
From Fake News Proliferation to Data Theft: Tracing the Red Cross Hack to a Misinformation Network

The International Committee of the Red Cross (ICRC) hack in January 2022 compromised sensitive information belonging to 515,000 people. While no indicators of compromise (IoCs) relevant to the attack have been publicized, a security researcher did expose a possible link to an Iranian misinformation network. We built on this connection in this study and uncovered the following:

  • A total of 19 email addresses related to misinformation IoCs
  • More than 650 domains that used the email addresses, according to their historical WHOIS records
  • Close to 25% of the domains had active IP resolutions
  • More than 800 domains shared the same IP addresses

A complete list of the cyber resources and other data points can be downloaded from our website.

The Red Cross Link

The security researcher’s report identified an email address of a RaidForums user offering to sell the stolen Red Cross data, potentially implying that a ransom has been demanded. The email address was also mentioned in a website seizure application affidavit submitted by the Federal Bureau of Investigation (FBI) in 2020.

Interestingly, three of the 16 domains connected to the email address through their historical WHOIS records remain active and continue to resolve to various IP addresses. One of the domains, moslempress[.]com, hosts (or redirects to) the following web page:

Building on the FBI affidavit and a FireEye report referenced in the legal document, we wanted to see the status of other domains connected to the email addresses mentioned in both reports. While the analysis can’t be directly correlated to the Red Cross data breach, it can help shed some light on how persistent and interrelated threat actors can be.

Fake News Domains: Vehicles for Data Theft?

The FBI affidavit sought the seizure of websites that were part of a misinformation network dubbed the “Liberty Front Press.” The affidavit specified a total of 29 domain names, although WHOIS history searches for the 19 email addresses mentioned in both the FBI and FireEye reports revealed more than 650 domains.

While only two of the domains have been tagged “malicious,” most of them use news-related text strings, such as “press,” “news,” “media,” and “source.” Around 159 of the domains still actively resolved to various IP addresses. In fact, Bulk IP Geolocation detected a total of 245 IP resolutions pointing to 195 unique IP addresses.

Furthermore, several domains continue to host news-related content, similar to those shown by the website screenshots below.

The persistence of misinformation websites is consistent with similar studies we’ve done in the past, specifically related to the Iranian Islamic Radio and Television Union (IRTVU) and the Islamic Revolutionary Guard Corps (IRGC).

However, the Red Cross data breach may shed more light on the threat actors’ motives. Aside from spreading misinformation—and although they are often categorized as nation-state-backed cybercriminal groups—money may still be a strong motivation for these people.

More Connected Domains

Fake news websites could merely be fronts or vehicles for more nefarious activities, such as ransomware attacks and data theft. For this reason, monitoring them is vital in cybercrime prevention.

With that in mind, we performed reverse IP lookups for the 195 IP addresses connected to the initial list of domain names. From there, we identified 52 IP addresses that are possibly privately owned since they each had fewer than 100 domains resolving to them. We also uncovered 828 additional domains and subdomains from these IP addresses.
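The pivot described above can be reproduced on any analyst's own lookup results. The following Python is an added example, not WhoisXML API's code: it keeps only IP addresses with fewer than 100 domains, collects the non-seed domains on them, and orders them for review. The function names, input shapes, review ordering and all sample data are assumptions constructed for illustration.

```python
from collections import defaultdict

DEDICATED_MAX = 100  # the article's cut-off: fewer than 100 domains per IP
NEWS_TERMS = ("press", "news", "media", "source")  # strings named in the article

def refang(name):
    """Normalize a defanged indicator such as site[.]example."""
    return name.strip().lower().replace("[.]", ".").rstrip(".")

def pivot(seed_resolutions, reverse_ip):
    """seed_resolutions: {seed domain: [ip, ...]}; reverse_ip: {ip: [domain, ...]}.
    Returns (IPs under the cut-off -> hosted domains, new domain -> shared IPs)."""
    seeds_on_ip = defaultdict(set)
    for domain, ips in seed_resolutions.items():
        for ip in ips:
            seeds_on_ip[ip].add(refang(domain))
    seeds = {refang(d) for d in seed_resolutions}
    dedicated, new = {}, defaultdict(set)
    for ip, here in seeds_on_ip.items():
        hosted = here | {refang(d) for d in reverse_ip.get(ip, [])}
        if len(hosted) < DEDICATED_MAX:  # at or above: likely shared hosting, skip
            dedicated[ip] = hosted
            for domain in hosted - seeds:
                new[domain].add(ip)
    return dedicated, dict(new)

def triage(new):
    """Order new domains for review: most shared IPs first, then news-themed names."""
    return sorted(new, key=lambda d: (-len(new[d]),
                                      not any(t in d for t in NEWS_TERMS), d))

# Constructed sample data (documentation IP ranges, .example names).
SEEDS = {
    "daily-press[.]example": ["192.0.2.10", "198.51.100.7"],
    "worldnews.example": ["192.0.2.10"],
    "parked.example": ["203.0.113.5"],
    "expired.example": [],  # seed with no active resolution
}
REVERSE_IP = {
    "192.0.2.10": ["daily-press.example", "worldnews.example",
                   "truth-media.example", "shop.example"],
    "198.51.100.7": ["Truth-Media.example.", "mail.daily-press.example"],
    "203.0.113.5": [f"site{i}.example" for i in range(150)],
}

if __name__ == "__main__":
    _, found = pivot(SEEDS, REVERSE_IP)
    print([(d, sorted(found[d])) for d in triage(found)])
```

The domain-count cut-off is a heuristic for separating dedicated from shared hosting, so co-hosted names are leads for further review rather than confirmed indicators.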

We started our investigation with one email address that served as a link between the Red Cross data breach and a fake news network. Has the stolen data been shared with other cybercriminals? Or are the threat actors behind the hack the same ones trying to sell the data on underground cybercriminal forums?

While the answers to these questions remain unclear, we now have more than 1,400 suspicious cyber resources sharing the same email addresses and IP addresses with known misinformation-related domains. This additional threat intelligence can fuel further and deeper investigations.

Are you a threat analyst or researcher interested in the cyber resources mentioned in this report? Please contact us to learn more about our cyber threat intelligence sources and possible research collaboration.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.
