Keypoints
- Study focused on six APT groups that have targeted European countries: APT28, BackdoorDiplomacy, Kimsuky, MoustachedBouncer, Muddy Water, and ToddyCat.
- Researchers filtered APT candidates from MITRE’s list, selecting groups that launched campaigns affecting Europe from 2023 onward or were active in 2023 and had targeted Europe previously.
- WHOIS History API and reverse WHOIS queries were used to extract email addresses from current and historical WHOIS records and treat them as IoCs.
- Findings include 50+ domains with public email addresses in current WHOIS records and 12,200+ domains in historical records linked to those emails.
- More than 2,500 email-connected domains remained active at the time of the report, and 15,100+ FQDNs were associated with IP-based IoCs across 1,000+ root domains.
- BackdoorDiplomacy analysis: 14 IoC domains yielded 39 historical email addresses (10 public); reverse WHOIS found 26 current and 12,018 historical email-connected artifacts, and 38 IoC IPs mapped to 14,318 FQDNs under 1,071 root domains.
MITRE Techniques
- [T1595] Reconnaissance – Conducting reconnaissance on European organizations. [‘Procedure: Conducting reconnaissance on European organizations.’]
- [T1566] Phishing – Used as an initial access vector associated with BackdoorDiplomacy and its EAGERBEE activity. [‘Procedure: Utilizing EAGERBEE malware for initial access.’]
- [T1566] Phishing (Credential Harvesting) – Targeting email accounts to steal credentials. [‘Procedure: Targeting email accounts for credential theft.’]
- [T1059] Command and Scripting Interpreter (Execution) – Executing malicious payloads on compromised systems. [‘Procedure: Executing malicious payloads on compromised systems.’]
- [T1543] Create or Modify System Process (Persistence) – Establishing persistence through backdoor installations. [‘Procedure: Establishing persistence through backdoor installations.’]
- [T1041] Exfiltration Over C2 Channel – Exfiltrating sensitive data from targeted organizations. [‘Procedure: Exfiltrating sensitive data from targeted organizations.’]
Indicators of Compromise
- [Domains] IoC domain lists and email-connected domains – example counts: 14 domains used as IoCs for BackdoorDiplomacy (source pivot), 50+ domains with public emails in current WHOIS records.
- [Email addresses] Email artifacts from WHOIS history – 39 email addresses found in BackdoorDiplomacy historical WHOIS records (10 were public), with reverse WHOIS yielding thousands of linked domains.
- [IP addresses] IPs named as IoCs for several groups – 38 IP addresses identified for BackdoorDiplomacy, which mapped to 14,318 FQDNs under 1,071 root domains.
- [FQDNs / Root domains] Fully qualified domain names hosted on IoC IPs – 15,100+ FQDNs associated with identified IP IoCs across 1,000+ root domains (e.g., 14,318 FQDNs under 1,071 roots for BackdoorDiplomacy).
WhoisXML API’s research team conducted a focused analysis of six advanced persistent threat groups that have targeted European countries—APT28, BackdoorDiplomacy, Kimsuky, MoustachedBouncer, Muddy Water, and ToddyCat—with the goal of uncovering threat artifacts tied to those campaigns. The team began by filtering the roughly 40 APT groups listed on the MITRE ATT&CK page, keeping groups that either launched attacks against European countries from 2023 onward or were active in 2023 elsewhere while having previously targeted Europe. After identifying candidate groups, researchers used the WHOIS History API to locate domains already flagged as indicators of compromise and to extract email addresses appearing in historical WHOIS records.
To convert those email artifacts into broader domain and asset linkages, the team separated public from privacy-protected addresses and ran the public emails through Reverse WHOIS and DRS Reverse WHOIS Search queries. This process revealed domain name artifacts tied to the email addresses in both current and historical WHOIS records. The researchers also used a Screenshot API to verify which email-connected artifacts were still accessible online and queried the Premium DNS Database to expand analyses for groups where IP addresses were named as IoCs.
The study surfaced extensive email-connected infrastructure: more than 50 domains contained the public email addresses in current WHOIS records, historical WHOIS searches tied over 12,200 domains to those emails, and more than 2,500 of the email-connected domains remained active at the time of reporting. In addition, IP-based pivots for four of the six groups yielded over 15,100 fully qualified domain names hosted across more than 1,000 root domains, providing a broad view of assets associated with the identified IoCs.
The report offers a deeper case study of BackdoorDiplomacy, an actor believed to operate from China and active since at least 2017. Although the group most recently targeted Southeast Asian governments with an upgraded EAGERBEE malware strain, it has previously attacked foreign affairs ministries and telecommunications companies across Europe, Africa, the Middle East, and Asia (including activity reported in 2021). Researchers started their BackdoorDiplomacy analysis from 14 domains identified as IoCs and found 39 email addresses in their historical WHOIS records; 10 of those addresses were public. Reverse WHOIS queries tied those emails to 26 email-connected artifacts in current WHOIS records and 12,018 artifacts in historical records. Pivoting from 38 IP addresses designated as IoCs produced 14,318 FQDNs under 1,071 root domains, with those FQDNs last visited between August 2023 and July 2024.
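The pivot chain described above (IoC domains, then historical WHOIS emails, then a public/privacy split, then reverse WHOIS and a passive-DNS expansion from IoC IPs) is easy to get wrong in one respect: privacy-proxy or registrar-default addresses link to thousands of unrelated domains, so the split step decides whether the output is intelligence or noise. The following script is an added example, not code from WhoisXML API or from the report; all WHOIS and passive-DNS records in it are constructed sample data, and the in-memory lookup functions stand in for the vendor's WHOIS History, Reverse WHOIS and DNS database APIs so it runs offline. The root-domain helper is a deliberate simplification (last two labels, no public suffix list).

```python
"""Simulated WHOIS-history / reverse-WHOIS / passive-DNS pivot (added example).

All records below are constructed sample data, not artifacts from the report.
The lookup functions replace the vendor APIs with in-memory searches.
"""
from collections import defaultdict

# Constructed historical WHOIS records: (domain, registrant_email, last_seen).
# last_seen=None marks the domain's current WHOIS record.
WHOIS_HISTORY = [
    ("ioc-one.example", "ops.registrar@mail.example", None),
    ("ioc-one.example", "redacted@withheldforprivacy.example", "2022-05-01"),
    ("ioc-two.example", "ops.registrar@mail.example", "2023-01-15"),
    ("ioc-two.example", "contact@whoisguard.example", None),
    ("ioc-three.example", "admin@privacyproxy.example", None),
    ("sibling-a.example", "ops.registrar@mail.example", None),
    ("sibling-b.example", "ops.registrar@mail.example", "2021-09-30"),
    ("unrelated.example", "someone@else.example", None),
]

# Constructed passive-DNS records: (fqdn, ip, last_seen).
PASSIVE_DNS = [
    ("cdn.sibling-a.example", "192.0.2.10", "2024-07-02"),
    ("mail.sibling-a.example", "192.0.2.10", "2024-03-11"),
    ("www.other-root.example", "192.0.2.10", "2023-08-20"),
    ("api.other-root.example", "192.0.2.11", "2024-01-05"),
    ("unrelated.example", "198.51.100.5", "2024-02-02"),
]

# Substrings that mark a privacy/proxy contact address (constructed heuristic,
# not a complete list of real proxy providers).
PRIVACY_MARKERS = ("privacy", "proxy", "whoisguard", "redacted", "withheld")


def is_public_email(email: str) -> bool:
    """Treat a WHOIS email as public unless it looks like a privacy proxy."""
    lowered = email.lower()
    return not any(marker in lowered for marker in PRIVACY_MARKERS)


def historical_emails(ioc_domains, history=WHOIS_HISTORY):
    """Step 1: every email that ever appeared in the IoC domains' WHOIS history."""
    return {email for domain, email, _ in history if domain in ioc_domains}


def reverse_whois(email, history=WHOIS_HISTORY, current_only=False):
    """Step 2: domains whose WHOIS (current, or any historical record) lists this email."""
    return {
        domain
        for domain, rec_email, last_seen in history
        if rec_email == email and (last_seen is None or not current_only)
    }


def root_domain(fqdn: str) -> str:
    """Crude registrable-domain extraction: last two labels, no public suffix list."""
    return ".".join(fqdn.split(".")[-2:])


def fqdns_for_ips(ioc_ips, pdns=PASSIVE_DNS):
    """Step 3: FQDNs that resolved to IoC IPs, grouped by root domain."""
    by_root = defaultdict(set)
    for fqdn, ip, _ in pdns:
        if ip in ioc_ips:
            by_root[root_domain(fqdn)].add(fqdn)
    return by_root


def pivot(ioc_domains, ioc_ips):
    """Run the whole pivot and return counts in the same shape as the report's summary."""
    all_emails = historical_emails(ioc_domains)
    public = {e for e in all_emails if is_public_email(e)}
    current_linked, historical_linked = set(), set()
    for email in public:
        current_linked |= reverse_whois(email, current_only=True)
        historical_linked |= reverse_whois(email)
    # Drop the seed IoCs so the counts reflect newly surfaced artifacts only.
    current_linked -= set(ioc_domains)
    historical_linked -= set(ioc_domains)
    by_root = fqdns_for_ips(ioc_ips)
    return {
        "emails_total": len(all_emails),
        "emails_public": len(public),
        "current_connected": sorted(current_linked),
        "historical_connected": sorted(historical_linked),
        "fqdns": sum(len(v) for v in by_root.values()),
        "root_domains": len(by_root),
    }


if __name__ == "__main__":
    seed_domains = {"ioc-one.example", "ioc-two.example", "ioc-three.example"}
    seed_ips = {"192.0.2.10", "192.0.2.11"}
    for key, value in pivot(seed_domains, seed_ips).items():
        print(f"{key}: {value}")
```

On the constructed data the three seed domains expose four historical emails, of which only one survives the privacy filter; that one address surfaces two sibling domains (one still current), and the two IoC IPs map to four FQDNs under two root domains. The new domains are leads to verify (the report used screenshots and passive DNS for that step), not confirmed indicators: a shared public email can just as easily be a registrar or hosting reseller contact, which is why the historical set is always larger than the current one and why blocking on reverse-WHOIS output alone is a bad idea.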
Readers interested in the full data set and methodology can download the complete white paper, which expands on the WHOIS and passive DNS data used to derive these findings and includes additional artifacts. Read more: https://circleid.com/posts/2024-domain-intelligence-study-of-6-apt-groups-notorious-for-targeting-europe