Darkness at Noon 01 - WAYTITAN

Why was the National Security Agency targeting Netsential, the major hosting provider for the Department of Homeland Security? Who is behind the IP address 64.9.146.208?

IP Address #16, WAYTITAN, and the YHC Corporation

As part of the Edward Snowden leaks, a single document was made available that showed the top 16 IP addresses the NSA was targeting in North America.

At the very bottom of the list, address #16, was 64.9.146.208.

IP address 64.9.146.208 is at the bottom of the list. NSA Codename "WAYTITAN"

This IP address belongs to the same party then as it does now, the mysterious "YHC Corporation". A few things turn up on the internet for the acronym YHC, but nothing that we've seen shows or describes a "YHC Corporation". Except for one place.

ICANN maintains WHOIS, the database that documents ownership of domain names and IP address blocks. This is the only place "YHC Corporation" seems to turn up, and it is as owner of 64.9.146.208.

I can only find one place on the internet where this was discussed, a single Reddit thread made by a poster who only posted this, and nothing else, 11 months ago.

They also own something else.

BlueLeaks and Netsential -> YHC Corporation

Several days ago, every DHS Fusion Center, numerous local police agencies, and intelligence sharing groups that report to the DEA were hit in an extremely professional hack followed by a document leak.

All of these groups, at least 200 different agencies, were hosted by Netsential.com. When we say "hosting" we mean managing the physical servers (think Dell blade computers, for instance) that these websites ran on top of. Each website was essentially a SaaS application for each agency: you would sign in, get intelligence, upload data, etc. Because the source code was dumped, we also know that Netsential developed the applications themselves.

The below result shows an interesting award from former FBI director Robert Mueller to Stephen Gartrell of Netsential. It is one of the few records of this company available anywhere. Interestingly, this result appears to have been deindexed by Google, and was only sent to us by another researcher.

Netsential seem to do quite a bit; developing software and managing data center servers isn't an easy business.

Things get very concerning though when we look at Passive DNS records and WHOIS data for Netsential. Below is a screenshot from the wonderful service, SecurityTrails.com, that brilliantly aggregates this - and more services like Certificate Transparency logs - in a single dashboard.

Had we been able to use Farsight Security this week, I'm sure the data would have been even better. Another post will follow with data from that company, whose founder helped co-invent the DNS over three decades ago.

Also, by extracting all of the domain names from the name servers Netsential ran (ns1.netsential.com and ns2.netsential.com), it seems their only customers were government law enforcement agencies across local, state, and federal groups. The full list can be viewed below or at this link.

The two Netsential name servers from which all websites they hosted were extracted. This screenshot also shows their ownership by the "YHC Corporation". Netsential was first recorded August of 2008, but could have existed before.

Netsential, in turn, was part of the YHC Corporation, according to the WHOIS data they would have filed and which is on record with ICANN.

So in addition to having what looks like one owner (YHC), they also have what looks like a single customer, law enforcement intelligence groups/fusion centers. And Netsential has almost as little about it on the internet as YHC. What is going on here?

A 2013 Hack That Came From Netsential Servers

As a quick aside, this isn't the first time Netsential has been implicated in malicious events.

The IP address 104.244.30.220, part of a whole /22 block Netsential owns, was implicated in several hacks - after the Snowden leak as well, we should mention. So this wasn't the original reason the NSA targeted them.

A manual whois query made from the Terminal showing Netsential ownership of the 104.244.28.0/22 block.

A screenshot from the service BGPview.io

This is partly documented here on an Otava blog post titled "Recommendations To Combat CryptoLocker Malware". Netsential's name turns up, along with the National Fusion Center Association.

Netsential was a Fraud Meant to Conceal Illegal Actions

First, Netsential is a front company meant to hide law enforcement data, but particularly Department of Homeland Security data, from legislative bodies and American citizens.

That is the only reason they would have had to forgo vastly cheaper options with dozens more features, such as AWS, Azure, or even the San Antonio, Texas based Rackspace. Any reason they had would be deception based.

I should also mention at this point that, at most points in the last decade, it was illegal to host this data with Netsential because of something known as "CJIS". More on this later though.

Again, all the classic signs of fraud are there. Obviously different companies could have been chosen that would have been much better solutions, less expensive, and definitely more clearly lawful. A single major customer. A single owner that in turn likely has another owner (a chain of shell companies, essentially). And so on.

Anytime DHS has been asked to hand over records, they don't hand over Netsential records. And they never will. The fact that a certain government agency has hidden (via robots.txt) an award presented to the owner of Netsential in 2011 by a major figure in the Justice Department is not a good sign. We will post this later.

We're not going to write a 90 page Department of Justice indictment here on the fraud angle. And when we say fraud, we mean more that it is defrauding others out of political power. Some form of financial deception is certainly here, but do not get distracted by it. It is a kind of fraud nonetheless, and the forensic evidence we leave to others. Finally, we aren't going to waste time entertaining opinions that these risks and sacrifices would have been made by those with good intentions. We hate to be this direct and aggressive with our language, but you would be either a fool or a shill, and certainly not a good engineer, to think this.

Netsential Was Illegally Hosting Data Because of CJIS:

First, we know a lot about CJIS, having directly managed thousands of servers for the Department of Information Resources in Texas. DIR provides IT for all 37 State of Texas agencies, and about 40% of all machines. This includes working with AWS Gov Cloud, Azure Gov Cloud, and the now Atos-managed data centers in Austin and San Angelo.

In fact one of our founders, Dan Ehrlich, lives less than a mile from the only CJIS-compliant data center in all of Texas, Azure South.

This section we will update later to document in excruciating detail why they were not in CJIS compliance, which is a very big deal. Part of the reason for Azure South was to be a CJIS-compliant cloud - the very first, in fact - and to have it in Texas, a state with a very large prison population.

One part of CJIS compliance they did have though: logging of all IPs that ever accessed their data, stored in detail in CSV and Microsoft Word files. We will leave it to others to make fun of this quite awful engineering decision, and we will grant that maybe, at one time, this was done as an attempt to be "sort of" in CJIS compliance, which requires audit trails.

Of course these same logs could now also be used as evidence against Netsential to show a wide array of successful hacking attempts from across the world, consistent access from different government agencies, and exfiltration of all of their data - repeatedly - to a major foreign power the US stands in opposition to. This data will be analyzed in either the third or fourth post in this series. Some screenshots below have been posted as brief proof of their extensiveness and detail. We want to emphasize our deep respect for law enforcement, many of whom have served or co-serve in the military. They can write us at zephyrus@12security.com and we will respond to any at least partially reasonable sounding takedown requests within the hour.
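The kind of review an auditor would run over such a CSV access log (per-source event counts, first and last seen, downloads, and whether the source sits outside the networks users are expected to connect from), together with the CIDR membership check behind a whois-style "is this address in that /22" question from the aside above, as an added example. This is not Netsential's code and none of its data is from the leak: the log rows, column names and the expected-network allowlist are constructed here, and the client addresses are taken from documentation ranges.

```python
"""
Audit-trail review over a CSV access log (added example, not Netsential's code).

Assumptions (all constructed for this example):
  - columns: timestamp,source_ip,user,action,path
  - EXPECTED_BLOCKS holds the address ranges from which legitimate users
    are expected to connect; anything else is reported as unexpected.
"""
import csv
import io
import ipaddress
from datetime import datetime

# Constructed sample log. The client addresses are documentation ranges
# (RFC 5737 / RFC 3849), not real systems.
SAMPLE_LOG = """timestamp,source_ip,user,action,path
2020-06-01T08:02:11Z,198.51.100.17,analyst1,login,/portal/login
2020-06-01T08:05:40Z,198.51.100.17,analyst1,download,/reports/weekly.pdf
2020-06-01T23:14:02Z,203.0.113.9,admin,login,/portal/login
2020-06-01T23:14:05Z,203.0.113.9,admin,download,/export/all_users.csv
2020-06-02T02:41:55Z,203.0.113.9,admin,download,/export/all_cases.csv
2020-06-02T09:00:00Z,2001:db8::1234,analyst2,login,/portal/login
"""

# Constructed allowlist: the agency network expected to reach the portal.
EXPECTED_BLOCKS = [ipaddress.ip_network("198.51.100.0/24")]


def in_block(ip, cidr):
    """True if `ip` falls inside `cidr`; works for IPv4 and IPv6 alike."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def parse_log(text):
    """Parse the CSV text into row dicts with a real datetime in 'timestamp'."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["timestamp"] = datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        rows.append(row)
    return rows


def summarize(rows, expected=EXPECTED_BLOCKS):
    """Per-source summary: event count, download count, first/last seen, and
    whether the address lies outside every expected block."""
    summary = {}
    for row in rows:
        ip = ipaddress.ip_address(row["source_ip"])
        entry = summary.setdefault(str(ip), {
            "count": 0,
            "downloads": 0,
            "first_seen": row["timestamp"],
            "last_seen": row["timestamp"],
            # a v6 address is never inside a v4 network, so it is unexpected here
            "unexpected": not any(ip in net for net in expected),
        })
        entry["count"] += 1
        if row["action"] == "download":
            entry["downloads"] += 1
        entry["first_seen"] = min(entry["first_seen"], row["timestamp"])
        entry["last_seen"] = max(entry["last_seen"], row["timestamp"])
    return summary


def flagged_sources(rows, expected=EXPECTED_BLOCKS):
    """Unexpected sources that pulled at least one file, most downloads first.
    Returns a list of (ip, summary_entry) pairs."""
    summary = summarize(rows, expected)
    hits = [(ip, e) for ip, e in summary.items() if e["unexpected"] and e["downloads"] > 0]
    return sorted(hits, key=lambda kv: kv[1]["downloads"], reverse=True)


if __name__ == "__main__":
    for ip, e in flagged_sources(parse_log(SAMPLE_LOG)):
        print(f"{ip}: {e['downloads']} downloads, "
              f"{e['first_seen'].isoformat()} .. {e['last_seen'].isoformat()}")
```

The "login followed by bulk export at an odd hour from an address no agency uses" pattern is exactly what an audit trail exists to surface; the allowlist is the part a real deployment would have to populate from its own records, and a production version would read the files from disk rather than an inline string.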

The NSA Datacenter Right By Netsential

The fact that the NSA was so heavily targeting Netsential is very curious to us.

Azure South, a far better option where all this data could have been hosted, is of course also known as "NSA South". It is the 5150 Roger's Road, San Antonio, Texas Data Center. Since the NSA realized in the early 2000s how devastating an attack on the power grid would be, they have built data centers across the country that help to process their massive data stores along with providing alternative electricity sites. Texas not only has a separate electrical grid from all other states, it has some of the lowest electricity costs in the nation. When breaking a 2048-bit RSA key can cost (at one time) something like $1,000 a break, these costs add up quickly.

A screenshot from James Bamford's book "The Shadow Factory"

The 5150 Roger's Road Data Center. Also known as "NSA South"

What is most interesting to us, however, is that Netsential comes online seemingly right around when the data center is first confirmed in the news. The first A record for Netsential we could pull from DNS is from August 2008, a little over 18 months after the official announcement from the City of San Antonio and only about 6 months from when the shovel first hit the dirt in Central Texas.

Two more asides. Back then in 2008 their main IP address for Netsential.com was in the 209.0.0.0/8 space. This is very curious for a reason that a later blog post will get into. As a hint though it has something to do with the National 911 system as well as government SaaS providers like Granicus, GovDelivery, and Gov-I. That single /8 block is among the most contested on the internet, and has been for some time.

We should also note that where they host now, in 104.0.0.0/8, has long been associated with organized crime due to the large sections of it that Cloudflare owns. We'll just note that and move on.

Conclusion

  • Netsential was the victim of a major hack and subsequent document release last week. These documents can be viewed partially here: blueleaks.io
  • Netsential is a company in Houston that developed applications and hosted them on the internet for hundreds of DHS, Law Enforcement, Department of Justice, and DEA intelligence sites.
  • The lack of history behind this provider and the lack of CJIS compliance (which now jeopardizes perhaps tens of thousands of criminal cases) strongly suggest fraud.
  • That Netsential and their equally mysterious owner, YHC Corporation, were one of the top NSA targets in North America at the time of the Edward Snowden leak is extremely damning. Their extensive IP records, which they kept commingled with police data, now suggest broad hacking from a variety of major nation states nearly continuously for the last few years.

Next Time

  • The Chinese Communist Party and their connection to CalCop.org, Fishtech.group, BlueLeaks, and BellTrox - WAYTITAN. Hint: look at the final screenshot
  • The extensive hacking of the .gov TLD over the last 18 months along with .gov.au and Microsoft.