{"id":1559,"date":"2022-07-06T12:00:00","date_gmt":"2022-07-06T10:00:00","guid":{"rendered":"https:\/\/lab52.io\/blog\/?p=1559"},"modified":"2022-07-06T12:01:38","modified_gmt":"2022-07-06T10:01:38","slug":"nato-summit-2022-the-perfect-pretext-to-launch-a-cybercampaign","status":"publish","type":"post","link":"https:\/\/lab52.io\/blog\/nato-summit-2022-the-perfect-pretext-to-launch-a-cybercampaign\/","title":{"rendered":"NATO Summit 2022: The perfect pretext to launch a cybercampaign"},"content":{"rendered":"\n

S2Grupo’s Threat Hunting team has carried out an investigation on the occasion of the NATO summit held in Madrid on June 29th and 30th on possible APT group campaigns that could have targeted this event.<\/p>\n\n\n\n

In this line, we have investigated those domains that had as part of the name any of the keywords provided by the Lab52 cyberintelligence team. In addition, they have been contextualized through WHOIS information.<\/p>\n\n\n\n

The graph below represents the time distribution of domain name creation and the keywords used in their name. The 15 most used keywords are shown. The time frame represented goes frome April 1st toJune 22nd.<\/p>\n\n\n\n

\"\"
Figure 1. Domain names registered between April 1st and June 22nd<\/figcaption><\/figure>\n\n\n\n

The first thing to note is the shape of the graph. The lower peaks correspond to Saturdays and Sundays of each week. The most logical explanation for this phenomenon is simply that fewer domains are registered on weekends.<\/p>\n\n\n\n

Keyword <\/strong>nato<\/strong><\/em><\/p>\n\n\n\n

The second most used keyword in the SLD of the domains detected between April 1st and June 22nd is nato<\/em>. In the graph below two peaks of domain registration can be observed. These peaks correspond to the dates April 11th and April 25th.<\/p>\n\n\n\n

\"\"
Figure 2. Domains registered between April 1st and June 22nd with the keyword nato<\/figcaption><\/figure>\n\n\n\n

When investigating these results, the following is found, none of the 42 domains registered on April 11th containing nato<\/em> in their SLD seem to be related to the North Atlantic Treaty Organization.<\/p>\n\n\n\n

chinatownone[.]com<\/td>didonatoroberto[.]com<\/td><\/tr>
doctoranatomy[.]com<\/td>donatoelectroshop[.]com<\/td><\/tr>
etnatoys[.]com<\/td>fascinators[.]info<\/td><\/tr>
genatonerscanner[.]com<\/td>guidedanatomy[.]com<\/td><\/tr>
hnsartesanato[.]com<\/td>homecareexterminators[.]com<\/td><\/tr><\/tbody><\/table>
Figure 3. Examples of domains registered on April 11th with the keyword nato in their SLD<\/em><\/figcaption><\/figure>\n\n\n\n

As for the peak on April 25th, several patterns have been observed in the registered domains:<\/p>\n\n\n\n

  • Domains with the word anatomy<\/em>:<\/li><\/ul>\n\n\n\n

    There are 22 domains containing the word anatomy<\/em>. They were registered by the same company, Ascio Technologies, Inc. Danmark and all of them registered in Norway. In addition, the word leader<\/em> seems to be recurrent among these domain names.<\/p>\n\n\n\n

    \"\"
    Figure 4. Registrars of the domains that contain the word anatomy in their SLD<\/figcaption><\/figure>\n\n\n\n
    • Domains registered by NameCheap, Inc<\/em>:<\/li><\/ul>\n\n\n\n

      A large part of the domains registered on May 25th that have nato<\/em> in their SLD were registered by NameCheap, Inc.<\/p>\n\n\n\n

      \"\"
      Figure 5. Registrars of the domains registered on May 25<\/em>th that have nato<\/em> in their SLD<\/figcaption><\/figure>\n\n\n\n

      A closer look at these domains shows that they were registered in the United States and Iceland.<\/p>\n\n\n\n

      \"\"
      Figure 6. Registrant’s country of the domains registered on May 25th that have nato in their SLD<\/figcaption><\/figure>\n\n\n\n

      The domains registered in Iceland do not appear to be related or follow a pattern.<\/p>\n\n\n\n

      ajinatoto[.]online<\/td><\/tr>
      anatomyofguitartone[.]marketing<\/td><\/tr>
      cltvedbugexterminator[.]com<\/td><\/tr>
      thetubinator[.]com<\/td><\/tr><\/tbody><\/table>
      Figure 7. Examples of domains registered in Iceland<\/em> on April 25th with the keyword nato in their SLD<\/em><\/figcaption><\/figure>\n\n\n\n

      However, those that were registered in the United States do appear to be related to each other. Moreover, they all seem to refer to the North Atlantic Treaty Organization. In a way, it seems that these domains are intended to masquerade as legitimate domains of the organization. All the domains are shown below.<\/p>\n\n\n\n

      actnato[.]com<\/td>brandnato[.]com<\/td>econato[.]com<\/td>fnato[.]com<\/td><\/tr>
      freenato[.]com<\/td>gamenato[.]com<\/td>historynato[.]com<\/td>insidenato[.]com<\/td><\/tr>
      natobank[.]com<\/td>natoblog[.]com<\/td>natoconference[.]com<\/td>natodesign[.]com<\/td><\/tr>
      natoexpo[.]com<\/td>natofinance[.]com<\/td>natofurniture[.]com<\/td>natogames[.]com<\/td><\/tr>
      natohealth[.]com<\/td>natointelligence[.]com<\/td>natomap[.]com<\/td>natomarket[.]com<\/td><\/tr>
      natopartner[.]com<\/td>natophone[.]com<\/td>natopost[.]com<\/td>natopress[.]com<\/td><\/tr>
      natoq[.]com<\/td>natosecret[.]com<\/td>natosport[.]com<\/td>natostaff[.]com<\/td><\/tr>
      natotoday[.]com<\/td>natotravel[.]com<\/td>natoworks[.]com<\/td>netnato[.]com<\/td><\/tr><\/tbody><\/table>
      Figure 8. Domains registered by NameCheap in the United States on April 25th with the keyword nato in its SLD<\/em><\/figcaption><\/figure>\n\n\n\n

