The International Committee of the Red Cross (ICRC) hack in January 2022 led to the compromise of sensitive information belonging to 515,000 people. While no indicators of compromise (IoCs) relevant to the attack have been publicized, a security researcher did expose a possible link to an Iranian misinformation network. We built on this connection in this study and uncovered the following:
A complete list of the cyber resources and other data points can be downloaded from our website.
The security researcher’s report identified an email address of a RaidForums user offering to sell the stolen Red Cross data, potentially implying that a ransom had been demanded. The same email address was also mentioned in a website seizure application affidavit submitted by the Federal Bureau of Investigation (FBI) in 2020.
Interestingly, three of the 16 domains connected to the email address through their historical WHOIS records remain active and continue to resolve to various IP addresses. One of the domains, moslempress[.]com, hosts (or redirects to) the following web page:
Building on the FBI affidavit and a FireEye report referenced in the legal document, we wanted to see the status of other domains connected to the email addresses mentioned in both reports. While the analysis can’t be directly correlated to the Red Cross data breach, it can help shed some light on how persistent and interrelated threat actors can be.
The FBI affidavit sought to seize websites that were part of a misinformation network dubbed the “Liberty Front Press.” A total of 29 domain names were specified in that affidavit, although WHOIS history searches for the 19 email addresses mentioned in the FBI and FireEye reports revealed more than 650 domains.
While only two of the domains have been tagged “malicious,” most of them use news-related text strings, such as “press,” “news,” “media,” and “source.” Around 159 of the domains still actively resolved to various IP addresses. In fact, Bulk IP Geolocation detected a total of 245 IP resolutions pointing to 195 unique IP addresses.
Furthermore, several domains continue to host news-related content, similar to those shown by the website screenshots below.
The persistence of misinformation websites is consistent with similar studies we’ve done in the past, specifically related to the Iranian Islamic Radio and Television Union (IRTVU) and the Islamic Revolutionary Guard Corps (IRGC).
However, the Red Cross data breach may shed more light on the threat actors’ motives. Aside from spreading misinformation—and although they are often categorized as nation-state-backed groups—money may still be a strong motivation for these actors.
Fake news websites could only be fronts or vehicles for more nefarious activities, such as ransomware attacks and data theft. For this reason, monitoring them is vital in cybercrime prevention.
With that in mind, we performed reverse IP lookups for the 195 IP addresses connected to the initial list of domain names. From there, we identified 52 IP addresses that are possibly privately owned, since fewer than 100 domains resolved to each of them. We also uncovered 828 additional domains and subdomains from these IP addresses.
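The three pivots described above (historical WHOIS by registrant email, checking which linked domains still resolve and to how many unique IPs, then reverse IP lookups filtered to addresses with fewer than 100 domains) can be modelled as a small offline workflow. The script below is an added example, not code from this report or from the tools it mentions; all domains, email addresses and IP records in it are constructed placeholders, and the keyword list mirrors the news-related strings the post notes (“press,” “news,” “media,” “source”). A real investigation would replace the dictionaries with output from a WHOIS history and passive DNS provider.

```python
"""Offline model of the email -> WHOIS -> DNS -> reverse-IP pivot chain.

All data here is constructed for illustration; none of these domains,
emails or IP addresses are real investigation artifacts.
"""

# Seed: registrant emails taken from the source reports (placeholders).
SEED_EMAILS = {"registrant-a@example.test", "registrant-b@example.test"}

# domain -> registrant emails seen in its historical WHOIS records (constructed).
WHOIS_HISTORY = {
    "liberty-news.test": ["registrant-a@example.test"],
    "world-press.test": ["registrant-a@example.test", "other@example.test"],
    "media-source.test": ["registrant-b@example.test"],
    "old-outlet.test": ["registrant-b@example.test"],
    "unrelated-shop.test": ["shopkeeper@example.test"],
}

# domain -> current A records; an empty list means it no longer resolves (constructed).
DNS_A = {
    "liberty-news.test": ["203.0.113.10"],
    "world-press.test": ["203.0.113.10", "203.0.113.20"],
    "media-source.test": ["198.51.100.5"],
    "old-outlet.test": [],
    "unrelated-shop.test": ["192.0.2.9"],
}

# ip -> domains observed resolving to it, i.e. a reverse IP lookup result (constructed).
# 203.0.113.20 imitates shared hosting with well over 100 tenants.
REVERSE_IP = {
    "203.0.113.10": ["liberty-news.test", "world-press.test", "daily-truth.test"],
    "203.0.113.20": [f"tenant{i}.hosting.test" for i in range(150)] + ["world-press.test"],
    "198.51.100.5": ["media-source.test", "media-source-cdn.test", "global-wire.test"],
}

NEWS_KEYWORDS = ("press", "news", "media", "source")


def news_like(domain):
    """True when the domain name carries one of the news-related strings the post flags."""
    return any(word in domain.lower() for word in NEWS_KEYWORDS)


def domains_linked_to_emails(seed_emails, whois_history):
    """Pivot 1: every domain whose historical WHOIS ever listed a seed email."""
    return {d for d, emails in whois_history.items() if seed_emails & set(emails)}


def resolution_summary(domains, dns_a):
    """Pivot 2: which linked domains still resolve, total A records, unique IPs."""
    active = {d for d in domains if dns_a.get(d)}
    resolutions = sum(len(dns_a[d]) for d in active)
    unique_ips = {ip for d in active for ip in dns_a[d]}
    return active, resolutions, unique_ips


def reverse_ip_pivot(ips, reverse_ip, known_domains, max_domains=100):
    """Pivot 3: keep IPs hosting fewer than max_domains (likely not shared hosting)
    and collect the domains on them that were not already in the known set."""
    low_density = {ip for ip in ips if len(reverse_ip.get(ip, [])) < max_domains}
    new_domains = {d for ip in low_density for d in reverse_ip[ip]} - known_domains
    return low_density, new_domains


def run_investigation(seed_emails=SEED_EMAILS, whois_history=WHOIS_HISTORY,
                      dns_a=DNS_A, reverse_ip=REVERSE_IP, max_domains=100):
    """Chain the three pivots and return the counts an analyst would report."""
    linked = domains_linked_to_emails(seed_emails, whois_history)
    active, resolutions, ips = resolution_summary(linked, dns_a)
    low_density, new_domains = reverse_ip_pivot(ips, reverse_ip, linked, max_domains)
    return {
        "linked_domains": linked,
        "news_like_domains": {d for d in linked if news_like(d)},
        "active_domains": active,
        "resolutions": resolutions,
        "unique_ips": ips,
        "low_density_ips": low_density,
        "new_domains": new_domains,
    }


if __name__ == "__main__":
    for key, value in run_investigation().items():
        shown = value if isinstance(value, int) else sorted(value)
        print(f"{key}: {shown}")
```

The `max_domains` threshold is the only tunable: the post uses 100 as its cut-off between shared hosting and possibly privately controlled addresses, and the example shows why it matters, since the one IP imitating a 150-tenant host would otherwise flood the result with unrelated domains.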
We started our investigation with one email address that served as a link between the Red Cross data breach and a fake news network. Has the stolen data been shared with other cybercriminals? Or are the threat actors behind the hack the same ones trying to sell the data on underground cybercriminal forums?
While the answers to these questions remain unclear, we now have more than 1,400 suspicious cyber resources sharing the same email addresses and IP addresses with known misinformation-related domains. This additional threat intelligence can fuel further and deeper investigations.
Are you a threat analyst or researcher interested in the cyber resources mentioned in this report? Please contact us to learn more about our cyber threat intelligence sources and possible research collaboration.