Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Russian Phish on Hudson Institute & IRI Org: Filling In The Gaps

leave a comment »

So Microsoft proclaimed that they had taken down some domains and stopped the GRU/SVR from carrying out some more active measures against the US election cycle. Now, they obviously have some more intel than they are letting us all know about because while the domains are definitely set up for some gov spearphishing, we don’t have any emails or data to show they actively had a campaign running. The domains (see below) are concerned with two think tanks that have a plethora of data that the Russians would want to have and perhaps tinker with but the government domains are aimed squarely at the Senate.

 

While the domains that are meant to typo-squat the think tanks are around one hundred days old, the senate domains are much older. In fact, these domains have been creepin around anywhere nearly a year to just over a year. So you can see where the Russian services were aiming and have been planning for at least a year plus on the senate campaign. The think tanks are a newer though and as such I have to wonder about the thought process by the GRU/SVR on these. Were the Russians looking to simply gain access to these think tanks and gather intel not just on their Russian stances but also around the world as the Russians have done before (mostly by the SVR collections missions) or was their plan to somehow steal their data and leak it as part of the larger active measures campaigns?

It seems though from my searching that the domains never had any real pages attached to them but for one having an IIS front end with nothing else. Wayback machine fails on all of them as does Google, so I am going to assume that these were all just domains used as C2 for traffic and perhaps a drive by attack in the case of one that showed up in VT and Hybrid (see above) but I could find no malware being attached to these domains with these tools. This is not to say that they didn’t and that people clicked on links and got infected at the Senate or these think tanks. I guess we will have to wait for Microsoft to elucidate some more on these.

 

But, back to these think tanks and the phishing that likely was to come or already happened. I am going to assume they already happened and that is how these domains were picked up because something happened internally and got reported? I MS paying that much attention to domains or is it they were seeing O365 traffic (phish) and caught on? As I remember reading so far they really don’t tell us how they got the tip off but they must have had evidence because they took over the domains. In this section though, I want to focus on the why and the what of the active measures here by the Russians. Why these two think tanks? What were they going to do with the access one wonders. Or would this have been in tandem with the senate domains luring those being phished to an IRI report? It turns out that IRI (International Republican Institute) put out a press release on the revelations on their domain squat.

I guess that either IRI could be phished itself as well as this as well as the other org squatted (Hudson Institute) could be not only the targets of phish using these domains but also used as fodder to entice Republicans as well as perhaps Democrats to click on a tasty link and either get a drive by or be linked to a credential phishing site. As the DNC attacks I believe were credential harvesting sites, it is likely that this would be the case for all these entities were the Russians looking to gain a foothold on any of them. I am gonna say though, that the domain my-iri.org and the sharepoint domain for hudson.org  says that they were looking to fool internal folks into clicking on something. As to the other domains it looks straight up like internal users being targeted.

So what would the goals be here with these? If you were to go after their internal systems and the fellows there what would you be looking for? I am going to say this too would have been a fishing expedition for information that the Russian government could use to destabilize all kinds of places as well as to understand how the think tanks were approaching Russia. If you look at the image at the top of the page you can even see how Hudson has a paper on countering the Kleptocracy. My concern here would be that not only would the adversaries be looking to steal information but also to pull the same kind of job on these orgs that they did to the DNC. Basically, I think it would be a disinformation campaign against these orgs to cause instability in their content and their following. I could also see tinkering with their reports as well as a means to make them untrustworthy. An added bonus to this also would be collection on any collaborators that the Russians might want to eliminate in country if the emails have source conversations too.

Of course now we are hearing that the Russians are attacking not only Dems but also Republicans and it is important to remember that their goal is to sow chaos and cause division. This is because if they can cause these things, the outcome is to have inaction as well as possibly traction for those like Trump that they are actively supporting with these kinds of active measures as we saw in 2016. So, there you have it, unless Microsoft and others care to give us some more information to work from this is pretty much all you can glean from their motives by proxy of their domains. You can see though, that they have been working on these plans for some time, at least a year for the think tanks and over a year for the senate campaigns.

 

In closing though, I want to just say that it would be real easy for the Russians to get the conventions of the email addresses as well as who to target at these institutions just by using LinkedIN. I did some cursory searches in Google and LI and came up with shovels full of names and email addresses to use. It’s phishing season kids! I do wonder just how much security training these people have….

Hmmmm…

K.

Written by Krypt3ia

2018/08/21 at 18:28

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: