The Yandex Domain Problem
Or Who In Russian Intelligence Doesn’t Speak Russian?
On March 22, 2016 William “Billy” Rhinehart, a regional field director at the Democratic National Committee, received an email from Google warning him that someone tried to access his account and that he should immediately change his password. He complied.
Unfortunately for Mr. Rhinehart, it wasn’t Google who sent him that email. He, along with many others, were a victim of Threat Group 4127 — the SecureWorks designation for Fancy Bear (CrowdStrike), APT28 (FireEye), and Sofacy (Kaspersky Lab). Secureworks assesses that TG 4127 “is operating from the Russian Federation and is gathering intelligence on behalf of the Russian government.”
Thanks to a bizarre twist involving Guccifer 2.0’s solicitation of a journalist at The Smoking Gun (TSG) to write about the DCLeaks emails in exchange for giving TSG an early look at some of the stolen documents, TSG was able to obtain the original spear phishing email directly from Billy Rhinehart and shared it with ThreatConnect, who posted this screenshot of the email’s headers and identified the actual sender of the email: firstname.lastname@example.org.
What’s Wrong With This Picture?
Yandex is the Google of Russia. Like Google, Yandex is a search engine, and, like Gmail, Yandex‘s users can open a free email account.
When you visit Yandex.ru and create a new email account, the email assigned to you has the .ru domain. However, email@example.com has a .com domain. There’s only one reason why something like that would happen, but first, here’s what a Russian user would see when he creates a Yandex email account on RUNET (the Russian Internet).
Step One: Pretend that you‘re in Russia
Secureworks says that you work on behalf of the Russian government. CrowdStrike says that you’re an employee of the Russian government. And everyone else believes that you’re Russian so for this little experiment to work, you need to be on the Russian Internet.
Assuming that you aren’t already in Russia, you’ll need to connect to a Russian proxy server. I have an account with PrivateVPN and used vpn-ru1.privatevpn.com for my test.
Once you’re connected, run a test to make sure that you’re on RUNET by visiting http://www.ip2location.com/ . It will show you your IP address and geolocation.
Step Two: Go to Yandex.ru
Type Yandex.ru into your browser’s address bar. You should see it resolve to https://yandex.ru/.
At the upper right hand corner of the web page, click the second Russian phrase from the right to open a new email account.
A new registration page will open. The default asks you to provide a mobile number for verification but you have the option of using a CAPTCHA.
Fill out the form, answer the CAPTCHA, and accept the terms, and you’ll be the new owner of a Yandex.ru email address.
How Do I Get A Yandex.com Email Address on RUNET?
For some reason, RUNET is set up to send you to the .ru domain of whatever website you type into your address bar. Besides Yandex, I tried going to Google.com and was sent to Google.ru. I typed Intel.com and was sent to Intel.ru.
So how does our presumed Russian intelligence operative get his Yandex.com email address? He has to click on the Yandex.com link from the Yandex.ru homepage (highlighted below).
Then the process is the same as before except that everything, including the CAPTCHA, will be in English.
The point that I’m trying to make is that if anyone in Russia wanted to spear phish employees of the DNC, then creating a @yandex.com email address instead of a @yandex.ru email address is not only unnecessary extra effort but it makes absolutely no sense. You don’t gain anything operationally. You’ve used Yandex. You might as well paint a big red R on your forehead.
However, you know what does make sense?
That the person who opened the account DOESN’T SPEAK RUSSIAN!
He went with Yandex.com because all analysis stops with merely the name of a Russian company, a Russian IP address, or a Russian-made piece of malware. To even argue that a Russian intelligence officer let alone a paranoid Russian mercenary hacker would prefer a Yandex.com email to a Yandex.ru email is mind-numbingly batshit insane.
I have no idea who created firstname.lastname@example.org to spear phish Billy Rhinehart, but I bet you $100 that he wasn’t Russian.