
Revisiting APT1 IoCs with DNS and Subdomain Intelligence

Cyber espionage is a type of cyber attack that aims to steal sensitive and often classified information to gain an advantage over a company or government. The 2020 Data Breach Investigations Report (DBIR) revealed that several hundred incidents across industries in the previous year were motivated by espionage.

We zoom in on one cyber espionage group of threat actors believed to be responsible for dozens of security breaches. The group, dubbed "APT1" or "Advanced Persistent Threat Group 1," is the most prolific and persistent APT group. They reportedly stole hundreds of terabytes of data and maintained access to victim networks for as long as 1,764 days.

While the group is believed inactive, their implant code was reused in 2018. Could the indicators of compromise (IoCs) of APT1 be reused, too? Are there APT1 patterns detected in currently active fully qualified domain names (FQDNs)?

APT1 IoCs and Trademarks

Cybersecurity professionals closely monitor APT groups, including APT1. From one FireEye report detailing such monitoring, we obtained several IoCs consisting of:

  • 88 domain names
  • 7 subdomains
  • 8 email addresses
  • 6 netblocks
  • 3 IP addresses

APT1 actors also tend to leave signatures in the weapons they use. For instance, the APT1 persona identified as "Ugly Gorilla" notably imprinted the initials "UG" in the FQDNs or subdomains. Some examples mentioned in the report are:

  • ug-opm[.]hugesoft[.]org
  • ug-co[.]hugesoft[.]org
  • ug-rj[.]arrowservice[.]net
  • ug-hst[.]msnhome[.]org

All of these subdomains are tagged "malicious" by VirusTotal.

Revisiting the APT1 IoCs

We used the following tools to revisit and discover more about the IoCs:

Domain Names and Associated IP Addresses

Of the 88 domain names publicly attributed to APT1, 28 remain active in the Domain Name System (DNS) as of 4 December 2020. Some of the domains were typosquats of legitimate companies, and some of those companies now own the IoC domains (likely as part of typosquatting protection strategies). These domains and their respective registrant organizations are:

  • arrowservice[.]net: Arrow Electronics, Inc.
  • mcafeepaying[.]com: McAfee LLC
  • msnhome[.]org: Microsoft Corporation
  • myyahoonews[.]com: Oath Inc.
  • yahoodaily[.]com: Oath Inc.

Of the remaining 23 APT1 domain IoCs, 19 were cited as "malicious" by VirusTotal and could already be blacklisted by most security systems. However, four of the domains are not tagged as such, even though one is a CNN look-alike domain that cannot be attributed to the news organization.

The table below shows the four domains' corresponding IP addresses and whether they have been reported as malicious. We also retrieved their IP netblocks and checked if they are included in the publicly available IoCs reported by FireEye.

Table 1: IoCs Not Tagged "Malicious"

| Domain | IP Address | IP Tagged as Malicious? | IP Netblock | IP Netblock an IoC? |
|---|---|---|---|---|
| cnndaily[.]net | 104[.]31[.]82[.]32 | No, but with 3 files communicating | 104[.]31[.]80[.]0 - 104[.]31[.]95[.]255 | No |
| comrepair[.]net | 23[.]236[.]62[.]147 | Yes | 23[.]236[.]48[.]0 - 23[.]236[.]63[.]255 | No |
| dnsweb[.]org | 67[.]222[.]16[.]131 | No | 67[.]222[.]16[.]0 - 67[.]222[.]23[.]255 | No |
| uszzcs[.]com | 103[.]42[.]182[.]241 | No | 103[.]42[.]182[.]0 - 103[.]42[.]182[.]255 | No |

Organizations may also want to revisit these IoCs and include them in their blacklists, as there is a possibility that they could be reused. The domain comrepair[.]net, for one, resolves to a malicious IP address.
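
One way to revisit these four IoCs in your own resolver logs, shown as an added example (not WhoisXML API's tooling): it flags queries for the Table 1 domains and answers matching their IPs, and treats a shared netblock as context only, since none of the netblocks were among the published IoCs. The log format, sample lines and severity names are constructed assumptions.

```python
import ipaddress

# Table 1 of the article, refanged: domain -> (IP, IP tagged malicious?, netblock start, end)
TABLE1 = {
    "cnndaily.net":  ("104.31.82.32",   False, "104.31.80.0",  "104.31.95.255"),
    "comrepair.net": ("23.236.62.147",  True,  "23.236.48.0",  "23.236.63.255"),
    "dnsweb.org":    ("67.222.16.131",  False, "67.222.16.0",  "67.222.23.255"),
    "uszzcs.com":    ("103.42.182.241", False, "103.42.182.0", "103.42.182.255"),
}

# Constructed resolver log (hypothetical format): timestamp client qname answer
SAMPLE_LOG = """\
2020-12-04T10:00:01Z 10.0.0.5 www.example.com. 192.0.2.10
2020-12-04T10:00:02Z 10.0.0.7 mail.comrepair.net. 23.236.62.147
2020-12-04T10:00:03Z 10.0.0.8 cdn.example.org. 23.236.62.147
2020-12-04T10:00:04Z 10.0.0.9 static.example.net. 104.31.90.10
2020-12-04T10:00:05Z 10.0.0.9 notcnndaily.net. 198.51.100.7
"""

def netblock_cidrs(first, last):
    """Express a first-last address range as the minimal list of CIDR networks."""
    a, b = ipaddress.ip_address(first), ipaddress.ip_address(last)
    return list(ipaddress.summarize_address_range(a, b))

def classify(qname, answer):
    """Return (severity, reason) for one query/answer pair, or None if unrelated.
    Matches a Table 1 domain or any host under it, not look-alikes of it."""
    qname = qname.rstrip(".").lower()
    ip = ipaddress.ip_address(answer)
    for domain in TABLE1:
        if qname == domain or qname.endswith("." + domain):
            return ("high", f"query for APT1 domain IoC {domain}")
    for domain, (ioc_ip, ip_bad, first, last) in TABLE1.items():
        if ip == ipaddress.ip_address(ioc_ip):
            return ("high" if ip_bad else "medium", f"answer is the IP of {domain}")
        if any(ip in net for net in netblock_cidrs(first, last)):
            return ("info", f"answer shares a netblock with {domain}")
    return None

def scan(log_text):
    """Classify every log line; return (qname, severity) for the lines that match."""
    hits = []
    for line in log_text.splitlines():
        _ts, _client, qname, answer = line.split()
        verdict = classify(qname, answer)
        if verdict:
            hits.append((qname, verdict[0]))
    return hits
```
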

Subdomains

We used the Domains and Subdomains Discovery tool to see if there are subdomains that contain Ugly Gorilla's signature. We used the string "ug-" and searched for subdomains containing the said text string. Some 590 subdomains that begin with the text string turned up, including the IoC ug-co[.]hugesoft[.]org.

Some of these subdomains could be innocent ones that only happen to begin with "ug-". However, they are worth looking into, especially since APT1 notoriously signed their FQDNs with the said text string.
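
A sketch of how such a result set could be triaged, as an added example rather than part of the original study: it ranks each hit by how closely it ties back to the IoCs quoted above, and rejects names that merely contain "ug-" without starting with it. The sample hits and tier names are constructed for illustration.

```python
# APT1 FQDN IoCs quoted in the article (defanged as published).
KNOWN_IOC_FQDNS = [
    "ug-opm[.]hugesoft[.]org", "ug-co[.]hugesoft[.]org",
    "ug-rj[.]arrowservice[.]net", "ug-hst[.]msnhome[.]org",
]
# Per the article, these IoC domains are now registered to the brands they imitated.
BRAND_OWNED = {"arrowservice.net", "msnhome.org"}

# Constructed search results standing in for the 590 hits (not real findings).
SAMPLE_HITS = [
    "ug-co[.]hugesoft[.]org", "UG-Mail.hugesoft.org.", "ug-vpn.msnhome.org",
    "ug-portal.example.com", "drug-info.example.org", "www.ug-shop.example.net",
]

def refang(name):
    """Turn a defanged indicator (a[.]b) into a lowercase FQDN without a trailing dot."""
    return name.strip().replace("[.]", ".").rstrip(".").lower()

KNOWN = {refang(f) for f in KNOWN_IOC_FQDNS}
IOC_PARENTS = {f.split(".", 1)[1] for f in KNOWN}  # hugesoft.org, arrowservice.net, ...

def triage(fqdn):
    """Rank one FQDN (hypothetical tiers): known-ioc, ioc-parent,
    brand-owned-parent, pattern-only, or no-match."""
    name = refang(fqdn)
    if name in KNOWN:
        return "known-ioc"
    if not name.split(".")[0].startswith("ug-"):
        return "no-match"      # "ug-" elsewhere in the name is not the signature
    parent = next((p for p in IOC_PARENTS if name.endswith("." + p)), None)
    if parent is None:
        return "pattern-only"  # may be innocent; needs WHOIS and DNS context
    return "brand-owned-parent" if parent in BRAND_OWNED else "ioc-parent"

def triage_all(hits):
    """Group hits by tier so the strongest matches are reviewed first."""
    tiers = {}
    for hit in hits:
        tiers.setdefault(triage(hit), []).append(refang(hit))
    return tiers

if __name__ == "__main__":
    for tier, names in triage_all(SAMPLE_HITS).items():
        print(tier, names)
```
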


The APT1 group had seemingly become inactive. However, that doesn't mean that they can't entrust the weapons in their arsenal to other cyber attack groups. In fact, they may have already done so with their code. Aside from gleaning insights from blacklist sites, it may also be a good idea for organizations to revisit the group's IoCs, check for recent suspicious activities, and uncover more domain and IP footprints.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider – Whois API, Inc. (whoisxmlapi) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.
