Twitter thread by Raphael Satter, 16 tweets
Exclusive: A day in the life of “Den Katenberg,” alleged GRU hacker apnews.com/c554ea59bd0b4e…
Something that I've been working on quietly but which the indictment probably makes moot: the Secureworks list had several Fancy Bear email addresses which the group used for self-testing.
How I found this out: Fancy Bear generated malicious links in batches. But between these waves of activity they would sometimes generate 1-4 malicious links, often connected to weird-sounding email addresses.

Here's Fancy's bitly activity for March 4, 2016, for example:
The red boxes show two waves of targeting activity. But look at the grey box that precedes them by a few minutes. They're targeting a much smaller batch of odd-looking emails. [I've redacted some nonpublic emails]

Same pattern of activity on March 9, 2016:
The pattern repeats across the data set. It's as if they test the waters with a handful of target emails, and then (a few minutes or an hour or two later) send out waves of phishing to a much larger set.
The idea that this is systematic testing is reinforced if we look at which emails are targeted during these apparent dry runs.

Do these addresses look familiar? Search for "dailyforeignnews" and "dernyalzongy" to see where else addresses have come up ...
Now look at March 10, 2016 -- the first day that Fancy Bear targets the Clinton campaign. At 6:46 GMT there's an initial email sent to a Gmail address with the word "pentest" in it [I've redacted the rest]. A few minutes later, a wave of 29 phishing links.
Skip forward to March 15, 2016. The pattern is almost Morse Code-clear:
12:33 Test
13:00 Phish
13:38 Test
13:44 Phish
13:58 Test
14:13 Phish
There's that "dailyforeignnews" address again at 13:38. [I've redacted the rest.]
This kind of activity is typical. Hackers are constantly testing. The costs are negligible. But the risks are not, as we'll soon see ...
Let's go now to March 19, 2016. It's on this day that the DOJ says John Podesta's email was hacked by GRU phishing specialist Lt. Aleksey Lukashev. Podesta's was one of 70+ accounts that were targeted around 8:28 GMT that day. But look at the apparent tests before and after.
Those that follow APT28 will recognize the "dailyforeignnews" and "denryalzongy" emails. But check out the "denkaten" address also targeted at 7:37 GMT, less than an hour before Podesta is hit.
"denkaten" appears 3 times in the Secureworks data; each one appears to be a test-drive.

So on a whim, I added "denkaten" as a contact in a throwaway Gmail account & connected it to a throwaway Twitter account. I ingested my Gmail contacts to "find my friends." Coincidence?
I've tried to reach @denkaten for comment. So far I have not heard back. Den, I'm eager to hear from you.

His Twitter account does not appear particularly active.
Den Katenberg's Facebook page, which was located at this address, has now been taken down.
facebook.com/profile.php?id…
Note the watermark near the bottom right of the image. Any digital forensics sleuths able to ID it?
Google cache of Den Katenberg's public Facebook profile:
webcache.googleusercontent.com/search?q=cache…
Archive of the Google cache:
web.archive.org/web/2018071323…
He gives his hometown as "London".
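The test-then-wave timing pattern the thread describes, turned into a small detection routine a threat-intel analyst could run over short-link creation records. This is an added example, not the author's code or the Secureworks data: the records, addresses, timestamps and thresholds (5-minute batch gap, probe batches of at most 4 links, waves of at least 5 within 2 hours) are constructed assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed link-creation records (UTC timestamp, targeted address) shaped like the
# March 15 pattern in the thread: tiny probe batches, then larger phishing waves.
RECORDS = [
    ("2016-03-15 12:33", "probe-a@example.com"),
    ("2016-03-15 12:34", "probe-b@example.com"),
    *[("2016-03-15 13:00", f"staff{i:02d}@example.org") for i in range(6)],
    ("2016-03-15 13:38", "probe-a@example.com"),        # same probe address again
    *[("2016-03-15 13:44", f"staff{i:02d}@example.org") for i in range(6, 14)],
    ("2016-03-15 13:58", "probe-c@example.com"),
    *[("2016-03-15 14:13", f"staff{i:02d}@example.org") for i in range(14, 20)],
    ("2016-03-15 18:00", "lone@example.net"),           # isolated link, no wave follows
]

def batch_records(records, gap=timedelta(minutes=5)):
    """Group link creations into batches separated by more than `gap` of quiet."""
    batches, current = [], []
    for ts_str, addr in sorted(records):
        ts = datetime.strptime(ts_str, "%Y-%m-%d %H:%M")
        if current and ts - current[-1][0] > gap:
            batches.append(current)
            current = []
        current.append((ts, addr))
    if current:
        batches.append(current)
    return batches

def find_test_runs(records, max_test=4, min_wave=5, window=timedelta(hours=2)):
    """Return (probe_addresses, wave_size) for every batch of at most `max_test`
    links that is followed within `window` by a batch of at least `min_wave`."""
    batches = batch_records(records)
    hits = []
    for small, nxt in zip(batches, batches[1:]):
        if len(small) <= max_test and len(nxt) >= min_wave \
                and nxt[0][0] - small[-1][0] <= window:
            hits.append(([addr for _, addr in small], len(nxt)))
    return hits

def recurring_probe_addresses(records, min_count=2):
    """Addresses seen in more than one suspected test run: candidate attacker-controlled
    accounts worth cross-referencing against other data sets."""
    counts = Counter(a for addrs, _ in find_test_runs(records) for a in addrs)
    return {a: n for a, n in counts.items() if n >= min_count}

if __name__ == "__main__":
    for addrs, size in find_test_runs(RECORDS):
        print(f"probe {addrs} -> wave of {size}")
    print("recurring:", recurring_probe_addresses(RECORDS))
```

On the constructed data the three probe batches are flagged, the isolated 18:00 link is not, and "probe-a@example.com" surfaces as the address reused across test runs, mirroring how the thread singles out addresses that recur in the dry runs.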