Domain Risk Rule: Ukraine Conflict Related Domain Lure

The Ukraine Conflict has created a massive cybersecurity threat by supercharging phishing as an attack technique. Phishing lures attract victims to malicious web pages by exploiting high interest in negative news and disasters.

Recorded Future is currently observing new Ukraine-related domains daily, both newly registered domains and subdomains. Some of these domains are important public services, many are benign, and some are malicious. Our Security Intelligence Platform automatically checks these domains against whitelists, evaluates them for technical evidence of maliciousness, and surfaces the small fraction of these domains that are convicted as lures.

Rules Triggering and Severity Levels

There are two rules for Ukraine-Related Domain Lures. Both are triggered when certain keywords are present in the domain and we also observe technical data indicating that the domain is being used for nefarious purposes. The Malicious severity is applied when evidence obtained from proprietary sources indicates malicious activity. The Suspicious severity is applied when our supporting evidence indicates spam and/or untrusted activity from the domain.

Recent Ukraine-Related Domain Lure: Malicious severity (risk score of 65 or higher, depending on other evidence of risk observed for the domain)

  • The domain has a URL with confirmed malicious activity and/or associated malware in high-fidelity technical data sources.
  • The domain has been verified as malicious in technical research done by Insikt Group.
  • The domain was seen in the past 30 days.

Recent Ukraine-Related Domain Lure: Suspicious severity (risk score of 25-64)

  • The domain has a URL with suspicious activity, tagged as untrusted and/or spam-related, by a vetted third-party security source providing high-efficacy technical data.
  • The domain was seen in the past 30 days.

Either rule ages out after 30 days, after which the domain is tracked as historical.
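As an added illustration, not Recorded Future's own code, the following Python models the rule logic described above: a keyword match on the domain, an evidence category that decides the severity band, and the 30-day recency window after which a convicted domain becomes historical. The keyword list, the evidence tag names, the per-evidence score increments and every sample domain (all under the reserved .example TLD) are assumptions constructed for this example; the platform's real keyword set and score weighting are not published on the page.

```python
"""Simplified model of a 'Ukraine-Related Domain Lure' style risk rule.

Constructed example: keyword list, evidence tag names and score increments
are assumptions, not the vendor's implementation.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Optional, Set, Tuple

# Assumed keywords; the page only says "certain keywords" are matched in the domain.
LURE_KEYWORDS = ("ukraine", "ukrain", "kyiv")

# Evidence categories named in the rule description (tag names are assumed).
MALICIOUS_EVIDENCE = {"malicious_url", "malware", "insikt_verified"}
SUSPICIOUS_EVIDENCE = {"untrusted_url", "spam"}

RECENCY_WINDOW = timedelta(days=30)


@dataclass
class DomainObservation:
    domain: str
    evidence: Set[str]   # evidence tags attached to the domain
    last_seen: date      # most recent sighting of the domain


def has_lure_keyword(domain: str) -> bool:
    d = domain.lower()
    return any(k in d for k in LURE_KEYWORDS)


def is_recent(obs: DomainObservation, today: date) -> bool:
    age = today - obs.last_seen
    return timedelta(0) <= age <= RECENCY_WINDOW


def risk_score(floor: int, cap: int, corroborating: int) -> int:
    # Illustrative scoring: start at the band floor, add 10 per additional
    # corroborating evidence type, and never leave the band.
    return min(cap, floor + 10 * corroborating)


def evaluate(obs: DomainObservation, today: date) -> Optional[Tuple[str, int]]:
    """Return (severity, score) or None when neither rule fires.

    Severities: 'malicious' (65+), 'suspicious' (25-64), or 'historical'
    once a convicted domain has not been seen for more than 30 days.
    """
    if not has_lure_keyword(obs.domain):
        return None
    mal = obs.evidence & MALICIOUS_EVIDENCE
    sus = obs.evidence & SUSPICIOUS_EVIDENCE
    if not (mal or sus):
        return None  # a keyword alone is not a conviction; many such domains are benign
    if not is_recent(obs, today):
        return ("historical", 0)
    if mal:
        return ("malicious", risk_score(65, 99, len(mal) - 1))
    return ("suspicious", risk_score(25, 64, len(sus) - 1))


# Constructed sample observations for the demonstration.
TODAY = date(2022, 3, 15)
SAMPLES = [
    DomainObservation("ukraine-relief-donate.example", {"malicious_url", "malware"}, date(2022, 3, 10)),
    DomainObservation("help-ukrain-now.example", {"spam"}, date(2022, 3, 1)),
    DomainObservation("kyiv-news-update.example", {"malicious_url"}, date(2022, 1, 20)),
    DomainObservation("support-ukraine.example", set(), date(2022, 3, 14)),
    DomainObservation("weather-report.example", {"malware"}, date(2022, 3, 14)),
]


def run_rules(samples=SAMPLES, today=TODAY) -> Dict[str, Optional[Tuple[str, int]]]:
    return {obs.domain: evaluate(obs, today) for obs in samples}


if __name__ == "__main__":
    for domain, verdict in run_rules().items():
        print(f"{domain:35} {verdict}")
```

The two "None" cases are the ones worth noticing: a keyword with no technical evidence never fires, and malware evidence on a domain without a keyword belongs to other rules, not this one.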

Suggested Actions

Since detections of domains at this stage are early in the attacker lifecycle, this rule lets defenders implement controls early and get ahead of adversaries. It can be used by security operations centers, incident responders, and threat hunters to detect and prevent phishing attacks, watering-hole attacks, drive-by downloads, and social engineering attempts in which bad actors lure victims into clicking on malicious sites that contain information about Ukraine, ultimately allowing the actors to run arbitrary code and steal data.
Domains at Malicious severity can be used by security engineering teams to implement the Ukraine-related indicator or risk list in an integration with perimeter ingress/egress controls (firewalls, web gateways, proxies, etc.). The risk list is also useful in a SIEM, where threat hunters and/or incident responders can use its matches as pivot points against other indicators to find additional files dropped, parent/child processes launched, unusual IP addresses contacted, URLs accessed, etc., after the initial discovery of the threat.
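The following added example, which is not part of Recorded Future's product or documentation, shows the SIEM-style use just described: a risk list is matched against the hostnames in proxy log lines, hits in the Malicious band are marked for blocking and hits in the Suspicious band for alerting, and the client behind a hit is pivoted to list the other hosts it contacted afterwards. The CSV layout, the proxy log format, and every domain and address are constructed for the example; the thresholds are the severity bands from the rule description.

```python
"""Match a domain risk list against proxy logs and pivot on matched clients.

Constructed example: the CSV layout, log format and all names/addresses are
assumptions; the 65 and 25 thresholds are the rule's severity bands.
"""
import csv
import io
from typing import Dict, List, Optional
from urllib.parse import urlsplit

BLOCK_THRESHOLD = 65   # Malicious band: candidate for perimeter blocking
ALERT_THRESHOLD = 25   # Suspicious band: raise for analyst review

# Constructed risk list export: one domain and its risk score per row.
RISK_LIST_CSV = """Name,Risk
ukraine-relief-donate.example,75
help-ukrain-now.example,40
"""

# Constructed proxy log: timestamp, client IP, method, target.
PROXY_LOG = """2022-03-14T09:12:03Z 10.1.4.22 GET http://ukraine-relief-donate.example/aid.html
2022-03-14T09:13:44Z 10.1.4.22 GET https://news.example/world/ukraine
2022-03-14T09:15:10Z 10.1.7.8 GET https://www.help-ukrain-now.example/login
2022-03-14T09:16:01Z 10.1.9.3 CONNECT update.vendor.example:443
2022-03-14T09:18:27Z 10.1.4.22 CONNECT cdn.static.example:443
"""


def load_risk_list(text: str) -> Dict[str, int]:
    return {row["Name"].strip().lower(): int(row["Risk"])
            for row in csv.DictReader(io.StringIO(text))}


def host_of(target: str) -> str:
    # GET lines carry a full URL; CONNECT lines carry host:port.
    if "://" in target:
        return (urlsplit(target).hostname or "").lower()
    return target.rsplit(":", 1)[0].lower()


def matching_domain(host: str, risk_list: Dict[str, int]) -> Optional[str]:
    """Return the risk-list entry equal to host or to one of its parent domains."""
    labels = host.split(".")
    for i in range(len(labels) - 1):   # stop before the bare TLD
        candidate = ".".join(labels[i:])
        if candidate in risk_list:
            return candidate
    return None


def parse_log(log_text: str) -> List[dict]:
    records = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, method, target = line.split(maxsplit=3)
        records.append({"ts": ts, "client": client, "method": method,
                        "host": host_of(target), "target": target})
    return records


def triage(log_text: str, risk_list: Dict[str, int]) -> List[dict]:
    """Return one finding per log line whose host is on the risk list."""
    findings = []
    for rec in parse_log(log_text):
        hit = matching_domain(rec["host"], risk_list)
        if hit is None:
            continue
        score = risk_list[hit]
        if score >= BLOCK_THRESHOLD:
            disposition = "block"
        elif score >= ALERT_THRESHOLD:
            disposition = "alert"
        else:
            continue
        findings.append({"ts": rec["ts"], "client": rec["client"], "host": rec["host"],
                         "matched": hit, "risk": score, "disposition": disposition})
    return findings


def pivot_client(log_text: str, client: str, after_ts: str) -> List[str]:
    """Hosts the client contacted at or after the hit (ISO-8601 UTC strings sort lexically)."""
    return [r["host"] for r in parse_log(log_text)
            if r["client"] == client and r["ts"] >= after_ts]


if __name__ == "__main__":
    risk = load_risk_list(RISK_LIST_CSV)
    for f in triage(PROXY_LOG, risk):
        print(f["disposition"], f["client"], f["host"], "->", f["matched"], f["risk"])
        print("  pivot:", pivot_client(PROXY_LOG, f["client"], f["ts"]))
```

Matching walks up the hostname so a subdomain of a listed domain still hits, while a page merely about Ukraine on an unlisted domain (the news.example line) does not: the rule convicts domains, not content.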

Note: The Ukraine-Related Domain Lure risk rule is continuously evolving. It is driven by the Recorded Future Data Science & Research teams for newly registered domains, with ongoing improvements in automating malicious-conviction verdicts from third-party sources.