The Forrester Wave™: Digital Risk Monitoring, Q3 2016 named RiskIQ a leader in Digital Risk Monitoring, and gave RiskIQ top ranking for Current Offering & Data Coverage.
Download the Report
IDG Connect: 2017 State of Enterprise Digital Defense Report
Findings quantify the security management gap and business impact of external web, social, and mobile threats.
Get the Research Report
RiskIQ Digital Threat Management Platform Datasheet
Learn about our platform and products.
Read the Datasheet
Frost & Sullivan: The Digital Threat Management Platform Advantage
The material benefits of a platform-based approach to security outside the firewall.
Read the Report
Rackspace Accelerates External Digital Threat Investigation with RiskIQ PassiveTotal
Download Case Study
EMA Radar™ Q4 2017 Report
RiskIQ ranked a technology and value leader in digital threat intelligence management.
Get the Analyst Report
June 21, 2017, Brandon Dixon
As part of our research process, RiskIQ uses open source indicators paired with our internet data sets to surface more connections that may be relevant to defenders. When the Citizen Lab published new research exposing abuse against civil society in Mexico—including journalists and reporters— using tools created by the NSO Group, I was able to apply infrastructure chaining in RiskIQ PassiveTotal to build off of artifacts identified in the report.
Contained within the Citizen Lab report are ten domains we can use as a starting point for research. In conducting searches within PassiveTotal, we observed several overlapping details within WHOIS records and one key IP address. Using the WHOIS record from fb-accounts[.]com, we have some viable pivot points with which we can identify more connections.
Fig-1 WHOIS record for fb-accounts[.]com with viable pivots highlighted
Using just the email of email@example.com as an example, we not only identify never-before classified infrastructure, but we also see infrastructure previously reported on and associated with the NSO Group from the Citizen Lab.
Fig-2 Pivot results from the email address used to register fb-accounts[.]com reveals overlap with previously known NSO Group infrastructure and never-before-seen domains
By following each of the leads from WHOIS, we were ultimately able to identify nine new domains that had no association with the NSO Group and three domains that were previously reported. Each of these new domains now becomes additional reference points with which we can investigate further.
Fig-3 Illustrates overlap in WHOIS data, which lead to the identification of 9 previously unidentified domains associated with this attack campaign
Going beyond WHOIS data, we were able to strengthen our connections through passive DNS. Viewing resolution history for many of the reported domains leads to dead-end hosting providers or shared hosts, but one IP address, in particular, did appear to show some substantial overlap between previously reported NSO Group activity and newly discovered domains found via WHOIS.
Fig-4 Passive DNS results from a pivot on 220.127.116.11 reveals infrastructure overlap
Beyond the overlap of infrastructure, this IP address is also interesting from an analyst perspective due to the SSL certificates associated with it. Specifically, two SSL certificates contain common name references to the malicious domain, mymensaje-sms[.]com, which appeared in the Citizen Lab report.
Fig-5 SSL certificate details associated with 18.104.22.168 shows overlap with reported malicious domain used in attacks
Similar to WHOIS details, we can use the contents of the SSL certificate as pivot points to further our investigation. Performing a pivot on the shared common name shows the two linked SSL certificates and an additional IP address, and also provides timeline insight. Certificate creation times suggest actors may have been using this infrastructure since at least July of 2014.
Fig-6 Pivot results from the SSL certificate common name reveals overlap, additional indicators, and potential timeframes
Unfortunately, exploring second-tier paths didn’t reveal any further infrastructure that appeared associated with the NSO Group. However, recognizing that actors could make a change at any moment, we’ve put together a PassiveTotal project containing all the information from our findings and Citizen Lab’s original reporting. In the event the actors make any changes to what we’ve found, we will get alerts via our monitors.
If you are interested in tracking the NSO Group beyond this single campaign, Citizen Lab has set up a project that is collecting their infrastructure.