China Infiltration of U.S. ISPs Creates Beachhead for Cyber Attacks


At no time since the Bay of Pigs Missile crisis has our nation ever crept closer to the brink of nuclear war.  With North Korea launching missiles to try to demonstrate their capacity and the U.S. responding in kind, the risk of nuclear outbreak increases with each passing month.  Added to this concern is the discovery that many U.S. based Internet Service Providers and Webhosts (“ISPs”) appear to be Chinese connected and ready to serve as remote outpost beachheads for launching further cyber attacks against the U.S. from within the national borders.  Just today, news agencies announced that North Korea fired a second medium range ballistic missile capable of reaching U.S. military bases at allies in the Pacific region.  The second launch yesterday closely follows a launch earlier last week on May 14th, 2017.  This places the USS Carl Vinson naval vessel within range of a retaliatory strike should the U.S. escalate the situation into a provocation of North Korea.  Allies including South Korea and Japan are irate over North Korea’s actions escalating the situation.

Cyber war is certain to be a venue of attack by North Korea should tensions escalate further.  Unfortunately for the U.S., there are still almost a half million computers within the U.S. borders that are ripe for takeover by North Korean hackers.  Many of these vulnerable targets appear to have made their way to the U.S. courtesy of Chinese connected ISPs.  This risk can be contained and mitigated by our government proactively taking over vulnerable computers and closing port 445 before our enemies take control of them.

US CERT Issues Several Warnings That Have Not Been Implemented By Some ISPs

Earlier this week, I reviewed and profiled some of the top Cities in the US that have exposed and vulnerable computers on their networks by allowing inbound traffic to SMB Port 445.

US CERT issued a warning to the public back in January of 2017 about the importance of blocking SMB Port 445, both publicly and behind firewalls.

A second advisory was issued by US CERT restating the importance of blocking SMB v1 in March of 2017.  Microsoft also released updates in March 2017 that helped to lock this down.

Later this month, US CERT issued its third advisory about this exploit vector, regarding exploitation of the SMB Port Vulnerabilities.

Despite more than three separate advisories being issued, some ISPs didn’t take it upon themselves to make sure that devices on their networks had the SMB v1 Port 445 blocked.  This then allowed for broader dissemination of the WannaCrypt aka Wanna Cry malware to infect many U.S. based computers.

Computers Have Vulnerabilities On the Motherboard that Allow for Persistent Root Kit Compromises

My concerns extend well past Wanna Cry.  I am concerned about the hardware based compromises that can occur and allow for persistent infection and eavesdropping long after computer technicians believe they have “fixed” the compromised computers.  I provided the Keynote Speech at this year’s IIT Forensecure Cyber Security Conference on April 27th, 2017 and shared my research about Intel Microprocessor chips being vulnerable to compromise by remote attackers.  A few days later, following the release of my presentation to Youtube.com (see http://glforensics.wpengine.com/nation-state-malware-forensecure-2017-presentation/ for the video; 12 minutes in I talk about the root level motherboard compromises, 24 minutes in I talk about Intel’s boot load process), Intel issued a statement acknowledging the vulnerabilities on board “some” Intel Microprocessors that allowed for compromise and remote control of most business computers before the loading of the operating system off the computer hard drive.  Intel claims that the compromise didn’t impact consumer computers, which I find highly doubtful.

Malware that can spread without user actions to any computer device with port 445 open could be a vehicle to deliver a permanent root kit compromise that installs a base of drones ready to attack other nearby computers via Bluetooth, WiFi, Infrared, Open Sound Control or Radio Frequency (“RF”).  How will we ever know how many computers are silently part of a remote enemy’s army waiting to attack our infrastructure?

Further Analysis of Top Cities Most Vulnerable to Exploitation Reveals Chinese Connections and Nearby Military Air Facilities

I performed further analysis of the apparently vulnerable and exposed ISPs this past week and discovered some interesting findings.

One obvious, and not too surprising, discovery was that the single most vulnerable City to the army of exposed computing devices was Los Angeles, followed by the much smaller Cheyenne, Wyoming.  When I first learned this, I was surprised that Cheyenne made number 2 given its much smaller population size compared to many other cities, but I then performed some additional research and realized that the adjacent Francis E. Warren Air Force Base includes the 90th Missile Wing that is equipped with the intercontinental LGM-30G Minuteman III Missiles and serves as the Air Force Global Strike Command. I drilled down further on the vulnerability search engine shodan.io and saw that most of the vulnerable machines originating from Cheyenne were using IP addresses connected to a single entity named CloudRadium L.L.C., a Chinese foreign entity based out of Sichuan China that set up shop in 2012.

Further searches for the vulnerable port 445 exposed computers connected to CloudRadium in the U.S. revealed locations at Cheyenne Wyoming near the 90th Missile Wing launch site, Thousand Oaks California, adjacent to the “former” nuclear defense launch site in the Santa Monica Mountains and Burbank California near Disney World and the Bob Hope Airport.

All of this becomes a lot scarier when you consider the idea that 35 thousand computers close to the Cheyenne Wyoming U.S. ICBM launch site could be taken over by someone from the other side of the world, and then used to emit Radio Frequencies (“RF”) in coordination with other compromised computers by exploiting some of the possibilities of the emerging field of Software Defined Radio (“SDR”).

I am no expert on nuclear weapons targeting or signaling technology but can only dream up nightmarish situations where computers become a mass group of devices emitting RF with enough wattage as a result of their coordination in timing and RF emissions, such that they are able to interfere with the airport and military communication systems in a way that isn’t pretty.

Case in Point – Dallas Emergency Warning Sirens Hacked Last Month

A similar situation appears to have happened in Dallas Texas last month, where warning sirens throughout the city had to be manually turned off.  As of today, in Dallas Texas alone, there were almost 8,000 computers showing the vulnerable port 445 as being open, leaving those computers vulnerable to remote attack and possibly even silent permanent compromise.

Maybe what happened in Dallas was a test by a foreign enemy of its Cyber War capabilities and a sign of things to come…?

I can think of many things far worse than Tornado Sirens that are controlled by computers.  Dams, Bridges, Water Treatment Plants, Pharmaceutical Pill Production, Air Traffic Control, Traffic Lights, Cell Phone Networks, Utility Companies, Automobiles, Trains, Planes, Elevators, Shipping Companies that deliver food and more.  Imagine malfunctions happening at once across many of these devices or facilities and it is easy to lose sleep at night.

Is CloudRadium, a Chinese Beachhead Outpost?

A search for the registration information shows CloudRadium L.L.C. was established in October of 2012.

A search on Google Maps shows the close proximity of CloudRadium’s U.S. listed office adjacent to the Francis E. Warren Air Force Base in Cheyenne Wyoming.

Searches for information about CloudRadium reveal a history of abuse originating from this company.  See http://lists.arin.net/pipermail/arin-ppml/2014-October/029247.html as an example.

There could be much more at play here.  Maybe the name was meant to be a subtle joke and sign of future intentions?  I certainly wouldn’t want a Cloud of Radium following me around, especially since isotopes of radium are highly radioactive!

I performed research and analyzed the top most vulnerable ISPs, and learned that the super-majority of the companies with the greatest exposure to the Double Pulsar cyber threat were connected to China.  Two of these top most vulnerable ISPs even used the same MyNewCompany.com business registration service. Many of the ISPs I analyzed last week that were vulnerable had clear connections to China, or appear to be managed by people of Chinese descent (I am not being racist here, just making a factual observation)!

China Has Executed Many CIA Spies

If you think the Chinese aren’t effective with their intelligence gathering, read about what happened to our undercover spies in China.  Perhaps following the discoveries of CIA spies in China in the 2010-2012 period, China decided they would up the ante by taking over certain U.S. ISPs to enable interception of U.S. Intelligence communications?  CloudRadium after all was set up in October of 2012, according to the Wyoming Secretary of State, yet appears to not have a website used to market its services.

China is clearly connected to many of the top 25 most vulnerable ISPs as of today (5/22/2017).  Amazingly, the top ISPs on my compiled list represent 150,446 exposed computers out of 415,731 public computing devices not blocking port 445. That is more than 36% of the total exposure to port 445 exploits originating from only 4 ISPs.  I can only speculate that these apparently vulnerable devices are zombie-like computers awaiting activation and control from some boogeyman around the world, possibly China, North Korea or even Russia.  Attribution of who may be in control of these zombie computers is difficult without obtaining more information.

I didn’t notice any apparently vulnerable ISPs run by Russians that made my top 25 list.  China manufactures the majority of consumer electronics we have in our homes and businesses and could easily deliver computers and smart phones to us compromised on day 1.  Perhaps there is a reason related to these observations why Apple has set up a new factory in India to produce the iPhone?

NSA Should Take Out the Threat

The NSA should exploit and take over the remainder of these vulnerable computers before a foreign enemy does so.  Anyone that knows how to use Metasploit can compromise computers quickly and from anywhere in the world if the target computer remains unpatched, has SMB Port 445 open and is not behind a firewall.  If they want to hire me to help, I am game!

