Attributing the attacks against media and human rights websites in the Philippines


Stockholm, 29 March 2019 10:18 AM

March 29, 1994, 10:18 a.m.: “We’re in,”

Executive summary

No fewer than 20 regime-critical media and human rights websites in the Philippines have been under DDoS attack since late December 2018. Since the end of January 2019, a handful of those websites have progressively migrated to Qurium’s Secure Hosting infrastructure, and we have had the opportunity to review the forensic information coming from hundreds of attacks targeting the websites. This report focuses on attributing the attacks: finding out who is behind them and which companies enable them.

This report summarizes our technical findings and explains how we traced the attacker to a set of networks routed to hide the location of the attacker.

The networks that have been used to control the attacks appear to be advertised in Hong Kong by the providers IP-Converge Data Center, Inc (AS23930) and Hong Kong Broadband Network Ltd (AS10103), but are in fact “network traffic tunnels”, a special type of VPN used to hide the traffic’s origin.

During our research that involved the analysis of several Terabytes of logs and attack data, we discovered that the infrastructure from which the attacker was ordering and performing intrusion attempts against the sites is an overlay network of multiple network tunnels acting as a VPN hub that ultimately terminate their connections in the same physical router (103.104.100.66).

The router responsible for hiding the networks is part of the infrastructure of Suniway Group of Companies Inc (AS137184), a company registered in both Hong Kong and the Philippines with the public mission of providing “network support to Chinese and Filipino companies in the Philippines”.

The investigation also reveals that the attacker is based in the Philippines, is most probably a Mandarin native speaker, and uses the Telegram nick “P4p3r“.

Most of the attacks have been bought from “booter” services such as “booter.pw”, which provides him with the necessary support to perform “stress tests” against several sites that he obviously does not administer.

P4p3r also engaged with other sellers of DDoS infrastructure and purchased private botnets.

This report is divided into several sections that document the steps followed to attribute the attacks:

  • Phase I (VPN): Finding all traffic coming from VPNs and linking them to the attacks.
  • Phase II (Hidden networks): linking the obscure VPN networks to the company “Suniway”
  • Phase III (Locating the hidden networks): Are the networks really located in Hong Kong?
  • Phase IV (Motivation): linking the attacks to a political motivation
  • Phase V (DDOS market): identifying the attack infrastructure “booter.pw” and other botnet markets
  • Phase VI (Finding the attacker): “P4p3r”
  • Phase VII (Reaching out to the national CERT and carriers)

Phase I – Finding all traffic coming from VPNs

How did we link the addresses 125.252.99.146 and 61.244.184.133 to the attacks?

Evidence 1: Tracking the attacker using a VPN

During the review of the web log files we identified a set of “web requests” coming from a VPN service within 5 minutes of the start of several waves of attacks. These requests came from the servers with the domain name:

hk70.nordvpn.com and hk78.nordvpn.com

We could soon conclude that the attacker was using different servers from the same supplier (i.e. NordVPN); we therefore decided to monitor the attacker’s queries hiding behind this VPN service. For one week we monitored the traffic logs for all IP addresses (2,000+) belonging to NordVPN.

The attacker frequently used the VPN using Hong Kong as exit. Two network ranges were often used:

  • AS53889 Micfo, LLC in the IP range: 69.161.195.67-69.161.195.105
  • Lease Web Asia Pacific IP: 209.58.184.111

Reviewing old traffic logs of former hosting providers of several targeted organizations, we found that multiple requests coming from the same VPN service were also present in these logs.

Evidence 2: Search requests from the VPN are later used as part of the attacks

Special and unique search requests done by the VPN’s user, such as the below, were later used during the attacks.

life (/?s=life), xddd (/?s=xddd), xd (/?s=xd) or duterte (/?s=duterte)
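The correlation behind Evidence 1 and Evidence 2 can be run over access logs as follows. This is an added example, not Qurium's tooling: the log lines, the address ranges (documentation ranges standing in for a VPN provider's exit list), the attack start time and the function names are all constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit, parse_qs

# Combined log format: client, time, request line, status.
LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')

# Constructed sample; 203.0.113.0/24 plays the VPN exits, 192.0.2.0/24 the flood sources.
SAMPLE_LOG = """\
203.0.113.70 - - [20/Jan/2019:09:56:10 +0000] "GET /?s=xddd HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.78 - - [20/Jan/2019:09:57:02 +0000] "GET /about-us/ HTTP/1.1" 200 7301 "-" "Mozilla/5.0"
198.51.100.9 - - [20/Jan/2019:09:58:00 +0000] "GET /?s=weather HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
192.0.2.11 - - [20/Jan/2019:10:00:01 +0000] "GET /?s=xddd HTTP/1.1" 503 0 "-" "-"
192.0.2.12 - - [20/Jan/2019:10:00:01 +0000] "GET /?s=xddd HTTP/1.1" 503 0 "-" "-"
192.0.2.13 - - [20/Jan/2019:10:00:02 +0000] "GET /?s=xddd HTTP/1.1" 503 0 "-" "-"
203.0.113.70 - - [20/Jan/2019:10:03:40 +0000] "GET / HTTP/1.1" 503 0 "-" "Mozilla/5.0"
203.0.113.70 - - [20/Jan/2019:14:30:00 +0000] "GET / HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""
VPN_NETWORKS = [ip_network("203.0.113.0/24")]
ATTACK_STARTS = [datetime(2019, 1, 20, 10, 0, 0, tzinfo=timezone.utc)]


def parse(log_text):
    """Turn log lines into records; malformed lines are skipped, not guessed at."""
    records = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        client, ts, _method, target, status = m.groups()
        try:
            addr = ip_address(client)
        except ValueError:
            continue  # first field was a hostname, not an address
        url = urlsplit(target)
        records.append({
            "ip": addr,
            "time": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"),
            "path": url.path,
            "search": parse_qs(url.query).get("s", [None])[0],
            "status": int(status),
        })
    return records


def from_vpn(rec, networks):
    return any(rec["ip"] in net for net in networks)


def requests_near_attacks(records, networks, attack_starts,
                          window=timedelta(minutes=5)):
    """Evidence 1: VPN-sourced requests within `window` of an attack start."""
    return [(start, rec) for start in attack_starts for rec in records
            if from_vpn(rec, networks) and abs(rec["time"] - start) <= window]


def reused_search_terms(records, networks, min_sources=3):
    """Evidence 2: search terms first sent from a VPN address and later
    repeated by at least `min_sources` distinct non-VPN addresses."""
    first_vpn, later_sources = {}, {}
    for rec in sorted(records, key=lambda r: r["time"]):
        term = rec["search"]
        if term is None:
            continue
        if from_vpn(rec, networks):
            first_vpn.setdefault(term, rec["time"])
        elif term in first_vpn and rec["time"] > first_vpn[term]:
            later_sources.setdefault(term, set()).add(rec["ip"])
    return {t: len(s) for t, s in later_sources.items() if len(s) >= min_sources}


if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    for start, rec in requests_near_attacks(recs, VPN_NETWORKS, ATTACK_STARTS):
        print(start.isoformat(), rec["ip"], rec["path"], rec["status"])
    print(reused_search_terms(recs, VPN_NETWORKS))
```

On real data the threshold and window need tuning to the site's normal search traffic, since a popular search term will also be sent by many unrelated clients.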

Evidence 3: Attacker kept trying to reach old hosting

On January 28th, days after migrating the first website to our infrastructure at Qurium, the attacker was still placing web requests to the old hosting provider’s IP addresses. The attacker assumed that the hidden webserver was still in the same old location and that Qurium acted as a mere “DDoS protection proxy”. During the same day, the same VPN IP was used to place requests to both the old and the new website IP address.

Evidence 4: Attacker leaks new IP addresses

During the first days, the attacker leaked new IP addresses, also geo-located to Hong Kong, when restarting or changing his VPN service. Throughout the attacks, two IP addresses leaked to us:

  • 125.252.99.146
  • 61.244.184.133

As the attacks continued and increased in time and size, the attacker became less careful and started to work until late at night (~ 2 AM) and used the IPs (listed above) to track the status of the sites.

Several times, the attacker changed from the NordVPN service to the two addresses 125.252.99.146 and 61.244.184.133 to verify if the websites were offline during the attacks.

Requests from 125.252.99.146 and 61.244.184.133

Evidence 5: The attacker reviews Qurium’s real time forensic reports

Due to the nature of these attacks, we decided to disclose some of our technical findings in real time on our website. We soon realized that the attacker reviewed our real time forensic reports and adapted his attack strategy accordingly.

Possibly unaware that his IPs were already identified, or trusting that it would be difficult to link the IPs with a location of the networks, the attacker kept visiting the frequent updates about the attacks that we provided.

Evidence 6: The attacker leaks his mobile IP address at Globe

On January 27th, a day of non-stop attacks, the attacker used his mobile phone to check the status of the targeted website. At 04:42:52 UTC we traced his IP address “110.54.223.67”, used from a Samsung Android phone.

Evidence 7: User agents in old and new hosting are consistent

User Agents associated with the IP addresses 125.252.99.146 and 61.244.184.133 in the old hosting provider’s access logs matched the User Agents used by the attacker visiting the site hosted in Qurium.

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 OPR/57.0.3098.106
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134

Evidence 8: IP addresses are linked with server using “hacker” name

Activity of IP address 125.252.99.146 is connected to a “Xen Citrix Server 7.6.0” with IP address 125.252.99.147. The server presents an SSL certificate with the alternative name “bl4nk z3r0“. This nomenclature is often used by hackers, and resembles the nickname of the attacker (P4p3r).

Server using alternative name “bl4nk-z3r0”.

Conclusion Phase I

By the end of January, we had strong forensic evidence proving that:

  • The attacker was using the VPN service (NordVPN) and was also orchestrating the attacks from “a different type of VPN service” with IP addresses 125.252.99.146 and 61.244.184.133 in Hong Kong.
  • The attacker used his Android phone with address 110.54.223.67 on 27 January 2019 at 04:42:52 UTC, from the operator Globe Telecom (GMCR,INC).

Summary of Suniway Network Monitoring activity since 19th January 2019

Phase II: Finding the “hidden” networks

The networks from where the attacker was ordering the attacks are advertised in Hong Kong by AS23930 IP-Converge Data Center, Inc and AS10103 Hong Kong Broadband Network Ltd.

A careful look into the traffic traces of the IP 125.252.99.146 inside of IP-Converge (AS23930) revealed the presence of some suspicious “extra hops” not present in other traces.

The “special VPN networks” did not host any public hosting services with the exception of Sangfor NGFW firewalls and Cisco routing equipment.

We decided to run latency tests between Hong Kong and Manila, and the increase of 22-25 ms was consistent with what seemed to be traffic tunnels between the Philippines and Hong Kong.

Attacker is traced by means of router “SSH key fingerprinting”

The first thing that caught our attention was that despite the presence of different networks and upstream providers in Hong Kong, all these networks happened to be served by the very same version of SSH server in the router “SSH-1.99-Cisco-1.25”.

All the routers had the “SSH (remote access)” service open and by reverse fingerprinting the “SSH public key” we could confirm our suspicions: the networks were “tunnels”.

Using the services Censys and Shodan with the signature obtained from IP addresses 125.252.99.145 and 61.244.184.129 we obtained very interesting results.

The two IPs shared the same SSH server signature (272e86a5a874efd82d3c5fc18992ba977d3118aad12804a14769312fd7ae3bac) as two other addresses, 103.104.100.66 and 103.119.129.1, which are announced by two ASNs: ASN 137990 and ASN 137184.

SSH reverse fingerprint shows SUNIWAY hosting attacker networks

We concluded that the attacker was operating from network infrastructure operated by “Suniway” as both ASNs are maintained by hr-admin@suniway.net and noc@suniway.net

What is Suniway doing?

It is difficult to fully understand what “Suniway Group of Companies Inc” actually does. Their website includes vague information and their domain is protected by private whois. No personal details of the owners can be found.

We also verified that the network resources that they use to tunnel traffic are not properly registered in APNIC. The networks are registered in the name of “IP-CONVERGE-DATA-SERVICES-HKG-NETBLK02” but they are fully used by Suniway.

After some digging we found out that suniway.net and suniway.ph are both hosted in the same server and registered in the name of 江宗晔 Jiang Zongye with e-mail andyxyz@gmail.com.

Social media reveals that the director is known as “Sir Andy”, and his LinkedIn profile uses the name “Andy Jiang”, CEO of Suniway for 14 years.

CEO of Suniway.net (Andy Jiang Zongxi / Zong Ye)

According to the Hong Kong company registration, the branch of the company was registered the 5th December 2016 with reference CR 2459748. In Hong Kong the company is using a virtual office address at: 20th Floor, Central Tower, 28th Queen’s Road and shares “Fax number” with dozens of other companies.

In Philippines the company announces its location at Unit 1708-T, “SM Aura Office Tower” in McKinley Parkway, Fort Bonifacio, Taguig and was registered in 2017.

Senior members of the staff include Josef D. Legaspi, a former ICT Operations Head at PLDT Global Corporation, who is now working as senior IT engineer in the company and as a business director of “Grandbo”.

Although the company is two years old, their network prefixes were first announced in January 2018 and, in late 2018, into China Unicom.

Offering “fast methods for browsing”

On the website of Suniway.net it can be read:

“Suniway Group of Companies is providing a network support to Chinese and Filipino companies in the Philippines. We established our very own unique network resources that can offer a fast methods for browsing.”

Looking at their network setup, it seems that Suniway is specialized in tunnelling network traffic to Hong Kong and from there to a CDN into China by carrier China Unicom and network 103.119.128.0/22. The company uses Sangfor VPN technology for their setup.

A deeper look into 125.252.99.146 – “the attacker VPN”

  • The network 125.252.99.0/24 that was used by the attacker to control the attacks is registered to IP-CONVERGE-DATA-SERVICES as their Hong Kong hub, a network segment that was allocated initially to Pacnet-Telstra.
    inetnum:  125.252.99.0 - 125.252.99.254
    netname:  IP-CONVERGE-DATA-SERVICES-HKG-NETBLK02
    descr:    IP Converge Data Services, Inc #2
    descr:    PACNET HKG HUB

  • These network resources are in fact used by “Suniway” to run their interesting tunnelling network setup.
  • Suniway even made a routing mistake and announced the attacker network prefix on the 1st of November 2018 for a few minutes on behalf of their upstream carrier IP-Converge Data Center. This is one more piece of evidence that 125.252.99.0/24 is in fact operated by the Suniway Group of Companies Inc.
  • Using RIPE stats and Dyn-Oracle BGP monitoring service, we could determine when the prefix was first used. According to Dyn-Oracle the network was stable the first week of November 2017, consistent with RIPE information that reports that 125.252.99.0/24 was first ever seen announced by AS23930 on 2017-11-07 08:00:00 UTC.

Conclusion Phase 2

The two hidden networks used by the attacker are operated by Suniway Group of Companies.

Phase III: Where is the attacker IP really located?

From a normal analysis point of view, the attacker seemed to be located in Hong Kong all the time. The attacker used the NordVPN service with nodes in Hong Kong and also networks routed by Suniway’s “special VPN service” that also seemed to be located in Hong Kong.

To find out where the network in fact is located, we looked into all routers hosted in the networks operated by Suniway. The following networks are allocated to Suniway:

103.119.131.0/24   SUNIWAY GROUP LIMITED
103.119.130.0/24   SUNIWAY GROUP LIMITED
103.119.129.0/24   SUNIWAY GROUP LIMITED
103.119.128.0/24   SUNIWAY GROUP LIMITED
103.119.128.0/22   SUNIWAY GROUP LIMITED
103.104.100.0/22   Suniway Group of Companies Inc.

Using a public service like Censys, we collected all the “host key” signatures of the SSH servers that run in those routers. The “host key” of the SSH server is the public key used during “remote access” to the router, an identifier that is unique per router. In simple terms, we collected the “publicly accessible unique identifiers of the routers”.

Three unique identifiers (“signatures”) were found:

272e86a5a874efd82d3c5fc18992ba977d3118aad12804a14769312fd7ae3bac
eab0615fccb932fcf8ae74cbb57bac493d1e3b421ebebf386dce5c59f60983e1
c222a5ed850b22e7f6dcc68c6c0e6038be263665c4781356344747ce298d1003

Using Censys again with these “signatures”, we could obtain the “other IP addresses” hosted in the same routers:

Tunnel Hub Suniway

Cluster 1 (3E1)
Sig: eab0615fccb932fcf8ae74cbb57bac493d1e3b421ebebf386dce5c59f60983e1
Number: 5

116.93.32.73 IPVG
116.93.49.129 IPVG
116.93.49.177 IPVG
103.104.100.253 SUNIWAYTELECOM PH
125.252.99.201 IPVG

Cluster 2 (BAC)
Sig: 272e86a5a874efd82d3c5fc18992ba977d3118aad12804a14769312fd7ae3bac
Number: 8

103.104.100.66 SUNIWAYTELECOM PH (towards .62)
125.252.99.145 IPVG <--- attacker network .146
61.244.184.57 HKBN <--- attacker network .133
59.148.200.225 HKBN
61.244.184.129 HKBN
61.244.184.1 HKBN
103.119.129.1 SUNIWAY1 HKG
103.119.128.125 SUNIWAY1 HKG

Cluster 3 (1003)
Sig: c222a5ed850b22e7f6dcc68c6c0e6038be263665c4781356344747ce298d1003
Number: 3

103.104.100.65 SUNIWAYTELECOM PH
103.104.100.81 SUNIWAYTELECOM PH
103.119.128.129 SUNIWAY1 HKG
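The grouping step used in Phase II and Phase III (addresses that present the same SSH host key are served by the same device) looks like this in code. This is an added example, not Qurium's tooling: it assumes the signature is a SHA-256 digest over the raw public key blob, as OpenSSH computes its SHA256 fingerprints, and the key blobs, addresses (documentation ranges) and AS labels are constructed.

```python
import base64
import hashlib
from collections import defaultdict


def keyscan_line(host, fake_key_bytes):
    """Build a line shaped like `ssh-keyscan` output from constructed key bytes."""
    return f"{host} ssh-rsa {base64.b64encode(fake_key_bytes).decode()}"


# Constructed scan results: (origin AS announcing the address, host-key line).
# The key bytes are placeholders, not real keys.
SCAN = [
    ("AS64500", keyscan_line("192.0.2.1", b"constructed-router-key-A")),
    ("AS64501", keyscan_line("198.51.100.1", b"constructed-router-key-A")),
    ("AS64502", keyscan_line("203.0.113.1", b"constructed-router-key-A")),
    ("AS64500", keyscan_line("192.0.2.9", b"constructed-router-key-B")),
    ("AS64501", keyscan_line("198.51.100.65", b"constructed-router-key-C")),
    ("AS64501", keyscan_line("198.51.100.81", b"constructed-router-key-C")),
]


def fingerprint(line):
    """Return (host, hex SHA-256 of the decoded key blob)."""
    host, _keytype, blob = line.split()[:3]
    raw = base64.b64decode(blob, validate=True)
    return host, hashlib.sha256(raw).hexdigest()


def cluster_by_host_key(scan):
    """Map each fingerprint to the (host, origin AS) pairs that present it."""
    clusters = defaultdict(list)
    for origin, line in scan:
        host, fp = fingerprint(line)
        clusters[fp].append((host, origin))
    return clusters


def shared_across_origins(clusters):
    """Keys seen on addresses announced by more than one origin AS.

    One device answering on prefixes of several networks is the pattern the
    report reads as tunnelled address space terminating in a single router.
    """
    report = []
    for fp, members in clusters.items():
        origins = sorted({origin for _, origin in members})
        if len(origins) > 1:
            report.append({
                "fingerprint": fp,
                "origins": origins,
                "hosts": sorted(host for host, _ in members),
            })
    return sorted(report, key=lambda r: -len(r["hosts"]))


if __name__ == "__main__":
    for entry in shared_across_origins(cluster_by_host_key(SCAN)):
        print(entry["fingerprint"][-3:].upper(), entry["origins"], entry["hosts"])
```

A shared key is strong but not absolute evidence of a single device: cloned firmware images and copied configurations can also reuse one host key, which is why the report follows up with latency tests.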

To know where the attacker IP is located, we needed to discover where “Cluster 2” really is located.

In order to identify the location of the “Cluster 2” (from which the attacker controlled the DDoS attacks), we performed traceroutes and latency tests to each of the IP addresses of “Cluster 2” from four different data centers in Hong Kong and Manila. The result is that “Cluster 2” is less than 2 ms away when we traced from an IPC data center in Manila.
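Why a sub-2 ms round trip from Manila rules out Hong Kong can be worked through with a propagation-delay bound. This is an added example, not part of the original report: the RTT samples are constructed, the city coordinates are approximate, and it assumes signals in fibre travel at about two thirds of the speed of light (roughly 200 km per millisecond).

```python
from math import asin, cos, radians, sin, sqrt

FIBRE_KM_PER_MS = 200.0   # assumption: ~2/3 c in optical fibre
EARTH_RADIUS_KM = 6371.0

# Approximate coordinates (latitude, longitude) of the vantage/candidate cities.
CITIES = {
    "Manila": (14.5995, 120.9842),
    "Hong Kong": (22.3193, 114.1694),
}

# Constructed RTT samples in milliseconds from each vantage point to the target.
RTT_SAMPLES_MS = {
    "Manila": [1.8, 2.4, 1.9, 3.1],
    "Hong Kong": [24.0, 25.2, 23.6, 27.9],
}


def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) points in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(h))


def max_distance_km(rtt_ms):
    """Upper bound on distance: half the RTT at fibre speed, zero processing delay."""
    return rtt_ms / 2 * FIBRE_KM_PER_MS


def min_rtt_ms(distance_km):
    """Lower bound on RTT for a given distance (straight-line fibre)."""
    return 2 * distance_km / FIBRE_KM_PER_MS


def feasible_locations(samples, candidates=CITIES):
    """Candidate cities that no vantage point's best RTT rules out.

    The minimum sample is used because queueing and load only ever add delay.
    """
    feasible = []
    for name, coords in candidates.items():
        if all(haversine_km(CITIES[vantage], coords) <= max_distance_km(min(rtts))
               for vantage, rtts in samples.items()):
            feasible.append(name)
    return feasible


if __name__ == "__main__":
    d = haversine_km(CITIES["Manila"], CITIES["Hong Kong"])
    print(f"Manila-Hong Kong: {d:.0f} km, RTT floor {min_rtt_ms(d):.1f} ms")
    print("feasible:", feasible_locations(RTT_SAMPLES_MS))
```

The bound only excludes locations: a low RTT proves the router is near the vantage point, while a high RTT proves nothing, since tunnels and detours can add arbitrary delay.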

Another interesting SSH key is 0f3f106051d71f101e4113a888cd63f1c780ed633852969c93587b7f6f6a3890, as it appears on what seem to be full /24 networks terminated in the Suniway Telecom router 103.104.102.253.

Conclusion Phase 3

  • Latency tests show that the networks are all hosted in Manila under Suniway supervision and tunnelled back and forth to Hong Kong via a private network.
  • Peering IPs from IP-Converge are present in the router, and IP-Converge must be fully aware of Suniway’s network setup, as it is announcing 125.252.99.0/24 on behalf of its customer.

Phase IV: Motivation

During February we have been in touch with eight different organizations receiving attacks: alternative media, human rights organizations, journalists’ associations, etc. All of them have received the same type of attacks in connection with their critical voices against the regime in the Philippines.

After reviewing 100 GB of logs coming from different organizations under attack, we found these interesting entries:


125.252.99.146 - - [06/Jan/2019:21:31:23 -0700] "HEAD / HTTP/1.1" 200 316 "-" "Microsoft Office Excel 2013"
125.252.99.146 - - [15/Jan/2019:07:43:35 -0700] "HEAD / HTTP/1.1" 200 316 "-" "Microsoft Office Excel 2013"
125.252.99.146 - - [15/Jan/2019:07:43:36 -0700] "HEAD / HTTP/1.1" 200 316 "-" "Microsoft Office Excel 2013"
85.10.51.86 - - [25/Jan/2019:00:48:46 -0700] "HEAD / HTTP/1.1" 200 0 "-" "Microsoft Office Excel 2014"
85.10.51.86 - - [25/Jan/2019:00:48:46 -0700] "HEAD / HTTP/1.1" 200 316 "-" "Microsoft Office Excel 2014"

The attacker, using the Suniway VPN with IP 125.252.99.146, loads an “Excel Spreadsheet” and clicks through to the victim’s website. The same type of behaviour can be found in a NordVPN connection from Croatia, hr17.nordvpn.com, with IP 85.10.51.86.

The attacker has a list of websites to attack in a spreadsheet.

How many people are behind the attacks?

It is difficult to know how many people are behind the attacks, but we have seen that “User Agents” do not seem to change often for a given victim, and it seems that each organization might be targeted by a certain individual (device). These “User Agents” have been recorded in our network.

Conclusion Phase IV

  • The attacker seems to have an “Excel sheet” with all targets listed.
  • Josef D. Legaspi, former ICT Operations Head at PLDT Global Corporation, is now working as senior IT engineer at Suniway and with Grandbo.
  • Grandbo seems to operate a network setup similar to Suniway’s, with Sangfor devices and rented IP space (See: Appendix).
  • The number of devices behind the Suniway VPN indicates that more than one person is monitoring the attacks.

Phase V: Finding the attack infrastructure

In order to find out which infrastructure(s) the attacker was using, we recorded and analysed hundreds of attacks and identified these concrete signatures associated to the largest attacks (in time and strength):

  • The booter was flooding the site with a “concrete mix of amplification” vectors simultaneously.
  • One specific DNS amplification method contained a set of domains that we knew come from “very specific booters”.
  • The attacker leaked that he was using “Telegram” to communicate and obtain support (See Appendix).

The attacker is using the service booter.pw to attack the target sites and qurium.org.

We also discovered that the attacker purchased several “private botnets” after contacting botnet operators in the booter.pw support channel.

Phase VI: Who is “P4p3r”?

The attacker uses the Telegram nick “P4p3r” and the account “P4perl”, and since late January has been seeking support in the underground booter market. Some examples of his messages:

[2019-01-20 16:23:11+00:00] P4perl: anyone here can help me down this website? https://xxxx
[2019-01-20 16:23:32+00:00] P4perl: please help me to figure out what option do I need for L7 attack
[2019-01-20 16:27:16+00:00] P4perl: oh you down it my friend
[2019-01-20 16:27:22+00:00] P4perl: are you using booter.pw?
[2019-01-20 16:27:27+00:00] P4perl: or you have your own?
[2019-01-20 16:28:07+00:00] P4perl: yes
[2019-01-20 16:28:17+00:00] P4perl: and how can I able to down it?
[2019-01-20 16:28:30+00:00] P4perl: ok thank you



[2019-01-20 16:43:19+00:00] P4perl: the server is still up
[2019-01-20 16:45:25+00:00] P4perl: I try js bypass, but the server up and down
[2019-01-20 16:45:40+00:00] P4perl: cant find method that can sustain to down it
[2019-01-20 16:47:14+00:00] P4perl: yes, for a while, I just attack 2 methods
[2019-01-20 16:47:23+00:00] P4perl: so my concurrent was used
[2019-01-20 16:52:16+00:00] P4perl: yes, I just disable the L4 attack
[2019-01-21 05:08:30+00:00] P4perl: anyone can help me to down this website?
[2019-01-21 05:08:39+00:00] P4perl: xxxxxxxx
[2019-01-21 12:30:05+00:00] P4perl: anyone can down this ip?
[2019-01-21 12:30:20+00:00] P4perl: 192.169.82.x
[2019-01-21 12:53:09+00:00] P4perl: any help?
[2019-01-21 13:16:16+00:00] P4perl: I want to renew my subscription
[2019-01-21 13:53:13+00:00] P4perl: still up


[2019-01-21 14:21:21+00:00] P4perl: @SerialTT I want to purchase again


[2019-01-22 06:28:33+00:00] P4perl: anyone can help me?
[2019-01-22 07:43:34+00:00] P4perl: guys I need some help from you.
[2019-01-22 07:44:11+00:00] P4perl: about the website I need to down


[2019-01-23 13:19:41+00:00] P4perl: please help me to this site
[2019-01-23 13:19:42+00:00] P4perl: https://xxxx
[2019-01-23 13:19:52+00:00] P4perl: can’t down. I am using VIP
[2019-01-23 13:23:56+00:00] P4perl: cant down
[2019-01-23 13:29:04+00:00] P4perl: how?
[2019-01-23 13:44:12+00:00] P4perl: 😢
[2019-01-23 13:58:47+00:00] P4perl: can’t even down this fucking website. I really need to down it.
[2019-01-23 13:59:11+00:00] P4perl: ip address is xxxx
[2019-01-23 13:59:23+00:00] P4perl: ip address seems to be down, but the domain is not.
[2019-01-23 17:01:51+00:00] P4perl: @SerialTT please check PM
[2019-01-23 17:35:44+00:00] P4perl: can you help me? down this website using booter.pw?
[2019-01-23 17:37:29+00:00] P4perl: it can’t be down by VIP
[2019-01-23 17:39:05+00:00] P4perl: hahaha lol.. you want me to purchase your botnet then after I refuse you are like angry rolling egg. hahaha
[2019-01-23 17:39:31+00:00] P4perl: hahah sorry.
[2019-01-23 17:39:39+00:00] P4perl: I pm you.
[2019-01-23 17:39:43+00:00] P4perl: no no
[2019-01-23 17:40:01+00:00] P4perl: am i not saying you are mad.
[2019-01-23 17:40:23+00:00] P4perl: yeah, I dont have capability to down. that is why I need someones help
[2019-01-23 17:40:38+00:00] P4perl: no I didnt mean you mad at me


[2019-01-24 10:45:12+00:00] P4perl: can someone teach me how to use nova hub?

[2019-01-24 13:42:55+00:00] P4perl: already sent the money then replace the bitcoin address so that he can say that I was wrong sending the bitcoin to other address. nice scam
[2019-01-24 13:43:42+00:00] P4perl: my fault, I believe what he said.
[2019-01-24 13:47:56+00:00] P4perl: I pay him for other service sir @ex3x1,
[2019-01-24 13:48:22+00:00] P4perl: I do not pay for booter.pw service.
[2019-01-24 13:49:26+00:00] P4perl: but I just want to warn everyone here that this guy, @BypassYourFirewall is a scammer
[2019-01-24 13:49:55+00:00] P4perl: now he blocked me
[2019-01-24 13:50:19+00:00] P4perl: he blocked me.
[2019-01-24 13:50:51+00:00] P4perl:
[2019-01-24 13:51:18+00:00] P4perl:
[2019-01-24 13:51:40+00:00] P4perl:
[2019-01-24 14:13:56+00:00] P4perl: Thanks to @Gvktt and @ex3x1 for helping me on my target.

The expression “angry as a rolling egg” is a translation of Chinese 滚蛋 (gǔn dàn): “rolling egg”.

Phase VII: Reaching out to the national PH CERT and carriers

Since the 22nd of January 2018, we have made multiple attempts to contact the CSPCERT. We mailed emergency@cspcert.ph several times to inform them about our findings and also tried social media.

The first CERT to answer was PH CERT from DICT, on the 15th of January 2019, claiming they had never received our mails.

The last week of February 2019, we also mailed to Sherwin Torres, director of technical operations from IP Converge and their NOC and Internet response team. IP Converge has not yet responded.

On the 25th of February we filed a complaint with APNIC, as the information for the network 125.252.99.0/24 had bogus records. The record was updated on the 26th of February to list Telstra (ip-noc@team.telstra.com) as responsible for abuse of the prefix.

This email address is also not valid, and a new complaint was filed.

12c12
< notify: ip-noc@team.telstra.com
notify: ip-noc@pacnet.net
17c17
< last-modified: 2019-02-26T09:14:36Z
last-modified: 2017-10-20T08:47:01Z
19d18
<

On the 26th of February we sent another reminder to IP Converge, including Christian Villanueva and Cean Archievald Reyes, who are responsible for Data Center and Cloud services. None of them have responded.

On the 27th of February we sent a message to Hong Kong Broadband Network Ltd to ask for an abuse e-mail address for the prefix 61.244.184.0/24, also involved in the attacks. No response.

On the 14th of March we sent a message to George Tardio, who we believe might be responsible for NCERT-PH. We received a response on the 15th of March 2019, stating that none of our requests had been received. We provided the logs of the three mails sent to NCERT on the 5th, 6th and 26th of February. We have not received any response since then.

APPENDIX


Feb 13: VPN used to retrieve links later on used in the DDOS attacks

The attacker uses Suniway VPN to fetch links before the floodings start

[remote_addr: 69.161.195.103, time_local: 13/Feb/2019:08:46:38 +0000, request_uri: /about-us/, http_user_agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36]

[remote_addr: 61.244.184.133, time_local: 13/Feb/2019:08:58:44 +0000, request_uri: /contact-us/, http_user_agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0]

[remote_addr: 61.244.184.133, time_local: 13/Feb/2019:12:39:47 +0000, request_uri: /contact-us/, http_user_agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0]

[remote_addr: 61.244.184.133, time_local: 13/Feb/2019:12:39:55 +0000, request_uri: /category/network-updates/, http_user_agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0]

The attacker starts to test with curl on Linux and Python before the L7 attack, using a pool of open proxies, probably with the intention of adding power to the L7 attacks.

[remote_addr: 125.252.99.146, time_local: 13/Feb/2019:07:20:27 +0000, request_uri: /, http_user_agent: PycURL/7.43.0.2 libcurl/7.47.0 OpenSSL/1.0.2g zlib/1.2.8 libidn/1.32 librtmp/2.3]

Change of IP addresses of attacker moving between NordVPN and Suniway VPN
Summary of list of IPs used by attacker: (1) .133 and .146 are Suniway VPNs; (2) 69.161.195.x is the NordVPN pool in HK

Attacker in Suniway in communication with Israel via Telegram

During the denial of service attacks that took place on the 13th of February, the attacker was sharing the “URLs used in the attack” via Telegram with someone in Israel. The HTTP referer leaked to us during the attacks shows that the addresses 125.252.99.146 and 188.64.206.4 were sharing attack links via android-app://org.telegram.messenger

[remote_addr: 125.252.99.146, time_local: 13/Feb/2019:01:33:41 +0000, request_uri: /contact-us/, http_referer: android-app://org.telegram.messenger]

[remote_addr: 188.64.206.4, time_local: 13/Feb/2019:05:16:38 +0000, request_uri: /category/network-updates/, http_referer: android-app://org.telegram.messenger, geoip_orgname: Pelephone Communications Ltd.]

Feb 16: Attacker keeps monitoring the websites

The 16th of February was a day without any attacks. After 32 days of hosting, 27 of them had seen denial of service or pen testing attacks.

The attacker loads the home page of the three sites every minute (16 February) from the NordVPN IP in Korea: 210.217.18.73

Update Monday, 18th February 2019

The attacker changes VPN service and starts to use the service from torguardvpnaccess.com (93.177.75.146) to conduct attacks. Two botnets were used during the early morning of the 18th of February: one targeted altermidya.net and the other, composed of Tor exits, flooded the qurium.org website for 10h.

Attack against qurium.org

Forensic evidence and data analysis

For the preparation of this report we have used the following sources of forensic evidence and analysis tools:

  • From old hosting: Web logs from old hosting providers since late November 2018.
  • From Qurium infrastructure: load balancer logs, packet sampling for large UDP floods, DNS logs, netflow data
  • Analysis tools: Farsight Passive DNS, RiskIQ Community Portal, Censys, Shodan, Dyn-Oracle Internet Intelligence, Paterva Maltego.

What is Grandbo Technology Development Corporation?

According to social media, Josef D. Legaspi, a former ICT Operations Head at PLDT Global Corporation, is now working as senior IT engineer at Suniway and for Grandbo Technology Development Corporation.

The company has no website on the domain grandbo.com.ph and runs a simple page at https://grandbotechnology.wordpress.com/

Grandbo has registered the prefix 154.211.8.0/22, allocated from an obscure South African provider, cloudinnovation.org, with contact details in Mahe, Seychelles. The IP space might be rented from Lu Heng, a known actor trading in IP space. According to RIPE BGP peering sensors, the prefix was first seen announced by AS134687 on 2018-11-05 16:00:00 UTC.

The prefix is announced in Hong Kong by AS134687.

According to Censys, the IP space mostly hosts Sangfor devices like the ones found in the Suniway setup.