From Nigerian Scams to DNC Hack Attribution – Part 1

In Crowdstrike’s original announcement that “Russia” had hacked the DNC, Dmitri Alperovitch said, on the one hand, that the “tradecraft” of the hackers was “superb” and their “operational security second none” and, on the other hand, that Crowdstrike had “immediately identified” the “sophisticated adversaries”.  In contrast, after three years of investigation of Climategate, UK counter-intelligence had been unable to pin down even whether the hacker was a lone motivated individual or organized foreign intelligence service.  Mr FOIA of Climategate subsequently emailed several bloggers, including myself, stating that he was a lone individual outside the UK who was a keen reader of Climate Audit and WUWT – a claim that I accept and which is consistent with my own prior interpretation of Climategate data and metadata.
I draw the contrast to draw attention to the facial absurdity of Crowdstrike’s claim that the tradecraft of the DNC hackers was “superb” – how could it be “superb” if Crowdstrike was immediately able to attribute them?
In fact, when one looks more deeply into the issue, it would be more accurate to say that the clues left by the DNC hackers to their “Russian” identity were so obvious as to qualify for inclusion in the rogue’s gallery of America’s Dumbest Criminals, criminals like the bank robber who signed his own name to the robbery demand.
To make matters even more puzzling, an identically stupid and equally provocative hack, using an identical piece of software, had been carried out against the German Bundestag in 2015.  A further common theme to the incidents is that both resulted in a dramatic deterioration of relations with Russia – between Germany and Russia in 2015 and USA and Russia in 2016-2017. Perhaps it’s time to ask “Cui bono?” and re-examine the supposedly “superb tradecraft”. I’ll begin today’s story, perhaps appropriately, with a Nigerian phishing scam. 
Nigerian Phishing Scams
By now, everyone should be aware of Nigerian phishing scams, which are almost as old as the internet.  The scammers set up websites with names resembling legitimate sites, then try to steal credentials through phishing emails. aa419.org contains a voluntary list of fake sites – the screenshot below shows only the first few entries in their list of fake “Paypal” sites.

Over the years, aa419.0rg collected whois information on fake websites. For example, their page on the fake website www.londoncitybankplc[.]com shows that its administrative contact supposedly resides on Cloverdale Lane in DeSoto, Texas and can be contacted at email adeweb2001[@]yahoo.com.

A search of their database on the contact email yields a total of registrations, the most recent of which is http://www.cbiuaebank[.]com, added to their database on May 28, 2015.

 
A search of the aa419 database on “cloverdale” resulted in 33 matches, the most recent of which are shown in the screenshot below.

The root9b Report, May 10, 2015
On May 10, 2015, root9b, a cybersecurity firm in Colorado, released a dramatic report entitled “APT28 targets financial markets: root9b releases zero day hashes”. It began by raising alarm over the “threat posed by Russian hacking groups”:

Cybersecurity experts are increasingly concerned about the threat posed by Russian hacking groups… The increase in cyber-exploits is also accompanied by a much more aggressive Russian foreign policy, which has seen them invade Ukraine and literally seize control of sovereign territory in Crimea. So it should not surprise anyone that just as nuclear capable Russian bombers are increasingly penetrating foreign airspace, their cyber-warriors appear to be ramping up their intrusions as well.

They then described how their “firm of cybersecurity experts, staffed by veterans from the United States Department of Defense” had “uncovered a global attack in the making, and took steps to protect not only our clients, but other identified victims as well”.  The adversary who they had thwarted was identified as APT28 (Crowdstrike’s Fancy Bear), who they identified as a “particularly prolific and superbly talented group of Russian hackers, which has strongly suspected ties to Russian intelligence services”.
root9B espoused a philosophy, later also promoted by Crowdstrike:

To combat threats, root9B realized that technology is not the problem. “Computers don’t attack networks. People do,” said root9B.

root9B said that, in late April 2015, while analysts were carrying out routine security analysis, they “discovered what appeared to be a targeted spearphishing domain aimed at a financial institution”, in the process discovering malware historically “unique” to APT28/Fancy Bear (Sofacy):

As analysts continued their work they discovered several more pieces of new malware. The malicious code bore specific signatures that have historically been unique to only one organization, Sofacy. This malware was pointing at a spearfishing domain registered to impersonate a Middle Eastern financial institution and the domain registration details did not match normal Sofacy operational signatures. That said, the malicious software certainly did.

root9B said that they “initially noted that one in particular, CBIUAEBANK COM, appeared to be a fake version of CBIUAE.COM, the actual domain of the website of Commercial Bank International of the United Arab Emirates.”
Root9B said that, as they analysed the metadata, they noticed a “mistake”, a “very unique signature”:

As root9B analyzed increasing amounts of metadata and associated indicators, they were able to identify a very unique signature consistently used by someone involved in setting up the hack….The discovery of the hacker’s single mistake in tradecraft was indeed a powerful catalyst, and lead to the discovery of a treasure trove of new indicators.