Here are some of the top apparently vulnerable ISPs (based on my query of shodan.io for U.S. based computers that do not have port 445 closed according to US CERT recommendations) that remain a problem more than a week after my first post on this topic.

Top 25 Most Vulnerable ISPs in the U.S.

(Company name or domain, [Count of Vulnerable Devices as of 5/22/2017 blog post], apparent name of owner, base of operations.)

  1. Enzu.com – [64,985] – Steve Empie, 10120 S. Eastern Avenue #248, Henderson, NV 89052 – Recently announced a partnership with China Mobile – Alleged Chinese Hacker ring – Chinese Connection Exists
  2. CloudRadium LLC – [38,353] – Li Xuan (李轩) & Deng Xiu Ping (邓秀平) Li Heng – 1603 Capitol Ave., Suite 310, Cheyenne, WY 82001 (Parent Company based out of Sichuan China) registration by MyNewCompany.com – Chinese Connection Exists
  3. nobistech.net – [25,222] – Lex Boost – Recently acquired by Amsterdam, Netherlands based LeaseWeb which is a subsidiary of Ocom BV and also related to Ubiquity Server Solutions and possibly to CloudRadium – see https://www.abuseipdb.com/whois/108.177.186.129 that lists Jin Qi as the Organization contact for CloudRadium L.L.C. and Nobis Technology Group as related entities. – Chinese Connection Exists
  4. SpeedVM Network Group LLC – [21,886] – Lu Yan Hui – 5716 Corsa Ave., Suite 110, Westlake Village, CA 91362 (Near Santa Monica Mountains) – Email Spam Reports – Corporate registration by MyNewCompany.com suspect Chinese company – Chinese Connection Exists
  5. ColoCrossing.com – [15,625] – Buffalo, NY – Alleged Chinese Hacker ring – Appears to be US privately held company, but may not understand their own risk vector.  They may have a policy that allows their clients to do as they see fit.
  6. Amazon.com – [13,277] – Mostly in Ashburn, Virginia & Boardman, Oregon (near the Boardman Air Force Range) – Amazon has many clients in the cloud some of whom want port 445 open despite the recent US CERT Advisories.
  7. Peg Tech – [6,935] – 55 South Market Street, Suite 320 San Jose, California – incorporated by Zhi Liu – registered to do business in 2012 – Alleged Chinese Hacker ring – Chinese Connection Exists
  8. Microsoft Azure – [6,559] – Vulnerable devices exist in Boydton Virginia, San Antonio Texas, San Jose California, and Des Moines Iowa.  Ibid comment re: Amazon.com
  9. SoftLayer Technologies – [6,457] – Acquired by IBM in 2013. Ibid
  10. globalfrag.com – [6,253] – Ai-Chin Wang – Global Frag Networks – 900 N. Alameda Street, Los Angeles, CA 90012 – a China Telecom Partner – Chinese Connection Exists
  11. Input Output Flood LLC – [6,057] – Las Vegas, NV – Gabriel Ramuglia & Janet Morss – Smaller ISP may not understand their own risk vector or may have a hands off policy with their clients.
  12. Energy Group Networks – [5,993] – James Chen (General Manager) – 55 S. Market St., Suite 1616 San Jose, CA 95113 – Chinese Connection Exists
  13. QuadraNet – [5,036] – Alleged Chinese Hacker ring – Chinese Connection Exists
  14. Take 2 Hosting – [4,091] – Lane Livingston CEO – Meghan Record initial incorporator in the State of California, now based in Orem, Utah, but servers located at Silicon Valley Telecom & Internet Exchange in San Jose California according to their website – Vulnerable computers on their network are largely in Thousand Oaks California near the Santa Monica Mountain just Northwest of Los Angeles – Chinese Connection Exists
  15. Ubiquity Server Solutions Los Angeles – [3,622] – Also a Nobistech.net / LeaseWeb Company
  16. ZenLayer – [3,946] – Los Angeles & Fremont California, plus some in Cheyenne Wyoming – a Chinese company. – Chinese Connection Exists
  17. SingleHop – [3,779] Chicago, Illinois – my attempts to notify this company fell on deaf ears
  18. Sun Network (Hong Kong) – [3,664] – Los Angeles California, Cheyenne Wyoming and Newark New Jersey.  Clearly a Chinese company – Chinese Connection Exists
  19. YHSRV – [3,651] – I believe to be affiliated with Energy Group Network since they listed the same US address – [Henderson, Phoenix, San Jose, Los Angeles, Burbank] – yhsrv.com registrar is from China. – Chinese Connection Exists
  20. Ubiquity Server Solutions Los Angeles – [3,622] – Also a Nobistech.net / LeaseWeb Company – Chinese Connection Exists
  21. Time Warner Cable – is now Spectrum – ibid
  22. Heng Tong – [3,393] – Boulder Colorado and Salt Lake City Utah are locations where their vulnerable computers are.  This company appears to be based out of Hong Kong.  There are many online posts showing cyber attacks originating from this telecom provider. – Chinese Connection Exists
  23. psychz.net – [3,096 – they have made much progress since last week] – A profusesolutions.com company – William H Lu – 611 Wilshire Blvd., #300 Los Angeles, California – Alleged Chinese Hacker ring – Chinese Connection Exists
  24. University of Washington – [2,682] – Seattle Washington – A great outpost to use in launching an attack against Microsoft
  25. Sharktech – [2,270] – Vulnerable servers in Los Angeles, Las Vegas, Chicago, Denver, and Studio City California – Announced Partnership with China Telecom and China Unicom in 2015 – Alleged Chinese Hacker ring – Chinese Connection Exists

