Insikt Group has observed TAG-53 reusing a set of common traits when building out its infrastructure: domain names that follow a specific naming pattern, paired with Let’s Encrypt TLS certificates; a specific cluster of hosting providers; and a small cluster of autonomous systems.
Analysis of TAG-53’s infrastructure shows that it uses a cluster of hosting providers that has been named “Threat Provider Group A”. The same hosting cluster was also observed serving a significant number of other notable domains, including services used in Russia’s professional disinformation operations and in cybercrime, as well as infrastructure linked to Russia-aligned threat actors.
TAG-53 also uses Let’s Encrypt TLS certificates for the domains in its infrastructure, issued for the common names “ssl.threatexpertgroup.com” and “ssl1.threatexpertgroup.com”. Keeping these names fixed allows seamless management of the infrastructure: the operator can point a name at whichever server is optimal at any given time simply by changing DNS records, without reconfiguring or reissuing any of the associated TLS certificates or assets. For defenders, the same property makes the certificate subject name (and fingerprint) a more durable pivot than any single IP address, which can change with every DNS update.
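The following script, added here as an illustration and not part of the original report or Insikt Group’s tooling, shows the hunting pivot the paragraph implies: treat the certificate common name as the stable indicator, collect every server that has presented it, count how many IPs it has moved across, and group the flagged servers by autonomous system. The only indicators taken from the page are the two common names; the observations, IP addresses, ASNs and fingerprints are constructed sample data (RFC 5737 documentation addresses and reserved documentation ASNs), and the record layout is an assumed shape for a passive TLS scan feed.

```python
"""
Hunting pivot on stable TLS certificate names.

Because the operator keeps the certificate common name fixed and moves the
DNS record between servers, the durable indicator is the certificate
subject, not the IP. This script clusters certificate observations by
watched name and by ASN. All observations below are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass

# Certificate common names reported for TAG-53 (the only real indicators here).
TAG53_CERT_CNS = frozenset({"ssl.threatexpertgroup.com", "ssl1.threatexpertgroup.com"})
LETS_ENCRYPT_ISSUER_ORG = "Let's Encrypt"


@dataclass(frozen=True)
class CertObservation:
    seen: str            # ISO date the scanner observed the certificate
    ip: str              # server that presented it
    asn: int             # autonomous system announcing the IP
    cn: str              # subject common name
    sans: tuple          # subjectAltName DNS entries
    issuer_org: str      # issuer organisation (O=)
    sha256: str          # certificate fingerprint (truncated, constructed)


# Constructed sample scan data: IPs are RFC 5737 documentation addresses,
# ASNs come from the documentation range reserved by RFC 5398.
SAMPLE_OBSERVATIONS = [
    CertObservation("2022-11-01", "192.0.2.10", 64496, "ssl.threatexpertgroup.com",
                    ("ssl.threatexpertgroup.com",), "Let's Encrypt", "a1b2c3d4e5f60718"),
    # same name and certificate, now served from a different host (DNS re-pointed)
    CertObservation("2022-11-20", "198.51.100.7", 64496, "ssl.threatexpertgroup.com",
                    ("ssl.threatexpertgroup.com",), "Let's Encrypt", "a1b2c3d4e5f60718"),
    CertObservation("2022-12-02", "203.0.113.44", 64497, "ssl1.threatexpertgroup.com",
                    ("ssl1.threatexpertgroup.com",), "Let's Encrypt", "0f1e2d3c4b5a6978"),
    # unrelated Let's Encrypt certificate: must not be flagged
    CertObservation("2022-12-05", "192.0.2.99", 64500, "mail.example.net",
                    ("mail.example.net", "www.example.net"), "Let's Encrypt", "9988776655443322"),
    # watched name but a different issuer: flagged only when the issuer filter is off
    CertObservation("2022-12-06", "198.51.100.200", 64496, "ssl.threatexpertgroup.com",
                    ("ssl.threatexpertgroup.com",), "DigiCert Inc", "ffeeddccbbaa0011"),
]


def _norm(name):
    """Normalise a DNS name for comparison (case, whitespace, trailing dot)."""
    return name.strip().lower().rstrip(".")


def watched_names(obs, watchlist=TAG53_CERT_CNS):
    """Return the watchlist names this certificate presents in its CN or SANs."""
    names = {_norm(obs.cn)} | {_norm(s) for s in obs.sans}
    return names & {_norm(w) for w in watchlist}


def hunt(observations, watchlist=TAG53_CERT_CNS, require_lets_encrypt=True):
    """Map each watched name to the sorted (seen, ip, asn) tuples that served it."""
    hits = defaultdict(list)
    for obs in observations:
        if require_lets_encrypt and obs.issuer_org != LETS_ENCRYPT_ISSUER_ORG:
            continue
        for name in watched_names(obs, watchlist):
            hits[name].append((obs.seen, obs.ip, obs.asn))
    return {name: sorted(entries) for name, entries in hits.items()}


def cluster_by_asn(hits):
    """Group every flagged IP by ASN to surface the hosting cluster."""
    clusters = defaultdict(set)
    for entries in hits.values():
        for _seen, ip, asn in entries:
            clusters[asn].add(ip)
    return {asn: sorted(ips) for asn, ips in clusters.items()}


def ip_churn(hits, name):
    """Count distinct IPs that presented a watched name: the DNS re-pointing signal."""
    return len({ip for _seen, ip, _asn in hits.get(_norm(name), [])})


if __name__ == "__main__":
    found = hunt(SAMPLE_OBSERVATIONS)
    for name, entries in found.items():
        print(f"{name}: {len(entries)} observation(s) across {ip_churn(found, name)} IP(s)")
        for seen, ip, asn in entries:
            print(f"  {seen} {ip} AS{asn}")
    print("hosting clusters:", cluster_by_asn(found))
```

The issuer filter defaults to on because the report ties this actor to Let’s Encrypt; turning it off (`require_lets_encrypt=False`) is the right choice when you want every appearance of the name regardless of issuer, at the cost of more noise. In a real deployment the observations would come from a certificate transparency or passive scanning feed rather than the inline list.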
Source: Exposing TAG-53’s Credential Harvesting Infrastructure Used for Russia-Aligned Espionage Operations - AlienVault - Open Threat Exchange