According to recent research conducted by DNS Threat Researcher Dancho Danchev, the National Security Agency (NSA) seemingly runs a free VPN domain portfolio to lure malicious users and learn more about their Internet activities.

Here is an overview of the key findings and additional enrichment conducted with WhoisXML API’s intelligence tools and Maltego:

• 24 domains were identified as part of the free VPN services campaign.
• 22 possible registrant email addresses are known for involvement in the campaign.
• Research on Maltego using the WhoisXML API Reverse WHOIS Search transform uncovered 174 domains related to the registrant email addresses.

Data Set: Free VPN Services Courtesy of the NSA

Danchev obtained a list of domains related to the NSA-operated free VPN services. The said list contained 24 domains used to identify related web properties that could hint at ties to potential threat actors or malicious campaigns. A portion of these 24 domains are:

• bluewebx[.]com
• bluewebx[.]us
• irs1[.]ga
• iranianvpn[.]net
• irsv[.]me
• dnsspeedy[.]tk

The full list of the domains is available for download here.

In-Depth Research Findings

Over the course of the in-depth investigation, 22 registrant email addresses linked to the NSA-owned free VPN services were identified. Using the registrant email addresses as search terms for Maltego research using the WhoisXML API Reverse WHOIS Search transform, we obtained 174 related domains. That means the domains’ WHOIS records shared the registrant email addresses. Examples of the connected domains include:

• 17silu[.]com
• 0008[.]club
• 118km[.]cn
• maturediva[.]com
• gaysexvideo[.]us
• 7l0[.]com
• lemodagarments[.]com
• 024jk[.]cn
• alisale[.]xyz
• 52haoli[.]com

A bulk WHOIS lookup for the 174 email domains revealed the following:

• Only 125 of the domains had retrievable current WHOIS records.
• A total of 40 domains (32%) were created in 2021. The remaining 68% were created between 2002 and 2020.
• Only 84 of the domains had unredacted or non-privacy-protected registrant email addresses.
• Of the 92 domains whose WHOIS records revealed their registrant country, a majority (58 or 63%) were registered in China. It’s also interesting to note that none of them are based in Iran.

A bulk malware check using Threat Intelligence Platform API, meanwhile, showed that two of the 174 domains connected to the registrant email addresses were dubbed “dangerous” on various threat sources. These are cnairs[.]com and avxz[.]com.

A bulk DNS lookup performed on the 174 domains revealed that 98 currently resolved to IP addresses, which could mean they are in use. It may be best for individuals and organizations alike to avoid connections to and from these 98 IP addresses due to their connection to domains related to an ongoing malicious campaign. Examples of these IP addresses are:

• 156[.]235[.]127[.]229
• 216[.]12[.]164[.]161
• 137[.]175[.]109[.]146
• 23[.]80[.]133[.]27
• 107[.]165[.]118[.]140
• 173[.]82[.]107[.]121
• 104[.]165[.]41[.]82
• 47[.]88[.]84[.]51
• 47[.]91[.]202[.]66
• 47[.]91[.]205[.]63

All of the web properties mentioned in this post could pose varying levels of risk to individuals and organizations that knowingly or unknowingly have dealings with or grant system or network access to them. And avoiding them may be a worthy endeavor, given their potential connection to an ongoing malicious campaign.

If you are a security researcher working on the same or a similar investigation, talk to us by filling out this form. We can share resources like the complete list of web properties possibly related to the ongoing campaign.