Cyber espionage group Cloud Atlas has been training its sights on critical infrastructure operators in countries suffering from political conflict since its discovery in 2014. Aptly nicknamed “Inception,” the group’s tactic of going after nations with bigger problems than cybersecurity seems to be working, as evidenced by successful intrusions over the years.
Check Point Research (CPR) publicized the following indicators of compromise (IoCs), specifically eight domains and two IP addresses, to help potential targets avoid succumbing to data breaches. These IoCs are:
WhoisXML API researchers found additional artifacts that could help with that effort, including:
A sample of the additional artifacts obtained from our analysis is available for download from our website.
Our closer look into the IoCs began with a bulk WHOIS lookup that revealed the following:
IP geolocation lookups for the IP addresses identified as IoCs, on the other hand, showed they didn’t share any similarity. 185[.]227[.]82[.]21 was geolocated in the Netherlands with Access2.IT Group B.V. as ISP while 146[.]70[.]88[.]123 was located in France under M247 Europe SRL. Both are also considered nonmalicious but their connection to Cloud Atlas probably merits strict monitoring at the very least for signs of suspicious activity.
Given Cloud Atlas’s success so far in infiltrating target networks and the fact that it trains its sights on critical infrastructure operators, we sought to expand the current list of IoCs to enable potential future targets to mitigate the threat.
To obtain as many potentially connected artifacts as possible, we first subjected the domain IoCs to DNS lookups, which led to the discovery of eight IP addresses. The bulk IP geolocation lookup revealed that 5[.]135[.]199[.]19 shared the same origin country—France—as the IoC 146[.]70[.]88[.]123. The rest were scattered across four other countries as the map below shows.
While none of the artifacts are detected as malicious, closer scrutiny of the IP addresses revealed they all had Secure Sockets Layer (SSL) misconfigurations.
Next, reverse IP lookups for the two IP address IoCs and seven additional artifacts provided a list of 324 domains. Of these, two were found malicious—lucid-banzai[.]104-219-233-120[.]plesk[.]page and www[.]lucid-banzai[.]104-219-233-120[.]plesk[.]page.
We also noticed unique strings among the domain IoCs and used these to look for more potential connections via Domains & Subdomains Discovery:
Our inquiry uncovered 1,519 additional domains that can be considered artifacts. Fortunately, for now, only one—solutionefordriversandrestornow[.]online—is considered malicious by malware engines we queried. Examples of artifacts that resembled the IoCs most—they just used different top-level domain (TLD) extensions—include:
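The three pivots described above (domain IoCs to IP addresses, IP addresses to co-hosted domains, and distinctive strings to lookalike domains on other TLDs) can be reproduced offline against any passive DNS export. The script below is an added example written for this article, not WhoisXML API’s or CPR’s code, and it assumes a constructed set of resolution records, candidate domains and malware-engine verdicts standing in for the DNS, reverse IP, domain-discovery and reputation lookups the research used. The `registrable_label` helper is a deliberate simplification that ignores the public suffix list.

```python
"""IoC expansion by DNS pivoting (added example, constructed data only).

Step 1: forward-resolve domain IoCs to IP addresses.
Step 2: reverse-resolve every IP (IoCs plus new ones) to co-hosted domains.
Step 3: hunt for lookalike domains reusing a distinctive string under another TLD.
Every artifact is then checked against a reputation verdict table.
"""
import re

DEFANG_RE = re.compile(r"\[\.\]")


def refang(indicator: str) -> str:
    """Turn 'a[.]b' back into 'a.b' so it can be matched against DNS data."""
    return DEFANG_RE.sub(".", indicator)


def defang(indicator: str) -> str:
    """Render an indicator safely for a report ('a.b' -> 'a[.]b')."""
    return indicator.replace(".", "[.]")


# Constructed passive-DNS style records (domain, IP); hypothetical values only.
PDNS_RECORDS = [
    ("docs-update.example", "203.0.113.10"),
    ("secure-mail-login.example", "203.0.113.10"),
    ("secure-mail-login.example", "198.51.100.7"),
    ("unrelated-shop.example", "198.51.100.7"),
    ("blog.unrelated-shop.example", "198.51.100.7"),
    ("cdn-static.example", "192.0.2.44"),
]

# Constructed candidate list, standing in for a domain-discovery query result.
CANDIDATE_DOMAINS = [
    "docs-update.test", "docs-update.invalid", "secure-mail-login.test",
    "docsupdate-news.example", "mail-login.example", "cdn-static.test",
]

# Constructed malware-engine verdicts; anything absent is treated as clean.
MALICIOUS = {"unrelated-shop.example": "malware", "docs-update.invalid": "phishing"}


def forward_lookup(domain, records):
    """All IPs a domain resolved to (DNS lookup pivot)."""
    return {ip for d, ip in records if d == domain}


def reverse_lookup(ip, records):
    """All domains that resolved to an IP (reverse IP pivot)."""
    return {d for d, i in records if i == ip}


def registrable_label(domain):
    """Second-level label, e.g. 'docs-update' for 'blog.docs-update.example'.
    Simplification: assumes a single-label TLD, no public suffix list."""
    return domain.split(".")[-2]


def unique_strings(domains):
    """Distinctive strings to search for, one per domain IoC."""
    return {registrable_label(d) for d in domains}


def find_lookalikes(strings, candidates, known):
    """Candidates that share a registrable label with an IoC but are not yet known."""
    return {c for c in candidates if registrable_label(c) in strings and c not in known}


def expand_iocs(domain_iocs, ip_iocs, records, candidates, verdicts):
    """Run the three pivots and return new artifacts plus any flagged as malicious."""
    domains = {refang(d) for d in domain_iocs}
    ips = {refang(i) for i in ip_iocs}
    # Step 1: domain IoCs -> IP addresses not already in the IoC list.
    new_ips = set()
    for d in domains:
        new_ips |= forward_lookup(d, records)
    new_ips -= ips
    # Step 2: every IP -> co-hosted domains not already in the IoC list.
    cohosted = set()
    for ip in ips | new_ips:
        cohosted |= reverse_lookup(ip, records)
    cohosted -= domains
    # Step 3: distinctive strings -> lookalike domains on other TLDs.
    lookalikes = find_lookalikes(unique_strings(domains), candidates, domains | cohosted)
    artifacts = new_ips | cohosted | lookalikes
    flagged = {a: verdicts[a] for a in artifacts if a in verdicts}
    return {"new_ips": new_ips, "cohosted": cohosted,
            "lookalikes": lookalikes, "flagged": flagged}


if __name__ == "__main__":
    result = expand_iocs(["docs-update[.]example", "secure-mail-login[.]example"],
                         ["192[.]0[.]2[.]44"], PDNS_RECORDS, CANDIDATE_DOMAINS, MALICIOUS)
    for key, value in result.items():
        items = value.items() if isinstance(value, dict) else value
        print(key, sorted(defang(str(v)) for v in items) if not isinstance(value, dict)
              else {defang(k): v for k, v in items})
```

As in the research, most of what the pivots return is not malicious: a co-hosted domain on shared hosting (here `cdn-static.example`) is only an artifact worth monitoring, not evidence of compromise, so the verdict table is what separates the two flagged domains from the rest of the eight artifacts the run produces.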
The IoC expansion analysis uncovered 1,850 additional Cloud Atlas artifacts, including three malicious domains, that could put potential targets and other organizations at risk should they land on the sites these web properties hosted. Without the help of IP, DNS, and WHOIS intelligence, we wouldn’t have been able to find these connections.
If you wish to perform a similar investigation or get access to the full data behind this research, please don’t hesitate to contact us.