Via the events collected mostly from passive DNS records, I’ll highlight that threat actor(s)/ group(s) were using since 2010 a “DNS highjacking” tactic which is here observed as replacing victim’s zone authoritative name servers, by their controlled one, for small period of time. This could result in interception, espionage or sabotage by these means. The victims profiles found, strongly align with China’s interests. Various areas of activity are concerned, from Fortune 100 to cultual or religious organizations :
- France: Safran, Snecma (now Safran Aircraft Engines)
- Korea: Microsoft, Adobe, Honeywell, Nintendo, Logic Korea (Video game), KFTC (Financial payment service), Minghui (Falun Gong organization), Shinchonji (Evangelists)
- Australia: Australian Postal Corporation, Guangming (Falun Gong organization)
- United States : Makerbot (3D Printing company).
US DOJ & Aerospace
Referring to the indictment by the U.S. Department of Justice (DOJ) of ten Chinese intelligence officers for espionage (2018-10-10), cf:
And according to this indictment :”Beginning in at least December 2013 and continuing until his arrest, Xu targeted certain companies inside and outside the United States that are recognized as leaders in the aviation field. “
NB: You can read this link too, that summarize also well these recent events.
I decided to look what I can find on a (c)old case “linked” to this indictment. My starting point was this CrowdStrike article from
The events (publish and/or occurring were around the same period too..) i.e at the end of the 2013 year and beginning of 2014 :
French Aerospace VFW CrowdStrike Article
2014-01-11 2014-02-11 2014-02-25
We know that Safran, Snecma (a Safran subsidiary) and the French aerospace industries association : the “Groupement des industries françaises aéronautiques et spatiales” (GIFAS) were concerned.
I decided to start from what we know, and lookup into Passive DNS data, mostly.
First thing was that Safran let one of his RR pointing for more than two months to a malicious IP. (?!) The two other domains were a contrario malicious domains, crafted for, and not directly related to the victims.
Safran Name Server
From the CrowdStrike article :
Of particular interest was secure[.]safran-group[.]com. Safran is a France-based aerospace and defense company with a focus on the design and production of aircraft engines and equipment. The company owns the safran-group[.]com domain, and the fact that one of its subdomains was pointed at a malicious IP address suggests that the adversary compromised Safran’s DNS.
The second point is bold text above : “(…)the adversary compromised Safran’s DNS.” I didn’t find something thus that could help to understand how it was accomplished. By searching the Internet I found a UC San Diego thesis with title : “Investigating DNS Hijacking Through High Frequency Measurements” which seems well informed on the incidents :
Snecma Name Server
What we can read in CrowdStrike article, is that a number of domains were added to the “host’s” file of victim machines, but :
“the purpose of this component is unclear. It does not map these domains to malicious IP addresses because the 18.104.22.168/24 range belongs to the company”
By looking at the snecma.fr Name Servers I found some weird ones at the moment : ns1.acfine.net and ns2.acfine.net
- snecma.fr was previously indicated and was China’s interest without any doubt at that time. We have covered briefly this above.
- guangming.org seems to be a “Falun Gong” information website, this is of the utter interest in China’s policy. We can see multiple references to this “organization”, and China see it as a cult (see this official Chinese governmental link e.g). NB: The website may be related to their practice in Australia.
- makerbot.com is a 3D Printing company, based in New York.
Could this be another objective from attackers, or another group inside a team ? APT could be composed of several groups/teams, with different goals, and sometime using the same architecture or sharing the same TTPs.
