EXCLUSIVE: Leaked "RSA dump" appears authentic
A massive Pastebin dump of domain names and IP addresses supposedly linked to a cyber espionage ring appears to be the real deal.
The Pastebin dump, dated August 15, lists around 850 entries containing domain names and IP addresses, supposedly leaked by "RSA Employee #15666". The dump asserts the IP addresses and domain names listed are used in command and control operations by a cyber-espionage ring.
"My sincerest apologies go out to those with ongoing monitoring operations on any of the IP addresses involved," the dump reads. "These attacks have targeted US and Canadian companies almost exclusively for at least five years... and continue to be extremely effective."
The dump claims the operation targets include private US defence firms.
The dump also makes the explosive claim that many of the IP addresses are monitored by private information security companies "...for the purpose of supplying stolen information back to the affected companies."
"Stolen data is effectively held hostage for the price of doing business with the company in the know," the dump reads.
The idea might sound like an unlikely conspiracy theory, but it's lent some serious credibility by a leaked HBGary analysis of some of the same IP addresses and domain names. That analysis appears to confirm their authenticity as espionage-linked callback IPs.
The analysis, which was leaked by an attack on HBGary Federal by Anonymous in February this year, identifies each IP address as a callback address for custom malware used in espionage operations, presumably operating out of China. The IP addresses serve a configuration file that redirects infected hosts to an interactive command and control IP based in Hong Kong.
The vast majority of the leaked IP addresses are physically located in the US.
HBGary codenamed the operation "Soysauce".
"The soysauce group targets a large number of defense contractors who service the U.S.A," the analysis begins.
Alarmingly, the HBGary document suggests that each sub-domain of each registered domain name corresponds to a successfully compromised target.
For example, Booz Allen Hamilton via bah001.blackcake.net, Mantech Corporation via mantech.blackcake.net and man001.blackcake.net, and so on.
This means each of the 850 entries in the dump potentially corresponds to a custom callback address for each successfully compromised victim.
To cut a long story short, if you find any of those IPs in your logs, you're likely owned by the Chinese government.
If you don't find them, you're probably owned anyway.
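The practical question the article raises is how to check your own logs against a list like this. The script below is an added example written for this page, not code from Risky.Biz, RSA or HBGary; every indicator, IP address and log line in it is a constructed placeholder, not a value from the dump. It parses an indicator list in the dump's shape (one domain or IP per line), then scans sample DNS and proxy log lines. Because the HBGary analysis says each victim gets its own sub-domain of a registered callback domain, the matcher deliberately treats any sub-domain of a listed domain as a hit rather than requiring an exact hostname match.

```python
import ipaddress
import re

# Constructed indicator list in the shape of the Pastebin dump: one domain
# name or IPv4 address per line. Every value is a made-up placeholder, not an
# indicator from the dump or from the HBGary analysis.
IOC_DUMP = """
# callback infrastructure (constructed sample)
callback-one.example
203.0.113.45
c2host.example
198.51.100.7
"""

# Constructed log lines in a simplified DNS-query and web-proxy format.
SAMPLE_LOGS = [
    "2011-08-16T10:01:02 dns query client=10.0.0.12 name=bah001.callback-one.example type=A",
    "2011-08-16T10:01:03 dns query client=10.0.0.12 name=www.example.org type=A",
    "2011-08-16T10:02:10 proxy client=10.0.0.12 dst=203.0.113.45:443 url=https://203.0.113.45/cfg.txt",
    "2011-08-16T10:03:00 proxy client=10.0.0.31 dst=198.51.100.200:80 url=http://198.51.100.200/",
    "2011-08-16T10:04:00 dns query client=10.0.0.40 name=notcallback-one.example type=A",
]


def parse_ioc_dump(text):
    """Split a dump into (ip_set, domain_set).

    Blank lines and '#' comments are skipped. Anything that parses as an IP
    address goes into ip_set; everything else is treated as a domain name,
    lower-cased and stripped of a trailing dot.
    """
    ips, domains = set(), set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            ips.add(str(ipaddress.ip_address(line)))
        except ValueError:
            domains.add(line.lower().rstrip("."))
    return ips, domains


def domain_matches(name, domains):
    """True if name equals a listed domain or is a sub-domain of one.

    Suffix matching on label boundaries is deliberate: the analysis says each
    compromised target gets its own sub-domain, so only the registered domain
    is known in advance. Label-wise comparison also avoids matching
    'notcallback-one.example' against 'callback-one.example'.
    """
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))


IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
NAME_RE = re.compile(r"\bname=([A-Za-z0-9.-]+)")


def scan_logs(lines, ips, domains):
    """Return (log_line, matched_indicator) pairs for lines touching a listed IP or domain."""
    hits = []
    for line in lines:
        matched = None
        # Any IPv4 literal in the line (dst=, url=, ...) is checked against the IP set.
        for ip in IP_RE.findall(line):
            if ip in ips:
                matched = ip
                break
        # DNS query names are checked against the domain set, sub-domains included.
        if matched is None:
            m = NAME_RE.search(line)
            if m and domain_matches(m.group(1), domains):
                matched = m.group(1)
        if matched is not None:
            hits.append((line, matched))
    return hits


if __name__ == "__main__":
    ioc_ips, ioc_domains = parse_ioc_dump(IOC_DUMP)
    for log_line, indicator in scan_logs(SAMPLE_LOGS, ioc_ips, ioc_domains):
        print(f"HIT {indicator}: {log_line}")
```

A hit is a reason to investigate the client host, not proof on its own: the article notes most of the listed IPs are physically in the US, and an address in a list this old may since have been reassigned or sit on shared hosting, so confirm with the configuration-file fetch and the onward connection the analysis describes before declaring a compromise.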
Risky.Biz has no reason to believe Pastebin data was actually leaked by an RSA employee.