In the analysis of malicious activity labelled as FLYING KITTEN / Operation Saffron Rose, there are a number of Indicators of Compromise (IOCs) shared attributed to this 'named intrusion set.' Our analysis on these IOCs indicate that the more critical IP addresses involved have Norse IPQ ratings identifying these systems as malicious, and our sensor network identified other domain names with malicious history or intent. In sharing this information, Norse hopes to shed light into this activity for fellow Information Security and IT professionals to use in mitigating the threat to their networks and systems.
This 'named intrusion set' is attributed to targeting critical infrastructure sectors and political dissidents. This sort of specific targeted activity has a different profile and intent; where the goal is to gain and hold onto internal system/network access and exfiltrate intellectual property. Best efforts are to accomplish as stealth as possible; detection and mitigation is utilizing multiple tools and datasets for layered mitigations/compensating controls.
The activity of these suspect IP addresses and associated indicators provided ratings of MEDIUM to HIGH by Norse's threat intelligence platform for the most severe systems involved. The Indicators Of Compromise (IOCs) attributed to the FLYING KITTEN / Operation Saffron Rose 'named intrusion set' are:
|IP||Host||Organization||ISP||AS #||Country||Location||Norse IPQ rating|
|220.127.116.11||static.18.104.22.168.clients.your-server.de||Constantin Constantinescu||Hetzner Online AG||24940||Germany||Gunzenhausen||MEDIUM|
|22.214.171.124||static.126.96.36.199.clients.your-server.de||Constantin Constantinescu||Hetzner Online AG||24940||Germany||Gunzenhausen||HIGH|
|188.8.131.52||h88-150-227-197.host.redstation.co.uk||Sinet Telekom d.o.o ||Sinet Telekom d.o.o ||||Serbia||Belgrade||LOW|
|184.108.40.206||116-239-63-74.static.reverse.lstn.net||Limestone Networks||Limestone Networks||46475||USA||Texas, Dallas||HIGH|
|220.127.116.11||12.adilaiwoang.net||CLIENTID4996 - iSS Private Network||Private Layer INC||51852||Switzerland||Zürich||LOW|
|18.104.22.168||NXDOMAIN||CLIENTID4996 - iSS Private Network||Private Layer INC||51852||Switzerland||Zürich||LOW|
|22.214.171.124||NXDOMAIN||CLIENTID4996 - iSS Private Network||Private Layer INC||51852||Switzerland||Zürich||LOW|
|126.96.36.199||NXDOMAIN||CLIENTID4996 - iSS Private Network||Private Layer INC||51852||Switzerland||Zürich||LOW|
|188.8.131.52||NXDOMAIN||CLIENTID4996 - iSS Private Network||Private Layer INC||51852||Switzerland||Zürich||LOW|
|184.108.40.206||h176-227-193-13.host.redstation.co.uk||Dedicated Server Hosting||Redstation Limited||35662||UK||Gosport, Hampshire||HIGH|
 Note that Sinet Telekom d.o.o no longer provides internet services, and this IP was recently assigned to Redstation Limited, GB (ASN 35662).
With Norse's dark intelligence gathering capabilities, we were able to determine potential additional domains that could be related to the suspect activity. One of the systems already outlined, with six questionable domains. One of these domains was observed as recently as this week, with others observed in Fall 2013. Note that this system has multiple domains hosted, most of which look to be legitimate. Our analysis does not correlate the activity attributed to FLYING KITTEN / Operation Saffron Rose with these domains listed below at this time. Though from our analysis there are enough indications that these domains have been involved with suspect activity.
|IP||Domain||Last Observed||220.127.116.11||armexconex.com||2014-05-13 2:36:49-07:00|
|18.104.22.168||khorvash6.ir ||2014-01-12 2:46:29-08:00|
|22.214.171.124||www.eset4u.ir ||2013-11-20 5:39:57-08:00|
|126.96.36.199||ptcebook.com ||2013-10-02 2:21:03-07:00|
 The domain khorvash6.ir was identified as having malicious URLs from the January 2014 timeframe on Virustotal
The bulk of the IPs referenced in this report are rated MEDIUM to HIGH by Norse's threat intelligence platform, which designates a risk factor of 34 through 89. Users integrating Norse dark threat intelligence into their firewall, Intrusion Detection\Prevention Systems, or SIEM can track these high risk IPs and monitor, block, or quarantine according to their security policy and acceptable risk. For further information regarding these IOCs, and scope of these indicators regarding kill chain involvement & potential mitigations contact your affiliated ISAC and/or CERT. Regarding integrating the Norse Darklist or IPViking capabilities to your organization, or questions regarding our analysis detailed here please contact us.