lab52

The threat intelligence division of S2 Grupo

NATO Summit 2022: The perfect pretext to launch a cybercampaign

July 06, 2022

S2Grupo’s Threat Hunting team has carried out an investigation, on the occasion of the NATO summit held in Madrid on June 29th and 30th, into possible APT group campaigns that could have targeted this event.

Along these lines, we investigated domains whose names contain any of the keywords provided by the Lab52 cyberintelligence team, and contextualized them with WHOIS information.

The graph below shows the time distribution of domain name creation and the keywords used in the names; the 15 most used keywords are shown. The time frame represented runs from April 1st to June 22nd.

Figure 1. Domain names registered between April 1st and June 22nd

The first thing to note is the shape of the graph. The lower peaks correspond to Saturdays and Sundays of each week. The most logical explanation for this phenomenon is simply that fewer domains are registered on weekends.

Keyword nato

The second most used keyword in the SLD of the domains detected between April 1st and June 22nd is nato. In the graph below, two peaks of domain registration can be observed, corresponding to April 11th and April 25th.

Figure 2. Domains registered between April 1st and June 22nd with the keyword nato

When investigating these results, it turns out that none of the 42 domains registered on April 11th containing nato in their SLD seem to be related to the North Atlantic Treaty Organization.

chinatownone[.]com, didonatoroberto[.]com
doctoranatomy[.]com, donatoelectroshop[.]com
etnatoys[.]com, fascinators[.]info
genatonerscanner[.]com, guidedanatomy[.]com
hnsartesanato[.]com, homecareexterminators[.]com
Figure 3. Examples of domains registered on April 11th with the keyword nato in their SLD

As for the peak on April 25th, several patterns have been observed in the registered domains:

  • Domains with the word anatomy:

There are 22 domains containing the word anatomy. All of them were registered through the same registrar, Ascio Technologies, Inc. Danmark, and all of them were registered in Norway. In addition, the word leader is recurrent among these domain names.

Figure 4. Registrars of the domains that contain the word anatomy in their SLD

  • Domains registered by NameCheap, Inc:

A large part of the domains registered on May 25th that have nato in their SLD were registered by NameCheap, Inc.

Figure 5. Registrars of the domains registered on May 25th that have nato in their SLD

A closer look at these domains shows that they were registered in the United States and Iceland.

Figure 6. Registrant’s country of the domains registered on May 25th that have nato in their SLD

The domains registered in Iceland do not appear to be related to one another or to follow any pattern.

ajinatoto[.]online
anatomyofguitartone[.]marketing
cltvedbugexterminator[.]com
thetubinator[.]com
Figure 7. Examples of domains registered in Iceland on April 25th with the keyword nato in their SLD

However, those registered in the United States do appear to be related to each other, and all of them seem to refer to the North Atlantic Treaty Organization. These domains appear to be intended to masquerade as legitimate domains of the organization. All of them are shown below.

actnato[.]com, brandnato[.]com, econato[.]com, fnato[.]com
freenato[.]com, gamenato[.]com, historynato[.]com, insidenato[.]com
natobank[.]com, natoblog[.]com, natoconference[.]com, natodesign[.]com
natoexpo[.]com, natofinance[.]com, natofurniture[.]com, natogames[.]com
natohealth[.]com, natointelligence[.]com, natomap[.]com, natomarket[.]com
natopartner[.]com, natophone[.]com, natopost[.]com, natopress[.]com
natoq[.]com, natosecret[.]com, natosport[.]com, natostaff[.]com
natotoday[.]com, natotravel[.]com, natoworks[.]com, netnato[.]com
Figure 8. Domains registered by NameCheap in the United States on April 25th with the keyword nato in their SLD

To avoid hits for words that merely contain the letters nato, as in the previous case of domains with the word anatomy, another approach was to search for domains whose SLD starts with nato. Domains registered by NameCheap, Inc. were excluded because they were already covered in the previous analysis. The graph shows a registration peak on June 6th.

Figure 9. Domain names registered between April 1st and June 22nd that begin with the keyword nato

Most of these domains were registered through PublicDomainRegistry in Poland. Both the SLD and the TLDs of these domains are suspicious, and the domains appear to be malicious.

natofrontline[.]com, natofrontline[.]info
natofrontline[.]net, natofrontline[.]online
natofrontline[.]site, natofrontline[.]store
natofrontline[.]tech, natofrontline[.]website
Figure 10. Domains registered by PublicDomainRegistry in Poland on June 6th with the keyword nato at the beginning of their SLD
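As an added example, not Lab52's own tooling, the following Python sketch reproduces the two keyword searches described in this section: the substring match that also pulls in anatomy and exterminators, and the stricter prefix match that drops them, together with the registrar and registrant-country breakdown the post reports. The records below are constructed sample data (a few domains from the post plus made-up registrar and country fields), not output of the investigation.

```python
"""Keyword hunt over newly registered domains, in the style of this post."""
from collections import Counter

# Constructed sample records: (defanged domain, registrar, registrant country).
# Registrar strings and countries are assumptions for illustration only.
SAMPLE_RECORDS = [
    ("natoconference[.]com", "NameCheap, Inc.", "US"),
    ("natosecret[.]com", "NameCheap, Inc.", "US"),
    ("natofrontline[.]tech", "PublicDomainRegistry", "PL"),
    ("guidedanatomy[.]com", "Ascio Technologies, Inc. Danmark", "NO"),
    ("homecareexterminators[.]com", "Example Registrar", "US"),
    ("thetubinator[.]com", "NameCheap, Inc.", "IS"),
]

def sld(domain):
    """Second-level label of a defanged or plain domain.
    Assumes a single-label TLD (com, tech, ...), which holds for the
    examples in the post; multi-label suffixes such as co.uk would need
    a public-suffix list."""
    labels = domain.replace("[.]", ".").lower().split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]

def matches(domain, keyword, mode="contains"):
    """mode='contains' is the first, noisy search: any SLD containing the
    letters of the keyword hits, so anatomy and exterminators match 'nato'.
    mode='prefix' is the refinement from the post: the SLD must start with
    the keyword, which removes those false positives."""
    label = sld(domain)
    if mode == "prefix":
        return label.startswith(keyword)
    return keyword in label

def hunt(records, keyword, mode="contains"):
    """Return the matching domains and the percentage share of each
    registrar and registrant country among the hits."""
    hits = [r for r in records if matches(r[0], keyword, mode)]
    total = len(hits) or 1  # avoid division by zero when nothing matches
    registrars = {k: round(100 * v / total, 2)
                  for k, v in Counter(r[1] for r in hits).items()}
    countries = {k: round(100 * v / total, 2)
                 for k, v in Counter(r[2] for r in hits).items()}
    return [r[0] for r in hits], registrars, countries

if __name__ == "__main__":
    for mode in ("contains", "prefix"):
        domains, by_registrar, by_country = hunt(SAMPLE_RECORDS, "nato", mode)
        print(mode, domains, by_registrar, by_country)
```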

Keyword otan

After analysing the domains containing the keyword otan, no relation to NATO could be established, with the possible exception of two domains: otan[.]info and fuckotan[.]com.

Keyword summit

The graph below represents the time distribution of domain registration with the word summit in the SLD. Several peaks of domain registration can be seen.

Figure 11. Domain names registered between April 1st and June 22nd with the keyword summit

Most of the domains in the three peaks were registered by GoDaddy.com (55.72%) and in the United States (68.47%).

Figure 12. Domain registrars
Figure 13. Registrant’s country

Analysis of these domains leads to the conclusion that they are likely to be used for fraudulent activities. The SLDs were probably chosen to catch the victim's attention and lure them into visiting the domain. Some examples are shown below.

newworldleadershipsummit[.]com, theworkplacesummit[.]com
blockchain-one-to-one-summits[.]com, audisummitforprogress[.]com
beautyrichsummit[.]com, biotech-summit[.]com
chemical-recycling-summit[.]com, globalmanufacturingsummit[.]org
munich-newspace-summit[.]org, womensinclusionsummit[.]org
Figure 14. Examples of suspicious domains

Therefore, this research leads us to conclude that most of the domains identified as suspicious during the analysis will be used for malicious purposes, either as part of command and control infrastructure or in disinformation campaigns. There is no doubt that the NATO summit held in Madrid during the last week of June has been used as a pretext for cybercriminal purposes.

Arubaro