      To avoid results for words containing the letters nato<\/em> as in the previous case of domains with the word anatomy<\/em>, another approach was to search for domains starting with the word nato. Those domains registered by NameCheap, Inc. have been excluded because they have been collected in the previous analysis. The graph shows a peak registration on June 6th.<\/p>\n\n\n\n

      \"\"
      Figure 9. Domain names registered between April 1st and June 22nd that begin with the keyword nato<\/figcaption><\/figure>\n\n\n\n

      Most of these domains were registered by PublicDomainRegistry in Poland. Both the SLD and TLD of these domains are suspicious and appear to be malicious.<\/p>\n\n\n\n

      natofrontline[.]com<\/td>natofrontline[.]info<\/td><\/tr>
      natofrontline[.]net<\/td>natofrontline[.]online<\/td><\/tr>
      natofrontline[.]site<\/td>natofrontline[.]store<\/td><\/tr>
      natofrontline[.]tech<\/td>website<\/td><\/tr><\/tbody><\/table>
      Figure 10. Domains registered by PublicDomainRegistry in Poland on June 6th with the keyword nato at the begining of their SLD<\/em><\/figcaption><\/figure>\n\n\n\n

      Keyword <\/strong>otan<\/strong><\/em><\/p>\n\n\n\n

      After analysing the domains containing the keyword otan<\/em>, any relation to NATO has been ruled out. Only two domains have been found that could be related: otan[.]info<\/em> and fuckotan[.]com<\/em>.<\/p>\n\n\n\n

      Keyword <\/strong>summit<\/strong><\/em><\/p>\n\n\n\n

      The graph below represents the time distribution of domain registration with the word summit<\/em> in the SLD. Several peaks of domain registration can be seen.<\/p>\n\n\n\n

      \"\"
      Figure 11. Domain names registered between April 1st and June 22nd with the keyword summit<\/em><\/figcaption><\/figure>\n\n\n\n

      Most of the domains in the three peaks were registered by GoDaddy.com (55.72%) and in the United States (68.47%).<\/p>\n\n\n\n

      \"\"
      Figure 12. Domain registrars<\/figcaption><\/figure>\n\n\n\n
      \"\"
      Figure 13. Registrant’s country<\/figcaption><\/figure>\n\n\n\n

      Analysis of these domains has led to the conclusion that they are likely to be used for fraudulent activities. The SLDs were probably designed to get the victim’s attention and get them to access the domain. Here are some examples.<\/p>\n\n\n\n

      newworldleadershipsummit[.]com<\/td>theworkplacesummit[.]com<\/td><\/tr>
      blockchain-one-to-one-summits[.]com<\/td>audisummitforprogress[.]com<\/td><\/tr>
      beautyrichsummit[.]com<\/td>biotech-summit[.]com<\/td><\/tr>
      chemical-recycling-summit[.]com<\/td>globalmanufacturingsummit[.]org<\/td><\/tr>
      munich-newspace-summit[.]org<\/td>womensinclusionsummit[.]org<\/td><\/tr><\/tbody><\/table>
      Figure 14. Examples of suspicious domains<\/em><\/figcaption><\/figure>\n\n\n\n

      Therefore, this research leads us to conclude that most of the domains identified as suspicious during the analysis will be used for malicious purposes, either as part of a Command and Control infrastructure or through disinformation campaigns. There is no doubt that the NATO summit held in Madrid during the last week of June has been used as a medium for cybercriminal purposes.<\/p>\n","protected":false},"excerpt":{"rendered":"

      S2Grupo’s Threat Hunting team has carried out an investigation on the occasion of the NATO summit held in Madrid on June 29th and 30th on possible APT group campaigns that could have targeted this event. In this line, we have investigated those domains that had as part of the name any of the keywords provided […]<\/p>\n","protected":false},"author":22,"featured_media":1575,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_genesis_hide_title":false,"_genesis_hide_breadcrumbs":false,"_genesis_hide_singular_image":false,"_genesis_hide_footer_widgets":false,"_genesis_custom_body_class":"","_genesis_custom_post_class":"","_genesis_layout":"","footnotes":""},"categories":[1],"tags":[],"class_list":{"0":"post-1559","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-uncategorised","8":"entry"},"featured_image_src":"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2022\/07\/Flag-North-Atlantic-Treaty-Organization-600x400.jpg","featured_image_src_square":"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2022\/07\/Flag-North-Atlantic-Treaty-Organization-600x600.jpg","author_info":{"display_name":"Arubaro","author_link":"https:\/\/lab52.io\/blog\/author\/varit0\/"},"_links":{"self":[{"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/posts\/1559"}],"collection":[{"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/users\/22"}],"replies":[{"embeddable":true,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/comments?post=1559"}],"version-history":[{"count":6,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/posts\/1559\/revisions"}],"predecessor-version":[{"id":1574,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/posts\/1559\/revisions\/1574"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/media\/1575"}],"wp:attachment":[{"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/media?parent=1559"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/categories?post=1559"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/tags?post=1559"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}