Patterns of Malicious Infrastructure (Re)Use in Ukraine-Themed Domains

Aaron Gee-Clough, Senior Data Engineer, DomainTools
Tim Helming, Security Evangelist, DomainTools

At the 2021 Mandiant Summit, we presented the concept of “Domain Blooms,” patterns of large numbers of domains related to a specific theme, which rise rapidly, peak, then settle down to a background level. Some of these blooms show higher-than-average domain risk.

This presentation examines a bloom whose beginning coincided with the Russian invasion of Ukraine; the domain names in the bloom all contain the word “Ukraine” or variants of it. The analysis shows an elevated risk level compared to the Internet as a whole, but perhaps more importantly, we found “hotspots” of even more concentrated phishing, malware, and spam activity tied to certain features (IP address, name server, ASN, etc.). Moreover, by analyzing connections found in some of these values, we identified other clusters of malicious infrastructure that extended beyond the Ukraine theme, pointing toward other campaigns centered on patterns such as cryptocurrency and spoofing of legitimate enterprises (technology companies, banks, gaming, etc.). The work underscores the continuing value of infrastructure analysis as an approachable method for identifying and isolating harmful assets threatening protected environments.
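The hotspot-and-pivot workflow described above, as an added example that is not DomainTools' code: it scores each infrastructure feature value (IP, name server, ASN) by how far its malicious rate within the themed bloom exceeds the bloom's baseline, then pivots from a hotspot value to non-themed domains that share it. The domain records, the theme keyword and the thresholds are constructed assumptions.

```python
"""Hotspot and pivot analysis over themed-domain records (added example)."""
from collections import defaultdict

# Constructed sample records: (domain, ip, name_server, asn, malicious).
# Risk labels are assumed; real work would draw on DNS/WHOIS/reputation data.
RECORDS = [
    ("ukraine-aid-fund.example", "203.0.113.5", "ns1.hostA.example", "AS64500", True),
    ("help-ukraine-now.example", "203.0.113.5", "ns1.hostA.example", "AS64500", True),
    ("ukraina-donate.example", "203.0.113.5", "ns1.hostA.example", "AS64500", True),
    ("ukraine-crypto-gift.example", "203.0.113.5", "ns1.hostA.example", "AS64500", True),
    ("ukraine-news-daily.example", "198.51.100.20", "ns1.hostB.example", "AS64501", False),
    ("support-ukraine.example", "198.51.100.21", "ns1.hostB.example", "AS64501", False),
    ("ukraine-relief.example", "198.51.100.22", "ns2.hostB.example", "AS64501", False),
    ("ukraine-flag-shop.example", "198.51.100.23", "ns2.hostB.example", "AS64501", False),
    # Domains outside the theme that share infrastructure with the hotspot.
    ("btc-doubler-pro.example", "203.0.113.5", "ns1.hostA.example", "AS64500", True),
    ("secure-bank-login.example", "203.0.113.6", "ns1.hostA.example", "AS64500", True),
    ("free-game-skins.example", "203.0.113.7", "ns1.hostA.example", "AS64500", False),
]
FEATURES = {"ip": 1, "name_server": 2, "asn": 3}  # column index per feature


def themed(rec, keyword="ukrain"):
    """Membership test for the bloom: matches 'ukraine' and 'ukraina' variants."""
    return keyword in rec[0]


def feature_hotspots(records, feature, min_domains=3, min_lift=1.5):
    """Return {value: lift} for feature values whose malicious rate among themed
    domains is at least `min_lift` times the theme-wide baseline rate."""
    idx = FEATURES[feature]
    theme = [r for r in records if themed(r)]
    baseline = sum(r[4] for r in theme) / len(theme)
    groups = defaultdict(list)
    for r in theme:
        groups[r[idx]].append(r[4])
    hotspots = {}
    for value, labels in groups.items():
        lift = (sum(labels) / len(labels)) / baseline
        if len(labels) >= min_domains and lift >= min_lift:
            hotspots[value] = lift
    return hotspots


def pivot(records, feature, value):
    """Domains outside the theme sharing a hotspot value: candidates for the
    wider clusters (crypto, brand spoofing, etc.) the abstract mentions."""
    idx = FEATURES[feature]
    return sorted(r[0] for r in records if not themed(r) and r[idx] == value)
```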