24
Oct 11

Who Else Was Hit by the RSA Attackers?

facebooktwittergoogle_plusredditpinterestlinkedinmail

The data breach disclosed in March by security firm RSA received worldwide attention because it highlighted the challenges that organizations face in detecting and blocking intrusions from targeted cyber attacks. The subtext of the story was that if this could happen to one of the largest and most integral security firms, what hope was there for organizations that aren’t focused on security?

Security experts have said that RSA wasn’t the only corporation victimized in the attack, and that dozens of other multinational companies were infiltrated using many of the same tools and Internet infrastructure. But so far, no one has been willing to talk publicly about which other companies may have been hit.  Today’s post features a never-before-published list of those victim organizations. The information suggests that more than 760 other organizations had networks that were compromised with some of the same resources used to hit RSA. Almost 20 percent of the current Fortune 100 companies are on this list.

Since the RSA incident was disclosed, lawmakers in the U.S. Congress have taken a renewed interest in so-called “advanced persistent threat” or APT attacks. Some of the industry’s top security experts have been summoned to Capitol Hill to brief lawmakers and staff about the extent of the damage. The information below was shared with congressional staff.

Below is a list of companies whose networks were shown to have been phoning home to some of the same control infrastructure that was used in the attack on RSA. The first victims appear to have begun communicating with the attacker’s control networks as early as November 2010.

A few caveats are in order here. First, many of the network owners listed are Internet service providers, and are likely included because some of their subscribers were hit. Second, it is not clear how many systems in each of these companies or networks were compromised, for how long those intrusions persisted, or whether the attackers successfully stole sensitive information from all of the victims. Finally, some of these organizations (there are several antivirus firms mentioned  below) may be represented because they  intentionally compromised internal systems in an effort to reverse engineer malware used in these attacks.

Among the more interesting names on the list are Abbott Labs, the Alabama Supercomputer Network, Charles Schwabb & Co., Cisco Systems, eBay, the European Space Agency, Facebook, Freddie Mac, Google, the General Services Administration, the Inter-American Development Bank, IBM, Intel Corp., the Internal Revenue Service (IRS), the Massachusetts Institute of Technology, Motorola Inc., Northrop Grumman, Novell, Perot Systems, PriceWaterhouseCoopers LLP, Research in Motion (RIM) Ltd., Seagate Technology, Thomson Financial, Unisys Corp., USAA, Verisign, VMWare, Wachovia Corp., and Wells Fargo & Co.

At the end of the victim list is a pie chart that shows the geographic distribution of the command and control networks used to coordinate the attacks. The chart indicates that the overwhelming majority of the C&Cs are located in or around Beijing, China.

302-DIRECT-MEDIA-ASN
8e6 Technologies, Inc.
AAPT AAPT Limited
ABBOTT Abbot Labs
ABOVENET-CUSTOMER – Abovenet Communications, Inc
ACCNETWORKS – Advanced Computer Connections
ACEDATACENTERS-AS-1 – Ace Data Centers, Inc.
ACSEAST – ACS Inc.
ACS-INTERNET – Affiliated Computer Services
ACS-INTERNET – Armstrong Cable Services
ADELPHIA-AS – Road Runner HoldCo LLC
Administracion Nacional de Telecomunicaciones
AERO-NET – The Aerospace Corporation
AHP – WYETH-AYERST/AMERICAN HOME PRODUCTS
AIRLOGIC – Digital Magicians, Inc.
AIRTELBROADBAND-AS-AP Bharti Airtel Ltd., Telemedia Services
AIS-WEST – American Internet Services, LLC.
AKADO-STOLITSA-AS _AKADO-Stolitsa_ JSC
ALCANET Corporate ALCANET Access
ALCANET-DE-AS Alcanet International Deutschland GmbH
ALCATEL-NA – Alcanet International NA
ALCHEMYNET – Alchemy Communications, Inc.
Alestra, S. de R.L. de C.V.
ALLIANCE-GATEWAY-AS-AP Alliance Broadband Services Pvt. Ltd.,Alliance Gateway AS,Broadband Services Provider,Kolkata,India
ALMAZAYA Almazaya gateway L.L.C
AMAZON-AES – Amazon.com, Inc.
AMERITECH-AS – AT&T Services, Inc.
AMNET-AU-AP Amnet IT Services Pty Ltd
ANITEX-AS Anitex Autonomus System
AOL-ATDN – AOL Transit Data Network
API-DIGITAL – API Digital Communications Group, LLC
APOLLO-AS LATTELEKOM-APOLLO
APOLLO-GROUP-INC – University of Phoenix
APT-AP AS
ARLINGTONVA – Arlington County Government

