BlackTech has built a reputation relying on (much to the delight of defenders) tech-themed domains and predictable registration patterns. Recent reporting linking malicious domains to the actor suggests these patterns may be fading, at least for the time being signifying a departure from the previous infrastructure configuration.
Items to Note
- Failure to redact email addresses within WHOIS records (mitsumori.gb@gmail[.]com, wufi2011@gmail[.]com, siraiya128@gmail[.]com, senotice@gmail[.]com) leads to dozens more domains likely linked to the actor(s).
- BlackTech prefers dynamic DNS services, with most of the domains’ registrars being GoDaddy, paired with domaincontrol[.]com name servers (NS).
- Domain naming conventions centered around technology/target (recent intrusion reporting shows this pattern may change).
BlackTech, a.k.a. Huapi, Temp.Overboard, Circuit Panda, Radio Panda is a cyber espionage actor routinely associated but never publicly attributed to Chinese security services. Primary targets of the actor include the technology, financial and government sectors in Taiwan, Hong Kong, Japan, and recently the U.S.
Please refer to the excellent reporting by JPCert, NTT, TrendMicro, and PWC’s @cyberoverdrive and @malworms.
Infrastructure New & Old
The data captured in this post uses multiple vendor reports and VirusTotal and RiskIQ to gather passive DNS data. One hundred thirty (130) domains linked to BlackTech were identified and added to a CSV file along with first-seen dates, registrant and registrar information, and name server information.
CSV files allow for identifying possible campaign time-lining and visualizing trends or patterns in BlackTech infrastructure tactics, techniques, and procedures (TTPs). Reusing domains and overlapping infrastructure across different intrusion sets have become a calling card for the actor(s).
The lone spike seen in Figure 1 in 2013 is in large part due to the “Four-Element Sword Engagement.”
Constituting nearly a third of the domains registered, GoDaddy and domaincontrol[.]com NS have provided defenders with clues to out related infrastructure before put in use.
As seen in the below scatter plot, PDR Ltd. and Vitalwerks Internet Solutions, LLC represents the majority of registrars linked to BlackTech recently.
This activity consists of registrar changes in addition to name server information, as seen in Figure 4.
Previously, defenders may have enjoyed success querying for tech-themed dynamic DNS domains registered to GoDaddy with domaincontrol NS. While small wins in the above hunting category may prove fruitful, updated infrastructure configurations should be considered and watched closely.
Stepping back to look at the above data, three assumptions arise (I will leave the true analysis to the experts):
- The change in infrastructure is only temporary, and a return to normal patterns will return.
- The above behavior indicates a group that has had infrastructure burned by security vendors and researchers on social media.
- BlackTech campaigns call for different hosting configurations, explaining the change.
Unfortunately, when it comes to the inner workings of not only BlackTech but many APT groups, few defenders have inside knowledge of day-to-day operations.
Only continued analysis with multiple colored Excel spreadsheets to track changes will inch Blue Teamers closer to understanding one of the above assumptions.
While these configuration changes may not represent breaking news, identifying adversary infrastructure before malicious activity ensues is very important for defenders.
Like puzzle pieces, registrant names and name servers alone may not provide a pretty picture, but when paired with consistent naming themes and other registration information, a clearer picture of an adversary emerges.