IP ADDRESS ATTRIBUTION

INSTRUMENT IN DIGITAL ASSET SURVEILLANCE

Christina Tkach
Inca Digital
Sep 1, 2020


Written by Evgeny Dmitriev, Sofia Sedlova, Christina Tkach

Almost a decade ago, torrent trackers looked into their IP logs and found interesting connections coming from a variety of organizations that openly advocate against their right to exist. Some of the reported illegal downloads even revealed a peculiar taste in music among presidential staff. Having lost the peer-to-peer file sharing battle, the very same organizations turned their sights on other distributed technologies, cryptocurrency mining being one of them. In this piece, Inca’s investigation team looks into the digital fingerprints left on the web by digital currency mining software.

Modern cryptocurrency mining equipment is a sophisticated piece of software or hardware with telemetry pages and remote access functionality. This functionality, however, often comes with a privacy trade-off. Improper login configuration and exposed telemetry pages leak information that makes the rigs identifiable on the web. Inca’s investigation team collected digital fingerprints from the telemetry pages of Antminer, Claymore and other mining rigs and used them to generate search strings for Shodan, Censys and Zoomeye, technical search engines that are mostly used to discover machine-readable interfaces of web services. Channeling the search engine outputs into our analytics framework, NTerminal, we matched the IP addresses obtained with IP range allocation datasets from I-Blocklist, a service mostly used to block connections from government and affiliated organizations.
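The matching step described above, as an added example that is not part of Inca’s NTerminal or the original post: a small attribution routine that parses an I-Blocklist-style range list (the "Description:start-end" P2P text format is assumed) and assigns each search-engine hit to the narrowest range containing its IP address. All range names, addresses and hits below are constructed and use documentation address space, so they attribute nothing to any real organization.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed range list in the PeerGuardian "P2P" text format assumed for
# I-Blocklist exports: one "Description:start-end" per line, IPv4 only here.
SAMPLE_RANGES = """\
# comment lines and blank lines are ignored

Example Country Block (constructed):203.0.112.0-203.0.115.255
Example Ministry (constructed):203.0.113.0-203.0.113.255
Example University (constructed):198.51.100.0-198.51.100.127
Example ISP (constructed):192.0.2.0-192.0.2.255
"""

# Constructed search-engine hits: (ip, fingerprint that matched the query).
SAMPLE_HITS = [
    ("203.0.113.44", "claymore telemetry"),
    ("198.51.100.9", "antminer status page"),
    ("192.0.2.200", "antminer status page"),
    ("10.0.0.5", "claymore telemetry"),  # private address, in no range
]

Range = Tuple[int, int, str]  # (first address, last address, owner)

def parse_p2p(text: str) -> List[Range]:
    """Parse P2P-format lines into integer address ranges with their owner."""
    ranges: List[Range] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        owner, _, span = line.rpartition(":")  # owner text may itself contain ':'
        lo, _, hi = span.partition("-")
        start, end = int(ipaddress.ip_address(lo)), int(ipaddress.ip_address(hi))
        if start > end:
            raise ValueError(f"inverted range in line: {line!r}")
        ranges.append((start, end, owner))
    return ranges

def attribute(ip: str, ranges: List[Range]) -> Optional[str]:
    """Owner of the narrowest range containing ip, or None if unattributed."""
    n = int(ipaddress.ip_address(ip))
    hits = [r for r in ranges if r[0] <= n <= r[1]]
    return min(hits, key=lambda r: r[1] - r[0])[2] if hits else None

def attribute_hits(hits, ranges) -> Dict[str, List[str]]:
    """Group hits by attributed owner; unmatched hits land under 'unattributed'."""
    out: Dict[str, List[str]] = {}
    for ip, fingerprint in hits:
        owner = attribute(ip, ranges) or "unattributed"
        out.setdefault(owner, []).append(f"{ip} ({fingerprint})")
    return out

if __name__ == "__main__":
    for owner, items in attribute_hits(SAMPLE_HITS, parse_p2p(SAMPLE_RANGES)).items():
        print(owner, "->", ", ".join(items))
```

Because the narrowest containing range wins, a hit inside both a country-wide block and a ministry allocation is reported under the ministry.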

Below are a few examples of mining equipment indexed by these search engines at IP address ranges belonging to organizations whose purpose is far from running cryptocurrency mining equipment.

1. The Armed Forces Main Information Center (AFMIC) is the main Internet service provider and information center for the Egyptian Armed Forces.

Figure: Results of the search in Splunk (62.117.61.155–AFMIC)
Figure: Claymore mining activity connected with the IP address (updated 2019–07–16 04:03) in Zoomeye
Figure: Telemetry page indicating ETH mining with Claymore

2. The Higher Education Commission is a Government of Pakistan’s statutory regulator whose main functions are funding, overseeing, regulating and accrediting the higher education institutions in the country.

Figure: Results of the search in Splunk (103.4.92.23–Higher Education Commission)
Figure: Scanning the IP address via a lookup tool that returns information about the owner as well as the location
Figure: Antminer mining activity connected with the IP address (updated 2018–08–07 23:22) in Zoomeye
Figure: Telemetry page indicating cryptocurrency mining with Antminer

Similarly, we found that the Brazilian Center for Research in Physics, linked to the Ministry of Science and Technology, and the Iranian Research Organization for Science and Technology (IROST), attached to the Ministry of Science, Research and Technology of Iran, are involved in illicit mining.

We cannot say that these organizations are directly involved in mining. It is possible that government addresses and capacity are being used by third parties.

3. The Ministry of Interior of the Kingdom of Thailand is a cabinet-level department in the Government of Thailand.

Figure: Results of the search in Splunk (58.137.131.131–Thai Province Ministry of Inferior)
Figure: Scanning the IP address via a lookup tool that returns information about the owner as well as the location
Figure: Claymore mining activity connected with the IP address (updated 2020–06–28 02:09) in Zoomeye
Figure: Telemetry page indicating ETH mining with Claymore

Broadly, blockchain forensic investigations that attribute IP addresses can remove a degree of anonymity that may otherwise be present on the blockchain. When investigating suspicious activity, it is crucial for investigators to use tools such as NTerminal that aggregate different data streams; this makes it possible to match IP addresses involved in mining activity with a specific entity. That attribution establishes a baseline for the whole investigation, in which OSINT techniques and digital forensics together provide actionable intelligence for any interested parties.

Here are a few more results of the IP address attribution:

https://gist.github.com/mmore7/2f23486a59143d6ae576f3b5013d782e