ARMENTEL Armenia Telephone Company
AS INFONET
AS3215 France Telecom – Orange
AS3602-RTI – Rogers Cable Communications Inc.
AS4196 – Wells Fargo & Company
AS702 Verizon Business EMEA – Commercial IP service provider in Europe
ASATTCA AT&T Global Network Services – AP
ASC-NET – Alabama Supercomputer Network
ASDANIS DANIS SRL
ASGARR GARR Italian academic and research network
ASIAINFO-AS-AP ASIA INFONET Co.,Ltd./ TRUE INTERNET Co.,Ltd.
ASIANDEVBANK – Asian Development Bank
ASN852 – Telus Advanced Communications
AS-NLAYER – nLayer Communications, Inc.
ASTOUND-CABLE – Wave Broadband, LLC
AT&T Global Network Services – EMEA
AT&T US
ATMAN ATMAN Autonomous System
ATOMNET ATOM SA
ATOS-AS ATOS Origin Infogerance Autonomous System
ATT-INTERNET4 – AT&T Services, Inc.
AUGERE-AS-AP Augere Wireless Broadband Bangladesh Limited
AVAYA AVAYA
AVENUE-AS Physical person-businessman Kuprienko Victor Victorovich
AXAUTSYS ARAX I.S.P.
BACOM – Bell Canada
BAHNHOF Bahnhof AB
BALTKOM-AS SIA _Baltkom TV SIA_
BANGLALINK-AS an Orascom Telecom Company, providing GSM service in Bangladesh
BANGLALION-WIMAX-BD Silver Tower (16 & 18th Floor)
BANKINFORM-AS Ukraine
BASEFARM-ASN Basefarm AS. Oslo – Norway
BBIL-AP BHARTI Airtel Ltd.
BBN Bredbaand Nord I/S
BC-CLOUD-SERVICES
BEAMTELE-AS-AP Beam Telecom Pvt Ltd
BEE-AS JSC _VimpelCom_
BELINFONET Belinfonet Autonomus System, Minsk, Belarus
BELLSOUTH-NET-BLK – BellSouth.net Inc.
BELPAK-AS BELPAK
BELWUE Landeshochschulnetz Baden-Wuerttemberg (BelWue)
BENCHMARK-ELECTRONICS – Benchmark Electronics Inc.
BEND-BROADBAND – Bend Cable Communications, LLC
BEZEQ-INTERNATIONAL-AS Bezeqint Internet Backbone
BIGNET-AS-ID Elka Prakarsa Utama, PT
BLUEWIN-AS Swisscom (Schweiz) AG
BM-AS-ID PT. Broadband Multimedia, Tbk
BN-AS Business network j.v.
BNSF-AS – Burlington Northern Sante Fe Railway Corp
BNT-NETWORK-ACCESS – Biz Net Technologies
BORNET Boras Energi Nat AB
BREEZE-NETWORK TOV TRK _Briz_
BSC-CORP – Boston Scientific Corporation
BSKYB-BROADBAND-AS BSkyB Broadband
BSNL-NIB National Internet Backbone
BT BT European Backbone
BT-ITALIA BT Italia S.p.A.
BTN-ASN – Beyond The Network America, Inc.
BTTB-AS-AP Telecom Operator & Internet Service Provider as well
BT-UK-AS BTnet UK Regional network
CABLECOM Cablecom GmbH
CABLE-NET-1 – Cablevision Systems Corp.
CABLEONE – CABLE ONE, INC.
CABLEVISION S.A.
CACHEFLOW-AS – Bluecoat Systems, Inc.
CANET-ASN-4 – Bell Aliant Regional Communications, Inc.
CANTV Servicios, Venezuela
CAPEQUILOG – CapEquiLog
CARAVAN CJSC Caravan-Telecom
CARRIER-NET – Carrier Net
CATCHCOM Ventelo
CCCH-3 – Comcast Cable Communications Holdings, Inc
CDAGOVN – Government Telecommunications and Informatics Services
CDS-AS Cifrovye Dispetcherskie Sistemy
CDT-AS CD-Telematika a.s.
CE-BGPAC – Covenant Eyes, Inc.
CELLCO-PART – Cellco Partnership DBA Verizon Wireless
CENSUSBUREAU – U. S. Bureau of the Census
CERNET-ASN-BLOCK – California Education and Research Federation Network
CERT – Computer Emergency Response Team (CERT) – Coordination Center
CGINET-01 – CGI Inc
CHARLES-SCHWAB – Charles Schwab & Co., Inc.
CHARTER-NET-HKY-NC – Charter Communications
CHINA169-BACKBONE CNCGROUP China169 Backbone
CHINA169-BJ CNCGROUP IP network China169 Beijing Province Network
CHINA169-GZ China Unicom IP network China169 Guangdong province
CHINANET-BACKBONE No.31,Jin-rong Street
CHINANET-IDC-BJ-AP IDC, China Telecommunications Corporation
CHINANET-SH-AP China Telecom (Group)
CIPHERKEY – Cipherkey Exchange Corp.
CISCO-EU-109 Cisco Systems Global ASN – ARIN Assigned
CITEC-AU-AP QLD Government Business (IT)
CITelecom-AS
CITYNET – CityNet
CLARANET-AS ClaraNET
CLIX-NZ TelstraClear Ltd
CMCS – Comcast Cable Communications, Inc.
CMNET-BEIJING-AP China Mobile Communicaitons Corporation
CMNET-GD Guangdong Mobile Communication Co.Ltd.
CMNET-V4SHANDONG-AS-AP Shandong Mobile Communication Company Limited
CNCGROUP-GZ CNCGROUP IP network of GuangZhou region MAN network
CNCGROUP-SH China Unicom Shanghai network
CNIX-AP China Networks Inter-Exchange
CNNIC-DSNET-AP Shanghai Data Solution Co., Ltd.
CNNIC-WASU-AP WASU TV & Communication Holding Co.,Ltd.
CO-2COM-AS 2COM Co ltd.
COGECOWAVE – Cogeco Cable
COGENT Cogent/PSI
COLO4 – Colo4Dallas LP
COLOMBIA TELECOMUNICACIONES S.A. ESP
COLT COLT Technology Services Group Limited
COLUMBUS-NETWORKS – Columbus Networks USA, Inc.
COMCAST-33490 – Comcast Cable Communications, Inc.
COMCAST-33491 – Comcast Cable Communications, Inc.
COMCAST-36732 – Comcast Cable Communications, Inc.
COMCAST-7015 – Comcast Cable Communications Holdings, Inc
COMCAST-7725 – Comcast Cable Communications Holdings, Inc
COMCAST-HOUSTON – Comcast – Houston
COMHEM-SWEDEN Com Hem Sweden
COMNET-TH KSC Commercial Internet Co. Ltd.
Completel Autonomous System in France
COMSAT COLOMBIA
COMSTAR COMSTAR-Direct global network
CORBINA-AS Corbina Telecom
COVAD – Covad Communications Co.
CPMBLUE-AS-BD CPM BLUE ONLINE LTD.Transit AS Internet Service Provider, Dhaka
CRRSTV – CRRS-TV
CSC Computer Management and CSC Denmark
CSC-IGN-AUNZ-AP Computer Sciences Corporation
CSC-IGN-EMEA – Computer Sciences Corporation
CSC-IGN-FTW – Computer Sciences Corporation
CSLOXINFO-AS-AP CS LOXINFO PUBLIC COMPANY LIMITED
CSP-AS CSP
CSUNET-NW – California State University Network
CSXT-AS-1 – CSX Technology
CTIHK-AS-AP City Telecom (H.K.) Ltd.
CTS-MD I.S. Centrul de Telecomunicatii Speciale
CXA-ALL-CCI-22773-RDC – Cox Communications Inc.
CYBERVERSE – Cyberverse, Inc.
CYPRESS-SEMICONDUCTOR – Cypress Semiconductor
CYTA-NETWORK Cyprus Telecommunications Authority
DARLICS-AS Darlics ltd. provides IP transport and Internet
DATAGRUPA SIA _Datagrupa.lv_ Marijas 7 – 412a Riga, LV-1050, LATVIA
DCI-AS DCI Autonomous System
DECHO – Decho Corporation
DFINET DFi Service SA
DHL-AS DHL Systems Inc.
DHSINETNOC – DEPARTMENT OF HOMELAND SECURITY
DIGCOMM Digital communications, LTD
DIGITAL-TELEPORT – Digital Teleport Inc.
DIL-AP DIRECT INTERNET LTD.
DIN-AS TOMSKTELECOM AS
DINAS-AS PE Kuznetsova Viktoria Viktorovna
DINET-AS Digital Network JSC
Diveo do Brasil Telecomunicacoes Ltda
DK-ESS-AS Syd Energi Bredbaand A/S
DMSLABNET – DoD Network Information Center
DNC-AS IM Data Network Communication SRL
DNEO-OSP7 – Comcast Cable Communications, Inc.
DNIC-ASBLK-00721-00726 – DoD Network Information Center
DNIC-ASBLK-27032-27159 – DoD Network Information Center
DOGAN-ONLINE Dogan Iletisim Elektronik Servis Hizmetleri
DOMAINFACTORY domainfactory GmbH
DOMAINTOOLS – DomainTools, LLC
DONTELE-AS Telenet LLC
DOPC-AS
DOPC-AS-NGN
DOPC-AS-US
DREAMHOST-AS – New Dream Network, LLC
DREAMX-AS DREAMLINE CO.
DRWEB-AS Doctor Web Ltd
DSE-VIC-GOV-AS Department of Sustainability & Environment,
DSIJSC-AS DSI Autonomous system
DSLEXTREME – DSL Extreme
DTAG Deutsche Telekom AG
DWL-AS-IN Dishnet Wireless Limited. Broadband Wireless
DYNDNS – Dynamic Network Services, Inc.
EASYDNS EasyDNS Technologies, Inc.
EASYNET Easynet Global Services
EBAY – eBay, Inc
ECI-TELECOM-LTD ECI Telecom-Ltd.
EDGECAST – EdgeCast Networks, Inc.
EIRCOM Eircom
ELISA-AS Elisa Oyj
EMBARQ-WNPK – Embarq Corporation
EMBIT-AS BURTILA & Co. ELECTRON M.BIT SRL
EMC-AS12257 – EMC Corporation
EMCATEL
EMIRATES-INTERNET Emirates Internet
EMOBILE eMobile Ltd.
ENTEL CHILE S.A.
EPM Telecomunicaciones S.A. E.S.P.
EQUANT-ASIA Equant AS for Asian Region covering Japan
EQUINIX-EDMA-ASH-ASN – Equinix, Inc.
ERICSSON-APAC-MY-AS Ericsson Global Services. BUGS N&V APAC
ERX-SINGNET SingNet
ESRI – Environmental Systems Research Institute
ESS-PR-WEBMASTERS – ESS/PR WebMasters
EthioNet-AS
ETISALAT-MISR
ETPI-IDS-AS-AP Eastern Telecoms Phils., Inc.
ETSI Autonomous System
EURONET Online Breedband B.V. Global AS
European Space Agency
EUSKALTEL Euskaltel S.A.
EXCELL-AS Excellmedia
EXIM – Export Import Bank of the U.S
FACEBOOK – Facebook, Inc.
FANNIEMAE – Fannie Mae
FasoNet-AS
FASTMETRICS – Fastmetrics, LLC
FAST-TELCO Fast Telecommunications Company W.L.L.
FASTWEB Fastweb SpA
FAWRI-AS
FDA – Parklawn Computer Center / DIMES HQ
FIBREONE-AS fibre one networks GmbH, Duesseldorf
FITC-AS – FITC – FedEx International Transmission Corporation
FMAC-I-BILLING – Freddie Mac
FMI-NET-AS – Freeport-McMoran Inc.
FORATEC-AS Foratec Communication AS at Sverdlovsk, Tyumen, Perm regions
FORTINET-CANADA – Fortinet Inc.
FPT-AS-AP The Corporation for Financing & Promoting Technology
FRONTIER-AND-CITIZENS – Frontier Communications of America, Inc.
FRONTIER-FRTR – Frontier Communications of America, Inc.
FR-RENATER Reseau National de telecommunications pour la Technologie
FULLRATE Fullrate A/S
FX-PRIMARY-AS FX Networks Limited
GBLX Global Crossing Ltd.
GET-NO GET Norway
GHANATEL-AS
GIGAINFRA Softbank BB Corp.
GLOBAL-SPLK – Sprint International
GLOBE-TELECOM-AS Globe Telecoms
GOLDENLINES-ASN 012 Smile Communications Main Autonomous System
GOLDENTELECOM-UKRAINE Golden Telecom
GOOGLE – Google Inc.
GRAMEENPHONE-AS-AP GrameenPhone Ltd.
GSA-GOV – General Services Administration
GT-BELL – Bell Canada
