Inside Cyber Warfare - Jeffrey Carr [83]
Unfortunately, there are a number of companies that regard lax registration as a fair trade-off for an increase in sales revenue. This is a critical part of the puzzle for criminal enterprises operating on the Internet.

In other cases, domains are registered with stolen data. In one case that was reported to me, the stolen data was from a US serviceman deployed in Iraq. When he returned to the United States at the end of his tour, he was contacted by his service’s investigative division in reference to his “terrorist” website. The investigation was dropped once it was determined that his identity had been stolen and used to register the domain name; however, that determination didn’t happen in a timely manner and caused quite a bit of consternation on the part of the serviceman and his family.

Nevertheless, checking WHOIS registrations does provide another link in the evidence chain. Sometimes mistakes are made and actual government websites are used as the identifying data (e.g., GhostNet). This is rare, but it does happen. Part of any OSINT investigation is looking for the small oversights that even the most careful individuals make from time to time.

The Cambridge University investigation of the Chinese espionage operation against the Office of His Holiness the Dalai Lama (OHHDL) underscores the value of checking WHOIS data:

During our initial network monitoring exercise, we observed sensitive files being transferred out of the OHHDL using a modified HTTP protocol: the malware picked up files from local disks and sent them to three servers which, according to APNIC, were in China’s Sichuan province, using a custom protocol based on HTTP. The malware uses HTTP GET and HTTP POST messages to transfer files out and also appears to verify successful transmission. Sichuan, by the way, is the location of the Chinese intelligence unit specifically tasked with monitoring the OHHDL.

NOTE

WHOIS information can be checked with numerous free online Internet toolkits, such as http://www.dnsstuff.com, http://www.robtex.com, http://www.demon.net/external/, and http://www.whois.sc, simply by entering either a domain name (sans the “www”) or an IP address.

Caveats to Using WHOIS
There are numerous caveats to using WHOIS in an investigation.

The registration information for a cyber warfare, extremist, or hacker website will most likely be stolen, fraudulent, or garbled. Even legitimate registrants may elect to use a privacy service to mask their WHOIS information.

Another caveat is that multiple websites may be hosted on the same server and yet have nothing to do with one another.

In spite of these issues, an investigation into WHOIS information still may provide pieces of a larger puzzle. The following are some tips that might prove useful when investigating other attack platforms similar to StopGeorgia.ru that engage in cross-border cyber attacks:

If the data is clearly fraudulent (garbled or nonsensical name and address info), it is not a legitimate site.

If the data appears to be legitimate but a web search on the name and email address shows it was used to register numerous blacklisted websites, then again, it is not a legitimate site.

If, as in the case of Innovative IT Solutions Corporation (the hosting company for the StopGeorgia.ru domain), the data is accurate, the next step is to perform a web search on the business address.

If multiple businesses are registered at the same address, it is most likely a mailbox rental facility, and chances are the business is a front for other purposes.

If the business location is adjacent to a government office or, even better, a Ministry of Defense office (as was the case with Steadyhost.ru in Chapter 7), you have secured another piece of the investigative puzzle.
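As an added illustration that is not from the book, the tips above can be reduced to a triage pass over a set of WHOIS registrant records. The records, domains, blacklist and the "no vowels" garbling heuristic below are constructed assumptions for the example; the shared-address check stands in for the manual web search on a business address.

```python
import re
from collections import defaultdict

VOWELS = set("aeiouy")
PRIVACY_MARKERS = ("privacy", "proxy", "redacted", "whoisguard")

def rec(domain, name, email, address, org=""):
    return {"domain": domain, "name": name, "email": email, "address": address, "org": org}

# Constructed WHOIS registrant records; none of these are real registrations.
RECORDS = [
    rec("attackhub.test", "Qwrtzx Plmnk", "q@mail.test", "Zxcvb 12"),
    rec("bp-a.test", "John Smith", "spam@mail.test", "5 High St, Anytown"),
    rec("bp-b.test", "John Smith", "spam@mail.test", "5 High St, Anytown"),
    rec("hoster.test", "Acme Hosting LLC", "admin@acme.test", "10 Depot Rd, Capital City", "Acme Hosting LLC"),
    rec("trader.test", "Beta Trading Ltd", "info@beta.test", "10 Depot Rd, Capital City", "Beta Trading Ltd"),
    rec("masked.test", "REDACTED FOR PRIVACY", "proxy@privacy.test", "Privacy Service"),
]
BLACKLIST = {"bp-a.test", "bp-b.test"}  # constructed; stands in for a reputation feed

def looks_garbled(text):
    """Heuristic (assumption): a word of four or more letters with no vowel reads as keyboard mashing."""
    words = re.findall(r"[A-Za-z]+", text)
    return not words or any(len(w) >= 4 and not (set(w.lower()) & VOWELS) for w in words)

def is_privacy_masked(rec):
    blob = " ".join(rec.values()).lower()
    return any(m in blob for m in PRIVACY_MARKERS)

def triage(records, blacklist, min_shared=2):
    """Apply the WHOIS tips in order; returns {domain: finding or None}."""
    by_email, by_address = defaultdict(set), defaultdict(set)
    for r in records:
        by_email[r["email"].lower()].add(r["domain"])
        if r["org"]:  # only named businesses count toward the shared-address check
            by_address[r["address"].lower()].add(r["org"])
    out = {}
    for r in records:
        if is_privacy_masked(r):
            out[r["domain"]] = "privacy-masked: registrant fields carry no evidence"
        elif looks_garbled(r["name"]) or looks_garbled(r["address"]):
            out[r["domain"]] = "fraudulent: garbled name or address"
        elif len(by_email[r["email"].lower()] & blacklist) >= min_shared:
            out[r["domain"]] = "fraudulent: same email on multiple blacklisted sites"
        elif len(by_address[r["address"].lower()]) > 1:
            out[r["domain"]] = "possible front: several businesses share this address"
        else:
            out[r["domain"]] = None
    return out
```

A hit on the address check is only a lead; as the chapter says, unrelated businesses can legitimately share a mailbox facility, so it earns a closer look rather than a conclusion.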

Chapter 10. Weaponizing Malware

A New Threat Landscape
There are so many emerging threats to computer networks that a detailed overview of them is beyond the scope of this book. Instead, this chapter addresses various modes of attack that have been used in cyber warfare and espionage, as well as
