May 20, 2015

A security firm made headlines earlier this month when it boasted it had thwarted plans by organized Russian cyber criminals to launch an attack against multiple US-based banks. But a closer look at the details behind that report suggests the actors in question were relatively unsophisticated Nigerian phishers who’d simply registered a bunch of new fake bank Web sites.

The report was released by Colorado Springs, Colo.-based security vendor root9B, which touts a number of former National Security Agency (NSA) and Department of Defense cybersecurity experts among its ranks. The report attracted coverage by multiple media outlets, including Fox News, Politico, SC Magazine and The Hill. root9B said it had unearthed plans by a Russian hacking gang known variously as the Sofacy Group and APT28. APT is short for “advanced persistent threat,” a term much used among companies that sell cybersecurity services in response to breaches by state-funded adversaries in China and Russia that are bent on stealing trade secrets via extremely stealthy attacks.

The cover art for the root9B report.

“While performing surveillance for a root9B client, the company discovered malware generally associated with nation state attacks,” root9B CEO Eric Hipkins wrote of the scheme, which he said targeted financial institutions such as Bank of America, Regions Bank and TD Bank, among others.

“It is the first instance of a Sofacy or other attack being discovered, identified and reported before an attack occurred,” Hipkins said. “Our team did an amazing job of uncovering what could have been a significant event for the international banking community. We’ve spent the past three days informing the proper authorities in Washington and the UAE, as well as the CISOs at the financial organizations.”

However, according to an analysis of the domains reportedly used by the criminals in the planned attack, perhaps root9B should clarify what it means by APT. Unless the company is holding back key details about their research, their definition of APT can more accurately be described as “African Phishing Threat.”

The report correctly identifies several key email addresses and physical addresses that the fraudsters used in common across all of the fake bank domains. But root9B appears to have scant evidence connecting the individual(s) who registered those domains to the Sofacy APT gang. Indeed, a reading of their analysis suggests their sole connection is that some of the fake bank domains used a domain name server previously associated with Sofacy activity: carbon2u[dot]com (warning: malicious host that will likely set off antivirus alerts).

The problem with that linkage is that although carbon2u[dot]com was in fact at one time associated with activity emanating from the Sofacy APT group, Sofacy is hardly the only bad actor using that dodgy name server. Plenty of other badness unrelated to Sofacy calls Carbon2u home for its DNS operations, including these clowns.
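The weakness of a shared-name-server pivot can be made concrete. What follows is an added example, not code from the root9B report or from this post: every record in it is constructed (.example domains, invented registrant emails and postal addresses, a hypothetical `ns1.shared-dns.example`), and the clustering is a generic union-find over registrant identifiers. It separates the strong pivots the report actually has (shared registrant email and address across the fake bank domains) from the weak one it leans on (a name server), by counting how many unrelated registrant clusters sit behind that name server.

```python
"""Infrastructure-overlap check for domain attribution.

Added example, not code from the root9B report or this post. Every record
below is constructed (.example domains, invented registrant emails and
addresses, a hypothetical shared name server) to illustrate the method.

Registrant email and postal address are strong pivots. A name server is only
as discriminating as the number of unrelated actors that use it.
"""
from collections import defaultdict

# (domain, registrant_email, registrant_address, name_server) -- constructed
RECORDS = [
    ("bankofamerlca-secure.example",  "phisher-a@mail.example", "12 Market Rd, Lagos", "ns1.shared-dns.example"),
    ("regions-online-verify.example", "phisher-a@mail.example", "12 Market Rd, Lagos", "ns1.shared-dns.example"),
    ("tdbank-alerts.example",         "phisher-b@mail.example", "12 Market Rd, Lagos", "ns1.shared-dns.example"),
    ("apt-c2-node.example",           "ops@apt.example",        "PO Box 9, Elsewhere", "ns1.shared-dns.example"),
    ("ngo-lookalike.example",         "ops@apt.example",        "PO Box 9, Elsewhere", "ns2.other-dns.example"),
    ("cheap-pills-store.example",     "spam@pharma.example",    "Unit 4, Somewhere",   "ns1.shared-dns.example"),
    ("coupon-click-now.example",      "aff@clicks.example",     "Unit 7, Anywhere",    "ns1.shared-dns.example"),
]


def cluster_by_registrant(records):
    """Group domains that share a registrant email OR postal address.

    Union-find: each domain is joined to the identity nodes it carries, so two
    domains land in one cluster if any chain of shared identifiers links them.
    """
    parent = {}

    def find(x):
        while parent.setdefault(x, x) != x:
            parent[x] = parent[parent[x]]      # path halving
            x = parent[x]
        return x

    def union(a, b):
        parent[find(a)] = find(b)

    for domain, email, address, _ns in records:
        union(domain, ("email", email))
        union(domain, ("addr", address))

    clusters = defaultdict(set)
    for domain, *_ in records:
        clusters[find(domain)].add(domain)
    return [frozenset(c) for c in clusters.values()]


def nameserver_fanout(records, clusters):
    """Map each name server to the number of distinct registrant clusters on it.

    Fan-out 1: the NS is exclusive to one actor and is a usable pivot.
    Large fan-out: commodity infrastructure; sharing it proves nothing.
    """
    owner = {d: i for i, cluster in enumerate(clusters) for d in cluster}
    users = defaultdict(set)
    for domain, _e, _a, ns in records:
        users[ns].add(owner[domain])
    return {ns: len(owners) for ns, owners in users.items()}


def assess_link(records, a, b, weak_threshold=3):
    """Classify the evidence tying domain a to domain b.

    'strong'   -> same registrant cluster (shared email and/or address)
    'moderate' -> different registrants, but the shared NS serves only these two
    'weak'     -> different registrants, and the shared NS also serves at least
                  one further unrelated actor (fan-out >= weak_threshold)
    'none'     -> no overlap at all
    """
    clusters = cluster_by_registrant(records)
    owner = {d: i for i, cluster in enumerate(clusters) for d in cluster}
    ns_of = {d: ns for d, _e, _a, ns in records}
    if owner[a] == owner[b]:
        return "strong"
    if ns_of[a] == ns_of[b]:
        fanout = nameserver_fanout(records, clusters)[ns_of[a]]
        return "weak" if fanout >= weak_threshold else "moderate"
    return "none"


if __name__ == "__main__":
    found = cluster_by_registrant(RECORDS)
    for c in found:
        print("registrant cluster:", sorted(c))
    print("name server fan-out:", nameserver_fanout(RECORDS, found))
    print(assess_link(RECORDS, "bankofamerlca-secure.example", "tdbank-alerts.example"))
    print(assess_link(RECORDS, "bankofamerlca-secure.example", "apt-c2-node.example"))
    print(assess_link(RECORDS, "bankofamerlca-secure.example", "ngo-lookalike.example"))
```

Run on the constructed records, the three fake bank domains fall into one registrant cluster, the hypothetical C2 domain into another, and the shared name server shows a fan-out of four unrelated clusters, so the only tie between the bank domains and the C2 domain is classified as weak. On real data the same fan-out count, taken from passive DNS or WHOIS history, is the check to run before a shared name server is presented as attribution.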

From what I can tell, the vast majority of the report documents activity stemming from Nigerian scammers who have been conducting run-of-the-mill bank phishing scams for almost a decade now and have left quite a trail.

For example, most of the wordage in this report from root9B discusses fake domains registered to a handful of email addresses, including “adeweb2001@yahoo.com,” “adeweb2007@yahoo.com,” and “rolexzad@yahoo.com.”

Each of these emails has long been associated with phishing sites erected by apparent Nigerian scammers. They are tied to this Facebook profile for a Showunmi Oluwaseun, who lists his job as CEO of a rather fishy-sounding organization called Rolexzad Fishery Nig. Ltd.

The domain rolexad[dot]com was flagged as early as 2008 by aa419.org, a volunteer group that seeks to shut down phishing sites — particularly those emanating from Nigerian scammers (hence the reference to the Nigerian criminal code 419, which outlaws various confidence scams and frauds). That domain also references the above-mentioned email addresses. Here’s another phishy bank domain registered by this same scammer, dating all the way back to 2005!

Bob Zito, a spokesperson for root9B, said “the team stands by the report as 100 percent accurate and it has been received very favorably by the proper authorities in Washington (and others in the cyber community, including other cyber firms).”

I wanted to know if I was alone in finding fault with the root9B report, so I reached out to Jaime Blasco, vice president and chief scientist at AlienVault — one of the security firms that first published the initial findings on the Sofacy/APT28 group back in October 2014. Blasco called the root9B research “very poor” (full disclosure: AlienVault is one of several advertisers on this blog).

“Actually, there isn’t a link between what root9B published and Sofacy activity,” he said. “The only link is there was a DNS server that was used by a Sofacy domain and the banking stuff root9B published. It doesn’t mean they are related by any means. I’m really surprised that it got a lot of media attention due to the poor research they did, and [their use] of [terms] like ‘zeroday hashes’ in the report really blew my mind. Apart from that it really looks like a ‘marketing report/we want media coverage asap,’ since days after that report they published their Q1 financial results and probably that increased the value of their penny stocks.”

Blasco’s comments may sound harsh, but it is true that root9B Chairman Joe Grano bought large quantities of the firm’s stock roughly a week before issuing this report. On May 14, 2015, root9B issued its first quarter 2015 financial results.

There is an old adage: If the only tool you have is a hammer, you tend to treat everything as if it were a nail. In this case, if all you do is APT research, then you’ll likely see APT actors everywhere you look.


47 thoughts on “Security Firm Redefines APT: African Phishing Threat”

  1. Ian McKenzie

    For what it’s worth Brian, I’m with you and Jaime on this one and if I had to guess I’d say any of your regular readers would likely agree as well.

    While there is certainly a ton of great talent coming out of the various government entities it’s important to keep in mind that the resume alone is not indicative of superior business practices. There are plenty of us within the private and research sectors with much more knowledge and experience 😉

    1. JCitizen

      +1 to you Ian;

      Especially since most government entities seem populated by a bunch of knot heads!

  2. Anonymous

    ah, the good ole legal issue a PR and then pump and dump some stock trick!

    1. JimV

      Whether he was able to successfully accomplish the 2nd critical part of a pump-and-dump scheme isn’t clear, but maybe Brian will be able to follow up on that aspect in a future report.

      Seems highly suspicious, though.

    1. JCitizen

      “Everyone to get off the street”; oh! never mind! Heh! Just a little ’70s humor here.

  3. Neej

    “I’m really surprised that it got a lot of media attention due to the poor research they did,…”

    Why is he really surprised? This is typical of today’s reporting in popular media: a “journalist” with very little idea about the topic they’re writing on paraphrases a press release with no additional checking or research. This happens often and repeatedly so I really do not know why he’s surprised.

    I guess the fact that it could be seen as somewhat supportive of Washington’s “cyberwar” stupidity in that it provides more justification and that it apparently has former high level gov workers putting out this rubbish is another alarm bell as well.

  4. nov

    root9B mentions, …”the malicious code bore specific signatures that have historically been unique to only one organization, Sofacy”. However, I see no other public correlation of the malware hashes to Sofacy.

  5. Adam

    No surprise here, jumping the gun, UNLESS they meant APT to be African Phishing Threat?

    Morons really though.

    “Our team did an amazing job of uncovering what could have been a significant event for the international banking community. ”

    But not such a good job deciding who was responsible.

  6. Mike

    “…National Security Agency (NSA) and Department of Defense cybersecurity experts…”

    The same so-called experts that are perfectly happy to insure the bad guys build (and get well paid) all the computer equipment that gets used all over the world. It’s like the spys that spend all their time watching other spy that themselves are watching spys. While the population and the worlds businesses all get caught in the middle (without ever realizing it). Is it any wonder there are back doors into things?

    I have absolutely no reason to trust anything from any of these people at all. None of them can tell the difference between their own 1’s from 0’s in the ground. I’m a lot more likely to be forced into spending a lot more time protecting myself from these experts and their policies.

    Oh yeah….one other thing…..

    Thanks Brian but I’m not very likely to get my cyber-security tips from the Politico.

  7. BorisTheBlade

    Anti-Russian hysteria in the USA is utterly ridiculous. Even more ridiculous than anti-American hysteria in Russia.

    1. atombath

      Hysteria implies that the reaction is irrational, though. Both sides have legitimate reasons for the suspicion.

  8. jdoe

    Who is the root9B CEO – Eric Hipkins or Joe Grano?

    1. Frank

      One is CEO, one is Chairman. Those positions aren’t always held by the same person.

  9. Jack

    Geography 101
    Africa = Continent
    Nigeria = Country

  10. Phil

    I lol’d @ Rolexzad Fishery Nig. Ltd. And Jack, the USA is a country, everyone else is whatever.

  11. Robert Scroggins

    Thanks, Brian, for not only going after the bad guys but for also helping to keep the good guys honest!

    Regards,

  12. ED

    I live in Colorado Springs and we have a strong ISSA chapter here. I have never heard of this company. Looking at their website at their many “offices” really casts doubt, especially when they evidently have less than 50 employees.

  13. -stephen

    The Web site of the aa419 organization is aa419[dot]org instead of [dot]com.

  14. Buddha Chris

    I think the security services market much like the general internet news machine is getting so over crowded that the quality of many of the sources and organizations goes down as a result. More and more it’s up to the individual to decide on the validity and authoritativeness of the sources / product in question.

    This I believe is expected behavior any time there is a lot of money flowing around a sector and it’s hot as Information Security is right now.

    BK, I think you’re either the best or one of the best reporters out there, and I’m sure that doing the high quality work you do takes a lot of time and effort.

    These days a PR stunt can work just as easily as it fails, the only issue is when you go for major exposure like these guys did, if you take shortcuts or are less than truthful it can backfire in a huge way. Now they may be looked on in a worse light than if they hadn’t released this information.

    One security issue I can see with all the over-hyped PR and how easily people are spoofed is that an intentionally false PR statement could cause havoc in the financial markets and we need a better way to authenticate these types of intentionally malicious releases.

    Thanks for your service to the community.

    1. Anonymous

      Looks like they have a number of other dubious claims in other press releases. My favorite is:

      “root9B Announces Development of First-ever Credential Risk Assessment and Remediation Solution”

  15. Stratocaster

    Now that the whiz kids at root9B have unmasked this Threat to Western Civilization, I am starting to get spams which purport to be from a bank in Mali. Next stop for the root9B investigators. I wonder if the Nigerian princes have emigrated yet.

  16. Karen Bannan

    “There is an old adage: If the only tool you have is a hammer, you tend to treat everything as if it were a nail. In this case, if all you do is APT research, then you’ll likely see APT actors everywhere you look.”

    Yes, too true, but that doesn’t mean that it’s not good to be looking for APT! I really liked this white paper based on the Gartner Security Summit that discusses *all* the things that people should be looking at and thinking about related to security: http://bit.ly/1byhygd

    –KB

    Karen J. Bannan, commenting on behalf of IDG and FireEye.

  17. Researcher

    I co-authored one of the Sofacy/APT28 reports that Jaime referenced in his accurate summary in October. He wasn’t the only one to laugh at the root9b report, particularly with respect to the “zero-day hashes”.

    Unfortunately incompetent reports are being rewarded, and it’s great to see Krebs and others starting to call them out.

    Of course there was Norse’s poor report on Iran
    http://www.csmonitor.com/World/Passcode/Passcode-Voices/2015/0417/Opinion-Security-firm-s-Iran-report-mostly-hype

    Then there was IBM’s claim that 1/500 machines are infected with APT malware, because they reclassified all malware as APT for the purpose of their report
    http://www.infosecurity-magazine.com/news/citadel-trojan-targets-middle-east/

    My favourite so far though is this one. If you look at the malware samples of this you’ll see it’s just adware - it even has an agreement you have to confirm before it installs!
    http://www.zdnet.com/article/12-years-old-and-finally-over-is-the-harkonnen-operation-the-longest-running-malware-campaign-so-far/

    1. JCitizen

      +1 Sorry I have to clutter up Brian’s site just to upvote your post.

    2. Ian McKenzie

      I’ve attended several meetings in regards to some of APT28’s previous attacks and read detailed technical analysis of their typical operations and as such am inclined to agree.

      However, I’m curious if Brian would care to respond to root9B’s recent post as linked below.

      http://root9btechnologies.com/news/root9B-response-to-krebsonsecurity-blog-post.html

      Perhaps they could setup a webinar or conference call and allow those of us in industry to hear their more detailed briefing.

      1. Oh Please Do This

        Brian, please follow up – it’ll either hopefully show that these guys were correct but don’t write detailed and accurate, well-researched reports, or that they are just as guilty as the Nigerian scammers for posting empty or false PR just before Q1 earnings news with hopes of increasing their valuation.

        As for Stephen H’s comment below on the SEC question, I too wonder about that…

      2. Pete

        I would love to see how they justify their claim on their website, “root9B is a leading provider of advanced cybersecurity services and training for commercial and government clients.” Who defined them as a leader and in what way? Doubt they own a larger market share than 50% of their competition or have been rated better than 50% of their competition by reputable independent security sources. If neither exist, then that is a false claim. Sorry, but I just hate how everyone defines themselves as a leader in something for marketing purposes (and usually pays someone to rank them that way so they can throw something up on their website - ranked best security company by Bob’s BBQ and Outdoor Grill of Bumf- WV).

  18. Stephen H

    So – has anyone dropped a line to the SEC about insider trading? Joe could be in a lot of trouble over buying stock before a major announcement.

    1. Kathy

      If it were true he could, which is why I think there may be more to this than Brian “Krebspersky” knows. Grano is worth a whole lot more than the 50k or so Brian accuses him of making in his “pump and dump” accusation. Why would anyone worth tens of millions risk jail time over $50k? And have you seen the board of directors? Do you think William Webster would associate with a company guilty of what Brian alleges? Does anyone here think for themselves? Or is this a site for lemmings blinded by the Krebslights?

      1. What a shill posting

        Clearly this is some shill from root9B trying to discredit the report. Go back to your pandering.

      2. Barry

        It’s great to see a mature and intelligent voice such as yours, Kathy.

  19. Lance James

    Granted there are some talented folks coming out of the public sector so this is not directed at them, but I have been seeing quite a bit of cognitive bias lately with these types of attribution attempts and their methodologies demonstrated in their reports. The most shocking part is that anyone from the public sector who is appropriately trained in the trade craft of intelligence should be thoroughly competent in applying ACH (analysis of competing hypothesis) before they feel so certain about the accuracy of their work.

    Hate to say it I’m starting to think that there should be regulation on lemon security companies and delivery of false information and shoddy products.

  20. market watch

    Some more financial analysis on root9B. Looks like there is about 10 million shares about to get dumped by senior executives, including Grano and Hipkins (CEOs).

    http://seekingalpha.com/article/3205696-root9b-negative-asymmetry-80-percent-downside

    Best part:

    “Most troubling is the 44% decline reported in root9B’s cyber segment. Management has billed this segment as being the growth engine (despite representing only 7% of total revenue on a pro forma basis) for the company going forward. However, this segment produced the largest decline in revenue. Verbiage in the 10-Q attributes this to lengthening sales cycles.”

    Looks like the pump and dump is about to fall. SEC, anyone?

  21. Victor

    Hello Brian,

    thanks for the article!

    Just want to point out that you provided the link for aa419.COM, but the correct link is aa419.ORG.

    1. BrianKrebs Post author

      Actually, the link works fine. It’s the wording that’s incorrect. I’ll fix, thanks.

  22. Catherine D.

    The SEC Edgar filings are a beautiful and wonderful treasure trove of info. Thx for the reminder Brian.
    I peeked at the names of all folks who have root9B options:
    http://www.sec.gov/cgi-bin/own-disp?action=getissuer&CIK=0001272550

    Noticed the name ”Wesley Clark” listed. Cross-referenced that name to all companies naming “Wesley Clark” as a director:
    http://www.sec.gov/cgi-bin/own-disp?action=getowner&CIK=0001349193

    and found this gem, which appears to be a Grilled Cheese food truck company, that has retained Wesley K. Clark & Associates, LLC to develop its veterans franchise business at the rate of $20k/month (see section 11.d.):
    http://www.sec.gov/Archives/edgar/data/1497647/000161577415001191/s101150_10q.htm

    so weird.

  23. Ted Mapother

    An interesting article, and nice that we were mentioned (despite that we are aa419.org).

    This is slightly off-topic, but I feel I should add a bit of input from our organization. I personally go through hundreds of fake bank domains each week (as an anti-fraud volunteer) and would like to clarify an often misunderstood area here.

    Fake bank domains (the typical West African fraudster type) can be set up and used for three things. Phishing, 419 websites, and 419 emails.

    Phishing – While there are some being used for phishing, it is far more common to see phishing sites created which spoof email and social media logins rather than impersonating banks. It happens, but it’s not happening that often at all.

    Websites – In some cases, these fake bank domains will have content on a website set up to look like the legitimate bank being impersonated. This is NOT typically used for phishing. A fake bank site set up to look like a real bank site and being used for 419 fraud is meant to trick the victim into believing they are dealing with the real bank. In many cases, there is an “online banking” login. This is NOT phishing. The site owner (scammer) will create the login information so that the victim can login and be fooled into believing he really has $2 million in his Barclays/Bank of America/[Insert Bank Name Here] account. When the victim sees what looks like a real bank website, and can then login and see all this “money” in his “account”, the scammer can have an easier time extracting more of the “fees” from the victim to have to pay for the non-existent money. Classic 419 fraud. Again, most often this is NOT phishing, and something that is often misunderstood.

    Emails – What is most often the case with newly registered domains copying legitimate banks is for them to simply be used for email purposes. Many of the scammers are too lazy to bother setting up content on a website. They will register a domain copying a bank, and then use it for sending emails to victims. This is a made-up example, but emails will come from something like bankmanager@barclaysbnkuk.net – again, not for phishing, just to lend credibility to the scam. The victim can be fooled into believing they are dealing with a representative from the real bank, etc…

    In any case, carry on. Just wanted to give my input on what the fake bank domains are actually being used for.

    Thanks,
    Ted Mapother
    Public Relations Director
    Artists Against 419
    http://www.aa419.org

Comments are closed.