As part of our research process, RiskIQ uses open source indicators paired with our internet data sets to surface more connections that may be relevant to defenders. When the Citizen Lab published new research exposing abuse against civil society in Mexico—including journalists and reporters— using tools created by the NSO Group, I was able to apply infrastructure chaining in RiskIQ PassiveTotal to build off of artifacts identified in the report.
Contained within the Citizen Lab report are ten domains we can use as a starting point for research. In conducting searches within PassiveTotal, we observed several overlapping details within WHOIS records and one key IP address. Using the WHOIS record from fb-accounts[.]com, we have some viable pivot points with which we can identify more connections.
Using just the email of firstname.lastname@example.org as an example, we not only identify never-before classified infrastructure, but we also see infrastructure previously reported on and associated with the NSO Group from the Citizen Lab.
By following each of the leads from WHOIS, we were ultimately able to identify nine new domains that had no association with the NSO Group and three domains that were previously reported. Each of these new domains now becomes additional reference points with which we can investigate further.
Going beyond WHOIS data, we were able to strengthen our connections through passive DNS. Viewing resolution history for many of the reported domains leads to dead-end hosting providers or shared hosts, but one IP address, in particular, did appear to show some substantial overlap between previously reported NSO Group activity and newly discovered domains found via WHOIS.
Beyond the overlap of infrastructure, this IP address is also interesting from an analyst perspective due to the SSL certificates associated with it. Specifically, two SSL certificates contain common name references to the malicious domain, mymensaje-sms[.]com, which appeared in the Citizen Lab report.
Similar to WHOIS details, we can use the contents of the SSL certificate as pivot points to further our investigation. Performing a pivot on the shared common name shows the two linked SSL certificates and an additional IP address, and also provides timeline insight. Certificate creation times suggest actors may have been using this infrastructure since at least July of 2014.
Unfortunately, exploring second-tier paths didn’t reveal any further infrastructure that appeared associated with the NSO Group. However, recognizing that actors could make a change at any moment, we’ve put together a PassiveTotal project containing all the information from our findings and Citizen Lab’s original reporting. In the event the actors make any changes to what we’ve found, we will get alerts via our monitors.
If you are interested in tracking the NSO Group beyond this single campaign, Citizen Lab has set up a project that is collecting their infrastructure.