A digital representation of a landscape at night highlighted by numerous glowing yellow and orange dots, creating a wave-like pattern of illuminated terrain.
Blog DomainTools Research

Identifying Critical Infrastructure Targeting through Network Creation

Background

In addition to independent investigations, DomainTools closely tracks the work of other respected researchers to see what we might miss in our own efforts. Recently, we learned of possible new infrastructure related to the threat actor known as OilRig (aka, APT34 or Helix Kitten). In these situations, DomainTools works to understand the background for such infrastructure and any tendencies which may be revealed by their creation in order to learn how given adversaries operate.

Aside from learning about adversaries, such efforts may also yield new, independent results through further research and analysis. In this case, a preliminary search of DomainTools data yielded a number of interesting, related results to the initial domain:

DomainCreate DateEmailIP AddressISP
7hillsgastro[.]com2020-10-19[email protected]193.239.84.207M247 Europe SRL
ababab[.]biz2020-10-02[email protected]103.19.1.142xTom Japan
alcirineos[.]com2020-10-05[email protected]N/AN/A
amazon-loveyou[.]com2020-11-12[email protected]141.136.36.251Vardas.lt UAB
bargertextiles[.]com2020-10-27[email protected]193.239.84.207M247 Europe SRL
berqertextiles[.]com2020-10-27[email protected]193.239.84.207M247 Europe SRL
careers-ntiva[.]com2020-11-25N/A108.62.118.233Ubiquity Server Solutions Chicago
cererock[.]com2020-11-02[email protected]193.239.84.207M247 Europe SRL
chinaconstructioncorp[.]com2020-11-15[email protected]77.55.219.100Nazwa.pl Sp.z.o.o.
clearinghouseinternational[.]com2020-10-17[email protected]50.63.202.92GoDaddy.com LLC
connect-roofing[.]com2020-11-25N/AN/AN/A
exmngt[.]com2020-11-18[email protected]198.54.117.197Namecheap Inc.
hoganlouells[.]com2020-11-16[email protected]193.239.84.207M247 Europe SRL
hscminkjet[.]com2020-10-27[email protected]193.239.84.207M247 Europe SRL
huopay[.]top2020-10-11[email protected]103.19.1.142xTom Japan
indeptheva[.]com2020-10-05[email protected]193.239.84.207M247 Europe SRL
jiabolianjie0[.]com2020-10-01[email protected]158.247.204.149Choopa LLC
jinkangpu[.]co2020-11-04[email protected]N/AN/A
jlrootfile[.]com2020-10-20[email protected]193.239.84.207M247 Europe SRL
kent-lawfirm[.]net2020-11-12N/A193.239.84.207M247 Europe SRL
klwebsrv[.]com2020-11-26N/AN/AN/A
oculus-au[.]info2020-11-18[email protected]N/AN/A
pet188[.]biz2020-10-16[email protected]193.239.84.207M247 Europe SRL
petrochinas[.]com2020-11-15[email protected]77.55.208.23Nazwa.pl Sp.z.o.o.
renrenbaowang[.]com2020-10-28[email protected]156.253.10.173Ruiou International Network Limited
renrenbaowang[.]net2020-10-28[email protected]156.253.10.173Ruiou International Network Limited
superrnax[.]com2020-10-15[email protected]193.239.84.207M247 Europe SRL
svn-stone[.]com2020-10-23[email protected]N/AN/A
us-customs[.]org2020-10-28[email protected]69.64.147.39Enom Incorporated
virtual-slots[.]com2020-10-23[email protected]208.91.197.91Confluence Networks Inc
virtualcaresadvisor[.]com2020-10-02[email protected]208.91.197.91Confluence Networks Inc.
wilsonconts[.]com2020-11-09[email protected]N/AN/A
wiqzi[.]com2020-10-24[email protected]193.239.84.207M247 Europe SRL
zj-tunq[.]com2020-11-18[email protected]N/AN/A

Several items stood out in the above list of related infrastructure, notably related to common email addresses linked to registrations:

  • cjay006[AT]yandex[.]com
  • ch1styjoe[AT]yandex[.]com
  • diandianlai[AT]yandex[.]com
  • lovelead247[AT]yandex[.]com

Using DomainTools Iris, each of these observed email addresses become a launchpad for investigating additional, related infrastructure. Although at this point connections appear too weak to definitively tie activity back to OilRig behaviors, which is where this investigation began, we have nonetheless reached an interesting and potentially useful intermediate conclusion by identifying linked, suspicious network infrastructure.

