Prevailion’s Adversarial Counterintelligence Team (PACT) is using advanced infrastructure hunting techniques and Prevailion’s unparalleled visibility into threat actor infrastructure creation to uncover previously unknown domains associated with UNC1151 and the “Ghostwriter” influence campaign. UNC1151 is likely a state-backed threat actor waging an ongoing and far-reaching influence campaign that has targeted numerous countries across Europe. Their operations typically display messaging in general alignment with the security interests of the Russian Federation; their hallmarks include anti-NATO messaging, intimate knowledge of regional culture and politics, and strategic influence operations (such as hack-and-leak operations used in conjunction with fabricated messaging and/or forged documents). PACT assesses with varying degrees of confidence that there are 81 additional, unreported domains clustered with the activity that FireEye and ThreatConnect detailed in their respective reports [1,2,4]. PACT also assesses with High Confidence that UNC1151 has targeted additional European entities outside of the Baltics, Poland, Ukraine and Germany, for which no previous public reporting exists.
In July of 2020, FireEye’s Mandiant released a threat intelligence report on an influence campaign they dubbed “Ghostwriter,” wherein they detailed a cluster of activity that demonstrated an “anti-NATO agenda” that “primarily targeted audiences in Lithuania, Latvia, and Poland with narratives critical of the North Atlantic Treaty Organization’s (NATO) presence in Eastern Europe.” In April of 2021, ThreatConnect published a Threat Intel Update that included possible related Ghostwriter infrastructure spoofing military organizations in Poland and Ukraine, and quotes German investigative reporting detailing Ghostwriter activity against members of the German government and claiming a possible connection to the Russian state. Later in April of 2021, Mandiant released an update to their initial report, wherein they attributed at least some of the Ghostwriter activity to UNC1151, “a suspected state-sponsored cyber espionage actor that engages in credential harvesting and malware campaigns.” In May of 2021 (the following month), DomainTools released a report consisting of UNC1151 infrastructure that corroborated previous findings and included previously unreported infrastructure and network-based IOCs related to UNC1151. Finally, in August of 2021, VSQUARE released an exhaustive analysis of the Ghostwriter influence campaign that corroborated previous findings linking Ghostwriter/UNC1151 activity to the Kremlin and detailing the group’s activity back to 2017 (and possibly earlier), during which time the group was identified using its phishing infrastructure to send targeted spearphishing messages and engaging in politically-destructive hack-and-leak operations.
It may assist the reader to detail a brief timeline of notable events of interest that were reliably reported and attributed:
PACT identified overlapping TTPs throughout this investigation, notably the techniques used to carry out influence operations (e.g., phishing for credentials to engage in hack-and-leak) and domain and subdomain naming themes such as `poczta` and other Polish and Ukrainian words. Previous reports have used these overlaps in behavior displayed by distinct groups (APT28, APT29, and UNC1151) to hypothesize that all this activity is related in some way to the Russian state generally and its intelligence apparatus specifically; PACT agrees with this assessment: it is likely that UNC1151’s activity is either controlled or influenced by Russian intelligence services. PACT is not attributing the activity of APT28 and APT29 to UNC1151 or vice versa.
UNC1151 and the associated Ghostwriter campaign are broad in both scope and target; previous reporting indicates targeting of audiences within the Baltic nations (Estonia, Latvia, and Lithuania) as well as Germany, Poland, and Ukraine. Analysis of phishing infrastructure from these reports indicates the group was targeting official government accounts (both civil and military) as well as personal accounts. Additional analysis by PACT indicates the targeting of yet other audiences.
Previous reporting and additional analysis suggest that one of UNC1151’s behaviors is to use root domains with common, seemingly-legitimate words and themes (e.g., `net-account[.]online` or `login-telekom[.]online`) and then build upon them with specific, targeted subdomains to create long URLs that make their phishing domains look legitimate (e.g., `gmx.net-account[.]online` or `verify.login-telekom[.]online`). Additional examples appear elsewhere in this report and demonstrate UNC1151’s ability to craft convincing domains that allow them to capture credentials in highly-targeted spearphishing campaigns that can then be used for follow-on influence operations: hack-and-leak and inauthentic messaging (sending forged or manipulated messages or posting inflammatory material from hijacked or fake accounts). This ability, combined with UNC1151’s reported capacity to understand and exploit pre-existing socio-cultural fissures to sow discord and angst in the targeted states (in accordance with Moscow’s security goals), can prove damaging and difficult to counteract, and therefore should be underscored.
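The naming pattern described above (a generic-looking registered domain carrying a brand or regional theme word in its subdomain labels, or a brand word fused into the root itself) can be hunted for mechanically in passive-DNS or certificate-transparency exports. The following is an added defender-side example written for this post, not PACT’s tooling; the keyword list is taken from the examples in this report, the allowlist of legitimate brand domains and the sample hostnames are assumptions, and the eTLD+1 logic is deliberately naive.

```python
import re
from typing import Dict, List

# Brand and regional theme words taken from the examples in this report.
THEME_KEYWORDS = {"gmx", "telekom", "poczta", "apple", "icloud", "paypal",
                  "ovh", "interia", "twitter", "google", "microsoft", "facebook"}
# Registered domains that legitimately own those words: an illustrative
# allowlist assumed here, not something the report provides.
LEGIT_REGISTERED = {"gmx.net", "telekom.de", "apple.com", "icloud.com",
                    "paypal.com", "ovh.com", "interia.pl", "twitter.com",
                    "google.com", "microsoft.com", "facebook.com"}
# Generic words the report shows in attacker roots (net-account, login-inbox).
GENERIC_WORDS = {"login", "account", "verify", "inbox", "mail", "secure", "net", "id"}

def normalize(host: str) -> str:
    """Undo [.] defanging, lowercase, and strip a trailing dot."""
    return host.replace("[.]", ".").strip().lower().rstrip(".")

def registered_domain(host: str) -> str:
    """Naive eTLD+1 (last two labels). Assumes no multi-label public suffixes
    such as co.uk in the input; real hunts should use a public-suffix list."""
    return ".".join(host.split(".")[-2:])

def score_host(raw: str) -> Dict:
    """Explain why a hostname matches the pattern (empty reasons = clean)."""
    host = normalize(raw)
    reg = registered_domain(host)
    sub_tokens = {t for label in host.split(".")[:-2] for t in label.split("-")}
    root_tokens = set(re.split(r"[.-]", reg))
    reasons: List[str] = []
    if reg not in LEGIT_REGISTERED:  # the real brand owner is never suspicious
        reasons += [f"theme-in-subdomain:{k}" for k in sorted(sub_tokens & THEME_KEYWORDS)]
        reasons += [f"theme-in-root:{k}" for k in sorted(root_tokens & THEME_KEYWORDS)]
        if reasons and root_tokens & GENERIC_WORDS:
            reasons.append("generic-root")
    return {"host": host, "registered": reg, "flagged": bool(reasons), "reasons": reasons}

def hunt(hosts: List[str]) -> List[Dict]:
    """Return only the flagged records, e.g. from a passive-DNS export."""
    return [r for r in map(score_host, hosts) if r["flagged"]]

# Constructed sample: the report's defanged examples mixed with legitimate hosts.
SAMPLE_HOSTS = ["gmx.net-account[.]online", "verify.login-telekom[.]online",
                "poczta.login-inbox[.]site", "mail.gmx.net", "www.icloud.com", "shop.example.com"]

if __name__ == "__main__":
    for rec in hunt(SAMPLE_HOSTS):
        print(rec["host"], "->", ", ".join(rec["reasons"]))
```

Hits should be triaged rather than blocked outright: a root made only of generic words plus a brand in the subdomain is the strongest signal, while a brand word in the root alone will also catch legitimate resellers and fan sites.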
PACT identified domain and subdomain naming themes that indicated targeting of the following audiences: Ukrainian and Polish government (particularly the defense sector) (image 1,2), European iPhone and iCloud users (image 3), the French Defense Information and Communication Delegation (DICoD) (a department of the French Ministry of the Armed Forces) (image 4), and users of popular regional web service providers across Europe and Russia (images 5-8), as well as global tech giants like Google, Microsoft, Apple, Twitter, and Facebook (images 9,10).
Image 1: Phishing domain crafted to target Ukrainian government accounts.
Image 2: Phishing domain crafted to target Polish government accounts.
Image 3: Phishing domain crafted to target European iCloud users.
Image 4: Phishing domain crafted to target French DICoD accounts.
Image 5: Phishing domain crafted to target meta.ua, a popular Ukrainian web services provider.
Image 6: Phishing domain crafted to target bigmir)net, a large information and entertainment portal based in Ukraine.
Image 7: Phishing domain crafted to target “interia.pl”, a large Polish web services provider.
Image 8: Phishing domain crafted to target “ukr.net”, a Ukrainian web services portal.
Image 9: Phishing domain crafted to target Twitter accounts.
Image 10: Phishing domain crafted to target accounts of major social media and tech giants.
UNC1151 has proven the effectiveness of these tactics, as hundreds of victims, including members of the Polish Parliamentary Intelligence Committee and the chief of the Chancellery of the Prime Minister of Poland, took the bait and gave attackers access to their private email accounts. Unfortunately, the successful phishing of its targets is only an initial, enabling feature of UNC1151’s operational methodology. The actor then uses that access for follow-on influence operations.
PACT leveraged Prevailion’s unique visibility and proprietary intelligence platform, along with previous public reporting, to identify patterns and cross-reference web infrastructure (e.g., historical domain registration, TLS certificate, DNS, and hosting data) to aid in the identification of additional UNC1151 infrastructure. PACT identified an additional 83 domains associated with UNC1151 that have not been previously reported: 52 of which PACT assesses with High Confidence are or were part of UNC1151’s operational infrastructure, and 31 that PACT assesses with Moderate Confidence to be previously-used phishing infrastructure for the actor’s targeted phishing campaigns.
The High Confidence cluster has been cross-referenced with previous public reporting and is listed at the bottom of this blog; PACT also included the rest of the UNC1151 infrastructure from previous reporting for defenders’ and researchers’ convenience. This cluster includes the phishing domains that PACT assesses with high confidence were intended to gain login credentials for members of the French Defense Ministry’s DICoD. Much of this cluster appears designed to capture login credentials for official and personal accounts of Polish and Ukrainian audiences (images 11,12); common subdomain themes are shared throughout (images 13-16). Activity related to this cluster of domains is ongoing, as evidenced by the registration of `login-inbox[.]site` on 2021-08-20.
Image 11: Phishing domain crafted to target official accounts of a Polish audience.
Image 12: Phishing domain crafted to target personal accounts of a Ukrainian audience.
Images 13-16: Phishing domains displaying common subdomain themes.
The Moderate Confidence cluster was identified using observed hosting commonalities, previous reporting on widespread phishing campaigns, and commonalities of domain and subdomain naming themes. This cluster of activity was active as recently as July 2021, but most of the domain registrations occurred in 2019 with expirations in 2020. The naming themes indicate a targeted audience of Apple (iPhone and iCloud) users in Europe; nearly all root domains have at least one subdomain that includes the words “apple” or “icloud” (images 17,18). Additional subdomains appear to target Paypal and OVH Telecom logins as well (images 19,20). If PACT is correct in attributing this activity to UNC1151, this cluster of mostly-expired Moderate Confidence activity indicates a change in targeting around 2020/2021, as Ghostwriter was primarily aimed at an audience in Poland, Ukraine, and the Baltics (as one can easily see with a quick glance at the subdomains in the High Confidence cluster). This Moderate Confidence cluster, by contrast, appears to have explicitly targeted European iCloud users.
Image 17: Phishing domain crafted to target Apple/iCloud accounts.
Image 18: Phishing domain crafted to target Apple/iCloud accounts.
Image 19: Phishing domain crafted to target Paypal users.
Image 20: Phishing domain crafted to target OVH Telecom.
PACT is unable to verify that UNC1151 is a homogenous group with central direction; PACT also cannot verify that all Ghostwriter activities were conducted by UNC1151, as PACT analysts only have visibility into the web-based infrastructure. It is possible that phishing infrastructure creation, credential gathering, access, and the influence operations were centrally directed or controlled but carried out by different groups. It is clear, however, that there is an overarching theme and direction to these activities. It is this theme and direction that PACT has identified and continues to track under the UNC1151 actor, which corroborates the reports cited below.
PACT continues to track UNC1151 and the Ghostwriter campaign by leveraging Prevailion’s unique and unparalleled visibility into malicious infrastructure creation, and will publish follow-on updates as they are identified and corroborated.
PACT assesses with High Confidence that the following domains are part of UNC1151 operations; additionally, they do not appear in public reporting that has surfaced as part of PACT’s analysis:
The following domains have been previously attributed as part of UNC1151 operations:
PACT assesses with Moderate Confidence that the following domains are part of phishing infrastructure that UNC1151 used; additionally, they do not appear in public reporting that has surfaced as part of PACT’s analysis:
Matt Stafford, Senior Threat Intelligence Researcher