Gtd Internet S.A.
GYRON ====
H3G-AS H3G S.p.A.
H3GUKNIE Hutchison 3G UK and Ireland Core AS
HANARO-AS Hanaro Telecom Inc.
HATHWAY-NET-AP Hathway IP Over Cable Internet
HETZNER-AS Hetzner Online AG RZ
HHES – HAMILTON HYDRO ELECTRIC SYSTEM
HINET Data Communication Business Group
HKNET-AP HKNet Co. Ltd
HKTIMS-AP PCCW Limited
HNS-DIRECPC – Hughes Network Systems
HOPONE-GLOBAL – HopOne Internet Corporation
HOSTEUROPE-AS AS of Hosteurope Germany / Cologne
HP-INTERNET-AS Hewlett-Packard Company
HTCL-IAS-HK-AP Hutchison Telephone Company Limited
HTIL-TTML-IN-AP Tata Teleservices Maharashtra Ltd
HURRICANE – Hurricane Electric, Inc.
HUTCHISON-AS-AP Hutchison Global Communications
HUTCHVAS-AS Vodafone Essar Ltd., Telecommunication – Value Added Services,
IADB-NETWORKS – The Inter-American Development Bank
IAM-AS
IBM E-business Hosting Delivery
IBMCCH-RTP – IBM
IBMCCH-SBY – IBM
IBMDES-AS – IBM Dallas Engineering & Scientific
IBSNAZ Telecom Italia S.p.a.
IBURST-GH
ICONNECT-BD Planners Tower
IDK-NETWORK CJSC Interdnestrcom AS
IEUNET BT Ireland Backbone
IFX-NW – IFX Communication Ventures, Inc.
IHNET – IHNetworks, LLC
IINET iiNet Limited
IJ-NET – Internet Junction Corp.
ILX-ASN – THOMSON FINANCIAL
IN2CABLE-AP AS Number of In2cable.com (India) Ltd.
INDONET-AS-AP INDO Internet, PT
INDOSATM2-ID INDOSATM2 ASN
INEA-AS INEA S.A.
INET-AS-ID PT. Inet Global Indo
INETCOMM-AS INET LTD
I-NETPARTNER-AS I-NetPartner GmbH ASN
INETTEHNO Inet Tehno
INFINEON-AS Infineon AG
INFINEON-SG 8 Kallang Sector
INFLOW19294 – Inflow Inc.
INFOSPHERE NTT PC Communications, Inc.
INFOSTRADA Infostrada S.p.A.
INIT7 Init7 Global Backbone
INS-AS – AT&T Data Communications Services
Instituto Costarricense de Electricidad y Telecom.
Instituto Tecnol??gico y de Estudios Superiores de Monterrey
INTEGRATELECOM – Integra Telecom, Inc.
INTELSAT Intelsat Global BGP Routing Policy
INTEL-SC-AS – Intel Corporation
INTERNAP-2BLK – Internap Network Services Corporation
INTERNAP-BLK – Internap Network Services Corporation
INTERNAP-BLK – Internap Network Services Corporation
INTERNAP-BLK3 – Internap Network Services Corporation
INTERNAP-BLOCK-4 – Internap Network Services Corporation
INTERNETIA-AS Netia SA
INTERNET-PATH – Internet Path, Inc.
INTERNET-PRO-AS Internet-Pro Ltd
INTEROUTE Interoute Communications Ltd
INTERPHONE-AS Interphone Ltd.
INTERTELECOM Intertelecom
IPASAULE-AS _Interneta Pasaule_ SIA
IPG-AS-AP Philippine Long Distance Telephone Company
IPGOMA – THE INTERPUBLIC GROUP OF COMPANIES, INC.
IPNXng
IPO-EU IP-Only Telecommunication Networks AB
IQUEST-AS – IQuest Internet
IRONPORT-SYSTEMS-INC – Cisco Systems Ironport Division
IRS – Internal Revenue Service
IS
ISC-AS1280 Internet Systems Consortium, Inc.
ISKON ISKON INTERNET d.d. za informatiku i telekomunikacije
ISKRATELECOM-AS ISKRATELECOM ZAO
ISP-KIM-NET Kalush Information Network LTD
ISSC-AS – ISSC
ISW – Internet Specialties West Inc.
ITNS ITNS. NET SRL
ITSCOM its communications Inc.
JAWWAL Jawwal will be multihoming with us AS15975 and AS12975
JAZZNET Jazz Telecom S.A.
Jordan Data Communications Company LLC
JUNIPER-NETWORKS – Juniper Networks, Inc.
KABELBW-ASN Kabel Baden-Wuerttemberg GmbH & Co. KG
KAISER-NCAL – Kaiser Foundation Health Plan
KAMOPOWER – KAMO Electric Cooperative, Inc.
KAZTELECOM-AS JSC Kazakhtelecom
KHERSON-TS Kherson Telecommunication Systems Ltd.
KIXS-AS-KR Korea Telecom
K-OPTICOM K-Opticom Corporation
KSNET KSNet
KSNET-AS Kyivstar GSM
KVH KVH Co.,Ltd
LANTELECOM-AS Lan-Telecom AS Number
LATISYS-ASHBURN – Latisys-Ashburn, LLC
LATNETSERVISS-AS LATNET ISP
LDCOMNET NEUF CEGETEL (formerly LDCOM NETWORKS)
LEASEWEB LEASEWEB AS
LEVEL3 Level 3 Communications
LGCNS-AS – LG CNS America Inc.
LGDACOM LG DACOM Corporation
LGH-AS-KR LGHitachi
LGNET-AS-KR LG CNS
LINKdotNET-AS
LINKLINE – LinkLINE Communications, Inc.
LINKNET-ID-AP Linknet ASN
LOQAL-AS Loqal AS
LUCENT-CIO – Lucent Technologies Inc.
LUGANET-AS ARTA Ltd
LVBALTICOM-AS _Balticom_ JSC
LVLT594-598 – Level 3 Communications, Inc.
LYSE-AS Altibox AS
MAGNUS-AS TOV _Magnus Limited_
MANGOTELESERVICE-AS-BD Only private Owned IIG in Bangladesh
MAP Moscow Network Access Point
MASERGY-US Masergy US Autonomous System
MASSCOM – Massillon Cable Communications
MAXIS-AS1-AP Binariang Berhad
MBL-AS-AP Micronet Broadband (Pvt) Ltd.
MCAFEE – McAfee, Inc.
MCAFEE-COM – McAfee, Inc.
MCC OJSC _Moscow Cellular Communications_,
MCI-ASN – MCI
MCT-SYDNEY Macquarie Telecom
MDITNET-AS ITNET (ITPAY SRL)
MEDIASERV-AS Mediaserv
Mega Cable, S.A. de C.V.
MEGAPATH2-US – MegaPath Networks Inc.
METROTEL REDES S.A.
MF-KAVKAZ-AS Caucasus Branch of OJSC MegaFon AS
MF-NWGSM-AS North-West Branch of OJSC MegaFon Network
MFNX MFN – Metromedia Fiber Network
MICRON21-AS-AU-AP Micron21 Melbourne Australia Datacentre. Co-Location Dedicated Servers Web Hosting
MICROSOFT-CORP-AS – Microsoft Corp
MICROSOFT-CORP—MSN-AS-BLOCK – Microsoft Corp
MISD-NET – Macomb Intermediate School District
MIT-GATEWAYS – Massachusetts Institute of Technology
MOLDCELL_AS Moldcell SA Autonomous System
MOLDDATA-AS Administrator of the top level domain .MD,
MOLDTELECOM-AS Moldtelecom Autonomous System
MORENET – University of Missouri – dba the Missouri Research and Education Network (MOREnet)
MOTOROLA – Motorola, Inc.
MOTOROLA-PHX – Motorola, Inc.
MP-ELEKTRONIKA-AS MP ELEKTRONIKA Autonomous System
MPX-AS Microplex PTY LTD
MTNL-AP Mahanagar Telephone Nigam Ltd.
MTS-INDIA-IN 334,Udyog Vihar
MTSNET OJSC _Mobile TeleSystems_ Autonomous System
N9E7X5E3N1I2N4C – Nexen Inc.
NAWALA-AS-ID Asosiasi Warung Internet Indonesia (AWARI)
NAWRAS-AS Omani Qatari Telecommunications Company SAOC
NBLNETWORKS-AS Nebula Oy Autonomous System
NC-FUNB-AS – WACHOVIA CORP
NCNET-AS National Cable Networks
NEOLINK CJSC _ER-Telecom Holding_ Izhevsk branch
NERIM Nerim SAS
NET-ACCESS-CORP – Net Access Corporation
NET-AIG – American International Group (AIG) Data Center, Inc.
NETCOM-AS NetCom as Autonomous system
NETELLIGENT – Netelligent Hosting Services Inc.
NEWCOM-AS NEWCOM mirror object from ARIN
NEWCOM-ASN New Com Telecomunicatii SA
NEWEDGENETS – New Edge Networks
NEWSKIES-NETWORKS SES WORLD SKIES ARIN AS, for routing RIPE space.
NEWTT-IP-AP Wharf T&T Ltd.
NEXTGENTEL NEXTGENTEL Autonomous System
NEXTTELL-VRN-AS LLC NextTell-Voronezh AS Number
NG-AS NextGen Communications SRL
NIANET-AS nianet is a Danish carrier and Internet Service Provider
NO_NAME
NOC – Network Operations Center Inc.
NOKIA Nokia Internet
NOKIA-AS NOKIANET APAC Data Centre network
NOKIANET_DALLAS NOKIANET Dallas office
Nominum Global NameServer network
NOMINUM-SKYE1 – SKYE
NORDLINKS-AS S.C. _NordLinks_ S.R.L.
NORMA-PLUS-AS TOV Norma Plus
NORTHROP-GRUMMAN – Northrop Grumman
NOVELL – Novell, Inc.
NTL Virgin Media Limited
NTT do Brasil Telecomunicaoes Ltda
NTT-COMMUNICATIONS-2914 – NTT America, Inc.
NUMERICABLE NUMERICABLE is a cable network operator in France, offering TV,VOICE and Internet services
NUVOX – NuVox Communications, Inc.
NV-ASN 013 NetVision Ltd.
NYFX-RTR – NYFIX, INC
O1COMM – O1 COMMUNICATIONS
OCN NTT Communications Corporation
OFIDEN – OppenheimerFunds, Inc.
OMD-FNO Orange Moldova Fix Network Autonomous System
OMNITURE ====
OPENDNS – OpenDNS, LLC
ORANGE-BUSINESS-SERVICES-SOUTHEUR Equant Inc.
ORANGE-BUSINESS-SERVICES-UK Orange Business Services (formerly Equant) AS for UK
OSIS-PACOM – Joint Intelligence Center Pacific
OVH OVH
P4NET P4 Sp. z o.o.
PACIFIC-INTERNET-INDIA-ASN Pacific Internet India Pvt. Ltd.
PACIFIC-INTERNET-IX Pacific Internet Ltd
PACNET Pacnet Global Ltd
PAH-INC – GoDaddy.com, Inc.
PAIR-NETWORKS – pair Networks
PALTEL-AS PALTEL Autonomous System
PARTNER-AS Partner Communications Ltd.
PBTL-BD-AS-AP Pacific Bangladesh Telecom Limited.
PDX – PORTLAND INTERNETWORKS
PEER1 – Peer 1 Network Inc.
Pegaso PCS, S.A. de C.V.
PERSNET Korea Telecom Freetel
PI-AU Pacific Internet (Australia) Pty Ltd
PI-HK Pacnet Internet (Hong Kong) Limited
PIXNET-AS – Providers Internet Exchange
PKTELECOM-AS-PK Pakistan Telecom Company Limited
PLUSSERVER-AS PlusServer AG, Germany
POLYCOM – Polycom, Inc.
POWEREDCOM KDDI CORPORATION
Prima S.A.
PRIMORYE-AS Open Joint Stock Company _Far East Telecommunications Company_
PRINCETON-AS – Princeton University
PROBENETWORKS-AS Probe Networks
PRONET_LV SIA _PRONETS_
PROXAD Free SAS
PS-NETPLEX-AS – Perot Systems
PT KPN Internet Solutions
PTK-CENTERTEL-DSL-AS PTK Centertel Sp. z o.o.
PTLP-CORE – People_s Tel Limited Partnership
PTPRIMENET PT PRIME – Solucoes Empresariais de Telecomunicacoes e Sistemas S.A.
PUBNET1-AS KT
PUSAN-AS-KR Pusan National University
PWC-AS – PriceWaterhouseCoopers, LLP
Q9-AS – Q9 Networks Inc.
Q9-AS-BRAM – Q9 Networks Inc.
QNETCZ QNET CZ s.r.o.
QSC-1 QSC AG
QUALCOMM – Qualcomm, Inc.
QUALCOMM-BLR-AS-AP Qualcomm Inc. Bangalore AS, Developer of CDMA Technology India
QWEST – Qwest Communications Company, LLC
RACKSPACE – Rackspace Hosting
RADIOGRAFICA COSTARRICENSE
RAPID-LINK-AS RAPID LINK SRL
RAYA-AS
RCN-AS – RCN Corporation
