Recently there was an article in the Washington Post that pledged to explain a mysterious "shake up" in the global internet's IPv4 address distribution. The fact that such an article would appear simply to inform us, the reading public, about a major BGP routing change to dormant military networks was immediately suspicious.
Technical articles in general over the last decade have preyed on a non-technically informed public. Essentially they can say whatever they want without anyone to correct them save a few lone sysadmins. We also see, more and more, the pattern of the "cover-up article". Some event happens and people start asking questions. So to get in front of it, several articles will be published almost in unison to "explain" to the public what is going on.
An AP News article on the same topic, I think, demonstrated a great deal more skepticism and serious, pointed inquiry than the Washington Post did, and that investigation can be found below:
AS8003 - an overview:
The following is a screenshot of AS8003, the network which holds all the IPv4 addresses referenced in the above Washington Post article.
You can infer a lot about a network from whom it connects to, and in this case AS8003 interfaces with only one other peer: the infamous Hurricane Electric of Fremont, California. We previously wrote about the folks at HE.net when we called them a "transcontinental criminal fiber network".
The website BGPview also provides a good set of details for this network.
Again, by checking the image below, you can see just how large this network is compared to... well, anything else.
AS8003 - some domains:
What might be hosted within AS8003, you might ask? It's not exactly clear, but below I have attached a screenshot of the Top 100 (by Alexa rank) websites that appear to resolve within that range.
We can see lots of Chinese companies below, as indicated by the fact that many of them literally have their company registered names in Chinese characters.
We are told that the company Global Resource Systems, LLC is behind this change. I find that very interesting as they have a name that sounds a lot like Chinese front companies I've encountered over the years (they always go for the words "international", "global", or "worldwide"). More to the point, the address, so close to the water, near Cuba, in a place without significant data center resources (comparatively) is beyond weird.
Miami/Palm Beach, much like Long Island, has been a major focal point of espionage for decades and is an incredibly dangerous place to put anything that sensitive. Dozens of good data center options were possible instead along the 41st parallel, the Chicago fiber superhub, or data center alley in Ashburn, VA. Why here?
The Washington Post article that began this blog post mentioned that Global Resource Systems, LLC doesn't have a website. That is partially true. But they do have a domain, "grscorp.com", and that leads to some interesting DNS records.
A records for the site, which no longer exist, have bounced around quite a bit. If this is truly a secret DoD cyber company, then one assumes it's a shelf company that they've been in control of for some time, which makes the bouncing around below even weirder:
Lastly, I want to add that the DNS NS record for GrsCorp.com points to udns1.ultradns.net. Only about 13-14k other sites use that name server, which is actually a small number. See below for some of the largest name servers on the internet:
If we run a reverse NS check on that particular name server GrsCorp.com is using, we find something that makes it hard for me to believe anyone actually connected to the military uses this:
In the AP News article that was linked to at the very beginning of this post, it is mentioned that Tidewater Laskin Associates is registered to one Raymond Saulino (who was previously written about a decade ago in this Wired article). Below is an excerpt providing some excellent background:
The only name associated with it on the Florida business registry coincides with that of a man listed as recently as 2018 in Nevada corporate records as a managing member of a cybersecurity/internet surveillance equipment company called Packet Forensics. The company had nearly $40 million in publicly disclosed federal contracts over the past decade, with the FBI and the Pentagon’s Defense Advanced Research Projects Agency among its customers.
That man, Raymond Saulino, is also listed as a principal in a company called Tidewater Laskin Associates, which was incorporated in 2018 and obtained an FCC license in April 2020. It shares the same Virginia Beach, Virginia, address — a UPS store — in corporate records as Packet Forensics. The two have different mailbox numbers. Calls to the number listed on the Tidewater Laskin FCC filing are answered by an automated service that offers four different options but doesn’t connect callers with a single one, recycling all calls to the initial voice recording.
Saulino did not return phone calls seeking comment, and a longtime colleague at Packet Forensics, Rodney Joffe, said he believed Saulino was retired. Joffe, a cybersecurity luminary, declined further comment. Joffe is chief technical officer at Neustar Inc., which provides internet intelligence and services for major industries, including telecommunications and defense.
If we check the DNS records for the site of Tidewater Laskin Associates, though it has no A record (and thus won't render a website), we still find NS and MX records. And in fact the NS record, udns1.ultradns.net, is the same as that for GrsCorp.com.
What is interesting, and provides new information, is the mail server (MX record) that Tidewater is using, mxout.net. It is apparently shared by over 20 other domains as well. These are all likely connected to a single network of front companies.
It should be noted that as of only a couple of years ago mxout.net was being hosted in core Russian telecom IP space. While this blog is mostly focused on Chinese related cyber-espionage, we would be remiss not to mention it:
Based on historical reverse WHOIS records, we can tell that whoever runs GRS also controls WhiteDelivery.com. This is backed up by the fact that, before it was edited out a few months ago, the DNS TXT records of GrsCorp.com contained a reference to 18.104.22.168/24, a network owned by "White Delivery".
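The pivots used above (the reverse NS check on udns1.ultradns.net, the domains sharing the mxout.net mail host, and the CIDR reference in the old GrsCorp.com TXT record) can be scripted once the records are collected. The following is an added example, not code from the original post: it works over a constructed, inline record set (the Tidewater Laskin domain and the "frontco" domains are placeholders, since the post does not name them) rather than performing live lookups.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample data (not real lookups): domain -> {record type: values}.
# Hostnames and the /24 from the post are kept; other names are placeholders.
RECORDS = {
    "grscorp.com": {"NS": ["udns1.ultradns.net"], "MX": [],
                    "TXT": ["v=spf1 ip4:18.104.22.168/24 -all"]},
    "tidewaterlaskin.example": {"NS": ["udns1.ultradns.net"],
                                "MX": ["mxout.net"], "TXT": []},
    "frontco-1.example": {"NS": ["ns1.other.example"], "MX": ["mxout.net"], "TXT": []},
    "frontco-2.example": {"NS": ["ns1.other.example"], "MX": ["mxout.net"], "TXT": []},
    "unrelated.example": {"NS": ["ns1.other.example"],
                          "MX": ["mail.unrelated.example"], "TXT": []},
}

CIDR_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})\b")


def _norm(host):
    return host.lower().rstrip(".")


def invert(records, rtype):
    """Reverse index for one record type: host -> sorted domains pointing at it."""
    idx = defaultdict(set)
    for domain, recs in records.items():
        for host in recs.get(rtype, []):
            idx[_norm(host)].add(domain)
    return {h: sorted(d) for h, d in idx.items()}


def shared_with(records, domain, rtype):
    """Other domains sharing at least one NS/MX host with `domain` (the reverse check)."""
    idx = invert(records, rtype)
    out = set()
    for host in records[domain].get(rtype, []):
        out.update(idx.get(_norm(host), []))
    out.discard(domain)
    return sorted(out)


def cidrs_in_txt(records, domain):
    """CIDR blocks mentioned in a domain's TXT records (e.g. SPF ip4: entries).
    strict=False so host bits such as .168/24 are accepted and masked off."""
    return [ipaddress.ip_network(m, strict=False)
            for txt in records[domain].get("TXT", []) for m in CIDR_RE.findall(txt)]


def txt_references_ip(records, domain, ip):
    """True if any CIDR in the domain's TXT records contains `ip`."""
    return any(ipaddress.ip_address(ip) in net for net in cidrs_in_txt(records, domain))
```

Feeding real records (from passive DNS or direct lookups) into RECORDS turns the same functions into the clustering the post performs by hand.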
What is Going On Here?
We had hoped to write more in this section and continue this blog post further. For now, due to the needs of another series we are working on, we will say this. We are skeptical that this is a legitimate DoD network. It very much could be, and perhaps there are deeper political forces and motivations than we are aware of, but we think not. There have been past complaints about Army Cybercom that we have heard, and that, along with the amateurish setup of this entire ASN, leads us to suspect that someone got caught doing something and tried to make a rush job of covering things up during the presidential transition. We saw the exact same thing with ICANN transferring control away from the United States a month before the 2016 election four years ago. We suspect something similar is afoot.