Labels

dinsdag 21 juni 2016

Details about Pawn Storm Targeting MH17 Investigation Team

Details about Pawn Storm Targeting MH17 Investigation Team

Lets take a closer look at what TrendMicro called an operation conducted by Pawn Storm targeting the MH17 investigation team. The Dutch, so-called "Onderzoeksraad".
TrendMicro doesn't mention specific details in their blogpost. So we had to dig them up ourselves, but lets keep in mind we could be wrong!
TrendMicro says a fake server was set up around 29 september 2015 mimicking a OWA server and SFTP server. What we found is this domain: onderzoekraad.nl (The original domain is onderzoeksraad.nl, note the missing 's'). And this domain contains 2 subdomains: VPN and SFTP. The domain onderzoekraad.nl was registered on 23–09–2015. So it seems we've got the right domain.
When registrating a .nl domain personal details do not have to be included in the WHOIS information. Registrant information is however transmitted to the SIDN which coordinates the .nl domains. Through this way we know that the domain was registrated with the email address alexfreezbe@mail.com.
The nickname "alexfreezbe" is very unique. Actually a Google search learns us that this nickname is only used by one person online. A Russian guy called "Alexander Savelyev", using the nicknames "Dark Frize" or "alexfreezbe". We've got him pictured below:


Apparently "Alexander Savelyev" is a very common name in Russia and Ukraine. Actually a member of the OCSE, doing research about the MH17 crash… is called Alexander Savelyev.
Hows that about OPSEC?