RDSNET RCS & RDS S.A.
Rede Nacional de Ensino e Pesquisa
REEDLAN-AS ISP REEDLAN
RELARN RELARN-MSK
RELIANCE-COMMUNICATIONS-IN Reliance Communications Ltd.DAKC MUMBAI
RELIANCEGLOBALCOM – Reliance Globalcom Services, Inc
RENAM RENAM Association
RIML-CORP-AS-3 – Research In Motion Limited
RIPE-NCC-AS RIPE Network Coordination Centre
RISC-SYSTEM – Rockwell Scientific Company
RMH-14 – Rackspace Hosting
RMIFL RM Education PLC – Internet for Learning
ROGERS-CABLE – Rogers Cable Communications Inc.
ROSTELECOM-AS JSC Rostelecom
ROSTOV-TELEGRAF-AS Rostovelectrosviaz_ of Public Joint Stock Company
RTCOMM-AS OJSC RTComm.RU
RTD ROMTELECOM S.A
RUSTAVI2ONLINEAS Caucasus Online LLC
RU-SURNET Uralsvyazinform, Chelyabinsk branch
RWT – RagingWire Telecommunications
SAFELINES The network of ISP Safelines,includes POPs in various cities
SAFENZ-TRANSIT-AS-NZ SafeNZ Networks LTD
SAITIS-NETWORK Saitis Network, N.Desir
SAMSUNGNETWORKS-AS-KR Samsung Networks Inc.
SAN-JUAN-CABLE – San Juan Cable, LLC
SASUSA SunGard Availability Services USA
SAVVIS – Savvis
SBIS-AS – AT&T Internet Services
SCARTEL-AS Scartel Ltd.
SCOTTS-AS – CITY OF SCOTTSBURG
SCRR-10796 – Road Runner HoldCo LLC
SCRR-11426 – Road Runner HoldCo LLC
SCRR-12271 – Road Runner HoldCo LLC
SCV-AS-AP SCV Broadband Access Provider
SDL-20-AS – Smithville Digital, LLC
SEAGATE-USA-MN-1 – Seagate Technology
SEEDNET Digital United Inc.
SELECTNET-AS – SelectNet Internet Services
SERBIA-BROADBAND-AS Serbia BroadBand-Srpske Kablovske mreze d.o.o.
SERVICENET-AP Internet service provision to Western
SGNET-AS-AP Singapore Government Network AS
SHAW – Shaw Communications Inc.
SIBNETWORKS-AS Siberian Networks
SIFY-AS-IN Sify Limited
SIGMANET-NIC LU MII AS
SIKA-AS Sika Informationssysteme AG
SITA SITA
sixtelecoms-as
SKTELECOM-NET-AS SK Telecom., Ltd.
SKYNET-SPB-AS SkyNet Ltd.
SKYVISION SkyVision Network Services
SLTINT-AS-AP Sri Lanka Telecom Internet
SOFTLAYER – SoftLayer Technologies Inc.
SOFTNET-AS-AP Software Technology Parks of India – Bangalore
SOLNET BSE Software GmbH
SONICDUO-AS AS for MegaFon-Moscow
SONOMA – Sonoma Interconnect
SONY-APAC-AP Sony – ASN for Asia Pacific
SOVAM-AS OJSC _Vimpelcom_
SPBMTS-AS Mobile TeleSystems, OJSC, MR North-West
SPCS – Sprint Personal Communications Systems
SPEAKEASY – Speakeasy, Inc.
SPECTRANET FIRST FIBRE BROADBAND NETWORK IN NEW DELHI, INDIA
Sprint US
SPRINTLINK – Sprint
SPRINTLINK-HOSTING – SPRINT, Business Serices Group
SS-NOC-AS – Straitshot Communications, Inc.
STARHUBINTERNET-AS StarHub Internet Exchange
STARNET-AS StarNet Moldova
STATEL-AS Stavropol branch of Southern Telecommunications Company
STEADFAST – Steadfast Networks
STOMI – State of Michigan, DMB-CNOC
STSN-SLC-UT-US – STSN GENERAL HOLDINGS, INC.
SUDDENLINK-COMMUNICATIONS – Suddenlink Communications
SUMTEL-AS-RIPE Summa Telecom
SUNCOMMUNICATIONS-AS JV _Sun Communications_ Autonomous System
SUNRISE Sunrise Communications AG
SUPERNET-PAKISTAN-AS-AP Supernet Limited Transit Autonomous System Number
SURFCONTROL-US-ASN Websense Hosted Security Network
SURFNET-NL SURFnet, The Netherlands
SWEETNET-AS Private entrepreneur Bliznichenko Vitalij Volodumirovich
SWISSCOM Swisscom (Switzerland) Ltd
SWITCH SWITCH, Swiss Education and Research Network
SWKO – SOUTHWEST KANSAS ONLINE
TACHYON-AS-ID PT Remala Abadi
TATA-AS TATA ISP
TATACOMM-AS TATA Communications formerly VSNL is Leading ISP
TATTELECOM-AS Tattelecom.ru/Tattelecom Autonomous System
TC Radio Systems Autonomous System
TCH – TCH Network Services
TDC TDC Data Networks
TDDE-ASN1 Telefonica o2 Germany Autonomous System
TDN Tikona Digital Networks Pvt Ltd.
TEAM-CYMRU – Team Cymru Inc.
TE-AS TE-AS
TELCOMNET TelCom Ltd.
TELCOM-UA-AS _Telecomunikatsiina Companiya_ Ltd
TELE2
Telecom Argentina S.A.
TELECOMMD-AS ICS Networks Solutions SRL
Telecomunicacoes da Bahia S.A.
TELEFONICA CHILE S.A.
Telefonica de Argentina
Telefonica Empresas SA
TELEFONICA-DATA-ESPANA Internet Access Network of TDE
TELEKOM-AS TELEKOM SRBIJA a.d.
TELENERGO EXATEL S.A. Autonomous System
TELENET-AS Autonomous System of Teleset-Servis Ltd.
TELENET-AS Telenet N.V.
TELENOR-NEXTEL Telenor Norge AS
TELESC – Telecomunicacoes de Santa Catarina SA
TELESWEET-AS Telesweet ISP Autonomous System
TELETECH – TeleTech Holdings, Inc
Television Internacional, S.A. de C.V.
TELEZUG WWZ Telekom AG
TELIANET-DENMARK TeliaNet Denmark
TELIANET-SWEDEN TeliaNet Sweden
TELKOMNET-AS2-AP PT Telekomunikasi Indonesia
TELKOMSEL-ASN-ID PT. Telekomunikasi Selular
TELLCOM-AS Tellcom Iletisim Hizmetleri
Telmex Chile Internet S.A.
Telmex Colombia S.A.
TELSTRA Telstra Pty Ltd
TEOLTAB TEO LT AB Autonomous System
TERREMARK Terremark
TFN-TW Taiwan Fixed Network, Telco and Network Service Provider.
TFO-BOSTON – THOMSON FINANCIAL
THEPLANET-AS – ThePlanet.com Internet Services, Inc.
T-HT T-Com Croatia Internet network
TINET-BACKBONE Tinet SpA
TISCALI-UK Tiscali UK
TISNL-BACKBONE Telfort B.V.
TKPSA-AS TKP S.A. is 3S.pl network operator.
TKT-AS JSC TKT
TMIB-BD-AS-AP TM International Bangladesh Ltd. ISP, Gulshan-1,Dhaka-1212
TMN-AS TMN Autonomous System
TMNET-AS-AP TM Net, Internet Service Provider
TM-NETSYS-ASH – TicketMaster
TOMLINE Tomsk telecommunication company Ltd
TOTNET-TH-AS-AP TOT Public Company Limited
TPG-INTERNET-AP TPG Internet Pty Ltd
TPNET Telekomunikacja Polska S.A.
TRANSTEL S.A.
TRAVELERS – Travelers Property Casualty Corp.
TRENDMICRO Global IDC and Backbone of Trend Micro Inc.
TRENDMICRO Trend Micro Inc.
TRUENORTHCOMM – True North Communications
TSF-IP-CORE TeliaSonera Finland IP Network
TSU-SM – Texas State University – San Marcos
TTCLDATA
TTNET Turk Telekomunikasyon Anonim Sirketi
TTSL-MEISISP Tata Teleservices ISP AS
TULIP Tulip Telecom Ltd.
TURKCELL-AS TURKCELL ILETISIM HIZMETLERI A.S.
TVCABO-AS TVCABO Autonomous System
TWTC – tw telecom holdings, inc.
UAEXPRESS EXPRESS Radio Network
UARNET-AS Ukrainian Academic and Research Network
UA-SEECH Seech-Infocom NCC
UA-SMART-AS Broadcasting company _Smart_ Ltd
UCOM UCOM Corp.
UCSB-NET-AS – University of California, Santa Barbara
UCSC – University of California, Santa Cruz
UDMVT-AS OJSC VolgaTelecom branch in Udmurtia Republic AS Number
UECOMM-AU Uecomm Ltd
UKRBIT-NET-AS SPD Bilopol Roman Leonidovich
UKRTELNET JSC UKRTELECOM,
ULTRADNS – Centergate Research, LLC.
UMANITOBA – University of Manitoba
UMC-AS UMC Autonomous System
UMICH-AS-5 – University of Michigan
UMN Ural-TransTeleCom Autonomous System
UNI2-AS France Telecom Espana SA
Uninet S.A. de C.V.
UNINETT UNINETT, The Norwegian University & Research Network
UNISYS-6072 For routing issues, email hostmaster@unisys.com
UNISYS-AP-UI-AS-AP Unisys AsiaPac Intranet Access to Internet
UNISYS-AS-E – Unisys Corporation
Universidad Nacional de Colombia
University de Los Andes
UNL-AS – University of Nebraska-Lincoln
UNSPECIFIED
UPC UPC Broadband
UPITT-AS – University of Pittsburgh
URAN URAN Autonomous system
USAA – USAA
USI Uralsviazinform
UUNET – MCI Communications Services, Inc. d/b/a Verizon Business
UUNET-INT – MCI Communications Services, Inc. d/b/a Verizon Business
VEGA-OD-UA DCS Ltd.
VERISIGN-CORP – VeriSign Infrastructure & Operations
VERSATEL AS for the Trans-European Tele2 IP Transport backbone
VIA-NET-WORKS-AS PSINet Europe / VIA NET.WORKS international AS
VIAPASS-FR VIAPASS SAS
VIDEOTRON – Videotron Telecom Ltee
VIETEL-AS-AP Vietel Corporation
VINAKOM – VINAKOM COMMUNICATIONS
VINS – ViaWest
VIRGINIA-AS – University of Virginia
VITSSEN-SUWON-AS-KR Tbroad Suwon Broadcating Corporati
VMWARENET-1 – VMWare, Inc.
VNET-AS VNET ISP Bratislava, Slovakia, SK
VNPT-AS-VN Vietnam Posts and Telecommunications (VNPT)
VODAFONE_ICELAND Backbone Autonomous System
VODAFONE-IT-ASN Vodafone N.V.
VODANET International IP-Backbone of Vodafone
VOLIA-AS Kyivski Telekomunikatsiyni Merezhi LLC
VOLKSWAGEN Volkswagen AG, Wolfsburg 1
VRIS-AS-BLOCK – Verizon Online LLC
VSI-AS VSI AS
VTX-NETWORK VTX Services SA
VZB-AU-AS Verizon Australia PTY Limited
VZGNI-TRANSIT – Verizon Online LLC
WATEEN-IMS-PK-AS-AP National WiMAX/IMS environment
WAYPORT – AT&T Wi-Fi Services
Webex Communications, Inc.
WEBSENSE Websense, Inc.
WELLSFARGO – Wells Fargo & Company
WESTHOST – WestHost, Inc.
WESTNET-AS-AP Westnet Internet Services
WESTPUB-A – West Publishing Corporation
WICAM-AS WiCAM ISP Cambodia Peering AS
WIDEXS ion-ip B.V.
WINDSTREAM – Windstream Communications Inc
WIRELESSNET-ID-AP WIRELESSNET AS
WITCOM- Wiesbadener Informations – und Telekommunikations GmbH
WN-AS Private enterprise Gorbunov A.A.
WORLDBANK-AS – WORLD BANK
WORLDCALL-AS-LHR Worldcall Broadband Limited
WORLDNET-AS World Net & Services Co., Ltd.
WOW-INTERNET – WideOpenWest Finance LLC
WXC-AS-NZ WorldxChange Communications LTD
WYOMING – wyoming.com
XO-AS15 – XO Communications
XS4ALL-NL XS4ALL
XTRA-AS Telecom XTRA, Auckland, NZ
YAHOO-BANGALORE-AS-AP Yahoo Bangalore Network Monitoring Center
YAHOO-US – Yahoo
ZIGGO Ziggo – tv, internet, telefoon
ZIPNETBD-DKB-AS-AP Zipnet Limited DKB AS number

