Surge of attacks

Since mid-November 2014, HKCERT has been monitoring a surge of attacks from a network (AS network number 63854) belonging to a company called ”Hee Thai Limited” which claimed to be located in Hong Kong. The attacks from this network involved at least its 50 IP addresses. The attack pattern is not of a victim network being compromised with a few victim servers on a network being used for attack. It looks as if someone who can control the network is using it to abuse the Internet.

International attentions on Hee Thai Limited

The aggressive way of the attacks caused a surge in the number of incident reports. HKCERT notified 'Hee Thai Limited' of the incident reports but this company did not respond to our requests. By the end of November, this network had caught the attention of international security researchers. HKCERT received reports from at least 5 countries, citing exceptionally high frequency of attack attempts (one IP address of the network had attempted 460,000 times of brute force login according to our information) originated from such network had targeted servers worldwide. FireEye later published a report dedicated to this company: Anatomy of a Brute Force Campaign: The Story of Hee Thai Limited.

Seeking assistance from APNIC

Due to the frequency and broadness of the attack, and also the unresponsiveness of the network owner, we decided to find alternative means to stop the attacks. Actually from the WHOIS information of the AS registrant, we believed that this company did not really operate in Hong Kong, since the registration address is not complete. Since we could not contact the registrant directly, we sought assistance from the Asia Pacific Network Information Centre (APNIC), the organization responsible for assigning AS number and IP address range in the Asia Pacific region and maintaining the WHOIS database¹. We pointed out the flaws in the registration information: region being CN, address being in HK and having a phone number in Cambodia (Figure 1).

Figure 1

At the end of March 2015, APNIC has reclaimed the network assignment of AS63854. It means that this network will disappear from the network assignment database and network providers will not provide routing service for it (Figure 2). Since then, this network disappear from the Internet and we stop receiving reports from other organizations about this network.

Figure 2

Abuse of Internet resources

In recent years, some service providers acquire new AS number by claiming to be located in Hong Kong, but actually use some 'mobile office' address or even an incomplete address like 'Hee Thai'. Though they have provided email address and phone number (usually not Hong Kong number), they are not easily reachable by HKCERT or law enforcement in case of security incidents. This has increased the difficulty of efficiently resolving or containing information security incidents. HKCERT is committed to help ensuring the security the cyber space and protecting the reputation of Hong Kong. This was the first time that HKCERT needs to escalate the incident reports of network security attacks to the APNIC. We will continue to work closely with APNIC to ensure smooth incident response operation in Hong Kong.

Note:

1. https://www.apnic.net/