April 25, 2019
In our previous forensic report, we traced the attacks against several media outlets in the Philippines to two networks: 126.96.36.199/24 and 188.8.131.52/24.
Until mid-March 2019, the attacker mostly used the IP address 184.108.40.206 to monitor the victims, and later switched to 220.127.116.11.
Both networks terminate in routers of Suniway Group of Companies, which in turn route their traffic through the infrastructure of IP Converge (IPC), part of the Philippine Long Distance Telephone Company (PLDT) group.
Although the networks are operated by Suniway from the Philippines, they are registered as located in Hong Kong.
- The first prefix, 18.104.22.168/24, is a network allocation from Telstra that, despite our reports to APNIC and IPC, remains allocated to “IP-CONVERGE-DATA-SERVICES-HKG-NETBLK02” with the wrong abuse e-mail: email@example.com
- The second network, 22.214.171.124/24, which also terminates in a router in the Suniway network in the Philippines, is registered to Hong Kong Broadband Network Ltd.
Both networks are “apparently located” in Hong Kong but in fact connect customers and services in the Philippines.
What is on those networks?
The networks host multiple routers and VPN devices (Sangfor) that seem responsible for moving traffic from the Philippines to Hong Kong and from there into China.
Two IP addresses are particularly interesting: 126.96.36.199 and 188.8.131.52.
The first IP hosted hundreds of gambling domain names.
The second IP address, 184.108.40.206, hosted ay033.com, ay370.com and the mail server of ay033.com: mail.ay033.com
What is ay033.com?
Checking the domain ay033.com we found an interesting Facebook post by “Thoi Anh Trinh”, who uses the e-mail addresses firstname.lastname@example.org and email@example.com. Thoi seems to recruit staff for what appears to be a Philippine Offshore Gaming Operator, or POGO.
The connection between ay033.com and Suniway is also visible when reviewing 220.127.116.11/24, a network publicly registered in the name of Suniway. In that network we found infrastructure connected to the domain nyjt88.com.
The domain nyjt88.com happens to be used for the e-mail support channel (firstname.lastname@example.org) of a gambling website, which is in turn connected with ay033.com.
Hundreds of domains pointing to one gambling portal
Linking the multiple gambling websites was relatively easy, as all of them have a few things in common:
- A support phone number: +85-281-979-662
- References to (c) AOYA GUOJI
- Many domains start with AY
- All the domains seem to have been hosted at some point in the network 18.104.22.168/22
- A support e-mail: email@example.com
Some of the domains sharing these details include (1) ay235.com, ay223.com, aygj15.com, aygj0.com and (2) 9661xz.com, 9661qs.com, 9661f.com.
体育赛事SPORTS … 您好，请您用开户时候填写的电子邮箱，发邮件至公司邮箱ckeke9888@ay033.com 申请更改密码或者联系线上客服为您修改. 1：进行游戏对
which translates to:
Sports event SPORTS… Hello, please send an e-mail from the address you provided when opening your account to the company mailbox firstname.lastname@example.org to request a password change, or contact online customer service to change it for you. 1: Play the game…
Aoya Guoji and Suniway
A simple search for 澳亚国际 (Aoya Guoji / Ào yà guójì / Australia Asia International) or for the phone number +85-281-979-662 returns dozens of domains pointing to the very same gambling website. These sites used Suniway infrastructure, both its publicly registered networks (22.214.171.124) and the hidden prefixes (126.96.36.199), to host either the site itself or the mail server for the support and recruitment service.
At the time of this writing, we do not know whether “Aoya Guoji” is a registered Philippine Offshore Gaming Operator (POGO), but given the number of domains the organization operates, it seems clear that these gambling websites are constantly blocked and keep moving to new locations to stay online. That might also explain why many of the gambling portals use non-standard port numbers such as :8888, something typical in our experience when websites get blocked.
All these domains seem to be associated with one backend hosting provider, AS55303, which has enough IP space to let the websites move to a different IP address constantly.
A careful review of the ASN’s peering agreements shows the presence of several DDoS protection services, which further reinforces our view that this backend hosting provider specializes in hosting gambling sites. See: https://bgp.he.net/AS55303#_peers
How does it all sum up?
We speculate that some of Suniway’s clients are in the (online) gambling business in the Philippines. This might explain why Suniway’s resources are not fully public, as its infrastructure might be used to connect websites that are blocked inside China.
Due to legal requirements in the Philippines, these websites should not be accessible to people in the Philippines. This might also explain the convoluted routing setup, the cloud hosting, the peering with Chinese carriers in Hong Kong and the “spooky silence” we got in response when reaching out to IPC and the National CERT.
When we reviewed the suniway.ph website a few months ago, weeks after the DDoS attacks started, we could not really understand their integrated business model (designing office spaces, premium connectivity, cloud hosting and payment platforms)… “supporting offshore gambling business” might be the answer we were looking for.
Linking the nyjt88.com support e-mail of Aoya Guoji to Suniway
Step 1. The e-mail support address of the gambling sites
The mail is email@example.com
Step 2. Find the MX record of nyjt88.com. Where is the mail server?
The MX record points to: 188.8.131.52
Step 3. Find the router in front of the mail server of nyjt88.com
The router of the mail server is 184.108.40.206
Step 4. Find the SSH host key fingerprint of the router
The SSH fingerprint (the SHA-256 digest of the host key, in hex) is c8d873f7001db75975e0b63ec2d4760a3e2bde565fc2aad534f67194bf49fc59
Step 5. Use the fingerprint to find the rest of the IP addresses of the router
Number of results: 22
220.127.116.11 | HKBN-AS-AP HK Broadband Network Ltd. (10103)
18.104.22.168 | HKBN-AS-AP HK Broadband Network Ltd. (10103)
22.214.171.124 | HKBN-AS-AP HK Broadband Network Ltd. (10103)
126.96.36.199 | HKBN-AS-AP HK Broadband Network Ltd. (10103)
188.8.131.52 | SUNIWAYTELECOM-AS-AP Suniway Group of Companies Inc. (137184)
184.108.40.206 | SUNIWAYTELECOM-AS-AP Suniway Group of Companies Inc. (137184)
220.127.116.11 | SUNIWAYTELECOM-AS-AP Suniway Group of Companies Inc. (137184)
18.104.22.168 | SUNIWAYTELECOM-AS-AP Suniway Group of Companies Inc. (137184)
22.214.171.124 | SUNIWAYTELECOM-AS-AP Suniway Group of Companies Inc. (137184)
126.96.36.199 | SUNIWAYTELECOM-AS-AP Suniway Group of Companies Inc. (137184)
188.8.131.52 | SUNIWAYTELECOM-AS-AP Suniway Group of Companies Inc. (137184)
184.108.40.206 | SUNIWAYTELECOM-AS-AP Suniway Group of Companies Inc. (137184)
220.127.116.11 | SUNIWAYTELECOM-AS-AP Suniway Group of Companies Inc. (137184)
18.104.22.168 | SUNIWAYTELECOM-AS-AP Suniway Group of Companies Inc. (137184)
22.214.171.124 | SUNIWAYTELECOM-AS-AP Suniway Group of Companies Inc. (137184)
126.96.36.199 | SUNIWAYTELECOM-AS-AP Suniway Group of Companies Inc. (137184)
188.8.131.52 | SUNIWAYTELECOM-AS-AP Suniway Group of Companies Inc. (137184)
184.108.40.206 | SUNIWAYTELECOM-AS-AP Suniway Group of Companies Inc. (137184)
220.127.116.11 | SUNIWAY1-AS-AP SUNIWAY GROUP LIMITED (137990)
18.104.22.168 | SUNIWAY1-AS-AP SUNIWAY GROUP LIMITED (137990)
22.214.171.124 | IPVG-AS-AP IP-Converge Data Center, Inc. (23930)
126.96.36.199 | ISP-AS-AP ISP (55355)
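The five steps above amount to a pivot on a reused SSH host key: the 64-hex-character fingerprint is the SHA-256 digest of the router’s host key, and every address that presents the same key is, with high probability, the same device (or a cloned image of it). The Python below is an added example, not tooling from the original report or from any of the organizations named in it: it computes the three fingerprint encodings you will meet (Censys/Shodan-style hex, the SHA256:… form printed by ssh-keygen, legacy MD5), converts the hex fingerprint quoted in Step 4 into the ssh-keygen form so the two can be compared directly, parses ssh-keyscan-style lines and groups the resulting records by fingerprint. The host keys, IP addresses and ASN labels in the sample data are constructed; real input would come from ssh-keyscan, a known_hosts file or a scan export.

```python
import base64
import hashlib
from collections import defaultdict


def ssh_string(data: bytes) -> bytes:
    """Encode one SSH wire-format string: 4-byte big-endian length + payload (RFC 4251)."""
    return len(data).to_bytes(4, "big") + data


def ed25519_blob(raw_pubkey: bytes) -> bytes:
    """Build the key blob that OpenSSH base64-encodes for an ssh-ed25519 public key."""
    if len(raw_pubkey) != 32:
        raise ValueError("ed25519 public keys are 32 bytes")
    return ssh_string(b"ssh-ed25519") + ssh_string(raw_pubkey)


def hex_to_openssh(sha256_hex: str) -> str:
    """Turn a 64-hex SHA-256 fingerprint (Censys/Shodan style) into the
    'SHA256:<base64 without padding>' form that `ssh-keygen -lf` prints."""
    digest = bytes.fromhex(sha256_hex)
    if len(digest) != 32:
        raise ValueError("expected a 256-bit digest")
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprints(key_b64: str) -> dict:
    """All common fingerprint encodings of one base64-encoded host key blob."""
    blob = base64.b64decode(key_b64)
    sha = hashlib.sha256(blob).hexdigest()
    md5 = hashlib.md5(blob).hexdigest()
    return {
        "sha256_hex": sha,                                   # what scan engines display
        "sha256_openssh": hex_to_openssh(sha),               # what ssh-keygen -lf prints
        "md5_openssh": ":".join(md5[i:i + 2] for i in range(0, len(md5), 2)),  # ssh-keygen -l -E md5
    }


def parse_keyscan_line(line: str):
    """Parse one `ssh-keyscan` / known_hosts line: 'host keytype base64 [comment]'.
    Returns (host, keytype, key_b64), or None for comments and blank lines."""
    parts = line.split()
    if len(parts) < 3 or parts[0].startswith("#"):
        return None
    return parts[0], parts[1], parts[2]


def pivot_on_hostkey(records):
    """Group (ip, asn, key_b64) records by SHA-256 host-key fingerprint.
    Many IPs under one fingerprint means one device (or one cloned image) answers at all of them."""
    by_fp = defaultdict(list)
    for ip, asn, key_b64 in records:
        by_fp[fingerprints(key_b64)["sha256_hex"]].append((ip, asn))
    return dict(by_fp)


def related_ips(records, key_b64):
    """Every (ip, asn) in `records` that presents the same host key as `key_b64`."""
    fp = fingerprints(key_b64)["sha256_hex"]
    return pivot_on_hostkey(records).get(fp, [])


def asns_sharing_key(records, key_b64):
    """Distinct ASN labels among the hosts that share the key (sorted for stable output)."""
    return sorted({asn for _, asn in related_ips(records, key_b64)})


# --- constructed sample data: not real keys, hosts or ASN assignments ---
ROUTER_KEY_B64 = base64.b64encode(ed25519_blob(bytes(range(32)))).decode()
OTHER_KEY_B64 = base64.b64encode(ed25519_blob(bytes(range(32, 64)))).decode()

# Shape mirrors the result list in the report: one key, several IPs, more than one ASN.
KEYSCAN_OUTPUT = f"""
# constructed ssh-keyscan output
192.0.2.10 ssh-ed25519 {ROUTER_KEY_B64}
192.0.2.11 ssh-ed25519 {ROUTER_KEY_B64}
198.51.100.5 ssh-ed25519 {ROUTER_KEY_B64}
203.0.113.7 ssh-ed25519 {OTHER_KEY_B64}
"""
IP_TO_ASN = {  # constructed; real values would come from a BGP or whois lookup
    "192.0.2.10": "AS137184 SUNIWAYTELECOM-AS-AP",
    "192.0.2.11": "AS137184 SUNIWAYTELECOM-AS-AP",
    "198.51.100.5": "AS10103 HKBN-AS-AP",
    "203.0.113.7": "AS64496 UNRELATED",
}


def records_from_keyscan(text: str, ip_to_asn: dict):
    """Join keyscan lines with ASN labels into (ip, asn, key_b64) records."""
    out = []
    for line in text.splitlines():
        parsed = parse_keyscan_line(line)
        if parsed:
            ip, _keytype, key_b64 = parsed
            out.append((ip, ip_to_asn.get(ip, "unknown"), key_b64))
    return out


SCAN_RECORDS = records_from_keyscan(KEYSCAN_OUTPUT, IP_TO_ASN)

if __name__ == "__main__":
    print(fingerprints(ROUTER_KEY_B64))
    for ip, asn in related_ips(SCAN_RECORDS, ROUTER_KEY_B64):
        print(f"{ip} | {asn}")
```

A shared host key across many addresses also shows up when a vendor ships a default key in firmware or when virtual machine images are cloned without regenerating keys, so before reading a result list like the one above as a single router, confirm it with an independent signal (the same traceroute position, the same SSH banner and version string, the same set of other open ports).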
“Aoya Guoji” and AS55303 Eagle Sky Co IT
During our research we found out that the domain nyjt88.com, used as one of the support channels for “Aoya Guoji”, is hosted in Suniway infrastructure.
Several gambling domains hosted in Suniway start with the letters “ay”, and most of the domain names are hosted in AS55303.
The provider is registered under the name “Eagle Sky Co, Lt” with the address 60 Market Square, P.O. Box 364 in Belize and the e-mail contact aaa1490_@_gmail.com
A much older whois object from 2010 lists the company with country: PH
A look into the RIPE database confirms that AS55303 started announcing prefixes in 2010 and currently advertises 288 prefixes (73,472 addresses). The provider focuses on gambling hosting, with dozens of associated companies registered in India, Hong Kong, Taiwan, Brunei, Japan, Thailand and Korea.
Yes, all this setup is associated with a Gmail account.
Looking into the peering agreements we can see Prolexic/Akamai, Nexusguard, DDoS-Guard, NSFOCUS, Incapsula and VL-AP, major providers of DDoS mitigation from the USA, Russia, China and Israel.
The power of Big Query and Censys
Thanks to the help of Censys we could run a BigQuery query against their database and ask the question: of all the IP addresses active in Eagle Sky (AS55303), which organization is behind the SSL certificates?
It took us a few hours to come up with the correct SQL query; Google BigQuery needed 6 seconds and processed about 8 GB.
The result: 1333 of the 1389 IPs with SSL certificates show “BB-IN” (96%).
So it seems clear that Eaglenet = Eaglesky, which runs “Aoya Guoji”, a BBIN International Limited gaming platform.
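The BigQuery question above is an aggregation over the Censys IPv4 scan table: restrict to one ASN, keep only hosts that presented a certificate on port 443, group by the certificate’s subject organization and express each group as a share of all certificate-bearing hosts. The Python below is an added example, not the query Qurium ran and not the Censys schema: it runs a query of that shape against an in-memory SQLite table filled with constructed rows. The column names are flattened stand-ins (an assumption) for the nested Censys fields, where the subject organization is a repeated field that would need UNNEST in real BigQuery; the IP addresses and organization strings in the rows are constructed.

```python
import sqlite3

# Flattened stand-ins (assumption) for the nested Censys fields
#   ip, autonomous_system.asn, p443.https.tls.certificate.parsed.subject.organization
SCHEMA = """
CREATE TABLE ipv4 (
    ip               TEXT PRIMARY KEY,
    asn              INTEGER NOT NULL,
    cert_subject_org TEXT              -- NULL when no certificate was seen on 443
);
"""

# Shape of the question: for one ASN, which organization do the certificates name,
# and what share of all certificate-bearing hosts does each organization account for?
QUERY = """
WITH certs AS (
    SELECT ip, cert_subject_org
    FROM ipv4
    WHERE asn = :asn
      AND cert_subject_org IS NOT NULL
)
SELECT cert_subject_org AS organization,
       COUNT(*)         AS hosts,
       ROUND(100.0 * COUNT(*) / (SELECT COUNT(*) FROM certs), 1) AS pct
FROM certs
GROUP BY cert_subject_org
ORDER BY hosts DESC, organization;
"""


def build_sample_db(rows):
    """Load (ip, asn, cert_subject_org) rows into an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO ipv4 VALUES (?, ?, ?)", rows)
    conn.commit()
    return conn


def cert_org_breakdown(conn, asn: int):
    """Return [(organization, hosts, pct), ...] for the given ASN, largest group first."""
    return conn.execute(QUERY, {"asn": asn}).fetchall()


def hosts_with_certs(conn, asn: int) -> int:
    """Denominator of the percentages: hosts in the ASN that presented any certificate."""
    return conn.execute(
        "SELECT COUNT(*) FROM ipv4 WHERE asn = ? AND cert_subject_org IS NOT NULL", (asn,)
    ).fetchone()[0]


def sample_rows():
    """Constructed rows: eight AS55303 hosts naming one organization, one outlier,
    one host without a certificate, and one host in an unrelated ASN."""
    rows = [(f"198.51.100.{i}", 55303, "BB-IN") for i in range(8)]
    rows.append(("198.51.100.20", 55303, "Example Corp"))
    rows.append(("198.51.100.21", 55303, None))   # scanned, no TLS on 443
    rows.append(("203.0.113.1", 64496, "BB-IN"))  # same org string, different ASN
    return rows


if __name__ == "__main__":
    db = build_sample_db(sample_rows())
    for org, hosts, pct in cert_org_breakdown(db, 55303):
        print(f"{org:<14} {hosts:>4} {pct:>5}%")
```

One caveat when reading the 96%: the subject organization is written by whoever requested the certificate. A CA verifies it only for OV/EV certificates, and on a self-signed certificate it is free text, so a near-uniform value across an ASN proves that the operator deploys one certificate profile across the fleet, which is a strong clustering signal, not a verified legal identity on its own.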
Where is Eaglesky and BBIN?
At the beginning of our research we found out that the fax number of Eagle Sky points to a number in the Philippines linked to the company Eaglesky Technology Amusement and Gaming, Inc. According to public sources the company is connected to Clark Freeport’s Taiwanese investors Jack Yang and Tony Wang and to former Eaglesky president Ireneo “Bong” Alvaro.
We believe that BBIN is registered in Taiwan as 中佑集團 (BBIN), part of the Chung Yo Group, but operates several offshore setups in Belize in the now famous P.O. Box 364.
Recent documents from the Asian Domain Name Dispute Resolution Centre point to “State Leader Co, Ltd” and YANG JEN CHIEH as owners of BBIN.
In an article published back in 2006, YANG JEN CHIEH is mentioned again, this time as owner of British Grand Vision International Co and the airline TransGlobal Pacific Airways Inc. Back then, they were charged with illegal gambling in a plane hangar in Clark.
A year later, the National Bureau of Investigation lost the case for lack of real players in the alleged Internet gambling casino.
“One could not charge the dealer alone without indicting the supposed bettor.”
So the ultimate question is why someone at Suniway, which runs infrastructure connected with BBIN and the gambling activities in Clark, decided to run months of denial-of-service attacks against online media.
So far, we got no answers.