Identifying Network Infrastructure

Most notable among the common items above are those linked to the “cjay006” address:

DomainEmailIP AddressMail Exchange
anhuisiafu[.]com[email protected]N/Amailhostbox.com
boardexecutivemanagement[.]com[email protected]N/Amailhostbox.com
boardsexecutives[.]com[email protected]198.54.117.197mailhostbox.com
chinaconstructioncorp[.]com[email protected]77.55.219.100chinaconstructioncorp.com
cornerstoneconect[.]com[email protected]77.55.217.184cornerstoneconect.com
exmngt[.]com[email protected]198.54.117.197mailhostbox.com
groupsexecutive[.]com[email protected]46.28.109.165groupsexecutive.com
lavalingroup[.]com[email protected]77.55.233.217lavalingroup.com
mngtboard[.]com[email protected]46.28.109.164mailhostbox.com
petrochinas[.]com[email protected]77.55.216.70petrochinas.com
stagmein[.]pl[email protected]N/AN/A

Several themes emerge in the above list, looking at the actual names used for domain creation:

  • Mimicking corporate or executive themes (e.g., “boardsexecutives,” “mngtboard”).
  • Themes linked to the People’s Republic of China (PRC) (e.g., “chinaconstructioncorp,” “petrochinas,” “anhuisiafu”).
  • Construction or engineering company spoofing (in addition to “chinaconstructioncorp,” “lavalingroup” is similar to Canadian engineering company SNC-Lavalin).

Hosting patterns aside, reviewing registration and DNS data showed that some domains featured interesting Mail Exchange (MX) records referring back to the original domain. As described in previous DomainTools blogs, identifying certain hosting and functional characteristics to infrastructure can yield insights into adversary activity. In this case, the presence of the MX records, especially for items such as the construction-themed domains, may indicate use for phishing purposes.

Unearthing a Phishing Campaign

Researching several malware repositories, DomainTools researchers uncovered multiple emails sent from the infrastructure described in the previous section. Reviewed messages are similar to the following item:

Email sent from malicious infrastructure

Email messages had the following purpose and themes:

  • Addressed to either the Russian state nuclear energy firm ROSATOM or its nuclear fuel production subsidiary TVEL.
  • Written in Chinese with a “password reset” theme.
  • Sent from the SNC-Lavalin spoofing domain.

Furthermore, all samples identified by DomainTools contained a link to a common resource:

 hXXp://iafflocal290[.]org/sapm/Poland/china[.]php 

The page presents a logon screen:

Login Page presented on iafflocal290[.]org

The page appears to be a straightforward credential harvester, submitting credentials entered into the form fields as a POST to the same hosting domain. The domain itself appears to be either an abandoned or compromised legitimate website associated with a local fire department in the United States. 

Further research identified the above as a common spoofed logon page for likely credential harvesting purposes. Among other entities identified, DomainTools researchers uncovered pages targeting:

  • A major automobile manufacturer.
  • A major automotive parts supplier.
  • An Internet-of-Things (IoT) technology company.

Purpose and Context

The activity above is interesting on several levels. While Canadian-based SNC-Lavalin has operations worldwide, including in the nuclear industry, the company has no known links to Rosatom, TVEL, or Chinese nuclear projects. However, Rosatom and TVEL have significant operations involving Chinese reactor construction and development. Based on these links, DomainTools assesses some possibility for phishing themes combining Russian nuclear organizations with Chinese construction and critical infrastructure entities against individuals working on such projects.

Yet the samples in question all leverage the Lavalin theme, which does not align with any known projects or activity. The combination of Canadian engineering company spoofing, Russian nuclear technology targeting, and Chinese language phishing messages is therefore somewhat confusing. 

Further research identified the credential harvesting pages associated with other entities, largely with technology or manufacturing themes. Based on this information, a likely intention for the Lavalin-ROSATOM campaign would appear to be credential harvesting to further follow-on espionage and data theft. Unfortunately, insufficient evidence exists to definitively support this claim.

While this investigation began by pivoting off of infrastructure linked to OilRig— associated with Iranian interests by multiple entities—there is nothing conclusive linking the identified phishing activity to behaviors associated with Iranian threat groups. This is especially the case after uncovering the additional, similarly-structured logon pages targeting other industries. At this time DomainTools cannot align the observed phishing activity with any known, tracked threat actor.

Conclusion

Threat hunters and researchers need to incorporate third-party findings and investigations into their own work to expand horizons and ingest new observations for subsequent enrichment. By expanding upon identified work and threat indicators, researchers can unearth related or potentially even completely separate campaigns that happen to overlap in certain characteristics. 

Such is the case with the above investigation, where initial analysis of likely OilRig-related observables revealed a phishing campaign targeting the Russian nuclear industry with Chinese language characteristics, as well as several other manufacturing and technology companies. While much remains unknown about this newly identified campaign, we as threat researchers now have awareness of and insight into the activity that was previously unknown based on dogged analysis and enrichment of third-party research.