Russian Infrastructure, Domestic Threats

Let’s take a look at a curious thing in RiskIQ – the October 22nd registration for the 0hour1[.]com domain.

0HOUR1 Registration
0HOUR1 Registration

The nameservers at westcall[.]ru are part of a large ISP in St. Petersburg. The registrant’s trail is an intentional mess, but lets see what we can find on Brian Durant. It’s helpful to know his birth name –  Fiore DiPietrantonio.

Durant came to my attention because his crew are bothering a CVE researcher I know, and threatening a man in Brooklyn that they mistakenly identified as them. There is a decent Threadreader on Durant from @trebillion that provided me a starting point.

Achtung! If you choose to pursue this, you must turn your OSINT tradecraft up to eleven. The name change is an attempt to leave behind a shady past, there is intentional deception at work prior to the politics, and don’t chase after a pretty face on a largely empty persona.

As a sign of how much of a hassle this backtrail was, take a look at my hunch.ly case for it. And this is the second one – the first draft had so much crud in it I found it easier to just start over and revisit the stuff I confirmed.

Brian Durant Investigations
Brian Durant Investigations

About that empty female persona … here is where it starts.

rowdypolitics[.]com
rowdypolitics[.]com
Which of these do you think are legitimate?

Meghan Thompson
Meghan Thompson

If you picked only #1 and #2, which a faint urge to check #3, give yourself a gold star.

Three Domains & Hosting
Three Domains & Hosting

I got distracted writing this and spent half an hour playing with the RiskIQ response to the Maltego Domain Analysis transform. GoDaddy is a terrible swamp that typically reveals nothing, so I collapsed it to a point to better see the other things. The westcall[.]ru nameserver mistake only showed in the registration, they caught it before it started turning up in  passive DNS. So what are these three other things we see?

192.169.82.86 is part of The Swamp – the tiny allocations in 192.0.0.0/7 that were handed out for free back in the eighties. RiskIQ shows over 9,000 names for it, Maltego finds 552, ARIN says it’s a point to point link from Limestone Networks to a customer. It’s been passed around for thirty years or more and I don’t think it tells us much. The reverse lookup is the last one someone carded to enter and those don’t seem to matter much on shared servers. Make a mental note to come back, only if all else fails.

86.106.93.230 is a European address, you can tell just by the leading octet, and with a little poking we find it’s in AS44901 – BelCloud Hosting, but it’s listed with over 10,000 other names.

What about 149.56.202.49? Looking at the times it was active we find that it had the system to itself, running what looks to be WordPress under cPanel.

magaforamerica[.]com
magaforamerica[.]com
This is turning into a common theme – people trying to do their own hosting and then giving up after a couple days.  The DNS tab provided another interesting clue that I just noticed as I was drafting this article.

videowhispers@gmail.com
[email protected]

And what’s going on here? Every time I look at this thing I find another eastern European/Russian link.

videowhispers[.]com
videowhispers[.]com

 

So … I thought this was going to be a declaration and instead it’s a problem statement – there is more digging to do here. But there is one piece of digging that is done – the ID of Brian Durant’s associate who threatened me when I first started probing is within easy reach. Check the DM that @NetwarSystem received on October 17th and the menacing voicemail from October 27th.

This “very reasonable dude” is @MistaBRONCO, which has been a stable alias for him for at least six years. It was on his Flickr account, where a close inspection of cat photos turned up this gem. Handsome boy, isn’t he?

BRONCO, International Cat Of Mystery
BRONCO, International Cat Of Mystery

So our internet tough guy who cleverly pressed *69 before he left me a message on a Google Voice number that hasn’t a phone attached to it in five years is laid low by the ol’ surname & multiple phone numbers on a pet’s nametag. Amateur hour here – stable name, personal details all over the place. This is all recorded in hunch.ly and the good bits of the YouTube channel that put the voice with this cat are safe, too.

So I’ve got a voice threat, another guy that this genius misidentified as Ca1m has received threats, the source lives on Long Island, the target is in Brooklyn. Since these are both covered by the NYC FBI field office and I was pointedly told to “come correct”, I had the following exchange with the counter-terrorism SA in that office, whom I’ve known since Occupy days.

Alerting Agent Smith
Alerting Agent Smith

That’s as correct as I can play it in the wee hours of a Friday right before a midterm in which Russian influence is certainly still a problem.

How’d I do?