and previously identified Fancy Bear infrastructure, it merits additional scrutiny. This information has been shared in our Common Community in Incident 20180103C: Domains Registered by firstname.lastname@example.org.
Olympic Council of Asia Spoofed Domain
Another interesting domain, ocaia[.]org, also recently came across our desks during Fancy Bear research. This domain was registered on December 25, 2017 and uses a THCServers name server -- another Fancy Bear favorite -- and appears to spoof OCASIA's legitimate domain ocasia[.]org. It should be noted that this spoofed domain is co-located on the IP 193.29.187[.]143 with about six other domains. Fancy Bear's domains often use dedicated servers, but given the subject and timing of this registration, defenders should also be on the lookout for this domain. This information has been shared in Incident 20180110B: Olympic Council of Asia Spoofed Domain.
We're going to reiterate something here: At the time of this blog's publishing, we don't know whether any of the infrastructure identified in this post is actually being used maliciously. But that's okay. In fact, we'd argue that if you're only concerned about what is known to be bad, you're going to be had.
While these domains are not definitively attributable to Fancy Bear, given these domains' consistencies and Fancy Bears' HT posts, they merit additional scrutiny. Furthermore, this incident highlights the importance of identifying activity that is consistent with adversaries' known infrastructure registration and hosting tactics. In doing so, organizations can incorporate a proactive approach to threat intelligence that may identify indicators like these that are associated with their adversaries before they are used against them.