Connect with us

Hi, what are you looking for?



Tech Firms Target Domains Used by Russia-linked Threat Group

Tech companies ThreatConnect and Microsoft are moving toward exposing and taking down domains associated with Russia-linked threat group known as Fancy Bear.

Tech companies ThreatConnect and Microsoft are moving toward exposing and taking down domains associated with Russia-linked threat group known as Fancy Bear.

Also tracked as APT28, Pawn Storm, Sofacy, Tsar Team, Strontium and Sednit, the threat group has been associated with a variety of high-profile cyber-attacks aimed at government and other types of organizations worldwide.

Last year, the threat group was said to have orchestrated election-related hacker attacks in the United States. The actor allegedly developed the so called XTunnel malware specifically to compromise the Democrat National Committee (DNC) network last year, and was said in February 2017 to be using brand new Mac malware to steal data.

ThreatConnect says their team was able to identify “dozens of recently registered domains and IPs that have varying levels of association to the Russian APT.” Moreover, the security firm discovered three name servers the group most likely used for domains, which allows defenders to “proactively identify new domains that may be associated with Fancy Bear activity”.

One of the domains, the security company reveals, is unisecproper[.]org, which was registered using the email address le0nard0@mail[.]com and is hosted on a dedicated server at the IP The certificate used by this domain has been already associated (PDF) with Fancy Bear in operations targeting the DNC and German Parliament, which clearly indicates that the domain is associated with the group.

Using the SSL certificate, ThreatConnect discovered recent IPs associated with Fancy Bear, along with numerous domains hosted on these IPs, also supposedly associated with the threat group. Some of these domains were discovered in previous investigations as well.

The researchers also managed to find name servers used by Fancy Bear, including nemohosts[.]com, bacloud[.]com, and laisvas[.]lt. The investigation eventually led to the discovery of hundreds of domains associated with these name servers, tens of which were hosted on dedicated servers.

The researchers note these are suspicious domains but note that “consistencies in registration and hosting tactics do not definitively associate many of these suspicious domains with previous malicious, Fancy Bear activity.”

Advertisement. Scroll to continue reading.

“It’s important to caveat our confidence in these indicators’ association to FANCY BEAR activity. For many of those indicators that we’ve included here, we don’t know whether they have actually been used maliciously. But if known bad is all that you are worried about or interested in, then you’ll always be at least one step behind the attacker. Only by leveraging intelligence to identify and exploit our adversaries’ tactics can we move from a reactive, whack-a-mole state to a proactive, informed defense,” ThreatConnect says.

Microsoft, in the meantime, is taking legal action against Fancy Bear: the tech company filed a civil lawsuit in August 2016, seeking to seize command-and-control (C&C) domains used by the group. According to court documentation Microsoft made public, there are hundreds of domains containing Microsoft trademarks that it is looking to take control of.

The actors failed to appear in a federal court in Virginia to defend themselves, and Microsoft is pushing for a default judgment in its favor. By seizing the domains, Microsoft would be able to cut the group off from communicating with infected systems.

“Microsoft seeks a preliminary injunction directing the registries associated with these Internet domains to take all steps necessary to disable access to and operation of these Internet domains to ensure that changes or access to the Internet domains cannot be made absent a court order and that all content and material associated with these Internet domains are to be isolated and preserved pending resolution of the dispute. Microsoft seeks a permanent injunction, other equitable relief and damages,” Microsoft notes.

Previously, Microsoft used legal action to take down botnets. In 2012, as part of Operation b71, the company seized C&C servers associated with the notorious Zeus family of malware. In 2014, in an attempt to take down the Bladabindi (njRAT) and Jenxcus (NJw0rm) malware families, the company seized 23 No-IP domains to route bad traffic to a sinkhole.

Related: DHS Uses Cyber Kill Chain to Analyze Russia-Linked Election Hacks

Related: Russian Cyberspies Use New Mac Malware to Steal Data

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.