This week’s revelation that foreign actors attempted to break into the Arizona and Illinois board of elections prompted alarm and consternation. On Friday, cybersecurity company ThreatConnect noticed that one of the IP addresses that the FBI mentions in their report about the incidents was also linked to a previous spearphishing attempt against Ukrainian and Turkish governments.
ThreatConnect looked at that IP address — 220.127.116.11 — and found a website very similar to one for Turkey’s ruling AK Party. The practice of registering domains that look like those of real organizations, but with just a letter or character off, is sometimes called typosquatting. Marketers use typosquatted domains all the time. If you’re a customer looking for lampshades.com and mistype lampshads.com, whoever owns that not-quite-right domain can steer you toward their own site.
It works the same way in a socially engineered phishing attack. People often don't notice subtle errors in the domains or URLs of institutions they trust. It was one of the means by which hackers affiliated with the group COZY BEAR, believed to be Kremlin-backed, tried to lure staff at Washington, D.C., think tanks into opening emails.
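The kind of lookalike the two paragraphs above describe (a letter dropped, a character swapped for a visually similar one, or a trusted name buried inside a longer hostname) is cheap to check for mechanically. The following is an added example, not tooling from ThreatConnect, Fidelis or the article, that scores candidate domains against a watch list. The watch list, the candidate feed and the homoglyph table are constructed for the demonstration; only lampshades.com / lampshads.com come from the article, and the two-label suffix set stands in for the Public Suffix List a real deployment would use.

```python
"""Flag candidate domains that impersonate a trusted domain.

Added example for this article, not ThreatConnect's or Fidelis's code.
All inputs below are constructed except lampshades.com / lampshads.com.
"""

# Assumption: a real deployment would consult the Public Suffix List; this
# small set only keeps the demo from splitting "example.org.tr" as "org.tr".
MULTI_LABEL_SUFFIXES = {"co.uk", "org.tr", "com.ua", "com.tr"}

# Character sequences that read like another character at a glance.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("cl", "d")]

# Constructed watch list of domains whose impersonation we care about.
WATCHLIST = ["lampshades.com", "solydarnist.org", "example.org.tr"]


def registrable_domain(host: str) -> str:
    """Return the registrable part of a hostname, e.g. mail.a.b.org -> b.org."""
    labels = host.lower().rstrip(".").split(".")
    suffix_len = 2 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 1
    return ".".join(labels[-(suffix_len + 1):])


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, or swap
    two adjacent characters, each costing 1 (so a transposition is not 2)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]


def fold_homoglyphs(label: str) -> str:
    """Collapse lookalike sequences so 'larnpshades' compares equal to 'lampshades'."""
    for lookalike, real in HOMOGLYPHS:
        label = label.replace(lookalike, real)
    return label


def classify(candidate: str, watchlist=WATCHLIST):
    """Return (verdict, trusted_domain) for the first watch-list hit, else ("clean", None).

    Verdicts, in the order they are tested:
      legitimate - the candidate is the trusted domain or one of its own subdomains
      embedded   - the trusted name appears as leading labels under another domain
      tld_swap   - same second-level label, different public suffix
      homoglyph  - second-level labels match after folding lookalike characters
      typosquat  - second-level labels are within one edit of each other
    """
    cand = candidate.lower().rstrip(".")
    cand_reg = registrable_domain(cand)
    cand_label = cand_reg.split(".")[0]
    for trusted in watchlist:
        trusted = trusted.lower()
        t_label = trusted.split(".")[0]
        if cand_reg == trusted:
            return ("legitimate", trusted)
        if f".{trusted}." in f".{cand}.":
            return ("embedded", trusted)
        if cand_label == t_label:
            return ("tld_swap", trusted)
        if fold_homoglyphs(cand_label) == fold_homoglyphs(t_label):
            return ("homoglyph", trusted)
        if osa_distance(cand_label, t_label) <= 1:
            return ("typosquat", trusted)
    return ("clean", None)


def scan_feed(candidates, watchlist=WATCHLIST):
    """Return only the candidates that hit the watch list, with their verdicts."""
    hits = {}
    for host in candidates:
        verdict, trusted = classify(host, watchlist)
        if verdict not in ("clean", "legitimate"):
            hits[host] = (verdict, trusted)
    return hits


if __name__ == "__main__":
    # Constructed feed standing in for newly registered domains or passive DNS.
    feed = ["lampshads.com", "www.lampshades.com", "larnpshades.com",
            "mail.solydarnist.org.example.net", "lampshades.net",
            "exarnple.org.tr", "unrelated-site.com"]
    for host, (verdict, trusted) in scan_feed(feed).items():
        print(f"{host:35} {verdict:10} impersonates {trusted}")
```

The order of the checks matters: a hostname such as mail.solydarnist.org.example.net is caught as an embedded name before any edit-distance comparison runs, and a plain TLD swap is reported separately from a one-character typo so an analyst can prioritize. An edit distance of one on short labels produces false positives against ordinary words, so a production scan would raise the threshold with label length or require a second signal such as a shared registrar or hosting IP.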
“Investigation of this typosquat took us down the rabbit hole that ultimately uncovered evidence of a recent spearphishing campaign primarily targeting individuals affiliated with Turkish and Ukrainian political organizations. … A DomainTools screenshot of srvddd[.]com dated May 9, 2015 shows a directory named ‘mail.solydarnist.org’ was present on the server, suggesting it was used to target solydarnist[.]org, the official website of the political party of incumbent Ukrainian President Petro Oleksiyovych Poroshenko.”
That target pattern suggests, but does not prove, Russian state-backed actors, since they would have the greatest interest in spearphishing Turkish and Ukrainian political figures. ThreatConnect is careful not to blame the state election board attacks explicitly on COZY BEAR or FANCY BEAR, the two groups that cybersecurity company CrowdStrike linked to the DNC and DCCC hacks. “The question on everyone’s mind: Who is behind the recently reported compromises of Arizona and Illinois’ state board of elections (SBOE)? The answer is, we don’t know,” they write.
Tracing typosquatted domains back through their registration records is a murky business that leaves an attacker plenty of room to escape attribution. But those same records can also reveal an attacker’s next moves.
Justin Harvey of cybersecurity company Fidelis recently took a look at the original CrowdStrike post from June, which listed the domains that the Kremlin-backed groups COZY BEAR and FANCY BEAR were using to spearphish the DNC.
The domains were registered through a registrar called IT Itch, which accepts Bitcoin for domain purchases and so makes the buyer harder to trace. “It’s almost like money laundering,” Harvey said.
Looking over the list of other domains registered through IT Itch revealed several lookalike domains that could play a role in future spearphishing attacks, including ones that mimic media or national-security organizations, such as WorldPostJournal.com, NewsDefenseUSA.com, GoaArmy.org and GeopoliticsMonitor.org. The Huffington Post, the Guardian and others were among the typosquat targets.
Any of these domains could have been registered by FANCY BEAR or COZY BEAR for a future spearphishing operation. But none of them might be, either, since anyone who wants to register a domain anonymously can pay in bitcoin through the same registrar. That does not mean the information is without value. Imagine walking into a room that has recently hosted a variety of criminals and unsavory types, including a spy you are looking for. The clues you find could relate to your suspect’s future targets, or they could be related to less exotic criminal activity.
It’s hard to know for sure until the next crime is revealed.