The “mistake” in supposedly “superb” Russian tradecraft that had been spotted by root9b was that registrants for the fake websites all used addresses on Cloverdale Lane in DeSoto, Texas:

All of the fictitious personalities list the same street address. While they change names and house numbers for them, they all reside on Cloverdale Lane in DeSoto, Texas.

root9B proclaimed that this mistake was a “a common thread which unraveled all of Sofacy’s careful preparation”. root9B listed a series of domains which were being marshaled by APT28/Fancy Bear: cbibuae[.]com, cbiuaeonline[.]c0m, etc. They also warned of other linked fake domains from other organizations including T-D-canadatrust[.]com.
In addition to the fake websites, root9b also announced the discovery of new “indicators of malware”:

In addition to identifying targets, root9B analysts also discovered indicators of malware, the analysis of which revealed several zero-day threats and their corresponding “hashes.” Each new discovery revealed more information, enabling a more complete picture to emerge.

They issued an urgent warning that “it is recommended that networks begin
blocking the following hashes [shown below] and communications with the identified Command and Control (C2) server”  176.31.112[.]10]:

As I’ll discuss in a subsequent post, the C2 server 176.31.112[.]10 turns out to have a central role in establishing “Russian” responsibility for the DNC hack, a role which has thus far not been critically examined.
The root9B report was widely publicized, including reports by Fox NewsPoliticoSC Magazine and The Hill – all of whom amplified the increasing “Russian” threat.
Krebs, May 20, 2015
The connection of root9B’s indicators of compromise to Nigerian phishing scams was almost immediately (May 20, 2015) noticed by Krebs On Security here.  Krebs stated that the only actual connection between Sofacy (APT28/Fancy Bear) and the fake bank domains was that the “fake bank domains used a domain name server previously associated with Sofacy activity: carbon2u[dot]com”. However, Krebs observed that “there is plenty of other badness unrelated to Sofacy that calls Carbon2u home for their DNS operations” and concluded that the “vast majority” of the root9B report merely documented “run-of-the-mill” Nigerian scamming:

From what I can tell, the vast majority of the report documents activity stemming from Nigerian scammers who have been conducting run-of-the-mill bank phishing scams for almost a decade now and have left quite a trail.

Krebs observed that the

most of the wordage in this report from root9B discusses fake domains registered to a handful of email addresses, including “adeweb2001@yahoo.com,” adeweb2007@yahoo.com,” and “rolexzad@yahoo.com”.
Each of these emails have long been associated with phishing sites erected by apparent Nigerian scammers. They are tied to this Facebook profile for a Showunmi Oluwaseun, who lists his job as CEO of a rather fishy-sounding organization called Rolexzad Fishery Nig. Ltd
The domain rolexad[dot]com was flagged as early as 2008 by aa419.org, a volunteer group that seeks to shut down phishing sites — particularly those emanating from Nigerian scammers (hence the reference to the Nigerian criminal code 419, which outlaws various confidence scams and frauds). That domain also references the above-mentioned email addresses. Here’s another phishy bank domain registered by this same scammer, dating all the way back to 2005!

The presently online version of the root9B report does not mention any of these email addresses – I presume that the root9B report has been altered.  The “phishy bank domain” linked by Krebs is the fake website www.londoncitybankplc[.]com discussed above.  In addition to the associations between fake websites arising from registrar email addresses mentioned by Krebs, there is the association between fake Nigerian websites arising from “Cloverdale Lane”, the supposed centerpiece of the root9B analysis.
 
Krebs interviewed Jaime Blasco, the chief scientist at Alien Vault, an authority on APT28/Sofacy, who confirmed Krebs’ opinion that the research was “very poor”. Blasco opined that the document seemed more like a “marketing report” seeking “media coverage”:

Actually, there isn’t a link between what root9B published and Sofacy activity,” he said. “The only link is there was a DNS server that was used by a Sofacy domain and the banking stuff root9B published. It doesn’t mean they are related by any means. I’m really surprised that it got a lot of media attention due to the poor research they did, and [their use] of [terms] like ‘zeroday hashes’ in the report really blew my mind. Apart from that it really looks like a ‘marketing report/we want media coverage asap,’ since days after that report they published their Q1 financial results and probably that increased the value of their penny stocks.”

root9B Postscript
On June 15, pseudonymous Pump Stopper wrote a savage investor review of root9b, stating that it had no valid technology or business, had an “unsustainable valuation of $140m+”  and a “-82.5% downside”.  Pump Stopper under-estimated root9B’s downside: its current market capitalization is now down to $5 million and, at present cash burn, is insolvent.
On January 4, 2016, a class action lawsuit was filed against root9B by investors who alleged that root9B’s officers and directors had made material misrepresentations, including false claims to have detected a ” sophisticated state-sponsored Russian hacking attack”. (The lawsuit cited both the original report and Krebs’ analysis at length.)

The misrepresentations were false because, according to the Company’s own reports filed in 2015, it did not sell “proprietary” hardware and software but was a reseller of another company’s product. Further, root9B did not detect a sophisticated state-sponsored Russian hacking attack but rather a routine “phishing” scheme operated by Nigerian scammers. Defendants Grano and Smith were fully aware of the non-proprietary nature of the hardware sold by root9B as well as the actual details of the hacking attack attributed to Sofacy/APT28 yet nonetheless made the misrepresentations to the public.

root9B raised $11.4 million in stock offerings in first quarter 2015. This is a fraction of Crowdstrike’s money raising and valuation: it’s raised $256 million and was valued at just under $1 billion in May 2017.
Next Post
In the next post in this story, I’ll follow the story of the C2 malware indicator (176.31.112[.]10]) discovered by root9B in their unwitting investigation of Nigerian bank scams.

Source