Tracking Turla: What We Can Learn from a Clicky ID

June 16, 2017, Mike Browning

Also by Steve Ginty

The threat actor group Turla is leaving behind breadcrumbs in the form of trackers. Infamous for their targeted attack campaigns aimed at visitors of foreign affairs, embassy, and visa and passport websites in 2016, research shows Turla continues to execute watering hole campaigns against those same visitors.

Visitors of these websites, many of which are listed in the RiskIQ PassiveTotal Public Project dedicated to Turla, are redirected to malicious command and control servers because of a code snippet the threat actor inserted into the original page. According to a recent WeLiveSecurity post, attackers added a reference to Clicky, a real-time web analytics framework, to compromised pages. This tracking code (ClickyId100673048) acted as a cover for the appended script, making it appear legitimate to cursory or novice examination.

The WeLiveSecurity post says this script loads a second script from a server used to collect information about the system on which it’s running. The attack then distributes this “fingerprinting” JavaScript selectively, filtering visitors by IP range: only visitors within the targeted IP range receive the fingerprinting script.

When investigating attack campaigns like this, every piece of information is important for tracking down and stopping threats against your organization. Below, you can see the Clicky ID inside RiskIQ PassiveTotal. By clicking on one of the domains inside the Public Project, www.namibianembassyusa[.]org, and pivoting on the “trackers” data set, you can see the rest of the domains compromised by Turla leveraging the same tracker:

Fig-1 Compromised domains linked by the ClickyID used by Turla

Many hacking organizations beyond Turla utilize tools like Clicky and Google Analytics (which Turla has also used) not just to mask or legitimize their malicious code, but also to measure the success of their campaigns, just like legitimate organizations do.

For example, often when a website’s HTML is scraped and reposted for something like a phishing campaign, malicious actors don’t bother to change things like the associated Google Analytics ID, tracking pixels, cookies, or social networks connections. Being able to search official tracking codes can surface pages where the threat actor has forgotten to change this information, leading to security teams finding and shutting down a malicious campaign.

In addition to using your own trackers to find phishing pages, once you have identified attacker-owned infrastructure such as the domains and IPs used to serve phishing pages, you can check whether the attackers have implemented trackers of their own. With that information, you can find other places across the internet where the same malicious actor’s analytics tracker appears and uncover additional campaigns associated with them.

RiskIQ gathers the full DOM during the loading process of pages that we crawl. We extract details such as website trackers, analytics codes, social network accounts, and other unique identifiers. These values can provide insights into additional infrastructure that typically goes unnoticed by static data sets. RiskIQ’s tracker data includes IDs from providers such as Google, Yandex, Mixpanel, New Relic, Clicky, and more.
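The tracker extraction and pivoting described above (pulling analytics IDs out of crawled page source, then asking which other hosts carry the same ID) can be reproduced on your own crawl data. The script below is an added example written for this post, not RiskIQ or PassiveTotal code. The snippet formats it matches (the `clicky_site_ids.push(...)` call, the `data-id` attribute on the Clicky loader, the Clicky noscript pixel, and `UA-`/`G-` Google Analytics IDs) are assumptions about common tracker markup, and the sample pages, hostnames, and tracker IDs are constructed for the demonstration. Pivoting on a host returns the other hosts that share each of its trackers, which is the same question the “trackers” data set answers in PassiveTotal.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Tracker snippet patterns. These are assumptions about typical markup for
# Clicky and Google Analytics, not an exhaustive or vendor-supplied list.
TRACKER_PATTERNS = {
    "ClickyId": [
        re.compile(r"clicky_site_ids\.push\(\s*(\d+)\s*\)"),
        re.compile(r"static\.getclicky\.com/js[\"'][^>]*data-id=[\"'](\d+)"),
        re.compile(r"in\.getclicky\.com/(\d+)ns\.gif"),
    ],
    "GoogleAnalyticsId": [
        re.compile(r"\b(UA-\d{4,10}-\d{1,4})\b"),
        re.compile(r"\b(G-[A-Z0-9]{6,12})\b"),
    ],
}

# Constructed sample crawl: url -> page source. Hostnames and IDs are invented.
# embassy-a and embassy-b share an injected Clicky ID (the watering-hole case);
# phish-clone kept embassy-a's Google Analytics ID when it copied the HTML
# (the scraped-phishing-page case).
SAMPLE_PAGES = {
    "https://embassy-a.example/visa.html": """
        <script>ga('create', 'UA-11111-1', 'auto'); ga('send', 'pageview');</script>
        <script>var clicky_site_ids = clicky_site_ids || [];
        clicky_site_ids.push(100000001);</script>
        <script src="//static.getclicky.com/js"></script>
    """,
    "https://embassy-b.example/consular/": """
        <script async src="//static.getclicky.com/js" data-id="100000001"></script>
    """,
    "https://visa-c.example/apply": """
        <script>clicky_site_ids.push(100000002);</script>
        <noscript><img src="//in.getclicky.com/100000002ns.gif" width="1" height="1"></noscript>
    """,
    "https://phish-clone.example/visa.html": """
        <form action="/collect.php" method="post">...</form>
        <script>ga('create', 'UA-11111-1', 'auto');</script>
    """,
    "https://unrelated.example/": "<html><body>No analytics here.</body></html>",
}


def extract_trackers(html):
    """Return the set of (tracker_type, tracker_id) pairs found in one page's source."""
    found = set()
    for tracker_type, patterns in TRACKER_PATTERNS.items():
        for pattern in patterns:
            for match in pattern.finditer(html):
                found.add((tracker_type, match.group(1)))
    return found


def build_tracker_index(pages):
    """Invert a crawl (url -> html) into tracker -> sorted list of hostnames."""
    index = defaultdict(set)
    for url, html in pages.items():
        host = urlparse(url).hostname
        for tracker in extract_trackers(html):
            index[tracker].add(host)
    return {tracker: sorted(hosts) for tracker, hosts in index.items()}


def pivot_on_host(index, host):
    """For each tracker seen on `host`, list the other hosts that carry the same ID."""
    related = {}
    for tracker, hosts in index.items():
        if host in hosts:
            related[tracker] = [h for h in hosts if h != host]
    return related


if __name__ == "__main__":
    index = build_tracker_index(SAMPLE_PAGES)
    for tracker, hosts in sorted(index.items()):
        print(f"{tracker[0]} {tracker[1]}: {', '.join(hosts)}")
    print("\nPivot on embassy-a.example:")
    for tracker, others in pivot_on_host(index, "embassy-a.example").items():
        print(f"  {tracker[0]} {tracker[1]} also on: {others or 'no other host'}")
```

In practice the index is built once over the whole crawl and then queried: a tracker ID that turns up on a set of otherwise unrelated government sites is the signal worth investigating, and a GA ID from your own site appearing on a host you do not control is a strong indicator of a cloned phishing page.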

To start pivoting on these data sets for yourself, try RiskIQ PassiveTotal Community Edition for free by visiting