Netsential and Data Foundry

Were backdoors purposely placed in Netsential code? Is Data Foundry a front organization for the Chinese government? Why were officials from the Chinese embassy in Washington and security departments in mainland China visiting DHS fusion centers at one time?

In previous posts we've talked about Netsential and how they constructed the websites for all of the DHS Fusion Centers.

Data Foundry, though, was the data center company that ran the computer server that literally hosted the 200+ websites.

Data Foundry has a few sister companies: Giganews, VyprVPN, Golden Frog, and Outfox.

The main claim these previous posts make, together with this one, is that Data Foundry is a front company for the Chinese government and military. Either in collaboration with or through deceit they managed to get Netsential to allow them to host all of the DHS Fusion Centers for the last decade.

There is so much to do currently at 12 Security and with the clients we are engaged with, so the following paragraphs will just be a quick roll of the evidence. Future posts will organize this into a more coherent narrative, but at the very least these should raise substantial questions.

OSINT Evidence Pieces That We Currently Are Disclosing:

Golden Frog / VyprVPN, sister companies of Data Foundry, have significant Chinese presence

Golden Frog / VyprVPN, the sister company of Data Foundry, has a significant China presence.
Again Golden Frog / VyprVPN, a sister company of Data Foundry, has a significant China presence.

Chinese Embassy and Data Foundry proximity:

Below is a map that shows the distance between the first Data Foundry data center, constructed in 1999, and the Chinese Consulate in Houston. Recently this consulate was implicated in a significant espionage case and the United States took the unusual and dramatic step of ordering it to close.

4.88 miles between the Data Foundry's Houston-1 data center (left), their original first property, and the Chinese Consulate in Houston (right).

DataFoundry,, and YHC Corporation are all the same company as well:

Covered in a previous post - YHC Corporation is a front company / cut-out for Data Foundry. They technically own the IP subnetworks that Netsential was hosting under. 

Netsential web server globals file:

This is a major file and very important screenshot that I am doing no justice by posting in the middle of this post randomly. It is likely one of the most important pieces of evidence from the entire #BlueLeaks dump.

First, what does this file, global.asax, do? It is present in the configuration for every single Fusion Center, and dictates how the website for that Fusion Center will run and overrides all other configuration points. The screenshot below contains source code that is exactly the same, save one or two lines, for all of the centers that were part of the #BlueLeaks dump.

We have highlighted two blocks of source code. The first block you see, at about the middle of each line, contains two IP address blocks. We will return to these in a post. For now all we will say is that they tie in a very unusual company out of Orem, Utah known as Security Metrics.

The second block of lines, about five total, all have websites from the Chinese internet listed in them.

What does it mean? What would it have done to the code? Were the sites hacked?

First you have to know that every time you send a web request via your browser, you also pass along variables known as HTTP Headers. These help the server process your data and send back a correct response for the computer you are using.

Second, anyone who knows the history of the Windows operating system will realize we are simplifying a little bit and giving a more "Linux-esque" answer, but that should be fine for the majority of our audience.

Finally, and for the real answer, this is a "backdoor". If one manually edited the HTTP Headers their browser was sending to specific values that were placed in this file, they would be passed through the firewall and into specific sections of the site. Additionally, this access would not be logged by the system.

We will pick this thread up again later in future writings where we actually deploy these sites on a Windows 10 Pro computer running IIS.
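An added example, not code from the original post or from the leaked file: a small Python audit that flags the pattern described above in ASP.NET source, where a value read from the request (an HTTP header or server variable) is compared against a hard-coded literal. The sample handler, its addresses and its hostname are constructed placeholders, and `audit` is a hypothetical helper name.

```python
import re

# Constructed sample in the style of a global.asax request handler.
# It is NOT the leaked file; addresses and hostname are documentation placeholders.
SAMPLE_GLOBAL_ASAX = '''
void Application_BeginRequest(object sender, EventArgs e) {
    string ip = Request.ServerVariables["REMOTE_ADDR"];
    string referer = Request.Headers["Referer"];
    if (ip.StartsWith("192.0.2.") || ip == "198.51.100.7") { return; }
    if (referer != null && referer.Contains("partner.example.org")) {
        Context.Items["SkipAuth"] = true;
    }
    LogRequest(ip);
}
'''

# A value read from the request: Request.Headers["X"] or Request.ServerVariables["X"].
SOURCE = re.compile(r'Request\.(?:Headers|ServerVariables)\s*\[\s*"([^"]+)"\s*\]')
# A local variable assigned from a Request.* expression.
ASSIGN = re.compile(r'\b(\w+)\s*=\s*(Request\.[^;]+);')
# A variable compared against a string literal (operator or string method).
COMPARE = re.compile(
    r'\b(\w+)\s*(?:==|!=|\.(?:StartsWith|EndsWith|Contains|Equals)\s*\()\s*"([^"]+)"')
IPV4_PREFIX = re.compile(r'^\d{1,3}(?:\.\d{1,3}){0,3}\.?$')

def audit(source):
    """Return (line, request_source, kind, literal) for each hard-coded comparison."""
    tainted, findings = {}, []
    for lineno, line in enumerate(source.splitlines(), 1):
        assigned = ASSIGN.search(line)
        if assigned:
            src = SOURCE.search(assigned.group(2))
            if src:
                # Remember which request field this variable carries.
                tainted[assigned.group(1)] = src.group(1)
        for var, literal in COMPARE.findall(line):
            if var in tainted:
                kind = "ip-literal" if IPV4_PREFIX.match(literal) else "string-literal"
                findings.append((lineno, tainted[var], kind, literal))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_GLOBAL_ASAX):
        print("line %d: %s compared to %s %r" % finding)
```

Each finding is a lead for manual review rather than proof of a backdoor, since a legitimate allowlist produces the same pattern; what matters is whether the matching branch skips authentication or logging.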

The source code for the global.asax file that each Fusion Center site had and which contained several backdoors

Brief Analysis of Fusion Center server log files:

Log files showing access to the Atlanta HIDTA from China. We will go much more in depth on this in another post.
More logs showing connections from China. The IP space is based in mainland China.
Many government officials were aware of the existence of these Fusion Centers and at one time even used the Netsential website to register for events.
Individuals working for the Chinese embassy in Washington D.C. have worked with these DHS Fusion Centers in the past.
As shown in previous posts, IPs that resolve back to Netsential websites have a history of being reported for malicious, random hacking behavior.
What appears to be part of the gun registry various Fusion Centers were attempting to build. Here is a screenshot of a section of the San Francisco Fusion Center's database files.
Screenshot from a larger PDF of gun data that the MIACX Fusion Center in Missouri was building off of
Why would LinkedIn recommend the above FBI Citizen Academies alongside Golden Frog and Data Foundry?

Leninist-Marxist Facebook Groups:

Communist agents living and working in the US while constantly hacking it from abroad was never a thesis statement anyone at 12 Security would have made, or even considered, two years ago. However, we end this blog post by sharing active Leninist-Marxist groups, and even one North Korean Juche group, recruiting in the US on Facebook. Fascinating to look at: