Research Saturday 10.9.21
Ep 204 | 10.9.21

Taking a closer look at UNC1151.


Dave Bittner: Hello everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.

Matt Stafford: So, we had been following some of the open-source reporting about this particular influence campaign ever since FireEye came out with it in 2020.

Dave Bittner: That's Matt Stafford. He's a Senior Threat Intelligence Researcher at Prevailion. The research we're discussing today is titled, "Diving Deep into UNC1151's Infrastructure: Ghostwriter and Beyond."

Matt Stafford: It was interesting to us for a number of reasons, least of which being that it is ongoing, so we wanted to ensure that the community and the industry at large had as much information as it needed to kind of proactively take care of whatever issues that this campaign was causing.

Dave Bittner: Can you give us some of the background on the players here? I mean, we're sort of highlighting UNC1151, and also, I suppose Ghostwriter has, I don't know, hitched their wagon to that name, or is a subset? How would you describe it?

Matt Stafford: Sure. Ghostwriter is a large, broad influence campaign that started years ago. It's been years in the running. Some of the reporting suggests it goes back to 2014, 2015, but FireEye released their report in 2020, saying it went back to 2017. And then in 2021, they released another report actually attributing parts of Ghostwriter, the influence campaign, to a certain threat actor, "UNC1151." They, along with some other vendors in the industry, released some indicators of compromise, which really was a list of domains and infrastructure that UNC1151 had used for parts of the Ghostwriter campaign. That is where we started pulling on the threads with our, you know, unique visibility into web-based infrastructure to kind of illuminate more of the Ghostwriter infrastructure.

Dave Bittner: Well, let's walk through that together. I mean, first of all, can you describe to us, how do you go about doing the things you do? Where do you get the unique views into this that you do as a company?

Matt Stafford: Sure. So Prevailion sits on a proprietary data set that uses domain registration, passive DNS, DNS zone data, and infrastructure data sets as input, and then we have kind of a bespoke data analysis pipeline that correlates all of that with several different threat exchange feeds. And what that does for us is it shrinks the haystack to a manageable size, which then allows our human analysts to come in and chase down the resultant leads at the end of that. So, we boil the ocean down to a more manageable size – maybe a large pond. So then we can effectively expend our limited time and resources on leads that have been pre-identified.

Dave Bittner: Well, let's walk through it together, then, how you apply your tools to this data set that, as you say, you know, FireEye's Mandiant Group had sort of blazed the pathway here and then you picked it up and applied your own techniques to it. Can you walk us through how that works?

Matt Stafford: Sure. So, we used previous public reporting – FireEye was among the vendors that had released reporting on this, and we used that as our starting point. We were able to identify some patterns and overlap with web infrastructure creation, so that being historical domain registration data, TLS certificate data, DNS records, and hosting data, which allowed us to kind of identify additional domains that had been used by UNC1151 during the Ghostwriter campaign. So we identified an additional eighty-three domains, which had not been previously reported, which kind of contributed to a threefold increase in UNC1151's known infrastructure.

Dave Bittner: Now, are there patterns here? I mean, anything that stands out with these domains in terms of their tradecraft?

Matt Stafford: Yes, we identified overlapping TTPs throughout the investigation. Domain naming themes that likely enabled phishing across both official government and personal accounts. Recurring Polish and Ukrainian words that formed additional naming themes that we could then identify and use to further our investigation. Domain naming structures, how they actually created the naming structure for their domains and subdomains was something that we were able to pivot on and use as overlapping behavior. And they also had a regional focus – you could tell from the subdomains that they were using who their targets were. So that also helped us identify where they were operating and what they were focusing on.

Dave Bittner: And what can we gather there, in terms of who this is likely and who they're targeting?

Matt Stafford: So, according to the previous open-source reporting, this group is a cyberespionage group, a state-backed cyberespionage group that engages in targeted spearphishing. So they're not blasting out huge amounts of phishing emails – they are picking their targets carefully, which overlaps with the domain naming themes we've seen. They will create kind of a generic, legitimate-sounding root domain such as net/account[.]online, and then they will include a prefix to that for a subdomain that will allow them to target specific audiences. So, we've seen prefixes to those – we've seen subdomains to those root domains for regional email providers such as "" or "gmx," which are Eastern European Ukrainian email providers. And we've also seen that all the way to official Polish and Ukrainian military and government accounts.

Dave Bittner: Now, some of the results that you gathered here, you assessed with high confidence and some with moderate confidence. What goes into you determining, you know, the amount of confidence that you have in a conclusion here?

Matt Stafford: So, because Prevailion is focused on web infrastructure, we can't see anything that occurred on the endpoint and we don't have any visibility into the web servers of the threat actor or the victim. So all we can see is historical hosting data, historical DNS data. So that is one part of why we have to assess things with moderate confidence. The other part of it is sometimes the personas that the threat actor used or the age of the evidence we're looking at will prevent us from assessing something with high confidence. There's just too much time has passed or there isn't enough overlapping infrastructure or facts to support an assessment of high confidence.

Dave Bittner: So what are the conclusions here, I mean, based on the research that you all did? What did you learn?

Matt Stafford: I think the biggest takeaway was that this activity is ongoing. I mean, we have domain registrations as current as this month, September of 2021. So despite the fact that the security community continues to track this, both within private industry as well as various governments, it has not caused an observable slowdown in this actor's operations. The weekend after we published this blog post, the German government attributed publicly phishing attempts on members of German parliament to this threat actor. And as recently as this week, there have been additional threat intelligence reports from other vendors that this campaign is still ongoing.

Dave Bittner: It's interesting to me the sort of community effort that's going on here. I mean, you know, as you mentioned, you built off of some open-source information from other organizations, information coming from various places around the world. Why is it important for you at Prevailion to take a part in this, to publish your own information here to build on what's already been gathered?

Matt Stafford: I think the most important reason to keep working at this problem as a community is because this activity is very hard to defend against. It's hard to get counter-messaging out there, especially in the case of tainted leaks, where there's a tree of disinformation in a forest of fact, it makes it really difficult to identify and counteract some of these damaging narratives. And when you have a threat actor that has such an enhanced ability to identify and take advantage of sociocultural fissures in the target environment, it becomes incumbent on everybody in the industry with visibility to shine a light on this activity.

Dave Bittner: You know, you mentioned that these folks, you know, the Ghostwriter campaign is primarily spearphishing. And so, as you mentioned, you know, targeted. Is it likely that the folks that they are after are aware that they are at a heightened risk of being targeted for something like this? I guess what I'm asking is, you know, this isn't a broad campaign where, you know, standard sorts of suggestions for, you know, endpoint protection, those sorts of things, would necessarily fit the bill.

Matt Stafford: Right. I think that the targets of the Ghostwriter campaign probably run the gamut from very informed to not informed. And I think what makes this campaign so dangerous is that they are targeting both official government accounts, which have security built into them for the most part, but they're also targeting personal accounts – iCloud, Twitter, social media accounts. Like, this allows them to take those pre-established personas with built-in followers, as well as implied credibility, and then broadcast disinformation without people being able to fact check it.

Dave Bittner: Our thanks to Matt Stafford from Prevailion for joining us. The research is titled, "Diving Deep into UNC1151's Infrastructure: Ghostwriter and Beyond." We'll have a link in the show notes.

Dave Bittner: The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.