Norse Special Threat Report: FLYING KITTEN / Operation Saffron Rose Indicators of Compromise (IOCs) uncovered by Norse sensor network

05/15/2014

A number of Indicators of Compromise (IOCs) have been shared and attributed to the 'named intrusion set' labelled FLYING KITTEN / Operation Saffron Rose. Our analysis of these IOCs indicates that the more critical IP addresses involved carry Norse IPQ ratings identifying them as malicious, and our sensor network identified additional domain names with a malicious history or intent. In sharing this information, Norse hopes to shed light on this activity for fellow information security and IT professionals to use in mitigating the threat to their networks and systems.

This 'named intrusion set' is attributed with targeting critical infrastructure sectors and political dissidents. Such targeted activity has a distinct profile and intent: the goal is to gain and hold internal system/network access and to exfiltrate intellectual property, while remaining as stealthy as possible. Detection and mitigation therefore rely on multiple tools and datasets, providing layered mitigations and compensating controls.

Norse's threat intelligence platform rated the most severe of these suspect IP addresses and associated indicators MEDIUM to HIGH. The Indicators of Compromise (IOCs) attributed to the FLYING KITTEN / Operation Saffron Rose 'named intrusion set' are:

| IP | Host | Organization | ISP | AS # | Country | Location | Norse IPQ rating |
|---|---|---|---|---|---|---|---|
| 5.9.244.151 | static.151.244.9.5.clients.your-server.de | Constantin Constantinescu | Hetzner Online AG | 24940 | Germany | Gunzenhausen | MEDIUM |
| 5.9.244.157 | static.157.244.9.5.clients.your-server.de | Constantin Constantinescu | Hetzner Online AG | 24940 | Germany | Gunzenhausen | HIGH |
| 88.150.227.197 | h88-150-227-197.host.redstation.co.uk | Sinet Telekom d.o.o [1] | Sinet Telekom d.o.o [1] | [1] | Serbia | Belgrade | LOW |
| 74.63.239.116 | 116-239-63-74.static.reverse.lstn.net | Limestone Networks | Limestone Networks | 46475 | USA | Texas, Dallas | HIGH |
| 81.17.23.226 | 12.adilaiwoang.net | CLIENTID4996 - iSS Private Network | Private Layer INC | 51852 | Switzerland | Zürich | LOW |
| 81.17.28.227 | NXDOMAIN | CLIENTID4996 - iSS Private Network | Private Layer INC | 51852 | Switzerland | Zürich | LOW |
| 81.17.28.229 | NXDOMAIN | CLIENTID4996 - iSS Private Network | Private Layer INC | 51852 | Switzerland | Zürich | LOW |
| 81.17.28.231 | NXDOMAIN | CLIENTID4996 - iSS Private Network | Private Layer INC | 51852 | Switzerland | Zürich | LOW |
| 81.17.28.235 | NXDOMAIN | CLIENTID4996 - iSS Private Network | Private Layer INC | 51852 | Switzerland | Zürich | LOW |
| 176.227.193.13 | h176-227-193-13.host.redstation.co.uk | Dedicated Server Hosting | Redstation Limited | 35662 | UK | Gosport, Hampshire | HIGH |

[1] Note that Sinet Telekom d.o.o no longer provides internet services, and this IP was recently assigned to Redstation Limited, GB (ASN 35662).

| IP | Domain | Last Observed |
|---|---|---|
| 5.9.244.157 | aeroconf2014.org | 2014-01-14 3:00:24-08:00 |
| 5.9.244.157 | rea12.atk.com.cookieauth.dll.internet.secure.employee.ssl.webmail.login.microsoft.exchange.mailservermigration.tk | 2014-01-14 3:03:04-08:00 |

Using Norse's dark intelligence gathering capabilities, we identified additional domains that could be related to the suspect activity: one of the systems already listed above (74.63.239.116) hosts six questionable domains. One of these domains was observed as recently as this week; the others were observed in Fall 2013. Note that this system hosts multiple domains, most of which appear to be legitimate. At this time our analysis does not correlate the domains listed below with the activity attributed to FLYING KITTEN / Operation Saffron Rose, though there are enough indications that these domains have been involved in suspect activity.

| IP | Domain | Last Observed |
|---|---|---|
| 74.63.239.116 | armexconex.com | 2014-05-13 2:36:49-07:00 |
| 74.63.239.116 | tehrantakhfif.ir | 2014-02-28 4:51:22-08:00 |
| 74.63.239.116 | ronixairtools.com | 2014-01-23 3:34:25-08:00 |
| 74.63.239.116 | khorvash6.ir [2] | 2014-01-12 2:46:29-08:00 |
| 74.63.239.116 | www.eset4u.ir [3] | 2013-11-20 5:39:57-08:00 |
| 74.63.239.116 | ptcebook.com [4] | 2013-10-02 2:21:03-07:00 |

[2] The domain khorvash6.ir was identified on VirusTotal as hosting malicious URLs in the January 2014 timeframe.

[3] The domain was listed as compromised on 2013-07-14 02:44:55 by Zone-H, and was implicated as a phishing web site on Kunjon and on PhishTank in November 2013.

[4] VirusTotal results for this now-suspended domain provide indications that it is malicious.

The bulk of the IPs referenced in this report are rated MEDIUM to HIGH by Norse's threat intelligence platform, which corresponds to a risk factor of 34 through 89. Users integrating Norse dark threat intelligence into their firewall, Intrusion Detection/Prevention Systems, or SIEM can track these high-risk IPs and monitor, block, or quarantine them according to their security policy and acceptable risk. For further information regarding these IOCs, including where the indicators fall in the kill chain and potential mitigations, contact your affiliated ISAC and/or CERT. For questions about integrating the Norse Darklist or IPViking capabilities into your organization, or about the analysis detailed here, please contact us.
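As an added example (not part of the Norse report), the following Python scan matches constructed DNS/proxy log lines against the IOCs tabulated above and assigns an action per Norse rating, with the attributed domains and the uncorrelated watchlist domains handled as separate tiers. The log line format and the rating-to-action policy are assumptions of this example.

```python
import ipaddress
import re
# IP ratings and domains copied from the report tables above.
IP_RATINGS = {
    "5.9.244.151": "MEDIUM", "5.9.244.157": "HIGH", "88.150.227.197": "LOW",
    "74.63.239.116": "HIGH", "81.17.23.226": "LOW", "81.17.28.227": "LOW",
    "81.17.28.229": "LOW", "81.17.28.231": "LOW", "81.17.28.235": "LOW",
    "176.227.193.13": "HIGH",
}
ATTRIBUTED_DOMAINS = {  # hosted on 5.9.244.157 and attributed to the intrusion set
    "aeroconf2014.org",
    "rea12.atk.com.cookieauth.dll.internet.secure.employee.ssl.webmail.login."
    "microsoft.exchange.mailservermigration.tk",
}
WATCHLIST_DOMAINS = {  # suspect domains on 74.63.239.116, not correlated by the report
    "armexconex.com", "tehrantakhfif.ir", "ronixairtools.com",
    "khorvash6.ir", "www.eset4u.ir", "ptcebook.com",
}
# Rating-to-action policy: an assumption for this example, not the report's advice.
ACTION = {"HIGH": "block", "MEDIUM": "monitor", "LOW": "log",
          "ATTRIBUTED": "block", "WATCHLIST": "monitor"}
LOG_RE = re.compile(r"^(\S+) (\S+) (dns|proxy) (\S+)$")  # assumed: ts client kind dest
def domain_matches(host, known):
    # Suffix match so subdomains of a listed domain are caught as well.
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in known)
def check_line(line_no, line):
    # Returns (line_no, indicator, rating, action) for a matching line, else None.
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    dest = m.group(4)
    try:
        dest = str(ipaddress.ip_address(dest))  # normalise IP spelling
        rating = IP_RATINGS.get(dest)
    except ValueError:  # not an IP: treat as a hostname
        rating = ("ATTRIBUTED" if domain_matches(dest, ATTRIBUTED_DOMAINS) else
                  "WATCHLIST" if domain_matches(dest, WATCHLIST_DOMAINS) else None)
    return (line_no, dest, rating, ACTION[rating]) if rating else None
def scan_logs(text):
    # Hits in line order; a SIEM would raise one alert per hit.
    hits = (check_line(i, l) for i, l in enumerate(text.splitlines(), 1))
    return [h for h in hits if h]
# Constructed sample log lines (not real traffic) covering IP and domain matches.
SAMPLE_LOGS = """\
2014-05-14T10:01:02Z 10.0.0.5 proxy 5.9.244.157
2014-05-14T10:01:07Z 10.0.0.5 dns mail.aeroconf2014.org
2014-05-14T10:02:11Z 10.0.0.9 dns www.example.com
2014-05-14T10:03:45Z 10.0.0.9 proxy 81.17.28.231
2014-05-14T10:04:00Z 10.0.0.12 dns khorvash6.ir
"""
```

Running `scan_logs(SAMPLE_LOGS)` yields four hits (lines 1, 2, 4 and 5); the benign www.example.com lookup produces none.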