Part 2 of 2
In Part 1 of this discussion of threat actor analysis, we looked at why threat actor analysis has a major role to play in every phase of cybersecurity, from prevention to mitigation to response to monitoring. Today, we’ll look at how a key DomainTools partner, ThreatConnect, used DomainTools and other data to develop a very comprehensive profile, and quite possibly the exact identity, of the actors behind one of the largest data breaches ever known: the breach of health insurer Anthem, which exposed personal data on some 80 million people. While the Anthem breach isn’t the latest major healthcare breach (Premera holds that dubious distinction, for now at least), it does show how adversary profiling works in practice. Incidentally, the Anthem article almost spookily presages the Premera breach, noting the discovery of some illegitimate Premera-themed domains.
Whodunit? Most of the suspicion falls on China, with strong connectors in the attack infrastructure pointing to operatives there. More specifically, a professor at Southeast University in Nanjing (with ties to a cybersecurity company) may ultimately have masterminded the attack, and may have used students to carry it out as part of a competition. As we saw in Part 1, understanding the adversary pays off in many ways, from enhanced forensics to strengthened proactive defenses.
From Attack to Attacker
How did ThreatConnect use domain profile information to ultimately achieve a high-confidence attribution for this attack? The ThreatConnect article explains it in detail, but here we’ll look at a high-level summary of the steps:
- The initial attack domain identified by ThreatConnect (we11point[.]com, a “typo” variant of Anthem’s former name, WellPoint, with the letters “ll” replaced by the digits “11”) was found through malware analysis. The malware had been seen in other Chinese APT attacks, which pointed the attribution analysis toward China, though this was far from conclusive at this early stage.
- The malware and a digital signature associated with it had been connected to an earlier attack, and that earlier attack involved an IP address, 192.199.254[.]126, which hosted the domain topsec2014[.]com, another clue. That domain, in turn, yielded a registrant email address of li2384826402@yahoo[.]com. Whois History on the domain, however, also shows another email address, TopSec_2014@163[.]com. The TopSec domain and email addresses are strong connectors to the Topsec security company, yet another link in the chain of attribution.
- Timing is everything. The registration of topsec2014[.]com, in May of 2014, coincides closely with the TopSec Cup competition. When looking at domains that may or may not be connected, registration dates can be instructive. In the presence of other corroborating information, correlated dates can help solidify connections between domains.
- Obfuscation techniques can aid attackers, but they can also aid researchers. Infrastructure connected to both the Anthem attack and an earlier spearphishing attempt against defense contractor VAE was registered using phony names based on Iron Man superhero characters, something we’ve noted before. While this practice obscures the actual name of the registrant, a recurring fake persona is itself a strong connector for researchers piecing together maps of criminal infrastructure.
- Search engines are your friends. The connection to Nanjing Southeast University and a specific professor was shown (strongly, if not conclusively) in search engine results on the topsec_2014@163[.]com email address. While the actual search results came back for topsec2014@163[.]com (no underscore), the two addresses were similar enough that a coincidence was judged very unlikely. The search results pointed to a professor at the university with extensive experience in cybersecurity and, as further research turned up, cyberattacks.
| Indicator | Connection | Source |
| --- | --- | --- |
| we11point[.]com | Malware C2 | Malware analysis |
| 192.199.254[.]126 | C2 hosting infrastructure | Malware analysis |
| li2384826402@yahoo[.]com | Initial registrant of topsec2014[.]com | Whois History |
| TopSec_2014@163[.]com | Later (current) registrant of topsec2014[.]com | Whois |
| Iron Man-themed email addresses | Whois contact information | Whois |
Ultimately, with the help of a security outfit called Defense Group Inc., ThreatConnect was able to make a very strong case a) attributing the breach to this professor, and b) establishing a very likely tie to the Chinese government, specifically the People’s Liberation Army (PLA).
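The pivoting described in the steps above (shared hosting IP, registrant email, Whois History snapshot, recurring fake persona) is mechanical enough to script. The following is an added example, not ThreatConnect or DomainTools code: it builds a reverse-Whois/reverse-IP index over a set of records, expands breadth-first from a seed domain, and then runs the expanded set against DNS log lines. Every record, domain, address and log line in it is constructed for illustration; the links between them are hypothetical, not a reproduction of the Anthem data. The one caveat it encodes that the write-up glosses over: a value shared by too many domains (a privacy-proxy email, a shared-hosting IP) is a hub, not a connector, and must be skipped or it links everything to everything.

```python
"""Pivot from a seed domain to related infrastructure over Whois/hosting
records, then search DNS logs for the expanded set. Added example; all data
below is constructed and the linkage between records is hypothetical."""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

PIVOT_FIELDS = ("registrant_email", "registrant_name", "ip")


@dataclass(frozen=True)
class Record:
    """One Whois/hosting snapshot; two snapshots of a domain model Whois History."""
    domain: str
    registrant_email: str
    registrant_name: str
    ip: str
    observed: str  # date of the snapshot


# Constructed records. acme-hea1th.com is the seed, a "1 for l" typo of the
# fictional victim acme-health.com. 203.0.113.5 models a shared-hosting IP.
RECORDS = [
    Record("acme-hea1th.com", "tony.stark1963@example.net", "Tony Stark", "192.0.2.10", "2014-04-21"),
    Record("cup2014-sec.com", "li2384826402@example.com", "li", "192.0.2.10", "2014-05-06"),
    Record("cup2014-sec.com", "contest_2014@example.org", "contest team", "192.0.2.10", "2014-11-02"),
    Record("contest-archive.net", "contest_2014@example.org", "contest team", "198.51.100.7", "2015-01-15"),
    Record("pepper-potts-corp.com", "tony.stark1963@example.net", "Tony Stark", "203.0.113.5", "2014-12-11"),
    Record("shared-host-a.com", "privacy@proxy.example", "Whois Privacy", "203.0.113.5", "2014-08-01"),
    Record("shared-host-b.com", "privacy@proxy.example", "Whois Privacy", "203.0.113.5", "2014-08-01"),
    Record("shared-host-c.com", "privacy@proxy.example", "Whois Privacy", "203.0.113.5", "2014-08-01"),
]


def build_index(records: Iterable[Record]) -> Dict[Tuple[str, str], Set[str]]:
    """(field, value) -> domains carrying that value: a reverse Whois / reverse IP index."""
    index: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for rec in records:
        for field in PIVOT_FIELDS:
            index[(field, getattr(rec, field))].add(rec.domain)
    return index


def pivot(seed: str, records: List[Record], max_hops: int = 2,
          max_fanout: int = 3) -> Dict[str, Tuple[int, Optional[str]]]:
    """Breadth-first expansion from `seed`: {domain: (hops, "field=value" that linked it)}.
    Values shared by more than `max_fanout` domains are hubs and are not followed."""
    index = build_index(records)
    by_domain: Dict[str, List[Record]] = defaultdict(list)
    for rec in records:
        by_domain[rec.domain].append(rec)
    found: Dict[str, Tuple[int, Optional[str]]] = {seed: (0, None)}
    queue = deque([seed])
    while queue:
        domain = queue.popleft()
        hops = found[domain][0]
        if hops >= max_hops:
            continue
        for rec in by_domain.get(domain, []):
            for field in PIVOT_FIELDS:
                value = getattr(rec, field)
                neighbours = index[(field, value)]
                if len(neighbours) > max_fanout:
                    continue  # privacy proxy / shared hosting: proves nothing
                for other in sorted(neighbours):
                    if other not in found:
                        found[other] = (hops + 1, f"{field}={value}")
                        queue.append(other)
    return found


# Constructed DNS resolver log lines; the first predates the investigation.
LOG_LINES = [
    "2014-11-30T22:01:55Z host=srv-db2 query=contest-archive.net type=A",
    "2015-01-27T03:14:07Z host=ws-112 query=acme-health.com type=A",
    "2015-01-27T03:14:09Z host=ws-112 query=cdn.acme-hea1th.com type=A",
    "2015-01-27T04:00:00Z host=ws-007 query=shared-host-a.com type=A",
]


def _matches(qname: str, domains: Set[str]) -> Optional[str]:
    """The watched domain that `qname` equals or is a subdomain of, else None."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def scan_logs(lines: Iterable[str], domains: Set[str]) -> List[Tuple[str, str, str]]:
    """(timestamp, host, matched_domain) for every query into the watched set."""
    hits = []
    for line in lines:
        tokens = line.split()
        fields = dict(tok.split("=", 1) for tok in tokens[1:] if "=" in tok)
        matched = _matches(fields.get("query", ""), domains)
        if matched:
            hits.append((tokens[0], fields.get("host", "?"), matched))
    return hits


if __name__ == "__main__":
    related = pivot("acme-hea1th.com", RECORDS)
    for dom, (hops, via) in sorted(related.items(), key=lambda kv: kv[1][0]):
        print(f"{hops} hop(s)  {dom:24s} via {via}")
    for ts, host, dom in scan_logs(LOG_LINES, set(related)):
        print(f"HIT {ts} {host} -> {dom}")
```

Run as-is, the pivot reaches cup2014-sec.com through the shared IP, pepper-potts-corp.com through the reused registrant email, and contest-archive.net only through the second Whois snapshot of cup2014-sec.com, while the three domains that merely share a hosting IP with pepper-potts-corp.com stay out of the set. The log scan then surfaces a query to contest-archive.net from two months before the seed domain was ever seen, which is exactly the kind of traffic that escaped notice at the time.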
There are several important points illustrated by the investigation of the Anthem breach that you can put into practice any time:
- Guard against typo or other “squatter” violations of your organization’s domain(s). While at first blush this may seem to be principally a brand protection measure, a great deal of attack infrastructure makes use of imitative or illicitly registered domain names related to the victim organization’s domains. Use Domain Search to look up registrations that include your organization’s name. Are they all legitimate? Use Domain Typo Finder to find variants of your organization’s name that may have been illicitly registered. Some organizations defensively register such domains.
- If you spot malicious or suspicious activities (such as phishing attempts or devices on your network calling out to possible C2 infrastructure), use DomainTools Reverse Tools and History Tools to find related infrastructure. Look for the expanded sets of domains and/or IP addresses in your current as well as archived logs. It could be that traffic that escaped notice in the past was part of an attack.
- If you identify malicious infrastructure that has been attacking you—or even just “knocking at the door”—set up monitors to be alerted to expansions of this infrastructure as they come online.
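The first of these practices can be checked against any list of registrations you can get your hands on. What follows is an added example, not the DomainTools Domain Typo Finder or Domain Search: it generates omission, transposition, duplication and look-alike-character variants of a domain label (applying look-alikes both one occurrence at a time and to every occurrence at once, which is how wellpoint becomes we11point), and then filters an observed list of registrations down to the typo variants and the name mentions that are not the organization’s own or defensively registered. The observed-domain list and the allowlist are constructed for illustration.

```python
"""Generate typo/homoglyph variants of an organization's domain label and
check observed registrations against them. Added example; the observed
domain list below is constructed, not a real registration export."""
from typing import Dict, Iterable, List, Set, Tuple

# Visually confusable substitutions. "l" -> "1" is the trick behind we11point.
HOMOGLYPHS: Dict[str, Tuple[str, ...]] = {
    "l": ("1", "i"), "i": ("1", "l"), "o": ("0",), "0": ("o",),
    "m": ("rn", "nn"), "rn": ("m",), "w": ("vv",), "vv": ("w",),
    "d": ("cl",), "cl": ("d",),
}


def typo_variants(label: str) -> Set[str]:
    """Omission, adjacent-transposition, duplication and homoglyph variants.

    Homoglyphs are applied to one occurrence at a time and to all occurrences
    at once, so "wellpoint" yields "we1lpoint", "wel1point" and "we11point".
    """
    label = label.lower()
    out: Set[str] = set()
    n = len(label)
    for i in range(n):
        out.add(label[:i] + label[i + 1:])                       # omission
        out.add(label[:i] + label[i] + label[i:])                # duplication
        if i + 1 < n and label[i] != label[i + 1]:               # transposition
            out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    for src, repls in HOMOGLYPHS.items():
        if src not in label:
            continue
        for rep in repls:
            out.add(label.replace(src, rep))                     # every occurrence
            pos = label.find(src)
            while pos != -1:                                     # one occurrence
                out.add(label[:pos] + rep + label[pos + len(src):])
                pos = label.find(src, pos + 1)
    out.discard(label)
    return out


def _label(domain: str) -> str:
    """First label of a domain, e.g. 'wellpoint-careers' for 'wellpoint-careers.com'."""
    return domain.lower().rstrip(".").split(".")[0]


def find_typo_registrations(org_label: str, observed: Iterable[str],
                            allowlist: Iterable[str] = ()) -> List[str]:
    """Observed domains whose label is a typo variant of `org_label`, minus the
    allowlist (domains the organization registered defensively)."""
    variants = typo_variants(org_label)
    allowed = {d.lower() for d in allowlist}
    return sorted(d for d in observed
                  if _label(d) in variants and d.lower() not in allowed)


def find_name_mentions(org_label: str, observed: Iterable[str],
                       own: Iterable[str] = ()) -> List[str]:
    """Observed domains that contain the organization's name but are not its own:
    the kind of result a name search over registrations returns."""
    own_set = {d.lower() for d in own}
    needle = org_label.lower()
    return sorted(d for d in observed
                  if needle in _label(d) and d.lower() not in own_set)


# Constructed list standing in for a registration export.
OBSERVED = [
    "wellpoint.com", "we11point.com", "welpoint.net", "wellpiont.com",
    "wellpoint-careers.com", "wellp0int.org", "unrelated-example.com",
]

if __name__ == "__main__":
    print("typo registrations:",
          find_typo_registrations("wellpoint", OBSERVED, allowlist=["wellpiont.com"]))
    print("name mentions:", find_name_mentions("wellpoint", OBSERVED, own=["wellpoint.com"]))
```

The variant set for a nine-character label runs to a few dozen strings, so in practice you would generate it per label, combine it with the TLDs you care about, and diff the result against a registration feed or your own passive DNS rather than eyeball it; anything that shows up and is not on your defensive-registration list is worth a Whois look and a pivot.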
Looking back at an attempted or successful cyberattack can yield plenty of valuable information for the present and the future. Try some of the techniques suggested here, and fine-tune your investigative skills so that, should the unthinkable happen, you’re prepared to respond quickly and effectively.