Cloud Radium

Radio Free Asia, Cloud Radium, and the Voice of America.

Cloud Radium

Summary:

Cloud Radium is an internet / website hosting company that acts as a front for the Chinese government. It allows hackers based in the PRC to host malicious websites inside the US from which to carry out multiple types of cybercrime.

The real name of Cloud Radium is “CN Servers LLC”, registered in China. Its ASN (Autonomous System Number), which has never changed, is AS40065. It also has a sister company in Los Angeles, Cera Networks.

It appears that traffic from the NCAR supercomputer and from Hurricane Electric feeds into Cloud Radium along with about 25 other front ISPs around the US. From there the traffic targets individual users or corporate networks, which makes attribution to China very difficult.

Because of strange connections to an event in Wyoming in 2014, when Chinese internet traffic was routed through Cheyenne, comments made in certain newspapers, and links to Hurricane Electric, it appears that many Voice of America software initiatives are or have become malicious and are tied to Cloud Radium.

Part 1

Initial Discovery in 2017:

In May 2017, Lee Neubaker, a cybersecurity specialist out of Chicago, wrote this fascinating article accusing a Cheyenne-based hosting company of being a beachhead for Chinese cyber attacks in the West.

FE Warren AFB and Nuclear Missiles:

Given the proximity of this hosting company to one of America’s main nuclear missile facilities (just over a mile), this was obviously very alarming.

Chinese Connections are Obvious:

Business data for Cloud Radium LLC proves that it has a Chinese connection and ultimately outright Chinese ownership:

Part 2

The 2014 Incident:

One would have to be very naive to think this isn’t somehow related to the 2014 internet incident in which significant Chinese traffic was directed to Cheyenne, Wyoming. A DNS cache poisoning attack caused DNS lookups inside China to return the same IP address for every domain entered, for over an hour.

A more in-depth article by the NY Times can be found here. That article also references a helpful blog post by Greatfire.org, a group that monitors censorship in China.

The Curtain of 65.49.2.178:

All traffic in China was briefly directed to a single IP address, 65.49.2.178. That IP address is the property of Hurricane Electric and is part of ASN AS6939. Hurricane Electric was covered previously here, and is part of a bridge or “tunnel” that the Chinese use as a superhighway for hacking the United States.
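The signature of the incident described above is that unrelated domains all suddenly resolve to one address. The following is an added example, not code from the original post or from any of the companies it discusses: a small monitor that takes a set of DNS answers, reports whether they have collapsed onto a single IP, and lists the domains whose answers no longer overlap a known-good baseline. The sample answers, the baseline and the placeholder domain names are constructed for the example; only the address 65.49.2.178 comes from the page.

```python
import socket
from collections import Counter

# Constructed sample of what a resolution monitor would have recorded during
# an incident like the one described above: unrelated domains all answering
# with the one IP the page names, 65.49.2.178. The domain names are
# arbitrary placeholders and the answer data is made up, not captured traffic.
SAMPLE_ANSWERS = {
    "news.example": ["65.49.2.178"],
    "mail.example": ["65.49.2.178"],
    "shop.example": ["65.49.2.178"],
    "bank.example": ["65.49.2.178"],
    "video.example": ["65.49.2.178"],
    "cdn.example": ["65.49.2.178"],
    "search.example": ["65.49.2.178"],
    "intranet.example": ["192.0.2.10"],   # the one lookup that still resolved normally
}

# Constructed "known good" answers recorded before the incident.
BASELINE = {
    "news.example": ["198.51.100.7"],
    "mail.example": ["198.51.100.25"],
    "shop.example": ["203.0.113.40", "203.0.113.41"],
    "intranet.example": ["192.0.2.10"],
}


def resolution_collapse(answers, threshold=0.75):
    """Find the single most common answer across unrelated domains.

    Returns a dict with the dominant IP, how many domains it appeared in,
    that count as a share of all domains, and a 'collapsed' flag that is
    True when the share reaches `threshold`. Normal resolution spreads
    answers across many addresses; a hijack or poisoned cache of the kind
    described above concentrates them on one.
    """
    if not answers:
        return None
    per_ip = Counter()
    for records in answers.values():
        for ip in set(records):          # count each domain once per IP
            per_ip[ip] += 1
    ip, n = per_ip.most_common(1)[0]
    share = n / len(answers)
    return {"ip": ip, "domains": n, "share": share, "collapsed": share >= threshold}


def hijacked_domains(answers, baseline):
    """Domains whose current answers share nothing with their baseline answers.

    A domain that returned no records at all is also flagged, since an empty
    answer does not overlap the baseline either.
    """
    return sorted(
        domain
        for domain, records in answers.items()
        if domain in baseline and not set(records) & set(baseline[domain])
    )


def probe(domains):
    """Live check: resolve each domain with the system resolver (network needed).

    Deliberately not called at import time so the module stays usable offline.
    """
    answers = {}
    for d in domains:
        try:
            answers[d] = socket.gethostbyname_ex(d)[2]
        except socket.gaierror:
            answers[d] = []
    return answers


if __name__ == "__main__":
    report = resolution_collapse(SAMPLE_ANSWERS)
    print(f"dominant answer {report['ip']} for {report['domains']}/{len(SAMPLE_ANSWERS)} "
          f"domains ({report['share']:.0%}); collapsed={report['collapsed']}")
    print("changed vs baseline:", hijacked_domains(SAMPLE_ANSWERS, BASELINE))
```

Run against the constructed data it reports 7 of 8 domains answering with 65.49.2.178 and flags news, mail and shop as changed from baseline; to watch live resolution, feed the output of `probe()` to the same two functions from a vantage point inside the network you care about.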

Returning to the previously mentioned NY Times article though, we want to focus on a couple of paragraphs:

Qihoo 360 Technology, said the problems affected about three-quarters of the country’s domain-name system servers. ‘I have never seen a bigger outage,’ said Heiko Specht, an Internet analyst at Compuware, a technology company based in Detroit. ‘Half of the world’s Internet users trying to access the Internet couldn’t.’ With so much Internet traffic flooding Sophidea’s Internet address, Mr. Specht said he believed it would have taken less than a millisecond for the company’s servers to crash.

More interestingly we find that:

Until last year, Sophidea was based in a 1,700-square-foot brick house on a residential block of Cheyenne. The house, and its former tenant, a business called Wyoming Corporate Services, was the subject of a lengthy Reuters article in 2011 that found that about 2,000 business entities had been registered to the home. Among them were a company controlled by a jailed former Ukraine prime minister, the owner of a company charged with helping online poker operators evade online gambling bans, and one entity that was banned from government contract work after selling counterfeit truck parts to the Pentagon.

Finally we learn that Gerald Pitts is the president of Wyoming Corporate Services, that the director of Sophidea is a “Mark Chen”, and that there was actually a second major misconfiguration in China’s internet later on the day of this incident. That second incident redirected massive amounts of traffic not to Sophidea but to another firm, Dynamic Internet Technology.

We will look into Dynamic Internet Technology, or DIT, shortly. But first, who is Qihoo 360 Technology?

Qihoo 360 Technology:

It is strange that the NY Times would cite Qihoo 360 for information without noting its reputation as a front for the Ministry of State Security or the many controversies it had been involved in before and since.

We don’t have time in this article to cover the suspicious soft coverage, lack of reporting, and large omissions so many outlets have made over the years regarding Chinese cybercrime. Still, I want to cover the bizarre legacy of Qihoo to show how strange it was for the NY Times to cite it. In another post we will go into detail as to whether this whole event was staged and the coverage of it prepared in advance for the press (not as straightforward a question as it sounds).

Going back to Qihoo: a year after the NY Times article it also chose to delist from the New York Stock Exchange rather than be removed. Below is a snapshot from their Wikipedia page of other controversies, to give some idea of the firm’s infamous reputation:

More recently the firm’s reputation became so bad that the US has now blacklisted the whole company. It has also been accused of aiding the mass detention and organ harvesting of Uyghurs in Xinjiang:

Additionally, their founder, born in 1970, is the world’s 135th richest person and one of the earliest Chinese internet entrepreneurs. He also graduated from Xi’an Jiaotong University, which has extensive military connections:

Dynamic Internet Technology:

Dynamic Internet Technology (DIT), which is sponsored by VOA, is one of many firms that claim to help Chinese dissidents and residents of the PRC. Nearly anyone who makes that claim is usually being deceitful, having long ago given in to the money and the bribes. To their credit, the financial rewards were often enormous, and some certainly held out longer than others. Perhaps they should be commended for that, but when weighed against the suffering of the Chinese people, perhaps not.

DIT is most well known for developing the software “Freegate”. Wikipedia gives some background on the program:

Freegate is a software application that enables internet users in mainland China, North Korea, Syria, Vietnam, Iran, the United Arab Emirates, among others, to view websites blocked by their governments. The program takes advantage of a range of proxy servers called Dynaweb. This allows users to bypass Internet firewalls that block web sites by using DIT's peer-to-peer (P2P)-like proxy network system. Freegate's anti-censorship capability is further enhanced by a new, unique encryption and compression algorithm in versions 6.33 and above. Dynamic Internet Technology estimates Freegate had 200,000 users in 2004.

Voice of America:

To be updated later...

Part 3

Back to Cloud Radium:

Cloud Radium’s real name is “CN Servers LLC”, or “China Servers LLC”. We know this because their ASN, or Autonomous System Number, AS40065, has never changed over the years. An ASN is a number assigned by the regional internet registries (ARIN in North America) that identifies a single network operator on the internet; every IP prefix a network announces to other networks over BGP is tagged with its ASN, which is why an ASN remains a stable identifier for an ISP even when its trade names change.
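A practical consequence of the ASN explanation above is that, once you have the prefixes an ASN announces, you can attribute log traffic to that network operator without relying on its trade name. The block below is an added example, not code from the original post or from any organisation it describes: it does longest-prefix matching of client IPs from web server log lines against a prefix table and counts requests per watched ASN. The prefix table is hypothetical (RFC 5737 documentation ranges, not the real announcements of AS40065 or AS6939) and the log lines are constructed; in practice the table would be filled from a routing data source such as a RouteViews or RIPE RIS dump.

```python
import ipaddress
import re
from collections import Counter

# Hypothetical prefix table. In practice you would fill this from a routing
# data source (a RouteViews/RIPE RIS dump, or a bulk whois lookup) for the
# ASNs you care about. The prefixes below are RFC 5737 documentation ranges,
# constructed for the example; they are NOT the real announcements of
# AS40065 or AS6939.
ASN_PREFIXES = {
    40065: ["192.0.2.0/24", "198.51.100.0/24"],
    6939: ["203.0.113.0/24", "192.0.2.128/25"],   # more specific than 192.0.2.0/24
}

# Constructed Apache combined-format log lines; the client IPs fall into the
# ranges above so the example is self-contained. The last line is deliberate
# junk to show that unparseable input is skipped rather than crashing the run.
SAMPLE_LOG = """\
192.0.2.44 - - [10/Mar/2021:13:01:02 +0000] "GET /wp-login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2021:13:01:05 +0000] "POST /xmlrpc.php HTTP/1.1" 403 0 "-" "python-requests/2.25"
192.0.2.200 - - [10/Mar/2021:13:01:09 +0000] "GET / HTTP/1.1" 200 1024 "-" "curl/7.68.0"
203.0.113.77 - - [10/Mar/2021:13:02:11 +0000] "GET /robots.txt HTTP/1.1" 200 64 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Mar/2021:13:02:30 +0000] "GET /admin HTTP/1.1" 404 0 "-" "Mozilla/5.0"
this line is not a log entry
"""

# Client IP, identity, user, timestamp, request line, status code.
LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{3})')


def build_table(asn_prefixes):
    """Flatten {asn: [prefix, ...]} into a list of (network, asn) pairs."""
    return [
        (ipaddress.ip_network(prefix, strict=True), asn)
        for asn, prefixes in asn_prefixes.items()
        for prefix in prefixes
    ]


def asn_for(ip, table):
    """Longest-prefix match of `ip` against the table; None if no prefix covers it."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, asn in table:
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, asn)
    return best[1] if best else None


def hits_by_asn(log_text, table, watch):
    """Count log requests whose client IP maps to one of the watched ASNs."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue   # skip lines that do not parse rather than crash on junk
        try:
            asn = asn_for(m["ip"], table)
        except ValueError:
            continue   # malformed address field
        if asn in watch:
            counts[asn] += 1
    return counts


if __name__ == "__main__":
    table = build_table(ASN_PREFIXES)
    for asn, n in sorted(hits_by_asn(SAMPLE_LOG, table, {40065, 6939}).items()):
        print(f"AS{asn}: {n} request(s)")
```

The longest-prefix rule matters: a /25 announced by one ASN inside another ASN's /24 is the more specific route, so 192.0.2.200 attributes to AS6939 here even though 192.0.2.0/24 belongs to AS40065 in the table. For a real investigation, refresh the table regularly, since prefixes move between ASNs.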

The amount of malicious traffic, spam, DDoS attacks, and phishing that comes from AS40065 is extensive. Below we screenshot various posts from around the internet over the years, as befuddled sysadmins try to understand the bad traffic that seems to come from AS40065:


Note the tweet below. Cera Networks out of Los Angeles appears to be a closely related front, if not just another sub-department, of Cloud Radium:

We saw in one of the first screenshots of this post that Cloud Radium’s business registration details in Wyoming literally point back to China. Checking their WHOIS records, we again find a Chinese origin for the business.

We were also able to identify PDXX.net as either a related front or simply the same company under a different name in China:

Simply put, Cloud Radium is a hosting company that serves as a front organization for the PLA to hack and cause havoc in the United States. It is one of several dozen ISPs that, along with Hurricane Electric, receive traffic from the NCAR supercomputing facility and fan it out to targeted sites and individuals across the country. By doing this the Chinese obscure the ultimate origin of the attacks being conducted.

A very basic diagram that omits a few steps can be found in the previous post, which covered strange goings-on in Cheyenne:

One pathway malicious traffic takes from China to the United States

Who is Cera Networks?

And what do they have in common with Pershing Square in Los Angeles? To be continued