It comes mainly from mapping the subdomains over time and analysis of the ASNs. This is key. You will often see a company with perhaps 200 or so subdomains, that only does business in the United States.
But then you will see one subdomain that maps to ASN 4803 or whatever, which then leads to “China Telecom xinjiang”. In fact I encourage you to type:
org:”China Telecom xinjiang” “NSFOCUS” into Shodan.
Also look at the capital expenditures psychz.net claims on their about page. There is no IaaS company in the world that can afford to lay down as much hardware as they are claiming.
Another thing btw is these sites never seem to have job openings. That is common pattern that applies to perhaps 60% of the firms listed.
So you're saying "typical intelligence analyst stuff" is the reasoning here?
Generally analysts produce questions which operations runs down to figure out if what they think is going on, is actually going on.
Correct me if I'm wrong here but you're basically saying that you have done the first part and found some suspicious links but not the second part do develop actual evidence one way or the other, is that a fair assessment?
I am writing this all on a phone and I am more than happy to produce a 5000 word report which will be posted in 96 hours. I will follow up via a comment here and also send to Michael Forsythe at the New York Times for additional review.
Check below for latest update. Wanted to comment so you got notification. My real name is in my profile with my email address so you’ve got me dead to rights on this one.
It’s coming. I’ve got butcher paper on the floor mapping out 2000 ASNs. My wife says I look like one of the detectives tracking down a serial killer with red string. I run my own consulting company, and actually lost my main client due to the above post being interpreted as “anti-China”. That has been an enormous setback.
Anyone can do this research I want to emphasize. Look at any suspicious VPN company. Now look at 10 of them. Now plug some of those names into Shodan.
Bear with me here, but if you then simply Ctrl-F for ASNs with the same name with the same LLCs, you will construct a perfect circle of peering that is an “internet within an internet”. What it seems to be is a poor man’s TOR. While the US gov built a Tor, this is an alternate Dark Web built by someone...you can pass through 1,000 servers on 500 different hosting companies none of which do legitimate business.
(Hope this counts as a mini blog post for now this must be 250 words).
They subcontract their support to India. William Lu is a scammer and a well known liar. He pays people on web hosting forums to keep it quiet about how he scams his customers. The guy has cockroaches in his data center. He has no money and has lost more than half his ip space in the past year. He even got recorded a few months back in a big conference call admitting he lies about everything and charges his customers for services he doesn't even provide. https://www.youtube.com/watch?v=PzHS4E2e8Bg there's also a dope ass diss track about how garbage their service is on there too. https://www.youtube.com/watch?v=mZBWd1Z2yY0
> org:”China Telecom xinjiang” “NSFOCUS” into Shodan.
I'm going to admit I didn't try putting this into Shodan because for whatever reason I don't have access to it right now. But won't this just show a list of servers running a NSFOCUS WAF? How do you connect that to ProtonMail or LeaseWeb?
Are you suggesting they are an "open secret"? EG, They are not "covert", but they are secretive in that they only sell to maybe western intelligence agencies, etc. Could be why they never have real "openings", they got a hot pipeline constantly exiting from the intelligence community looking to make some real money.
Back it up or nothin'.