The following chart maps the location of more than 300 command and control networks that were used in these attacks. 299 of them were located in China.

The geographic location of the more than 300 control networks used in the attacks.

Tags: , , , ,

94 comments

  1. Brian

    Thank you very much for your diligent work and reporting of this list to us today.

  2. Something wrong with your chart because i see more than one russian C2 in the list

    • AKL – The chart and the list look at two different aspects of this attack. The list is a list of organizations that owned the Internet addresses that were seen calling home to the command and control (C&C) networks used by the attackers. The chart just shows the geographic breakdown of those C&C networks.

      • Dear Brian, thanks for the fun so far, but this needs clarification because some folks can’t estimate the impact:

        “The list is a list of _networks belonging to_ organisations that owned the IP addresses that were seen calling home to the command and control (C&C) networks used by attackers.”

        For example we find MICROSOFT-CORP—MSN-AS-BLOCK on the list, which AS8075 belongs to. And let’s assume if there were bots on this network chances are they still have infections…

        A quick check for AS8074 on UCEPROTECT shows that at least 9 of their IPs were seen spamming last week:

        65.52.145.245 6 Spamtrap-hit/s
        65.52.146.226 1 Spamtrap-hit/s
        65.52.153.209 8 Spamtrap-hit/s
        65.52.154.69 8 Spamtrap-hit/s
        70.37.65.32 65 Spamtrap-hit/s
        157.55.160.108 1 Spamtrap-hit/s
        157.55.161.209 1 Spamtrap-hit/s
        157.55.178.53 1 Spamtrap-hit/s
        157.55.193.31 2 Spamtrap-hit/s

        Let’s have a look at http://cbl.abuseat.org:

        65.52.145.245 listed / infected with trojan or proxy
        65.52.146.226 listed / infected with trojan or proxy
        65.52.153.209 listed / infected with trojan or proxy
        65.52.154.69 listed / infected with trojan or proxy
        70.37.65.32 not listed
        157.55.160.108 not listed
        157.55.161.209 not listed
        157.55.178.53 listed / infected with trojan or proxy
        157.55.193.31 not listed

        Seems like there are still some infected machines spooking around at some microsoft facility. But without an inside view and without knowing their security policies we can’t tell if those machines are of any risk for the company – even if those machines have high chinese traffic. ;-)

        Let’s check for another example: VOLKSWAGEN. – If you know how to use Senderbase.org you come to find that 194.114.76.23’s reputation is ‘Poor’ = A problematic level of threat activity has been observed…

        …but as 194.114.76.23 is part of Volkswagen’s Autostadt (“an amazing mixture of amusement park, museum and inner city relaxation area”) it’s likely people take their notebooks around. Any risk for the company? – Most likely not… even if a notebook belongs to a chinese visitor.

