
How cybersecurity experts use sinkholing to detect threat actors, identify victims


Caroline Nihill is a reporter for IT Brew who primarily covers cybersecurity and the way that IT teams operate within market trends and challenges.

What happens to an advanced persistent threat (APT) group’s command-and-control server after they abandon it?

Rafe Pilling, the director of threat intelligence in the counter threat unit at Sophos, said that the company takes over the infrastructure that threat actors have used in order to see where victims are coming in from. Pilling said that the strategy “gives you a different picture of a campaign or attack.”

Through collecting, taking over, or being given an IP address, Pilling said the organization can get something akin to a pattern that “shows us roughly where the clusters of infections are from.”

“You can do a bit of tracking back, sometimes to individual organizations, that kind of stuff,” Pilling said.

Palo Alto points to sinkholing specifically as it pertains to the domain name system (DNS)—which the company describes as a “technique used to redirect DNS queries for malicious domains to a controlled IP address.”

“By capturing and redirecting DNS traffic into a sinkhole, organizations can gain visibility into potential threats, prevent malware infections, and disrupt malicious activities.”
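The DNS-side technique Palo Alto describes (answer queries for known-bad names with a controlled address, and record who asked) can be sketched in a few dozen lines. The block below is an added example, not code from IT Brew, Sophos or Palo Alto; the blocklist, the sinkhole address, the client addresses and the in-memory stand-in for an upstream resolver are all constructed for illustration.

```python
"""Minimal DNS sinkhole policy: return a controlled IP for queries that match a
blocklist and log the asking client, so infected hosts become visible.
Added example; every name and address below is constructed."""
from __future__ import annotations

import ipaddress
from collections import defaultdict
from dataclasses import dataclass, field

# TEST-NET-1 address standing in for the defender-controlled sinkhole host (constructed).
SINKHOLE_IP = "192.0.2.1"

# Constructed blocklist. A real deployment would load a threat-intel feed or a
# response policy zone (RPZ) instead of a literal set.
BLOCKLIST = {"update-google-theme.example", "c2.bad.example"}

# Constructed stand-in for the upstream resolver used for everything not blocked.
UPSTREAM = {"www.example.com": "93.184.216.34", "mail.example.net": "198.51.100.7"}


@dataclass
class SinkholeEvent:
    client_ip: str
    qname: str


@dataclass
class Sinkhole:
    blocklist: set[str]
    sinkhole_ip: str = SINKHOLE_IP
    events: list[SinkholeEvent] = field(default_factory=list)

    @staticmethod
    def _normalize(qname: str) -> str:
        # DNS names are case-insensitive and may carry a trailing dot.
        return qname.rstrip(".").lower()

    def is_blocked(self, qname: str) -> bool:
        """True for an exact blocklisted name or any subdomain of one."""
        name = self._normalize(qname)
        return any(name == d or name.endswith("." + d) for d in self.blocklist)

    def resolve(self, qname: str, client_ip: str) -> str | None:
        """Answer a query: sinkhole IP for blocked names, upstream answer otherwise."""
        ipaddress.ip_address(client_ip)  # reject malformed client addresses early
        name = self._normalize(qname)
        if self.is_blocked(name):
            self.events.append(SinkholeEvent(client_ip, name))
            return self.sinkhole_ip
        return UPSTREAM.get(name)

    def suspected_infections(self) -> dict[str, set[str]]:
        """Each client that asked for a blocked name, with the names it asked for.
        These are the hosts an analyst would triage first."""
        out: dict[str, set[str]] = defaultdict(set)
        for ev in self.events:
            out[ev.client_ip].add(ev.qname)
        return dict(out)


if __name__ == "__main__":
    sh = Sinkhole(set(BLOCKLIST))
    for qname, client in [("www.example.com", "10.0.0.9"),
                          ("c2.bad.example", "10.0.0.5"),
                          ("beacon.c2.bad.example.", "10.0.0.5")]:
        print(f"{client} asked {qname!r} -> {sh.resolve(qname, client)}")
    print("suspected infections:", sh.suspected_infections())
```

The subdomain match matters in practice: implants often prepend per-victim or per-campaign labels to the C2 domain, and a sinkhole that only matches the apex name would miss them.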

How sinkholes are made. Pilling said that a few years ago the company was able to take over ownership of a domain being used by Iranian groups—one that was meant to look like a “legitimate Google theme domain.” He said that the team “knew [the domain] had been used in a campaign where…malicious documents were being sent to targets.”

Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.

When the campaign was over, and the group did not renew the domain, the company noticed.

“Then you can look at what connects into that domain, and because there’s no legitimate purpose for it, anything that connects in is usually either victims of that campaign or other researchers who are monitoring that campaign,” Pilling said.

The team noticed that the traffic coming into the domain was all based in Saudi Arabia.
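Once a lapsed C2 domain points at a defender-controlled host, the work described above is log triage: group the sources that connect by where they are, and separate implants that check in on a fixed cadence from researchers and scanners poking at the domain. The block below is an added example of that triage, not Sophos's tooling; the access-log lines, the prefix-to-country table, the check-in path and the user-agent strings are all constructed.

```python
"""Triage of connections arriving at a sinkholed C2 domain: geographic clustering
plus a victim-versus-researcher split based on beacon regularity.
Added example; log lines, prefixes, path and user-agents are constructed."""
from __future__ import annotations

import ipaddress
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, pstdev

# Constructed prefix -> country table (a real pipeline would use a GeoIP database).
PREFIX_COUNTRY = {
    "203.0.113.0/25": "SA",
    "203.0.113.128/25": "SA",
    "198.51.100.0/24": "US",
}

BEACON_PATH = "/api/checkin"  # constructed implant check-in path
BEACON_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) ThemeUpdater/1.2"  # constructed implant UA

# Constructed sinkhole access log: "<ISO timestamp> <src ip> <method> <path> \"<user-agent>\""
LOG = """\
2025-06-01T08:00:00 203.0.113.10 POST /api/checkin "Mozilla/5.0 (Windows NT 10.0; Win64; x64) ThemeUpdater/1.2"
2025-06-01T08:05:00 203.0.113.200 POST /api/checkin "Mozilla/5.0 (Windows NT 10.0; Win64; x64) ThemeUpdater/1.2"
2025-06-01T08:30:00 203.0.113.10 POST /api/checkin "Mozilla/5.0 (Windows NT 10.0; Win64; x64) ThemeUpdater/1.2"
2025-06-01T08:35:00 203.0.113.200 POST /api/checkin "Mozilla/5.0 (Windows NT 10.0; Win64; x64) ThemeUpdater/1.2"
2025-06-01T09:00:00 203.0.113.10 POST /api/checkin "Mozilla/5.0 (Windows NT 10.0; Win64; x64) ThemeUpdater/1.2"
2025-06-01T09:05:00 203.0.113.200 POST /api/checkin "Mozilla/5.0 (Windows NT 10.0; Win64; x64) ThemeUpdater/1.2"
2025-06-01T09:12:00 203.0.113.77 POST /api/checkin "Mozilla/5.0 (Windows NT 10.0; Win64; x64) ThemeUpdater/1.2"
2025-06-01T09:30:00 203.0.113.10 POST /api/checkin "Mozilla/5.0 (Windows NT 10.0; Win64; x64) ThemeUpdater/1.2"
2025-06-01T10:00:00 198.51.100.42 GET / "python-requests/2.31.0"
2025-06-01T10:00:01 198.51.100.42 GET /robots.txt "python-requests/2.31.0"
2025-06-01T10:00:02 198.51.100.42 GET /api/checkin "python-requests/2.31.0"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "(.*)"$')


@dataclass
class Hit:
    when: datetime
    src: str
    path: str
    ua: str


def parse_log(text: str) -> list[Hit]:
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole triage
        ts, src, _method, path, ua = m.groups()
        hits.append(Hit(datetime.fromisoformat(ts), src, path, ua))
    return hits


def country_for(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for prefix, cc in PREFIX_COUNTRY.items():
        if addr in ipaddress.ip_network(prefix):
            return cc
    return "??"


def classify(hits: list[Hit]) -> str:
    """victim: >= 3 implant-shaped check-ins on a regular cadence;
    researcher-or-scanner: any request that does not look like the implant;
    unclassified: implant-shaped but too few hits to judge."""
    ordered = sorted(hits, key=lambda h: h.when)
    beacons = [h.when for h in ordered if h.path == BEACON_PATH and h.ua == BEACON_UA]
    if len(beacons) >= 3:
        gaps = [(b - a).total_seconds() for a, b in zip(beacons, beacons[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg < 0.2:  # low jitter -> scheduled beacon
            return "victim"
    if any(h.path != BEACON_PATH or h.ua != BEACON_UA for h in ordered):
        return "researcher-or-scanner"
    return "unclassified"


def triage(text: str) -> tuple[dict[str, str], Counter]:
    """Return (verdict per source IP, count of likely victims per country)."""
    by_src: dict[str, list[Hit]] = defaultdict(list)
    for h in parse_log(text):
        by_src[h.src].append(h)
    verdicts = {src: classify(hs) for src, hs in by_src.items()}
    victims_by_country = Counter(country_for(src) for src, v in verdicts.items() if v == "victim")
    return verdicts, victims_by_country


if __name__ == "__main__":
    verdicts, clusters = triage(LOG)
    for src, v in verdicts.items():
        print(f"{src:15} {country_for(src)}  {v}")
    print("likely victims per country:", dict(clusters))
```

The cadence test is the useful part: a scripted scanner that hits the check-in path once, or a researcher's curl with a different user-agent, does not produce the evenly spaced series a sleeping implant does, so the geographic cluster is built only from sources that behave like victims.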

The threat actors, in this case, were using a watering hole attack: the group finds a website that its community of interest visits and compromises it by injecting malicious code into the site's scripts. The bad actors used the compromised site to profile its visitors and send the results back to the domains they controlled, which Pilling and his team later took over.

“We were able to trace that code back from an online persona that had been talking about similar code on an Iranian programming forum, and then back to a real-world identity of that individual,” Pilling said.

Correction 07/22/2025: This article has been updated to reflect that Rafe Pilling is director of threat intelligence in the counter threat unit at Sophos, which acquired SecureWorks earlier this year.
