9 tweets, 3 min read
So just to be explicit about our research @ThreatConnect, we initially came across the cubenergy-my-sharepoint[.]com by exploiting some consistencies that we've seen in previous Fancy Bear infrastructure.
To be specific, the use of a PositiveSSL certificate in conjunction with a Sharepoint-related string has been used several times previously by Fancy Bear and not widely seen elsewhere.
Notably, that was seen in several of the Fancy Bear domains spoofing NGOs that Microsoft sinkholed earlier this year, like soros-my-sharepoint[.]com and transparencyinternational-my-sharepoint[.]com.
That cubenergy-my-sharepoint[.]com domain led to another, dpkshodnya-my-sharepoint[.]com, by way of some initial redirect information. That domain also has that PositiveSSL certificate and Sharepoint string consistency.
That domain was initially registered using a barid[.]com email address. I then reviewed barid[.]com email registered domains using name servers that Fancy Bear has previously consistently used (like ITitch) and found those additional kub-gas[.]com and kvatral95[.]com domains.
Ultimately, none of these characteristics are definitively indicative of APT28 activity and we don't have any specific information on how the domains have been operationalized.
However, considering the possible targets that the domains spoof and given the aforementioned non-definitive consistencies, we assess with moderate confidence that the domains probably are associated with APT28 operations.
More information on how and against whom the identified infrastructure was operationalized could ultimately strengthen our assessment and increase our confidence in that attribution.
Should have included this originally, but this research leveraged capabilities from @DomainTools, @censysio, @urlscanio, @FarsightSecInc, and @PassiveTotal. Many thanks to you all for enabling this research.
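The pivoting heuristics the thread walks through (a SharePoint-related string in the domain, a PositiveSSL certificate, a barid[.]com registrant address, and name servers at a provider Fancy Bear has reused) can be encoded as a weak-signal filter for hunting lookalike infrastructure in your own certificate or passive-DNS exports. The code below is an added example, not part of the thread or ThreatConnect's tooling; the record layout, the sample records and the assumption that the name-server hostnames contain the provider name are all constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Weak consistencies named in the thread; none is conclusive on its own,
# which is why pivot_candidates() requires several to overlap.
SHAREPOINT_RE = re.compile(r"sharepoint", re.IGNORECASE)
LOOKALIKE_RE = re.compile(r"^(?P<org>[a-z0-9-]+)-my-sharepoint\.com$", re.IGNORECASE)
SUSPECT_ISSUER = "positivessl"
SUSPECT_REGISTRANT_DOMAIN = "barid.com"
SUSPECT_NS_SUBSTRING = "ititch"  # assumption: NS hostnames carry the provider name

@dataclass
class DomainRecord:
    """Constructed shape of one merged cert / WHOIS / DNS record."""
    domain: str
    cert_issuer: str = ""
    registrant_email: str = ""
    name_servers: list = field(default_factory=list)

def spoofed_org(domain):
    """Return the organisation an <org>-my-sharepoint.com lookalike imitates, else None."""
    m = LOOKALIKE_RE.match(domain)
    return m.group("org") if m else None

def score(rec):
    """List which of the thread's consistencies a record exhibits."""
    reasons = []
    if SHAREPOINT_RE.search(rec.domain):
        reasons.append("sharepoint-string")
    if SUSPECT_ISSUER in rec.cert_issuer.lower():
        reasons.append("positivessl-cert")
    if rec.registrant_email.lower().endswith("@" + SUSPECT_REGISTRANT_DOMAIN):
        reasons.append("barid-registrant")
    if any(SUSPECT_NS_SUBSTRING in ns.lower() for ns in rec.name_servers):
        reasons.append("ititch-ns")
    return reasons

def pivot_candidates(records, min_hits=2):
    """Map domain -> reasons for records showing at least min_hits overlapping consistencies."""
    return {rec.domain: r for rec in records if len(r := score(rec)) >= min_hits}

# Constructed sample records modelled on the domains named in the thread;
# issuer strings, e-mail addresses and NS hostnames are placeholders.
SAMPLE = [
    DomainRecord("cubenergy-my-sharepoint.com", "PositiveSSL"),
    DomainRecord("dpkshodnya-my-sharepoint.com", "PositiveSSL", "user@barid.com", ["ns1.ititch.example"]),
    DomainRecord("kub-gas.com", "", "user@barid.com", ["ns2.ititch.example"]),
    DomainRecord("example.com", "PositiveSSL", "admin@example.com", ["ns1.example.net"]),
]
```

Running `pivot_candidates(SAMPLE)` keeps the three thread domains and drops example.com, whose lone PositiveSSL certificate is exactly the kind of single weak signal the author cautions is not definitive on its own.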
Keep Current with Kyle Ehmke