        Yes, every company should have their software, policies and admins up to date – and we all should bother Microsoft until they update all their windows installations worldwide free of charge – but a list of most of the internet networks because they’ve had some C&C traffic does just mean that. Cybercrime and is a threat to all of us. Chinese or not. ;-)

  3. looks like the great chinese Firewall is only wirking in one direction ;)

  4. Hi Brian,

    Good article. Please could you provide me with source of this data.

    Thanks

    Matt

  5. I’m with Matt: How -did- this data come about? The way you worded it, you implied it was searched for historically. That is, using what we knew in… January or so, we searched backwards in time to the prior November, to see who was communicating with what IP Addresses.

    How did that happen? I’d really like a congressman to inquire.

    One theory would be as part of the ‘Warrant-less Wiretapping’ program, the government could have a pen register on all the transatlantic cables. I’d like to think that isn’t the case… but it wouldn’t surprise me.

  6. Yes, Source please. Without source its just a bunch of senseless words.

    Furhtermore: Where all the connections C&C connections or may there be legit connections, i.e. the servers serving banners.

    I still doubt the APT in this attack, see here for a writeup: http://jeffreycarr.blogspot.com/2011/06/18-days-from-0day-to-8k-rsa-attack.html (not mine, just the first hit)

  7. Kind of a douchebag move without the the proper context isn’t it? I’m all for more information like this coming out, but this is steaming pile of FUD.

    This must have been all the information anyone was willing to give you, couldn’t you talk anyone into finishing the work for you?

    Good luck with the book!

  8. At least a couple of those “victims” probably aren’t.
    Traffic from WebSense and OpenDNS could as easily have been proxied on the their customers behalf.

    • If I could be more specific about the source of the data, I would, but I’m not at liberty to do so. I wouldn’t have posted this information if I didn’t think it was reliable data.

      Your points were addressed in this paragraph, from the story above:

      “A few caveats are in order here. First, many of the network owners listed are Internet service providers, and are likely included because some of their subscribers were hit. Second, it is not clear how many systems in each of these companies or networks were compromised, for how long those intrusions persisted, or whether the attackers successfully stole sensitive information from all of the victims. Finally, some of these organizations (there are several antivirus firms mentioned below) may be represented because they intentionally compromised internal systems in an effort to reverse engineer malware used in these attacks.”

      • I doubt the AV firms mentioned are running ‘honeypot’ systems on their own publicly noted address space. Typically this is done through shell companies or address blocks so as not to have your honeypot’s cover blown to early.

        • I’m not an AV company, but I can attest that from 2006 to 2008 my perimeter gateway UTM pie charts looked similar to these offered in the story. Since then the Chinese have become a little less brazen, and the IPs started originating from “University ” addresses; but now are more obfuscated, and my ISP is gaining ground as well.

          After I supplied data to my ISP, they not only reduced this traffic, but the local back ground radiation as well. I really have to give them a lot of credit to this effort. I also believe attempts, that fail externally, are dropped when no success is reached in a certain amount of time. These charlatans can now rely more on success by interior infections, direct physical espionage, and social engineering attacks.

  9. Maybe interesting for you, to read a bit about root cause structural problems & Solution in the IT-Sec arena?

    quick start:
    http://www.qcic.nl/item.jsp%3Fnews=85.html
    http://www.qcic.nl/item.jsp%3Fnews=61.html

    • Thanks for posting these links at qcic.nl. The NL police need to point people with problems in the Netherlands towards them. The first link truly indicates why the list above exists.

      • Its a shame that most people prefer negative [Its Bad!] ‘news’,
        and can’t be bothered to learn about why those things became ‘bad’ and even more interesting how to actually Fix such common bad habits.

        Anyone knows why this is?

  10. Brian;

    I too am interested in what you are using as the basis for your list. Not who gave you the data, but what that data was based on. Was it based on nodes/hosts that were infected by malicious excel files using the same flash 0-day that infected RSA, or was it based on nodes/hosts that had the RAT beaconing out? If it is the later, then I think the information is suspect since the Poison Ivy RAT isn’t unique to this particular hack.

  11. You get an “F” on this homework assignment! You’ve listed every Internet Service Provider where this bot crossed their network. At a minimum, you could have called RSA and verified that these companies are even RSA customers. There are companies on this list that I know are NOT RSA customers.

    • You get an “F” for reading comprehension.
      “Security experts have said that RSA wasn’t the only corporation victimized in the attack, and that dozens of other multinational companies were infiltrated using many of the same tools and Internet infrastructure.”

      • Kudos RT. You have given the best summary of the problem I have observed. The detractors are saying they want where the data came from (which can not be revealed) and won’t believe it until it is revealed. They remind me of the proverbial Ostrich sticking their heads in the sand. They seem to argue thace since there is no disclosure of the source data that there is no problem. I suspect the problem is even larger than what Brian is showing. There are probably even more Fortune 500 companies affected than what he shows. Some of them would even claim they were still not infected even if they were informed by who it was that gave Brian the data that they had a problem. There is a growing anti-security stance which is gripping the entire world right now. Why do I say this? You known it is bad when the US Air Force doesn’t want to eradicate some malware in their drone systems. Ten years ago the Air Force wouldn’t have even tolerated it.

  12. The mystery of “NO_NAME” is going to keep me awake at night.

    Actually, this whole list is. At least my employer is not on it :D

  13. I see that Google, Microsft, and Yahoo are on the list. Could the above RSA-related compromises account for the continuing conscription of contacts in Yahoo and Live (Google?) accounts that result in the spewing of SPAM to said contacts? Seems somewhat far-fetched, but I thought I’d pose the question, anyway.

    Such a mail account compromise happened to me in early July. I found that my account was accessed by a node in some foreign island nation (forget which). My contacts must have been obtained at that point. Then SPAM sent on my behalf, but not through my account (I was able to examine the headers of one of the messages). My password was (is) not easily guessable. Yahoo groups to which I subscribe appear to still be under such attacks, daily. My machine was not compromised. I inspected the registry, the logs, and running programs. I removed the hard drive, mounted it on an external USB interface, and scanned it from a safe machine with multiple AV programs. Worst thing found was a spyware cookie. I use FF+NoScript. Never any behavioral indications that it was ever compromised. I can document most of this.

    Just last week, one of my users reported receiving similar SPAM from his brother, who uses a Live account. After examining his machine for most of the day, I concluded that FF+NoScript had blocked his PC from being infected when he clicked the SPAM link and visited the target website.

    • I have a client who is a Microsoft partner whose account has been compromised for months, and Microsoft doesn’t seem interested in doing diddly about fixing the problem. This client suspects it is an inside job; but I reserve judgment until I can train this person in basic local machine policy and security in general.

  14. If you can’t divulge the source, can you divulge the raw data that gives timeframes and explanations of the traffic that was seen?

    Without this information your article is irresponsible alarmism that damages the listed companies. The traffic could have just been a handful of packets before an IPS kicked in (i.e. normal controls are working), someone checking their own controls by contacting known C&C servers, or an actual infection. We will never know without the raw data.

  15. At this point it’s safe to assume that every company that competes with, buys from, or sells to China has been compromised and fully rooted.

  16. Maybe you can’t tell the source (who gave you the info) but what data is this based on? Actual connections from a backdoor or is this based on DNS lookups? I can make any company with an open DNS server look like they’ve been infected…

  17. Appreciate the info. I’ll ask the ? that affected organization’s are asking – does a mechanism exist for companies on this list to find out how / why they showed up on this list?

    Normally in situations like this there is a way for affected orgs to get an additional bit of insight in order to take remediation / incident response steps.

    Another question: the article states that the devices were calling home to some of the same phone home control infrastructure, is this infrastructure assessed to be sole purpose or there indications that it may have been used for or is affilated with other botnets, malware purveyors.

    Thanks …

  18. “Source!” “Burn the source!” “Kreeeebs, give us your source!” “SOURRRRRRCEEEE. MUST BURN THE SOURCE.”

    Jeez guys would you quit it with the obvious fishing expeditions?

    • To put it in a more eloquent way, there are many situations where you don’t expect or anticipate learning the source of some info.

      For instance you don’t go prodding someone who you buy drugs off of for their supplier. It’s called knowing your place. In this case ‘your place’ would be the reader. While having every bit of info cited is nice that’s just not how life works.

      For now be happy you are getting tidbits of info without paying a monthly subscription to some uber leet super secret forum of doom where people hash out their plans for world domination. Kthx.

      • Yeah, sorry, these aren’t juicy tidbits. These are assertions that various companies have been compromised — possibly libelous, even — with no backing.

        You’re not selling me drugs, you’re forcing drugs down my throat and then telling me not to question the supplier.

        • G,

          Unless you were subjected to a “Clockwork Orange” type treatment, nobody forced this down your throat.

          If you want to discount this information because Brian will not reveal his sources, that’s your prerogative.

      • I really admire your work Brian but I tend to agree with some of the folks who are a little critical of this data being posted without any context. How this data was gathered and how it was judged is critical to actual give it any veracity.

        That it was shared with the Government does not lend it anymore credibility to me than if it was shared with any random party. In fact people sharing stuff w/ Congress nearly always have an agenda. Especially if they are a security vendor or service provider of any description.

