Infrastructure Chaining Surfaces NSO Group Connections in Attack


June 21, 2017, Brandon Dixon


As part of our research process, RiskIQ pairs open source indicators with our internet data sets to surface connections that may be relevant to defenders. When the Citizen Lab published new research exposing abuse against civil society in Mexico, including journalists and reporters, using tools created by the NSO Group, I was able to apply infrastructure chaining in RiskIQ PassiveTotal to build on the artifacts identified in the report.

Contained within the Citizen Lab report are ten domains we can use as a starting point for research. Searching for them within PassiveTotal, we observed several overlapping details within their WHOIS records and one key IP address. The WHOIS record for fb-accounts[.]com gives us several viable pivot points with which to identify more connections.


Fig-1 WHOIS record for fb-accounts[.]com with viable pivots highlighted

Using just the registrant email, eran.benami0401@gmail.com, as an example, we identify not only infrastructure that had never been classified but also infrastructure previously reported by the Citizen Lab and associated with the NSO Group.


Fig-2 Pivot results from the email address used to register fb-accounts[.]com reveal overlap with previously known NSO Group infrastructure and never-before-seen domains

By following each of the leads from WHOIS, we were ultimately able to identify nine new domains that had not previously been associated with the NSO Group and three domains that were previously reported. Each of these new domains now becomes an additional reference point from which we can investigate further.


Fig-3 Overlap in WHOIS data, which led to the identification of nine previously unidentified domains associated with this attack campaign

Going beyond WHOIS data, we were able to strengthen our connections through passive DNS. Viewing resolution history for many of the reported domains leads to dead-end hosting providers or shared hosts, but one IP address, in particular, did appear to show some substantial overlap between previously reported NSO Group activity and newly discovered domains found via WHOIS.


Fig-4 Passive DNS results from a pivot on 54.191.52.61 reveal infrastructure overlap

Beyond the overlap of infrastructure, this IP address is also interesting from an analyst perspective due to the SSL certificates associated with it. Specifically, two SSL certificates contain common name references to the malicious domain, mymensaje-sms[.]com, which appeared in the Citizen Lab report.


Fig-5 SSL certificate details associated with 54.191.52.61 show overlap with a reported malicious domain used in the attacks

Similar to WHOIS details, we can use the contents of the SSL certificate as pivot points to further our investigation. Performing a pivot on the shared common name shows the two linked SSL certificates and an additional IP address, and also provides timeline insight. Certificate creation times suggest actors may have been using this infrastructure since at least July of 2014.


Fig-6 Pivot results from the SSL certificate common name reveal overlap, additional indicators, and potential timeframes
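To make the chaining procedure above concrete, here is an added example (not RiskIQ or PassiveTotal code) that runs the same three pivots, WHOIS registrant fields, passive DNS resolutions and certificate common names, as a breadth-first walk over a small graph, and, as the post describes, refuses to chain through shared hosts or registrar name servers whose fan-out would only add noise. All three data sets are constructed for illustration: only fb-accounts[.]com, the registrant email, 54.191.52.61 and mymensaje-sms[.]com come from the post; the `.example` domains, the IPs 198.51.100.20 and 203.0.113.9, the certificate IDs, the dates, the "previously reported" set and the fan-out and tier thresholds are all assumptions.

```python
"""Infrastructure chaining over WHOIS, passive DNS and certificate records.

Added example, not RiskIQ/PassiveTotal code. Every record below is constructed;
only fb-accounts[.]com, eran.benami0401@gmail.com, 54.191.52.61 and
mymensaje-sms[.]com appear in the post. Domains are defanged with [.] as there.
"""
from collections import defaultdict, deque

# Constructed WHOIS: domain -> registrant fields worth pivoting on.
WHOIS = {
    "fb-accounts[.]com":      {"email": "eran.benami0401@gmail.com",    "ns": "ns1.registrar-dns[.]example"},
    "new-one[.]example":      {"email": "eran.benami0401@gmail.com",    "ns": "ns1.registrar-dns[.]example"},
    "reported-two[.]example": {"email": "eran.benami0401@gmail.com",    "ns": "ns1.registrar-dns[.]example"},
    "new-three[.]example":    {"email": "registrant-b@example.invalid", "ns": "ns1.registrar-dns[.]example"},
    "bystander[.]example":    {"email": "unrelated@example.invalid",    "ns": "ns1.registrar-dns[.]example"},
    "mymensaje-sms[.]com":    {"email": "privacy@whois-proxy.invalid",  "ns": "ns1.registrar-dns[.]example"},
}

# Constructed passive DNS: (domain, ip, first_seen, last_seen).
PDNS = [
    ("mymensaje-sms[.]com",    "54.191.52.61",  "2014-07-02", "2017-06-10"),
    ("reported-two[.]example", "54.191.52.61",  "2015-03-03", "2016-12-01"),
    ("new-three[.]example",    "54.191.52.61",  "2016-01-12", "2017-06-10"),
    ("new-four[.]example",     "203.0.113.9",   "2016-03-01", "2017-06-10"),
    ("fb-accounts[.]com",      "198.51.100.20", "2016-05-01", "2017-06-01"),
    ("bystander[.]example",    "198.51.100.20", "2016-05-01", "2017-06-01"),
] + [  # 198.51.100.20 is a shared host with many unrelated tenants
    (f"tenant-{i}[.]example", "198.51.100.20", "2016-05-01", "2017-06-01") for i in range(5)
]

# Constructed certificate observations: (cert_id, common_name, ip, not_before).
CERTS = [
    ("cert-a", "mymensaje-sms[.]com", "54.191.52.61", "2014-07-01"),
    ("cert-b", "mymensaje-sms[.]com", "54.191.52.61", "2016-02-20"),
    ("cert-b", "mymensaje-sms[.]com", "203.0.113.9",  "2016-02-20"),  # same cert seen on a second IP
]


def build_graph():
    """Undirected graph of (kind, value) nodes: each record becomes edges between a domain and its pivots."""
    g = defaultdict(set)

    def link(a, b):
        g[a].add(b)
        g[b].add(a)

    for domain, rec in WHOIS.items():
        link(("domain", domain), ("email", rec["email"]))
        link(("domain", domain), ("ns", rec["ns"]))
    for domain, ip, _, _ in PDNS:
        link(("domain", domain), ("ip", ip))
    for cert_id, cn, ip, _ in CERTS:
        link(("cert", cert_id), ("domain", cn))  # the CN is a domain, so it joins the domain graph
        link(("cert", cert_id), ("ip", ip))
    return g


def domain_fanout(g, node):
    """Distinct domains hanging off a pivot node; large values mean shared hosting or a registrar NS."""
    return sum(1 for k, _ in g[node] if k == "domain")


def chain(g, seeds, max_pivots=4, max_fanout=4):
    """Breadth-first pivot from seed domains.

    Returns ({domain: path}, skipped_pivots). A pivot with more than max_fanout domains is treated
    as a dead end (shared host), and chaining stops once a path stacks max_pivots pivots.
    Both thresholds are constructed here and need tuning per data set.
    """
    start = [("domain", s) for s in seeds]
    paths = {n: [n] for n in start}
    queue = deque(start)
    skipped = set()
    while queue:
        node = queue.popleft()
        pivots = sum(1 for k, _ in paths[node] if k != "domain")
        for nxt in g[node]:
            if nxt in paths:
                continue
            if nxt[0] != "domain":
                if domain_fanout(g, nxt) > max_fanout:
                    skipped.add(nxt)  # shared infrastructure: a dead end, not a link
                    continue
                if pivots + 1 > max_pivots:
                    continue          # deeper tier than we are willing to chain
            paths[nxt] = paths[node] + [nxt]
            queue.append(nxt)
    found = {v: p for (k, v), p in paths.items() if k == "domain"}
    return found, skipped


def classify(found, seeds, known):
    """Split reached domains into previously reported overlap and newly surfaced infrastructure."""
    new = sorted(d for d in found if d not in known)
    reported = sorted(d for d in found if d in known and d not in seeds)
    return new, reported


def earliest_activity(found):
    """Oldest first-seen / not-before date across the reached domains' DNS and certificate records."""
    dates = [fs for d, _, fs, _ in PDNS if d in found]
    dates += [nb for _, cn, _, nb in CERTS if cn in found]
    return min(dates) if dates else None


def render_path(path):
    return " -> ".join(v if k == "domain" else f"{k}:{v}" for k, v in path)


if __name__ == "__main__":
    seeds = {"fb-accounts[.]com"}
    known = seeds | {"mymensaje-sms[.]com", "reported-two[.]example"}  # constructed "previously reported" set
    g = build_graph()
    found, skipped = chain(g, seeds)
    new, reported = classify(found, seeds, known)
    print("new:", new)
    print("previously reported overlap:", reported)
    print("skipped shared pivots:", sorted(skipped))
    for d in new:
        print("  ", render_path(found[d]))
    print("active since at least:", earliest_activity(found))
```

Running it from the single seed reaches the three constructed `new-*` domains and the two "previously reported" ones, never touches `bystander[.]example` or the tenants (their only links are the registrar NS and the shared host, both dropped for fan-out), and reports the oldest certificate date as the "active since at least" floor. Lowering `max_pivots` to 1 restricts the walk to first-tier WHOIS pivots, which is the first stage of the post's analysis.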

Unfortunately, exploring second-tier paths did not reveal any further infrastructure that appeared associated with the NSO Group. However, recognizing that the actors could make a change at any moment, we have put together a PassiveTotal project containing all the information from our findings and Citizen Lab's original reporting. If the actors change any of the infrastructure we have identified, our monitors will alert us.

If you are interested in tracking the NSO Group beyond this single campaign, Citizen Lab has set up a project that is collecting their infrastructure.
