The Democratic National Committee (DNC) breach was a high-profile cyber attack in recent history. Years later, the cybersecurity community can still benefit from insights and actionable intelligence relevant to the attack. In line with this, WhoisXML API threat researcher Dancho Danchev dove deep into the DNS system intrusion using publicly available indicators of compromise (IoCs). We further enriched his findings, allowing us to uncover:

• 11,000+ IoCs and artifacts known to be involved in the breach
• 13 unredacted email addresses known to be involved in the campaign
• More than 50% of the IoCs and artifacts still actively resolve to web pages as of 26 August 2022
• Dozens of these properties have been flagged as malicious despite their connection to the campaign

A sample of the additional artifacts obtained from our analysis is available for download from our website.

Mapping the Malicious Infrastructure of the DNC System Intrusion

Danchev’s investigation began with 103 cyber resources tagged as IoCs in the DNC breach, consisting of seven IP addresses, 83 domains and subdomains, and 13 email addresses. Reverse IP API revealed that the IP addresses no longer resolved to live properties, but 12 domains still actively resolved to IP addresses as of 29 August 2022.

On the other hand, the email addresses known to have been involved in the campaign have been used to register more than 10,000 domains, giving us an infrastructure comprising 11,048 IoCs and related artifacts. We looked at these properties under our DNS microscope. Details of our findings are below.

Most Used Domain and IP Administrators

About 30% of the digital properties in the study were registered with Gname.com Pte. Ltd., a Singapore-based domain registrar. GoDaddy and DropCatch followed with 12% and 7%, respectively. The rest of the top 10 registrars are shown in the chart below.

On the other hand, the largest concentration of resolving properties pointed to EGI Hosting as the Internet service provider (ISP). The other ISPs that made up the top 10 were Google, Peg Tech, Eonix, Cloudflare, Cnservers, Cogent Communications, Multacom Corporation, Leaseweb, and Federal Online Group. The chart below shows the ISP distribution.

Location of the Cyber Resources

We looked at two types of locations for the digital properties involved in the DNC breach. Through Bulk IP API, we discovered that more than a quarter of the resolving properties were geolocated in the U.S.

However, the domain registrations mostly came from China (59.9%). Only about 30.6% were registered in the U.S.

Malicious Web Properties

We also aimed to determine how these properties were represented in malware detection engines. Out of over 10,000 domains connected to the campaign via registrant email addresses, only 80 were reported as malicious. Only one of the initial IoCs was flagged as malicious.

Content of Resolving Properties

As previously mentioned, more than half of the artifacts and a dozen IoCs still had active resolutions. While most of them were parked, several hosted adult and gambling content. We also found quite a few with, or redirecting to, news-related content and mentioning the domains themselves had expired and were available for sale again. Below are some examples.

Other properties hosted or redirected to suspicious pages that could potentially serve as vehicles for credential theft, such as the following:

We have expanded 100 publicly available DNC breach IoCs and uncovered more than 10,000 artifacts by looking at DNS and WHOIS connections.

If you wish to perform a similar investigation or get access to the full data behind this research, please don’t hesitate to contact us.