What is clear from reviewing this list of still vulnerable ISPs is that the Chinese are presently a significant factor in our national cyber vulnerabilities, and they may even be compromising some of the ISPs listed previously that have no readily apparent connection to China.

Historical Inaction to Hold ISPs Accountable

Despite many of these ISPs having been identified as part of past Chinese hacking attempts on U.S. Health Care Provider Anthem, and other entities, there seems to be no apparent notification by the U.S. government (to my knowledge) or enforcement to shut down ISPs that don’t respond to Cyber Security threats effectively. Read more about past reports involving “Alleged Chinese Hacker ring”.  Despite news reports and online complaints connected to many of the aforementioned ISPs, the U.S. Government and the FCC have yet to do anything to notify, fine or shut down irresponsible ISPs based on the latest vulnerabilities reported.  Maybe this will change under the new President’s leadership.

NOTE:  I have attempted to notify many of the vulnerable hosts, but would appreciate anyone with contacts forwarding this story.  It is likely that some of these ISPs are unaware of their own or their clients’ exposure.  I have seen a reduction of around 85K vulnerable hosts since my post last week, but there still are many ISPs that need to take corrective action to secure their clients and keep U.S. networks safer.  Some of these ISPs may be ignorant of the risk exposure, misinformed or unaware that their clients have vulnerabilities.  A laissez-faire approach to allowing clients of ISPs to remain obviously vulnerable is a situation society shouldn’t tolerate. Certainly, some of these ISPs must be playing a deliberate role in the infiltration of domestic communication networks.

CALL TO ACTION:

  • The FCC should begin notifying ISPs when they have obvious vulnerabilities that compromise national cyber security such as the Port 445 SMB Vulnerability described previously.
  • Failure to take corrective action following notification by the FCC should result in a first time minor penalty or fine.
  • Repeated failures to respond and take corrective measures should result in confiscation of the ISPs’ IP ranges.

The new cyber war fields have expanded onto U.S. soil.  ISPs that fail to secure their networks adequately should lose their franchise to connect to the Internet from within the US.  Many of these Chinese ISPs act as beachheads, knowingly or not, to launch domestic attacks against U.S. companies and institutions.  If this were a war with troops on the ground, we would have captured and detained the invaders, yet we seem to be doing nothing as a nation to secure against the present threat associated with Chinese backed ISPs attacking the U.S. from within the nation’s borders.  Forget about the wall for a moment.  We can cut the cord on any of the 25 ISPs listed that fail to respond to the current threats and take control of their networks responsibly.  We should start with informing the ISPs, then turn up the volume for any that ignore that problem.  I recommend that we hold ISPs accountable and take away their Internet IP leases if they fail to respond and secure their networks adequately.  ISPs are best suited to be able to notify their clients, both individuals and businesses, if there is a security issue that needs attention.  Many small businesses are clueless about their online cyber risk vector and lack access to qualified Cyber Security professionals to help keep their networks safe and secure.  More leadership is needed in this area to help strengthen the nation’s security.  Companies and organizations need to take seriously the need to patch their computers monthly and take proactive steps such as adopting the U.S. Government’s NIST Cyber Security Framework.

What do you think?  I would love to hear your comments and reactions.  Please share this page on Facebook, Twitter, Linkedin.com etc… if you think your friends and colleagues might be able to help get the word out on what is happening with the state of U.S. Cyber Security.
