Tracking Down Hackers With Passive DNS Data and SSL Certificates
In early February 2018, Bui Thanh Hieu received an email. It was an invitation to an event he had been planning to attend. Bui Thanh Hieu, a Vietnamese dissident and blogger, living in Germany, knows he needs to be cautious. He nevertheless clicked the link in the email. It didn't look suspicious and seemed to come from a familiar email address.
Months later, he learned that a Vietnamese hacking group targeted him. And he wasn't the only one.
An investigation by German public broadcaster BR and newspaper Zeit found that the hacking group named APT 32 or Ocean Lotus targeted dozens of dissidents, human rights activists, and at least one journalist. For their investigation, the journalists looked at PassiveDNS databases to find out who the group targeted.
Tracking the hackers
Previously, the group had also targeted the German automotive industry. For Hakan Tanriverdi, who was part of a team of journalists investigating how the hackers are targeting Vietnamese dissidents, this was the starting point.
"I heard that hackers had targeted a German company and then tried to find out which group was behind it and what reason they might have to be active in Germany," he says. He found that BMW, the German carmaker, had been among the group's targets and published a story on his findings in December 2019.
"I then said: OK, let's just go ahead and see if we can find out more," Tanriverdi says. He read papers by information security companies and researchers to learn more about the group, and someone alerted him to one particularly interesting report. It explained a method to find the computers Ocean Lotus targeted. This was done by looking at DNS-based requests, which include the encoded names of the computers. "I thought this was super specific information, but it was in this paper," he adds.
Hackers use these computer names for different reasons, such as when creating profiles of the people they hacked. In the case of Ocean Lotus, the group's malware connected to a domain belonging to the hackers and then created a subdomain for each targeted computer. "What I thought was interesting was that if we have the name of the computer, we might be able to figure out who they are targeting, and this turned out to be right, though not exactly as I had thought," Tanriverdi says.
To dig deeper, Tanriverdi and his colleagues had to look at PassiveDNS databases, which allowed them to grab all the IP-addresses that one of the hackers' domains was hosted on and then go from there. "Look for new domains on those IPs. Try to find the pattern. Rinse and repeat," Tanriverdi wrote in a Tweet explaining the method.
The Domain Name System, or DNS, is like the phonebook of the internet. It translates domain names into IP addresses. Passive DNS databases, on the other hand, store historical data on whether a domain has been associated with a specific DNS record at some point.
Tanriverdi approached the investigation believing they would find other companies in Germany that had been targeted, but quickly realized they wouldn't be able to find out. "The companies don't name their computers 'Hello Telekom' but use very cryptic names instead," he says.
While they couldn't look into companies, this was an opportunity to check whether IT security companies were right in saying Ocean Lotus mainly hacks Vietnamese people. "And private persons do give their computers pretty straightforward names, such as their first or last names," he says. This way the journalists found some of the people targeted by the hackers, and many were indeed Vietnamese.
A crucial mistake
Once the team had the names of the targeted computers and the associated domains, Tanriverdi used tools such as Domaintools and RiskIQ to investigate further. This way, he found a crucial mistake the hackers may have made.
Hackers these days have the problem that they also have to offer secure HTTPS connections for their websites because browsers will immediately warn users if the connection isn't safe. For this, they need an SSL certificate. "Usually, you would have one certificate per website but these hackers, either because they were lazy or they used automation --this is my hypothesis, we can't be 100% certain-- had one certificate for 280 websites," Tanriverdi says.
He now had an entire list of websites the hackers used. He then wrote a small script that repeatedly checked Shodan (essentially a search engine to find computers connected to the internet) to see which IP addresses last used a particular certificate. "Every time the script ran, I got new IPs back, or it responded saying there were no new ones," he says.
Doing so allowed the journalists to often learn of new hacking operations even before they were happening. "Because first, they set up this website and then, only after, they send out a (phishing) email and start exfiltrating the data," he says.
Tanriverdi says he and his colleagues could have kept investigating but decided against it. "At some point, you run into ethical questions, such as I don't know what investigations are happening at that moment, and I'm not technically advanced enough to look into this without tipping off the hackers."
Tanriverdi has done three investigations like the one into Ocean Lotus so far, including another hacking group called Winnti. He says every time the people he works with have warned him that he could become the target of hackers.
"If I became aware of a hacking attempt, I would probably go into panic mode for a moment before thinking about what is important at that moment," he says. At the same time, locking down systems to prevent hackers from getting in always comes with a trade-off, and at some point, it becomes too impractical, he notes. "If you have to do 50 pirouettes and 20 handstands every time you want to open a Word document, then things are getting complicated."
While investigating Ocean Lotus, he received even more warnings than usual. "They are known for targeting journalists and do not care who they hack."
Either way, he says, there is no way to make it impossible for hackers to target him. "If a hacking group with ties to a state sets its mind on targeting me, then they will have resources to do it. How are you going to defend yourself against that? You can try, but I think it would be naive to believe that they wouldn't be able to."