Unfortunately for Mr. Rhinehart, it wasn't Google who sent him that email. He, along with many others, were a victim of Threat Group 4127โโโthe SecureWorks designation for Fancy Bear (CrowdStrike), APT28 (FireEye), and Sofacy (Kaspersky Lab). Secureworks assesses that TG 4127 "is operating from the Russian Federation and is gathering intelligence on behalf of the Russian government."
Thanks to a bizarre twist involving Guccifer 2.0's solicitation of a journalist at The Smoking Gun (TSG) to write about the DCLeaks emails in exchange for giving TSG an early look at some of the stolen documents, TSG was able to obtain the original spear phishing email directly from Billy Rhinehart and shared it with ThreatConnect, who posted this screenshot of the email's headers and identified the actual sender of the email:hi.mymail@yandex.com.
Yandex is the Google of Russia. Like Google, Yandex is a search engine, and, like Gmail, Yandex's users can open a free email account.
When you visit Yandex.ru and create a new email account, the email assigned to you has the .ru domain. However, hi.mymail@yandex.com has a .com domain. There's only one reason why something like that would happen, but first, here's what a Russian user would see when he creates a Yandex email account on RUNET (the Russian Internet).
Step One: Pretend that you're in Russia
Secureworks says that you work on behalf of the Russian government. CrowdStrike says that you're an employee of the Russian government. And everyone else believes that you're Russian so for this little experiment to work, you need to be on the Russian Internet.
Assuming that you aren't already in Russia, you'll need to connect to a Russian proxy server. I have an account with PrivateVPN and used vpn-ru1.privatevpn.com for my test.
Once you're connected, run a test to make sure that you're on RUNET by visiting http://www.ip2location.com/ . It will show you your IP address and geolocation.
Step Two: Go to Yandex.ru
Type Yandex.ru into your browser's address bar. You should see it resolve tohttps://yandex.ru/.
Now let's say that you don't want a @yandex.ru email. You want a @yandex.com email. So you type https://yandex.com into your browser and ..., no joy. It resolves back to https://yandex.ru/
For some reason, RUNET is set up to send you to the .ru domain of whatever website you type into your address bar. Besides Yandex, I tried going to Google.com and was sent to Google.ru. I typed Intel.com and was sent to Intel.ru.
So how does our presumed Russian intelligence operative get his Yandex.com email address? He has to click on the Yandex.com link from the Yandex.ru homepage (highlighted below).
The point that I'm trying to make is that if anyone in Russia wanted to spear phish employees of the DNC, then creating a @yandex.com email address instead of a @yandex.ru email address is not only unnecessary extra effort but it makes absolutely no sense. You don't gain anything operationally.You've used Yandex. You might as well paint a big red R on your forehead.
However, you know what does make sense?
That the person who opened the account DOESN'T SPEAK RUSSIAN!
He went with Yandex.com because all analysis stops with merely the name of a Russian company, a Russian IP address, or a Russian-made piece of malware. To even argue that a Russian intelligence officer let alone a paranoid Russian mercenary hacker would prefer a Yandex.com email to a Yandex.ru email is mind-numbingly batshit insane.
I have no idea who created hi.mymail@yandex.com to spear phish Billy Rhinehart, but I bet you $100 that he wasn't Russian.
Reader Comments
to our Newsletter