Some open line of investigation on this… but I found on the website that a Lockheed Martin’s Senior Research Engineer was using their product since 2014 : It could be interesting for attackers to target this company to correlate different data.
ex: Lockhed Martin Blueprints + robotic mechanisms & Engineering
As correlating two different databases could reveal useful information,
ex: Office of Personnel Management (OPM) wich handle SF-86 form to obtain a security clearance + Anthem (Health Insurance) permitted to find the CIA agents by doing a diff between the data…
Linkedin profile :
Airbus & Microsoft Korea
ns21.dollar2host.com / ns22.dollar2host.com (NS)
2018-11-24 Update : Continuing on ns21. I saw that microsoft.kr was usign briefly this NS in 2010 too :
I found also ns1.dqtec.com (and ns2.dqtec.com) who where using too this NS in 2010, e.g with ns1.dqtec.com below:
What was the IP resolution of these records ?
ns1.dqtec.com ==> 22.214.171.124
ns2.dqtec.com ==> 126.96.36.199
If these IPs used for bad things at the moment (no idea..), some other records may have been pointed to.. Again pivoting :
I have no idea if these records were legit at this time. First thing first, referring to Wikipedia, .gob.ec was replaced by .gov.ec :
For the domains :
- hanm.gob.ec was “el Hospital Provincial Alfredo Noboa Montenegro”.
- cnecarchi.gob.ec was la “Delegación Electoral del Carchi”, depending from Ecuador National Electoral Council for “la delgacion de” (translate to approx. “district of”…) Carchi, website at the moment (2012-05-25) :
Nowadays the website :
- sevfae.mil.ec : We can interpret the function as globally : Ecuador’s Air Force virtual education system. It’s a Military website and domain.
At the moment website was :
AGA is “Academia de Guerra Aérea FAE” which translate to Ecuador’s Air Force war academy. This is also “similar” with the last domain below :
Illustration nowadays (not same domain..) :
ns0.nscomdomain.com / ns1.nscomdomain.com (NS)
Same process. What domains were using these Name Servers ?
Here when I search for ns0, there’s less domains, in fact, only 6, including our microsoft.co.kr. All information was from 2012 :
Examining these domains I was really surprised to find that minghui.or.kr was linked to “Faloun Gong” too ! Do you remember at the beginning of this blog post “guangming.org” ? That could reveal the same kind of interest by this/these actor(s).
- shinchonji.kr is another religious/cult (Evangelists as far as I understand) organization that may represent an interest too for China’s monitoring policy.
- logickorea.co.kr A Korean Company, in the Video Games business. I immediately think about the APT that targeted Video games industry (Winnti) . As Kaspersky noted noted in its report “Winnti. More than just a game”, South Korean video games vendors were targeted :
Interestingly, the digital signature belonged to another video game vendor – a private company known as KOG, based in South Korea.
- kftc.or.kr is a Korean financial payment service company with a lot of service today : Cash Dispenser (CD) Network, Interbank Fund Transfer(IFT), HOFINET, and The Korea Cash (K-CASH) Network connects KFTC, all banks in Korea and a system service provider (SP) for payment settlements using an electronic currency. The K-CASH would be a target for any Intelligence service on earth, including the Ministry of State Security (MSS / Guoanbu). Do you remember the NSA compromised the SWIFT Network revealed in 2017 ?
I know that one 🙂 Honeywell, not because I’m a ICS/SCADA guy but because Shodan ! 😉 Anyway, this Honeywell Korean website was in the list too… NB: honeywell.co.kr website redirect to http://www.honeywell.com/worldwide/ko-kr
Starting from public indicators and passive DNS data, and by looking at the domains, their zone authoritative name servers, and the other domains using the latters (pivoting) we discovered victims.
The volume and diversity of domains names suggest that it is likely that multiple threat actors were involved. This is also likely that China’s interests are in line with these operations, especially because of the cultual/religious aspect, which was of utter interest from China at the time of these events. NB: The same kind of interest is e.g from NetTraveler which specifically targets Tibetan/Uyghur activists.
Actors could use a service like a “DNS highjacking” tactic broker (as Elderwood project was in comparison an APT 0-day-broker), or they are likely to used a shared process for this tactic.
By understanding actor’s tradecraft, we also shine some light on China’s policy, supposed Intelligence services (MSS/Guoanbu), and business needs since 2010 from APT actors (sometime named Turbine Panda / BlackVine & Winnti) where one of the central and common capacity is the Sakula malware.