
Profiling Russia's U.S Election Interference 2016 - An OSINT Analysis

January 27, 2022


Note: This OSINT analysis was originally published on my current employer's Web site, https://whoisxmlapi.com, where I have been acting as a DNS Threat Researcher since January 2021.

We’ve decided to take a closer look at the U.S Election 2016 interference, carried out through several spear-phishing and malicious campaigns attributed to Russia, in order to offer actionable threat intelligence, including possible attribution clues for some of the known participants in this campaign, that may assist fellow researchers and Law Enforcement in tracking down and prosecuting the cybercriminals behind these campaigns.

In this analysis we’ll take a closer look at the Internet-connected infrastructure behind the U.S Election 2016 campaign in terms of malicious activity and offer practical, relevant, and actionable threat intelligence on its whereabouts.

Sample malicious and fraudulent C&C domains known to have participated in the U.S Elections 2016 campaign:


Related malicious and fraudulent emails known to have participated in the U.S Elections 2016 campaign:


Sample related email known to have participated in the U.S Elections 2016 campaign:

jack2020@outlook[.]com

Sample Maltego graph of a malicious and fraudulent domain registrant known to have participated in the U.S Election 2016 campaign (image not reproduced here):

Sample related domains known to have participated in the U.S Elections 2016 campaign:


We’ll continue monitoring the campaign and post updates as soon as new developments take place.

Stay tuned!


Exposing GRU's Involvement in U.S Election Interference - 2016 - An OSINT Analysis

March 06, 2021

Dear blog readers,

Continuing the "FBI's Most Wanted Cybercriminals" series, I've decided to share some of the actionable intelligence that I have on GRU's involvement in the 2016 U.S Election interference, with the aim of assisting U.S Law Enforcement and the U.S Intelligence Community in tracking down and prosecuting the cybercriminals behind these campaigns.

In this post I'll share actionable intelligence, including an in-depth discussion of the tactics, techniques, and procedures of the cybercriminals behind these campaigns.

Sample personal emails involved in the campaign:

dirbinsaabol@mail.com

hi.mymail@yandex.com

Sample domains known to have been involved in the campaign:


Sample IPs known to have been involved in the campaign:


Sample names involved in the campaign:

Mike Long

Ward DeClaur

Daniel Farrell

Jason Scott

Richard Gingrey

Alice Donovan

Den Katenberg

Yuliana Martynova

Karen W. Millen

James McMorgans

Kate S. Milton

Stay tuned!


How to Win the U.S Elections

July 05, 2006
The days of juicy barbecues, hugging babies, and, in between, offering and asking for the Moon are over. E-voting is the future of technological political engineering. So, how can you win the U.S Elections?

01. Ensure one company holds a virtual monopoly in E-voting systems, thus contributing to yet another monocultural insecurity. If it naturally has some competition, insist its systems are placed in key regions, where barbecues wouldn't work.

02. Start a nation-wide PR campaign emphasizing the benefits of E-voting. Mention that it's innovative, that it's going to cut costs while providing you with flexibility, the way it provides flexibility to citizens abroad, and also emphasize the increased speed of the results.

03. Make sure the rural areas, where the masses of technologically unsophisticated citizens live, are the ones taking advantage of this immature concept. The point is that, even if there's an error, they have no chance of identifying it.

04. If something "goes wrong", shift all the responsibility to the virtual monopolist, and promise precautions against future possibilities for modifying the results -- anyway, sorry folks, the elections are over, so till next time keep on speculating about what actually happened.

Meanwhile, on the other side of the universe, where we should perhaps thank Jesus for coming up with more colours in life than black and white only, I stumbled upon the Unredacted Diebold Black Box Voting Hack Reports, with quite some disturbing images. Make sure the efficiency that you wish for doesn't actually happen. A friend also tipped me off about this quite longish report on the topic, and didn't forget to warn me to remove my 3D glasses before reading it either.

UPDATE : Interesting political reading related to veto power.

Clippy votes courtesy of the EFF.