Thanks to Dancho Danchev, WhoisXML API’s DNS Threat Researcher, for the original investigation available here and that led to the creation of this post.

The 2016 U.S. elections sparked a lot of controversies, as several law enforcement agents and security researchers believed countries like Russia may have greatly influenced its turnout. We sought to find out more about it via an OSINT analysis using various domain and IP intelligence tools.

What’s Been Found in the Original Investigation

The original investigation began with obtaining lists of indicators of compromise (IoCs) related to the attacks. These include:

• 95 command-and-control (C&C) server domains
• 38 email addresses
• 104 connected domains

What the Further Analysis Revealed

The C&C server domains were first subjected to a bulk WHOIS query to find out if any of them had identifiable country-specific ties. The results revealed that only 22 of the 95 C&C server domains had WHOIS records identified, and most of them (50%) claimed to be from the U.S.

Note, however, that domain owners can register their web properties in any country even that where they don’t actually reside in. But since the attackers were targeting the U.S., it may also have made sense that they would use domains registered there.

The connected domains were subjected to a bulk WHOIS query as well just in case the attackers left clues behind. 54 of the 104 connected domains had WHOIS records identified, and most of them were registered in Indonesia, Malaysia, and Nigeria.

Using the email addresses as inputs for advanced historical reverse WHOIS searches, an additional 13,379 domains (excluding those already in the C&C and connected domains lists) were uncovered. Notable examples that contained popular brands include the following:

• apple-security-team[.]com
• maybankegreetings[.]com
• netflix-swedish[.]com
• bancodeevenezuela[.]com
• swarovskishop-site[.]com
• sunglasshut-site[.]net
• neimanmarcus-site[.]com
• hollister-style[.]biz
• google-settings[.]com
• jeepgrandtour[.]net

These could serve as good hosts for phishing sites targeting the brands’ customers. Many domains could also serve as home to generic phishing pages, such as:

• localisation-security[.]com
• localisation-support[.]com
• account-redirect[.]net
• security-verification[.]net
• software-update[.]org

Subdomains containing famous brands could easily be added to these to lure victims into unknowingly handing their credentials to cybercriminals.

A 10% sample of the additional domains were subjected to malware database checks via Threat Intelligence Platform (TIP), and a total of 516 out of 1,378 of the additional domains had ties to malware. Examples of these are:

• apple-security-team[.]com
• support-security-icloud[.]com
• security-icloud-apple[.]com
• onpeutlefaire[.]com
• account-redirect[.]net

Note that many of the malicious domains identified seem to have been randomly generated. Examples include:

• vgperknqlqdwpkbk[.]com
• yhmpwhsxifmpe[.]com
• vsxszchunolely[.]com
• rijcfwnmlmlqzqnoz[.]com
• ktgtmdchshgbwlepwb[.]com
• hgvmfufotczwbu[.]com

Going by the law of averages, as many as 39% of the additional domains or 5,160 domains could be malicious. And while not all of them may be related to the 2016 U.S. election attacks, individuals and organizations alike would do well to avoid visiting the sites they host. Many of the domains are still live to date.

What’s more, the additional 13,379 domains were subjected to a bulk WHOIS lookup. Only 8,477 of them turned out to have WHOIS records. Most of the domains were registered in China (63%), followed by the U.S. (18%) and Malaysia (2%). The rest (4%) were scattered across 39 other countries while 12% didn’t identify their registrant countries.

It is interesting to note that out of the 13,578 domains identified as IoCs and artifacts for this campaign, only five identified Russia as their registrant country. While we can’t definitely say that is proof of anything, leaving the country out of domain registrations (malicious or otherwise) could also be a tactic to throw the scent off it.

If you wish to further expand the list of IoCs and artifacts we’ve already identified in this post or would like to collaborate with our researchers on similar studies, feel free to contact us.