Over the last month and a half, ThreatConnect has authored a number of blog posts pulling at strands of a nebulous Russian spiderweb of malicious infrastructure – one data point at a time. Along the way, we’ve built off of the work other researchers have done and have engaged with a handful of journalists who are eager to get to the bottom of the story. We assess the Guccifer 2.0 persona that surfaced after the DNC breach was announced in June is a Russian creation to maximize the impact of strategic leaks.
But it looks like we missed something called DCLeaks, another outlet for leaked material. We believe DCLeaks is another Russian-backed influence outlet based on the following:
- Guccifer 2.0’s use of DCLeaks to share purloined emails from a Hillary Clinton campaign staffer with journalists
- DCLeaks hosting a portfolio of leaked emails belonging to Billy Rinehart Jr. — a former development manager at the United Nations Foundation and regional field director for the DNC — whose email account was breached in the same manner as a known FANCY BEAR attack method
- DCLeaks’ registration and hosting information aligns with other FANCY BEAR activities and known tactics, techniques, and procedures
For more on this, see today’s article from The Smoking Gun detailing DCLeaks.
DCLeaks was established in mid-2016 and initially garnered some publicity for releasing a series of emails from retired Air Force General Philip Breedlove, who in his last position was the commander of U.S. European Command and NATO forces. In this role as the most senior U.S. military official responsible for Russia, General Breedlove advocated for a more muscular response to Russian aggression in Ukraine and the leaked emails detail internal lobbying pertaining to the Obama Administration’s policy.
The About page for DCLeaks claims “the American hacktivists” initiated the “new level project”:
DCLeaks is a new level project aimed to analyze and publish a large amount of emails from top-ranking officials and their influence agents all over the world. The project was launched by the American hacktivists who respect and appreciate freedom of speech, human rights and government of the people. We believe that our politicians have forgotten that in a democracy the people are the highest form of political authority so our citizens have the right to participate in governing our nation.
The website has grouped its leaks into portfolios that include General Breedlove, Bill and Hillary Clinton, the Republican party, George Soros, and William “Billy” Rinehart, among others. Each of these portfolios has a description of the individual or organization, but most of the language that DCLeaks uses is either borrowed from Wikipedia or very simplistic in nature. This limits our ability to use language on the site to support an attribution assessment in a meaningful way.
Guccifer 2.0: Using DCLeaks, but Quietly
On June 27, 2016, The Smoking Gun (TSG) received a series of emails from Guccifer 2.0 (guccifer20@aol[.]fr) with the subject “leaked emails”. Most of the messages were sent from the Russia-based Elite VPN IP address 95.130.15[.]34 (located in France) as previously highlighted in our blog post. Some of the emails were sent from another probable Elite VPN IP address 208.76.52[.]163 (Miami, FL). The messages were not spoofed, as they passed Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) checks.
Within the message thread the Guccifer 2.0 persona offered exclusive access to private Clinton campaign emails.
After TSG expressed interest in reviewing the emails, the Guccifer 2.0 persona responded indicating he had a relationship with DCLeaks, claiming that it was a Wikileaks subproject. He also provided a username and password to the exclusive DCLeaks content. Finally, the Guccifer 2.0 persona asked TSG not to link or associate the DCLeaks content to the Guccifer 2.0 blog. As of this writing, the Sarah Hamilton portfolio of leaked documents is no longer password protected.
In a follow-up message, the Guccifer 2.0 persona provided TSG with credentials to the DCLeaks portfolio on Hillary Clinton staffer Sarah Hamilton.
There is no public evidence supporting the statement that DCLeaks is a Wikileaks sub-project. We also find it noteworthy that the Guccifer 2.0 persona is hosting content on DCLeaks and has privileged permissions to access and administer password protected content. This indicates the persona has a relationship with DCLeaks beyond simply being a source for leaks.
From Yandex and DCLeaks With Love: Separate Leaked Portfolio Matches FANCY BEAR Attack Pattern
At the time of this writing, DCLeaks maintains a protected page for Billy Rinehart Jr. – a regional field director for the DNC. Seeing this, The Smoking Gun reached out to Rinehart and obtained a copy of the spearphish used to gain access to his email account. Rinehart was targeted with a spearphish on March 22, 2016 in a timeline and manner matching FANCY BEAR activity initially reported by Secureworks (Secureworks refers to the group as TG-4127). The mid-June 2016 report detailed specific targeting of Google accounts.
The email message was sent from an individual spoofing the legitimate “firstname.lastname@example.org” account and contained the subject “Sоmeоne has your passwоrd.” The spearphish message was actually sent from hi.mymail@yandex[.]com, an email address from the Moscow-based webmail provider Yandex. The message appeared to be a security notification from Google which alerted the user with the following content:
The image of the email shown above was reconstructed from offline content, so not all images and formatting are displayed as in the original online version. The faux message contained a link to a bit.ly shortened URL. According to bit.ly, the link was clicked only once during the week of March 20, the week it was sent.
The bit.ly link would redirect the user to a faux Google URL myaccount.google.com-securitysettingpage[.]ml where the user would then input their credentials into a credential phishing page. The URLs were crafted with encoded strings specific to the targeted victim, a technique that was also highlighted within the Secureworks research. Based on this, we assess with high confidence that Rinehart interacted with the malicious link and unknowingly passed his credentials to the attackers.
If Rinehart entered his credentials into the faux Google phishing page, he would reveal his password to the attackers. The attackers would then have unfettered access to the contents of his Gmail account, unless he had two-factor authentication enabled. It is also possible for the attackers to establish “man in the mailbox” access where they use Forwarding and POP/IMAP features to exfiltrate the contents of the inbox en masse.
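Two of the traits described above, a subject line padded with Cyrillic look-alike letters and a link whose hostname merely begins with a Google-looking label, can be checked mechanically at the mail gateway. The following is an added example, not code from ThreatConnect or the original post; the sample subject and URL are constructed to mirror the ones described, and the short suffix list stands in for the Public Suffix List.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed sample modelled on the spearphish described above (not the real message).
# The three 'o' characters are Cyrillic U+043E, which renders identically to Latin 'o'.
SAMPLE_SUBJECT = "S\u043eme\u043ene has your passw\u043erd"
SAMPLE_URL = "http://myaccount.google.com-securitysettingpage.ml/verify"

def mixed_script_chars(text):
    """Return (char, script) pairs for letters whose Unicode script differs from
    the dominant script of the text, e.g. a Cyrillic 'о' hidden among Latin letters."""
    by_script = {}
    for ch in text:
        if ch.isalpha():
            # unicodedata.name() starts with the script, e.g. 'CYRILLIC SMALL LETTER O'
            script = unicodedata.name(ch, "UNKNOWN").split()[0]
            by_script.setdefault(script, []).append(ch)
    if len(by_script) < 2:
        return []
    dominant = max(by_script, key=lambda s: len(by_script[s]))
    return [(ch, s) for s, chars in by_script.items() if s != dominant for ch in chars]

def registrable_domain(host, suffixes=("ml", "com", "org", "co.uk")):
    """Approximate the apex domain: the label immediately left of the public suffix.
    The suffix tuple is an assumption for this example; use the Public Suffix List in practice."""
    labels = host.lower().rstrip(".").split(".")
    for n in (2, 1):  # try multi-label suffixes such as co.uk first
        if ".".join(labels[-n:]) in suffixes and len(labels) > n:
            return ".".join(labels[-(n + 1):])
    return host

def lookalike_brand(url, brand="google.com"):
    """Flag a URL that contains the brand domain somewhere in its hostname while
    its registrable domain is something else (here com-securitysettingpage.ml)."""
    host = urlsplit(url).hostname or ""
    apex = registrable_domain(host)
    return brand in host and apex != brand, apex

def triage(subject, url):
    """Combine both checks into a list of human-readable findings."""
    findings = []
    odd = mixed_script_chars(subject)
    if odd:
        findings.append("subject mixes scripts: " + ", ".join(f"{c!r}:{s}" for c, s in odd))
    spoofed, apex = lookalike_brand(url)
    if spoofed:
        findings.append(f"link apex is {apex}, not google.com")
    return findings
```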
According to RiskIQ’s PassiveTotal, myaccount.google.com-securitysettingpage[.]ml was actively resolving to IP Address 80.255.12[.]237 (Core-Backbone GmbH; Germany) between March 18 – March 29, 2016. VirusTotal indicates that there is low detection for this domain and others which have previously resolved to 80.255.12[.]237. ThreatConnect is sharing additional suspicious domains which have been hosted on IP Address 80.255.12[.]237 within incident 20160805A: DCLeaks Bitly.
The Rinehart example suggests an end-to-end operation where FANCY BEAR collection was most likely posted to DCLeaks for use as an influence operation. A targeted spearphish was sent to Rinehart from a Russian webmail provider leveraging tactics, techniques and procedures (TTPs) which have been previously identified by Secureworks and closely aligned with activity that has been associated with FANCY BEAR. This is the same group CrowdStrike reported breaching the DNC and for whom ThreatConnect and Fidelis identified infrastructure that aligned with reports of the DCCC breach. Shortly after receiving the email and likely clicking on the malicious link, Rinehart’s email correspondence shows up on the newly established DCLeaks site.
DCLeaks, SOAre you Russian?
Guccifer 2.0’s knowledge of DCLeaks and the Rinehart story made us wonder – from an infrastructure perspective – whether we could identify any associations from the site to known Russian APT activity. A review of the SOA records associated with dcleaks[.]com identifies the following:
Immediately the SOA registrant, feehan@europe[.]com, sticks out as notable. This email address uses the same webmail provider as frank.merdeux@europe[.]com, which was in the SOA for the spoofed misdepatrment[.]com domain that we assessed was a part of the DNC hack. Furthermore, we previously identified a pattern wherein FANCY BEAR actors create fictitious registrant email addresses by leveraging webmail providers, such as 1&1’s europe[.]com or mail[.]com, to register domains. While not a definitive indicator of FANCY BEAR activity, it casts doubt on DCLeaks’ “American hacktivist” origins.
Reviewing the initial name server for dcleaks[.]com, thcservers.*.orderbox-dns[.]com, we identify from SOA records that only 14 other domains initially used these name servers for their most recent registration.
We shared these domains in the incident 20160808A: THCservers Orderbox Name Server Domains within the ThreatConnect platform and using the Analyze function were able to identify that at least one of the domains, service-yandex[.]ru, has previously been associated with FANCY BEAR activity based on feeds from our partners at RedSky Alliance.
Leveraging DomainTools’ Reverse DNS and Iris capabilities, we are able to identify that about 118 other domains currently use dcleaks[.]com’s current name server, cata501836.*.orderbox-dns[.]com. We have shared these links in incident 20160808E: CATA501836 Orderbox Name Server Domains and using the Analyze function we were able to identify that at least two additional domains — mailtransferservice[.]com and e-mail-supports[.]com — were possibly associated with FANCY BEAR, based on passive DNS resolutions to FANCY BEAR IP addresses. Service-yandex[.]ru also currently uses these name servers.
Both the THCServers and Cata501836 Orderbox name servers appear to belong to THCServers[.]com operating out of Carcea, Romania. This hosting company also operates larger name servers with over 4,000 domains, so it is unclear why they also operate these smaller name servers. Given that both of these name servers have multiple domains previously associated with FANCY BEAR activity, these could be dedicated to specific customers or those purchasing a certain type of hosting service.
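The two pivots used in this section, reading the registrant mailbox out of an SOA RNAME and clustering domains by shared name server, are easy to script over a passive DNS export. This is an added example, not ThreatConnect code; the records below are constructed (the name servers use a placeholder label where the page shows a wildcard, and only dcleaks, misdepatrment and service-yandex are taken from the text).

```python
# Constructed SOA data: domain -> (RNAME as it appears in the SOA, primary name server).
# In an SOA RNAME the first unescaped dot stands for '@'; a dot inside the local
# part is escaped as '\.', which is how frank.merdeux@europe.com would appear.
SOA_RECORDS = {
    "dcleaks.com": ("feehan.europe.com", "thcservers.ns.orderbox-dns.com"),
    "service-yandex.ru": ("hostmaster.example-registrar.com", "thcservers.ns.orderbox-dns.com"),
    "misdepatrment.com": ("frank\\.merdeux.europe.com", "ns1.other.example"),
    "unrelated-shop.example": ("admin.unrelated-shop.example", "ns1.bigpool-ns.example"),
}

# Free webmail providers the page associates with fictitious registrant addresses.
FREE_WEBMAIL = {"europe.com", "mail.com"}

def rname_to_email(rname):
    """Convert an SOA RNAME to a mailbox: the first unescaped dot separates the
    local part from the domain, and '\\.' in the local part is a literal dot."""
    local, i = [], 0
    while i < len(rname):
        ch = rname[i]
        if ch == "\\" and i + 1 < len(rname):
            local.append(rname[i + 1])
            i += 2
            continue
        if ch == ".":
            return "".join(local) + "@" + rname[i + 1:].rstrip(".")
        local.append(ch)
        i += 1
    return "".join(local)

def webmail_registrants(records):
    """Domains whose SOA contact is a mailbox at one of the free webmail providers."""
    emails = {d: rname_to_email(r) for d, (r, _) in records.items()}
    return {d: e for d, e in emails.items() if e.rsplit("@", 1)[-1] in FREE_WEBMAIL}

def shared_ns_pivot(records, known_bad):
    """For each name server hosting a known-bad domain, list the other domains on it."""
    by_ns = {}
    for domain, (_, ns) in records.items():
        by_ns.setdefault(ns, set()).add(domain)
    return {ns: sorted(domains - known_bad)
            for ns, domains in by_ns.items() if domains & known_bad}
```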
This all raises the following questions:
- Why would the supposed “American hacktivists” behind DCLeaks choose this seemingly random, small, Romanian registrar to register their domain?
- Is it merely coincidence that DCLeaks uses the same name server as other domains that are associated with FANCY BEAR?
Summary of Analysis
We assess that DCLeaks is another Russian influence operation, possibly put on by the same Russian actors behind the Guccifer 2.0 persona. We base this assessment on the following circumstantial findings:
- DCLeaks has posted content from General Breedlove that was germane to Russian military intervention in Ukraine.
- Guccifer 2.0 has not publicly mentioned or promoted DCLeaks. Only in private communications with TSG does Guccifer 2.0 reveal prior knowledge of DCLeaks.
- Guccifer 2.0 is the first known entity to have prior knowledge of and privileged access to exclusive content (Sarah Hamilton Emails) on the DCLeaks webpage before it was publicly available.
- Guccifer 2.0 claimed that DCLeaks is a Wikileaks subproject, though there is no public evidence of any formal or informal relationship between DCLeaks and Wikileaks.
- FANCY BEAR activity targeting Billy Rinehart in March 2016 most likely resulted in his emails being posted to DCLeaks.
- DCLeaks’ website was registered by an individual using a 1&1 webmail provider (europe[.]com), which is consistent with previously identified FANCY BEAR TTPs.
- DCLeaks’ domain was registered through an obscure Romanian registrar whose small name servers have been associated with other FANCY BEAR activity.
Additional information that would help us reevaluate our assessment and our confidence in it includes the following:
- Information indicating whether the other individuals in DCLeaks’ portfolio were also targeted by FANCY BEAR.
- Information indicating whether Billy Rinehart had been targeted and compromised by any other actors.
- Information indicating whether individuals other than those behind Guccifer 2.0 can authorize access to protected content on the site.
Caution: We’re going to do something that might draw a little bit of scorn and make a reference to a Star Wars prequel. Ok, here it is – toward the end of Episode III: Revenge of the Sith, we witness Emperor Palpatine’s realization of the Galactic Empire and the downfall of the Old Republic and the Jedi Order. One of Palpatine’s most effective tools in swaying politicians and civilians to his side is the use of influence operations. In his final address to the Senate he states the following.