See our original report here.
Appendix A: Stage One PowerShell Command
Appendix B: Stage Two PowerShell Command
Due to its large size, this appendix is available in an external Google Document:
Appendix D: Public Stealth Falcon Tweets
- @saalaam25 was targeted on 14 January 2012. The account stopped tweeting on 5 December 2014. The account tweeted about political issues in the UAE.
- @alshamsi789 was targeted on 10 January 2012. The account is still active, and tweets about political issues in the UAE.
- @BdrBakalla was targeted on 9 January 2012. The account is still active, and gives its location as “Abu Dhabi.”
- @morsyuae was targeted on 12 June 2012. The account is still active, and appears to tweet in solidarity with political prisoners in the UAE.
- @HaAlReem was targeted on 7 October 2012. The account stopped tweeting on 17 August 2013. The account appeared to tweet in solidarity with political prisoners in the UAE.
- @alsalam45 was targeted on 7 October 2012. The account stopped tweeting on 13 August 2015. The account appeared to tweet in solidarity with political prisoners in the UAE.
- @magdy_masood1 was targeted on 14 August 2013. The account stopped tweeting on 30 July 2014. The account appeared to tweet about Gaza, and against Egyptian President Sisi.
- @UAELionHeart was targeted on 10 January 2012. The account stopped tweeting on 30 June 2013. The account appeared to tweet in solidarity with political prisoners in the UAE.
- @uaepolitician was targeted on 10 January 2012. The account appears to no longer exist.
- @bosalim77 was targeted on 10 January 2012. The account is currently suspended.
- @ZayedSon7 was targeted on 10 January 2012. The account appears to no longer exist.
- @helalsalem11 was targeted on 16 January 2012. The account is still active, and appears to tweet in solidarity with political prisoners in the UAE.
- @2011national, now renamed to @2013national, was targeted on 10 January 2012. The account is still active, and appears to tweet in solidarity with political prisoners in the UAE.
- @abu_sa33d was targeted on 14 January 2012. The account is still active, and appears to tweet both Jihadi content, and solidarity with political prisoners in the UAE.
- @YouAE_Dxb was targeted on 10 January 2012. The account appears to no longer exist.
- @hwghp was targeted on 5 August 2012. The account is still active, and describes itself as “in solidarity with the UAE detainees.” The account appears to tweet in solidarity with political prisoners in the UAE.
- @Rmadanhom, now renamed to @Duaamadloom, was targeted on 5 August 2012. The account is still active, and appears to tweet in solidarity with political prisoners in the UAE.
Appendix E: Results of aax.me Scan
Due to its large size, this appendix is available in an external Google Sheet:
Appendix F: Indicators of Targeting
Domains (Attack on Donaghy)
IPs (Attack on Donaghy)
Stage One C2 Server IP Addresses
Stage One C2 Server Domains
Stage Two C2 Server IP Addresses
Stage Two C2 Server IP Addresses (Historical)
Stage Two C2 Server Domains
Suspected Attack Domains
uaefreedom.com (on or after October 7, 2012)
Social Media or Email Accounts
Related Social Media Accounts
Appendix G: No Evidence of APT28 Connection
Five (or six) of the domains we linked to our operator were registered using anonymousbitcoindomains[.]com (ABCD), a now-defunct “anonymous” registration service that accepted payment in Bitcoin, through which it appears that only about 89 domains were ever registered (all between 2014-07-09 and 2015-04-30).
The service touted the small amount of information collected from its users:
There appears to be belief in the security community that a significant amount of ABCD activity involved a group known as APT28. APT28 is said to be supported by the Russian Government,1 and has targeted “NATO, governments of Russia’s neighbors, and U.S. defense contractors”.2 For instance, PwC Threat Intelligence lists one of the domain names we believe is related to our operator, netassistcache.com, as an APT28 domain. Though the attacks we profile in this report do not appear to align with known APT28 objectives, and the malware sent to Donaghy does not relate to known APT28 malware, we nevertheless feel compelled to examine whether our operator may be related to APT28. We outline our research below; we do not find any strong indications to suggest that our operator is related to APT28.
A Comparison of Registration Dates
Below, we list the five ABCD domains we linked to our operator, and a sixth ABCD domain that we believe may belong to our operator:
|ABCD Domain||Registration Date|
We noted that several APT28 domains were registered on 2015-03-05, the same day as one of our operator’s domains (and a second domain that may belong to our operator):
al7ruae2014[.]com (possibly our operator)
mediacloudsolution[.]com (our operator)
However, there is no further evidence that the APT28 domains are related to our operator’s domains (e.g., there is no overlap in passive DNS).
A “suspension” of ABCD domains
On 2 July 2015, the DNS entries for at least 21 domain names registered via ABCD were updated to IP address 126.96.36.199, according to passive DNS data. Six of these domain names appear to be directly related to APT28, via public information (microsoftdriver.com and windowsappstore.net appear in an APT28 sample,7 dailyforeignnews.com was documented distributing APT28 malware,8 and diplomatnews.org, worldpoliticsnews.org, and uz-news.org were documented hosting the APT28 exploit kit).9
The Internet Archive records that microsoftdriver.com returned an apparently nonstandard “Notice: Suspended domain” page 12 days after the transfer on 14 July 2015.10 We also identified another ABCD domain, bagacamesmo.biz, which was redirected to 188.8.131.52 on 9/23/2014. Five days later, the Internet Archive records that it displayed a substantially similar notice of domain suspension, except it suggested the suspension was in relation to the “FraudWatch International Security Operations Centre”.11 The reference to FraudWatch appears to be a reference to the eponymous provider of brand-protection services, including website takedown services.12 The Internet Archive records that the suspension message on bagacamesmo.biz was later updated to the same message as the one on microsoftdriver.com.13 The only other instance we found of an ABCD domain whose DNS was changed to 184.108.40.206 was policeoracle.org, which was changed on 18 April 2015. We note that the “Last-Modified” header for microsoftdriver.com reads 17 April 2015.
Therefore, our hypothesis is that ABCD controls 220.127.116.11. When they conducted what appears to be their first domain “suspension” (bagacamesmo.biz, perhaps upon request from FraudWatch), they created a custom suspension page indicating this. Perhaps their second domain “suspension” (policeoracle.org) was on request from a different party, therefore they updated their page to delete the reference to FraudWatch.
One of the at least 21 domain names suspended in this manner on 2 July 2015 was windowsearchcache.com. However, the domain appears to have been “un-suspended” on 22 July 2014, in that its DNS entry before the suspension was restored. It is the only ABCD domain name we were able to identify that was suspended and then un-suspended. It was also the only suspended ABCD domain name that we were able to trace to our operator. We are not sure which party requested the suspension, and why ABCD decided to “un-suspend” windowsearchcache.com.
We are unaware of any evidence linking APT28 to windowsearchcache.com. That windowsearchcache.com appears to be the only un-suspended ABCD domain (and the only one we claim is not APT28), suggest that it may be unrelated to APT28 activity.