EXCLUSIVE: Leaked "RSA dump" appears authentic

Written by

Patrick Gray

CEO and Publisher

A massive Pastebin dump of domain names and IP addresses supposedly linked to a cyber espionage ring appears to be the real deal.

The Pastebin dump, dated August 15, lists around 850 entries containing domain names and IP addresses, supposedly leaked by "RSA Employee #15666". The dump asserts the IP addresses and domain names listed are used in command and control operations by a cyber-espionage ring.

"My sincerest apologies go out to those with ongoing monitoring operations on any of the IP addresses involved," the dump reads. "These attacks have targeted US and Canadian companies almost exclusively for at least five years... and continue to be extremely effective."

The dump claims the operation targets include private US defence firms.

The dump also makes the explosive claim that many of the IP addresses are monitored by private information security companies "...for the purpose of supplying stolen information back to the affected companies."

"Stolen data is effectively held hostage for the price of doing business with the company in the know," the dump reads.

The idea might sound like an unlikely conspiracy theory, but it's lent some serious credibility by a leaked HBGary analysis of some of the same IP addresses and domain names. That analysis appears to confirm their authenticity as espionage-linked callback IPs.

The analysis, which was leaked by an attack on HBGary Federal by Anonymous in February this year, identifies each IP address as a callback address for custom malware used in espionage operations, presumably operating out of China. The IP addresses serve a configuration file that redirects infected hosts to an interactive command and control IP based in Hong Kong.

The vast majority of the leaked IP addresses are physically located in the US.

HBGary codenamed the operation "Soysauce".

"The soysauce group targets a large number of defense contractors who service the U.S.A," the analysis begins.

Alarmingly, the HBGary document suggests that each sub-domain of each registered domain name corresponds to a successfully compromised target.

For example, Booz Allen Hamilton via bah001.blackcake.net, and Mantech Corporation via mantech.blackcake.net and man001.blackcake.net.

So on, so forth.

This means each of the 850 entries in the dump potentially corresponds to a custom callback address for each successfully compromised victim.

To cut a long story short, if you find any of those IPs in your logs, you're likely owned by the Chinese government.

If you don't find them, you're probably owned anyway.
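The practical takeaway from the dump, for a defender, is a log sweep against the indicators. The following is an added example, not from the article or from HBGary, showing how that sweep can be done. It matches destination IPs exactly, matches the listed hostnames exactly, and also flags any other subdomain of a listed apex domain, because the HBGary analysis ties each sub-domain to a separate compromised target, so a hostname absent from the leak may still belong to the same infrastructure. The blackcake.net hostnames are the ones named in the article; the IP addresses, the log format and the log lines are constructed placeholders, and xyz042.blackcake.net is a made-up subdomain used to exercise the apex rule.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed indicator set standing in for the leaked list. The blackcake.net
# hostnames appear in the article; the IPs are RFC 5737 documentation addresses
# used as placeholders, not real callback addresses.
CALLBACK_IPS = {"192.0.2.17", "198.51.100.45"}
CALLBACK_DOMAINS = {
    "bah001.blackcake.net",
    "mantech.blackcake.net",
    "man001.blackcake.net",
}


def apex_domain(host):
    """Return the registrable domain (last two labels) of a hostname."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


# Apex domains whose every subdomain is treated as an indicator, since the
# analysis quoted above maps each sub-domain to a distinct victim.
CALLBACK_APEXES = {apex_domain(d) for d in CALLBACK_DOMAINS}

# Parser for a constructed "timestamp source -> destination" log format.
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)")


def classify_destination(dst):
    """Return 'ip', 'domain' or 'apex' for an indicator hit, else None."""
    try:
        ip = ipaddress.ip_address(dst)
    except ValueError:
        ip = None
    if ip is not None:
        return "ip" if str(ip) in CALLBACK_IPS else None
    host = dst.lower().rstrip(".")
    if host in CALLBACK_DOMAINS:
        return "domain"
    if apex_domain(host) in CALLBACK_APEXES:
        return "apex"
    return None


def scan_log(lines):
    """Return hits as (timestamp, source, destination, kind) tuples.

    Lines that do not fit the expected format are skipped rather than
    aborting the sweep.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        kind = classify_destination(m.group("dst"))
        if kind:
            hits.append((m.group("ts"), m.group("src"), m.group("dst"), kind))
    return hits


def victims_by_apex(hits):
    """Group hostname hits by apex domain, listing distinct subdomains seen."""
    grouped = defaultdict(set)
    for _, _, dst, kind in hits:
        if kind in ("domain", "apex"):
            grouped[apex_domain(dst)].add(dst.lower().rstrip("."))
    return {apex: sorted(hosts) for apex, hosts in grouped.items()}


# Constructed sample log: internal clients on 10.0.0.0/8 reaching out.
SAMPLE_LOG = [
    "2011-08-16T10:01:02Z 10.0.0.5 -> 192.0.2.17",
    "2011-08-16T10:01:09Z 10.0.0.5 -> www.example.com",
    "2011-08-16T10:02:30Z 10.0.0.9 -> bah001.blackcake.net",
    "2011-08-16T10:03:11Z 10.0.0.9 -> xyz042.blackcake.net",
    "2011-08-16T10:04:00Z 10.0.0.7 -> 203.0.113.8",
    "this line is malformed and should be ignored",
]

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for ts, src, dst, kind in found:
        print(f"{ts} {src} -> {dst} [{kind}]")
    print(victims_by_apex(found))
```

On the sample log this reports three hits: one exact IP match, one exact hostname match, and one apex match on the made-up xyz042.blackcake.net, then groups both hostnames under blackcake.net. A hit is a lead rather than a verdict: the article notes that most of the listed IPs sit in the US and that some are monitored by security firms, so a matched address warrants pulling the full session history for that client, not an immediate conclusion.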

Risky.Biz has no reason to believe the Pastebin data was actually leaked by an RSA employee.
