The Hafnium attacks targeting Microsoft Exchange Server vulnerabilities prompted several cybersecurity investigators and researchers to hunt for other threat actors that use similar attack methods. Among them is the Cybereason News Network. The researchers detected three malicious activity clusters that point to existing APT groups, namely, Soft Cell, Naikon, and another cluster potentially linked to Group-3390 (also known as “APT27” or “Emissary Panda”).
You can learn more about each APT group here, though we were more interested in the publicly available indicators of compromise (IoCs). We aim to expand these IoCs and uncover more artifacts to help organizations enrich their cyber intelligence and strengthen their cyberdefense.
Here is a list of IoCs that served as the starting point for our investigation.
The three APT groups are believed to have originated from Asia, specifically China. Cyber intelligence sources appear to support this insight.
Although the IP addresses on the list no longer returned related domain names, IP geolocation lookups revealed that all of them are located in Asian countries, such as Singapore, Hong Kong, China, and Thailand. One IP address (45[.]123[.]118[.]232) is geolocated in Turkey. The geolocation of most of the domain names also points to Asian countries.
The current WHOIS records of all the domain IoCs use different privacy protection services. Still, Historical Reverse WHOIS Search returned a few unredacted registrant email addresses. These are listed below, with the first few characters hidden for privacy:
Subjecting these email addresses to Maltego searches allowed us to visualize historical associations. For example, the To Historical WHOIS Records transform for domain jrmfeeder[.]org returned 12 records. All, except the oldest one, returned an unredacted registrant email address through the To Registrant Email transform.
The email address appeared in the historical WHOIS records of 8,643 domains, some of which are reflected using the To Domains and IP Addresses (Historical Reverse WHOIS Search) transform on Maltego, as shown by the screenshot below.
In total, around 8,801 domain names were related to the IoCs, at least based on the eight unredacted historical registrant email addresses listed above.
Another way to discover more artifacts is through conducting reverse IP searches, which look up the IP resolutions of the domains and return other domains that resolve to the same IP address. Of the 34 domains tagged as IoCs for the three APT groups, 20 still had DNS records.
However, they seem to resolve to shared IP addresses since all searches returned 300 connected domains or more for each. Eighteen of the IoCs share the same connected domains, which gave us more than 900 artifacts.
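The reverse IP pivot described above can be sketched as follows. This is an added example, not code from the original investigation. It runs on constructed sample data (reserved `.example` names and documentation IP ranges), takes the 300-domain figure from the paragraph above as its shared-hosting threshold, and uses confidence labels that are an assumption of this sketch.

```python
from collections import defaultdict

# The page saw 300 or more connected domains per lookup and read that as shared hosting.
SHARED_HOSTING_THRESHOLD = 300

def refang(indicator):
    """Turn a defanged indicator such as a[.]example[.]com into a plain hostname."""
    return indicator.replace("[.]", ".").strip().lower().rstrip(".")

def expand_by_reverse_ip(ioc_domains, dns_a, reverse_ip):
    """Pivot IoC domain -> current IP -> other domains on that IP.

    dns_a:      {domain: ip}; a domain with no DNS record is simply absent
    reverse_ip: {ip: set of domains that resolve to it}
    Returns (artifacts, shared_ips, unresolved); artifacts maps each newly
    found domain to a confidence label (assumed labels, not from the page).
    """
    iocs = {refang(d) for d in ioc_domains}
    seeds_by_ip = defaultdict(set)
    unresolved = set()
    for domain in iocs:
        ip = dns_a.get(domain)
        if ip is None:
            unresolved.add(domain)
        else:
            seeds_by_ip[ip].add(domain)

    artifacts, shared_ips = {}, set()
    for ip in seeds_by_ip:
        neighbours = reverse_ip.get(ip, set()) - iocs
        shared = len(neighbours) >= SHARED_HOSTING_THRESHOLD
        if shared:
            shared_ips.add(ip)
        for domain in neighbours:
            # Co-hosting on a crowded IP is weak evidence of common ownership.
            artifacts[domain] = "low" if shared else "medium"
    return artifacts, shared_ips, unresolved

# Constructed sample data (reserved .example names, documentation IP ranges).
SAMPLE_IOCS = ["a[.]ioc-one[.]example", "b[.]ioc-two[.]example",
               "c[.]ioc-three[.]example", "d[.]ioc-four[.]example"]
SAMPLE_DNS = {"a.ioc-one.example": "192.0.2.10", "b.ioc-two.example": "192.0.2.10",
              "c.ioc-three.example": "198.51.100.7"}
SAMPLE_REVERSE_IP = {
    "192.0.2.10": {f"site{i}.example" for i in range(320)} | {"a.ioc-one.example", "b.ioc-two.example"},
    "198.51.100.7": {"c.ioc-three.example", "panel.ioc-three.example"},
}

if __name__ == "__main__":
    found, shared, missing = expand_by_reverse_ip(SAMPLE_IOCS, SAMPLE_DNS, SAMPLE_REVERSE_IP)
    print(len(found), sorted(shared), sorted(missing))
```

Artifacts labelled "low" are better suited to enrichment and monitoring than to outright blocking, since a shared IP address hosts many unrelated tenants.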
A sample of these artifacts was subjected to a bulk malware check through the Threat Intelligence Platform (TIP). Eight out of the 90 domains and subdomains were flagged as malicious, namely:
Expanding the list of 34 domain IoCs tagged in cyber attacks connected to three APT groups resulted in the discovery of more than 9,000 artifacts. Over 8,000 of them were connected to one another by their registrant email addresses, while the rest resolved to the same IP addresses.
The artifacts related to Soft Cell, Naikon, and possibly APT27 can be subjected to further contextualization and analysis to beef up your cybersecurity efforts. For a complete list of these artifacts or to discuss security research collaborations, feel free to contact us.