        I am indifferent to who the source is but a better understanding of their data, your caveats notwithstanding, I think is sorely needed here.

        al

  19. Brian, you know better. This is extremely reckless journalism on your part. This looks like it’s probably DNS related, and if so, ANY DNS lookup would cause a hit on your list. That means anyone doing a dig to see IP information, pinging to see if the site is still up, trying to hit it with a browser, etc. Unless you have solid visibility on the C2 itself there is no way to determine that these sites where “other places the RSA attackers hit” as your article title states.

    You should probably take this down. If you don’t provide enough detail for independent verification, this is just FUD.

    • It’s DNS related to the extent that DNS is a low level of the Internet and AS are also a low level of the Internet. As it happens, I think it’s fairly safe to say that AS is a much *lower* level.

      What you’re probably looking at is:

      1. {victim} sends pattern of packets to {C&C}
      2. either someone hacks the {C&C} or someone observes the packets going to it.
      3. Let’s assume someone observes {C&C} (hacking {C&C} is boring, it obviously could have a log of whom sent it valid chatter)
      4. {observer} can easily only record instances where a proper stream of packets (understood to be “well formed chatter”) are sent by {victim} to {C&C}
      5. What should {observer} report?

      Choices:
      a. IP Addresses
      – problems: Dynamic ip addresses, too many ip addresses = totally useless
      b. DNS entries
      – problems: Dynamic, chaotic, meaningless, not necessarily round trippable, too many names (potentially nearly as many as ip addresses) = totally useless
      c. AS entries
      – problems: Not every company has an AS assigned, some companies have a couple
      – value: Big companies (and organizations) *do* have them, and at most only a couple, there are only a handful of AS Numbers out there (well, ok, maybe a couple thousand, but really it’s *much* better than IP addresses or dns entries)

      AS entries don’t solve every problem, obviously if an ISP hosts others then those it hosts will appear in an AS assigned to the ISP. However because ISPs are responsible for traffic from their ASN, it’s in an ISP’s best interest to make sure it can do something with ASN info, and general best practices say that you should give one ASN to yourself and one to what you host so that when someone yells at you, you can say “oh, that’s a customer, we’ll get on it”, instead of having someone say “oh, that ISP is evil/clueless/hacked, let’s block it”.

      It isn’t uncommon for “ASN” [1] to come up as a possible target of an Internet Death Penalty [2].

      [1] http://www.mail-archive.com/vox-tech@lists.lugod.org/msg08765.html
      [2] http://catb.org/jargon/html/I/Internet-Death-Penalty.html

  20. Sometimes information of a partial nature aims at precipitating further conduct from one’s adversaries.

    As in Sun Tzu’s Art of War, or even the 38 Stratagems of Ancient China.

    As regards issues of ‘defamation,’ the 3 caveats repeatedly noted would make such a claim ‘challenging.’

  21. This appears to be a list of AS (Autonomous System) network names. Look some of them up at “www.arin.net”.

    Back when Merit Network, Inc. ran the internet (with MCI and IBM – I was with Merit in the dialup business then), Merit was able to do network by network traffic statistics matrices – i.e.: how much traffic of what kind – DNS, FTP, UUCP, SMTP – went from one network to another network. This was back when the Internet was MUCH smaller – and even then, scaling of the network routing tables were a problem. This was about the time BGP and autonomous system numbers were invented to simplify the network routing problem of 255 class-A networks + 16535 class-B networks + 16777216 class-C networks.

    All I can think is that the Department of Homeland Security has it’s tentacles in enough ISPs that they can collect a cross-matrix of AS to AS traffic statistics on a historical basis (which is still probably gigabytes of data per. day – depending on how deeply they inspect the packets.) I think this is reasonable speculation of MINIMAL capabilities of the DHS/NSA – based on what’s already been revealed about the AT&T’s relationship with the US Federal government.

    Brian – not citing where the data comes from is fear mongering, plain and simple.

  22. Doesen’t anybody at these hacked companies check their *multilayered* outbound router logs 1/2 hourly for suspicious outbound traffic to strange IP addresses, or would that be too easy?

    • actually I suspect it would be too hard. at least not without a good toolset, and folks having a good toolset are less likely to be on that list. A big enterprise network will have so much traffic you won’t be able to tell what’s funky without some automated help, and that requires custom rulesets tuned for your network.

      To get your mind around the problem, consider this. Last week I heard an assetion that a typical browser these days can open hundreds of simultaneous connections for one simple view (last time I sniffed a session it was just a couple of dozen for a simple page load but that was awhile ago). So think about the noise from that with ads, google results prefetches, etc.

      These are not your home hobbyist or SOHO networks.

  23. Krebs has it backwards and this list actually communicates quite the opposite conclusion:

    Not appearing in this list implies that a given company’s security team did not investigate the RSA breach on their own network. Otherwise they would have generated investigative traffic to it and appeared as a FP in the above list. This is much easier to do than running malware in a sandbox, as Brian suggests.

    Brian – you may have accurate data – but you have come to an entirely inaccurate conclusion from it

    • I’m pretty sure that the data is based on observations of the C&C destinations (roughly inbound) and not based on origin (roughly outbound). Brian noted that there are around 300 destinations, which makes observing them or doing data gathering at that side *much* simpler than trying to do data gathering at all possible sources.

    • Krebs conslusion is flawed. Anderson is right — there is as much evidence that Bluecoat and others *were* intentionally investigating these servers as there is that the others *weren’t* looking into them as well.

      Just because we aren’t infosec companies, doesn’t mean we don’t know what we are doing.

  24. Why is everybody crying after source? It is irrelevant. The breaches happen more often and too easily. It has become clear that everyone can be victimized so why bother thinking who has been hit or not. Focus on fixing these problems before it is too late.

  25. Sorry if I missed that, but does anyone know the IP adresses of the C&C Servers? I would like to know them to do a search in our SIEM System…

  26. I think it’s interesting that Websense made the list. With there latest and greatest URL database and real-time threat scanning, one would think they would block or detect this type of threat unless they were reverse-engineering the attack.

    • Not sure why anyone is surprised or upset about being on the list. Also, why wouldn’t you expect security companies to be on the list (e.g. Websense)? They have security ignorant (couldn’t think of a more kind word) folks who work in accounts payable, accounts receivable, etc, etc just like the rest of us. Furthermore, none of those gateway security products do an adequate job of preventing these attacks. We have best of breed enterprise web gateway anti-x and best of breed client anti-x and best of breed mail gateway anti-x and stuff sails past it all on a daily basis.

  27. Somewhat Off Topic, but almost the last chance: The US government has issued a Request For Information (RFI) on malware and bots, see:

    http://www.federalregister.gov/articles/2011/09/21/2011-24180/models-to-advance-voluntary-corporate-notification-to-consumers-regarding-the-illicit-use-of#p-27

    The comment period ends 2011-11-04.

    A copy of my response is on my site at:

    http://www.ciphersbyritter.com/COMPSEC/ADVISING.HTM

    • Terry, I read your comments very carefully. The only difference between you and me is you are more optimistic than I am. So I will let your comments stand. But a discussion of bots and this are really the same thing. It boils down to one question – are there concrete things we can do to reduce the size of this problem (infected computers) to something manageable? I gave some of them which are more appropriate for this than the bots here (but they apply to both and at the same time also battle phish):

      http://securemecca.blogspot.com/2011/04/advanced-persisten-threat.html

      The problem comes in on that third bulleted item. At present there really isn’t a good STABLE, INEXPENSIVE replacement for Microsoft Windows.
      There could be if the Linux people could just stop thrashing around and make their changes far less revolutionary and more evolutionary. Example? Why did Ubuntu replace gnomeshell with a new GUI that creates hundreds of files on the desktop of my neighbors machine when he moves his mouse too fast? What was so deficient in gnomeshell that it had to be replaced? I know people that are still using VTWM (Virtual Tom’s Window Manager) because they got used to it and don’t want to change their GUI every 2-3 years. Fortunately they don’t have to manage right to left languages like Arabic or Perso-Arabic which some people need. I can only hope that Apple finally made it so you have to type a pass-phrase to install software into the privileged file system space. If they haven’t done it yet they have basically taken the Unix file system protection and thrown it out the door (probably permanently).

      http://securemecca.com/public/ChmodTable.txt

      Also, no matter who argues to the contrary, Macintosh is probably more expensive than Microsoft. It definitely is with up front and hardware costs. Any time you have a monopoly on where the hardware can come from the prices go up along with assurance of compatibility.

      I can’t even update my Ubuntu LTS system to use the latest flash player. Adobe does their best but with libraries that are too old (the OS has only been in place for slightly over one year) the new version of flash won’t work properly. Linux people need to stop thrashing around and make an OS with at least a three year life-span. You are NEVER going to get that with Linux. Expecting people to replace their OS every 3-6 months or even every year just isn’t practical. This is especially true when they take the GUI you got used to and throw it out the door. There better be a very good reason to take something that was working, throw it away, and replace it with something else. I for one am getting tired of change just for changes sake.

      I have had my web-site blocked not just once but twice because my ISP’s anti-bot service isn’t anywhere near good enough and neither are the people taking care of it to distinguish a FP from from the real thing. I can assure them my Linux machines are not bots. I even blow away my ~/.mozilla and ~/.opera folders at even the hint of a JavaScript infection and create fresh new ones. In fact I do it every three months whether they need it or not. This is your number one source for infections of desktop Linux systems. Servers have other problems. I also highly recommend NoScript for Firefox but everybody I know removes it.

      I don’t think there are easy answers and expecting Senators and Representatives, much less secretaries who are fearful of computers to be the biggest contributors to giving us more security is too much to expect. As Matt said, even with the best stuff they still have packets heading out the door. If you ask me, this particular problem – companies infected just like RSA, is probably even larger than what Brian shows.

  28. Brian:

    You need to provide a method for companies listed on this list to find the IP addresses that correspond to this data.

    • https://www.ultratools.com/tools/asnInfo

      Would let anyone on the list find out the range of ip addresses which could contain the sources.

      However, the data was clearly lossily compressed such that a company would have to do some work to figure out which computers on their network are affected.

      Given that in general ASs pair with other ASs at relatively well understood borders, any network admin would understand where to go to add (hopefully check) logging of their AS domain. Given that the vast majority of the C&Cs are in China, I’d bet one could merely have one’s AS exits look for traffic headed to Chinese ASs (again, countably few).

      However, people have noted that the precise method of identifying bad traffic wasn’t provided in Brian’s article (which doesn’t bother me), so I’m not quite sure what one should look for in Chinese bound traffic once one identifies it (to distinguish C&C traffic from valid traffic). Although one could take the simplistic approach of “if you’re talking to China, you go into a penalty box until you complain”. With that system, if you’re lucky, you get only a handful of complaints, and you can slowly inspect each system and then let it out…. — I really don’t want to be that Admin, I like working on Web Browsers, it’s a much more relaxed job (and yes, we have Firedrills too, and they can affect more people than any single poor admin, but still, we didn’t try to clean up all of our customers, just send out a fixed software package).

      • [quote]
        https://www.ultratools.com/tools/asnInfo – Would let anyone on the list find out the range of ip addresses which could contain the sources.

        However, the data was clearly lossily compressed such that a company would have to do some work to figure out which computers on their network are affected.
        [/quote]

        There are quite a few companies on this list that have multiple large aggregate blocks (off the top of my head I see down to /8’s in there) and multiple large backbone connections. Not having more specific information makes the name dropping useless.

        It would be nice to be able to do a lookup, based on ASN to identify infected IP addresses.

        • the reality is that the only people who could do something truly useful with ip addresses are IT admins *within* their given organization. Further, only people who are not clueless will be able to do necessary cleaning and forensic analysis. Also, some of these companies will be using NAT, so an ip address won’t correspond to a single computer, merely a point of presence.

          Giving out a list of actual ip addresses really doesn’t benefit the general public. And if the people who collected IP addresses happened to miss a C&C point and thus miss other infected addresses, we don’t want a company to say: “we’re clean, we checked all of those IPs”.

          Cleanup / Analysis involves much more than simply looking at exit points, someone has to determine what data was stolen and whose credentials were compromised. The public facing ip list won’t get you there at all. It’s *better* to just know if your systems as a class were affected. That’s what the AS says. And for the ISPs in the list, hopefully they have a team which is savy enough to determine which of their customers were affected and notify them (in case those customers don’t have proactive IT).

  29. The detractors to this post are frankly clueless, but what do you expect when they do not have all the facts? Brian posted callback domains for the perpetrator C2 systems months ago. Organizations that were identified as affected need only go back to their DNS logs at the time window of the hacks (assuming they have DNS logs, right?) and look for beaconing to the following URL’s posted by Brian back in March. Or they can use one of the passive DNS databases for the IP records that are available to the good guy community. Some of those 2nd level domains are active right now for current exploitation. If they are only looking now for something that happened back in March, won’t help much. Look for active exploitation, NOW.

    http://krebsonsecurity.com/wp-content/uploads/2011/03/unclassrsa.jpg

    • To humor myself I just ran them through DNS. Many are now mapped to MS localhost (0.0.0.0) with one to 127.0.0.2. www(dot)cz88(dot)net is an alias to a numbered host at myisp(dot)cn. hopto(dot)org is a DNSWCD – DNS WildCard Domain. Whether or not that host goes to anything (most likely it doesn’t) is immaterial to me. I finally blocked the hopto(dot)org domain in my PAC filter because of all the malware it redirects to. hopto(dot)org’s IP address is constantly changing. But all redirectors and URL minimizers have an inherent risk unless you can see in advance where you are headed.

  30. Disgruntled RSA customer

    When will RSA customers take this seriously – RSA got hacked, RSA pretended it didn’t matter then finally ‘fessed up that it was a major breach endangering their entire customer base. RSA customers get hacked – is there a point where the customers question RSA about all of this or are they just going to carry on drone like eating the BS story that they are told – oh great we get free replacement tokens that means we are ok…..c’mon people wise up the whole integrity of RSA is broken and here’s a bunch of paying organisations who are paying the price.

    • Many of the US DoD and NASA contractors dropped RSA and are using other company’s products. RSA is suffering permanent big time losses over their break in.

      • Why does this come back to RSA? If you believe those listed in this article you obviously don’t have any understanding of information security. This atricle only points out the fact that other organizations had machines that beaconed out to the same C2 servers as those that were used in the RSA attack. Have you heard any of these other organizations come forward?? You should take a few to really think what the adversary was after when they breached RSA and why they replaced tokens. With your wits, I am sure your organization is probably already owned.

        As far as people replacing tokens…you shoul probably check your facts abut the DoD and federal agencies walking away from RSA. As a consultant in the beltway, I can attest that not one of my customers has stopped using SecurID in both the classified and non-class environments. As someone else mentioned above, the federal governemtn and DIB (Defense Industrial Base) as long been impacted by these types of adversaries and have often fallen victim.

        I realize the desire to blame RSA, but all RSA has done as put the threat in the limelight and let people know it can happen to them.

        TJ

        • One of the editors at SANS said that cutomers did abandon RSA and that was over five months ago. Names of companies were of course not mentioned. So search the SANS digests and take your beef up with the SANS editor if you disagree with his statement. He knows some of the people at those companies personally. If you want to reply to Disgruntled RSA Customer for him bringing the subject up in the first place then do so. But reply to him rather than making this a personal attack against me. You basically called me stupid and I resent it. I suggest my real world experience of analyzing over 5,000 malware over the past six years with much of it being the the 3-4 hosts in sequence where the last one or two hosts go into DNS and drop out of DNS eight hours or less later only to be replaced by new hosts with updates of the malware used to steal you financial information has educated me far beyond my degrees in Psychology, Mathematics and Computer Science.

          Besides the problem is NOT just RSA. Don’t you think I know that? ALL companies should know by now that they may be attacked. What I am getting from some people here is that it isn’t even happerning at all. I even got the same email message that took Google down. It looked positively amateurish to me. But I wasn’t using Outlook on Windows. I was using Thunderbird on Linux. So even a nobody blocker can get attacked.

        • Disgruntled RSA customer

          Did you read what I read before posting this? RSA were breached they are to blame, it was unforgivable they didn’t tell us the truth about what happened so we could do something about it. Thanks for pointing out the obvious in your other comments that was profound.

          This is simple we paid them a fortune to protect us they failed – who else is there to blame?

          “I realize the desire to blame RSA, but all RSA has done as put the threat in the limelight and let people know it can happen to them.”

    • This should have been turned into a class-action, like Sony, months ago…

    • @ Disgruntled,

      You are conflating two issues,

      1, being hacked.
      2, losing confidential data.

      All companies with an Internet connection get a “knock on the door” several times a day.

      Some of those knocks find unlocked doors some don’t.

      The chance of a knock finding an open door depends on how well known it is. By definition a zero day attack is unknown on first use, and depending on what it does and how much it is used it eventually becomes known.

      So any company can be hit by malware, even with the best detection systems.

      Infact there is an old truism that “if you don’t occasionaly have malware then you need to replace your security team”.

      What RSA and many other companies have done is for business reasons assume that malware cann’t harm them (fail #1). Then implement systems that contain sensitive information without the necessary checks and preventative measures (fail #2).

      The problem with such measures is that they are nearly all obtrusive in use and thus have high costs associated with them.

      Somebody at RSA decided to take a gamble that it would not happen, or that if it did they could hide the problem, thus they could save money (fail #3).

      As it is RSA has taken a “reputational hit” with some immediate financial implications. However over time other of their customers will leave them depending on what the cost is.

      RSA may even repair their reputation and thus prosper by getting sufficient new customers, or atracting back customers they have lost, but this may take years to do.

      Another asspect to such problems is actually knowing what is and what is not sensitive data and where it is actually used within your organisation and how.

      One significant problem is the non revocation of access as people get different jobs or promotion within an organisation.

      Sometimes you will find some secretary or accountant who has worked in many parts of an organisation has access to just about every source of data within the organisation, without currently having the requirment to have access.

      There are two issues with this,

      1, the employee might go rouge.
      2, The employees account might be used by others.

      Either way the company has a problem, especialy when “used by others” is done via malware, which you (should) know you are going to get hit by at some point.


Read previous post:
Critical Java Update Fixes 20 Flaws

Oracle Corp. released a critical update to plug at least 20 security holes in versions of its ubiquitous Java software....

Close