Handout B: Command & Control (C2) Connection Log
Firewall egress log showing persistent outbound HTTPS connections to Gh0st RAT command and control servers. These connections allowed remote attackers to maintain access and exfiltrate data over weeks.
Firewall Egress Connection Log
Firewall Egress Log - HTTPS Outbound Connections (Port 443)
Embassy Network Perimeter
Log Period: March 14 - April 30, 2009
Source IP | Source Port | Destination IP | Dest Port | Protocol | Duration | Bytes Out | Bytes In | Status | Comments
--------------|-------------|----------------|-----------|----------|-----------|-----------|----------|--------|------------
192.168.1.27 | 52341 | 219.145.116.65 | 443 | TLS/1.0 | 3:24 hrs | 2.1 MB | 4.8 MB | EST | [INITIAL INFECTION]
192.168.1.27 | 52342 | 219.145.116.65 | 443 | TLS/1.0 | 25 min | 180 KB | 1.2 MB | EST | [COMMAND RECEIVED]
192.168.1.27 | 52343 | 219.145.116.72 | 443 | TLS/1.0 | 14:02 | 14.3 MB | 18.2 MB | EST | [DATA EXFIL PHASE 1]
[... continuing March 15-17 ...]
192.168.1.27 | 52567 | 219.145.116.68 | 443 | TLS/1.0 | 15:30 hrs | 3.2 MB | 8.1 MB | EST | [PERIODIC BEACON]
192.168.1.27 | 52568 | 219.145.116.68 | 443 | TLS/1.0 | 48 min | 420 KB | 2.4 MB | EST | [DATA EXFIL PHASE 2]
192.168.1.27 | 52569 | 219.145.116.68 | 443 | TLS/1.0 | 6:15 hrs | 7.8 MB | 12.1 MB | EST | [LARGE FILE TRANSFER]
[... continuing March 18-31 ...]
192.168.1.27 | 52890 | 219.145.116.70 | 443 | TLS/1.0 | 22:45 hrs | 18.4 MB | 31.2 MB | EST | [SUSTAINED C2 SESSION]
192.168.1.27 | 52891 | 219.145.116.70 | 443 | TLS/1.0 | 8:12 hrs | 5.6 MB | 9.3 MB | EST | [ARCHIVE/BACKUP TRANSFER]
192.168.1.27 | 52892 | 219.145.116.70 | 443 | TLS/1.0 | 12:30 | 2.1 MB | 5.8 MB | EST | [C2 COMMAND POLLING]
[... continuing April 1-30 ...]
192.168.1.27 | 53100 | 219.145.116.65 | 443 | TLS/1.0 | 6:48 hrs | 1.2 MB | 2.9 MB | EST | [FINAL SESSION - MARCH 31]
192.168.1.27 | 53101 | 219.145.116.66 | 443 | TLS/1.0 | 48 hrs | 4.3 MB | 11.2 MB | EST | [APRIL CONTINUOUS SESSION]
192.168.1.27 | 53102 | 219.145.116.72 | 443 | TLS/1.0 | 72 hrs | 9.8 MB | 24.6 MB | EST | [APRIL SUSTAINED - BEFORE DISCOVERY]
IM NOTES (Do Not Show to Players): Key forensic observations:
Multiple C2 Servers: Connections to different IPs (219.145.116.65, 68, 70, 72) suggest the attacker used multiple C2 nodes for redundancy and load distribution. All are in Hainan Province, China.
Persistent Connections: Rather than rapid on/off access, Gh0st RAT maintained multi-hour connection sessions. This "low and slow" approach avoids triggering threshold-based network alerts.
HTTPS Encryption: All traffic is encrypted over TLS 1.0, which by itself is legitimate and expected for secure communication. What should have been suspicious is sustained encrypted traffic from an internal host to unfamiliar external IPs (219.145.116.x).
Data Exfiltration Volume: Notice the pattern of small outbound transfers (commands) and large inbound transfers (stolen data). Phase 1 shows 14.3 MB exfiltration in one session, Phase 2 shows 7.8 MB, etc.
Sustained Access: The attacker maintained connections from March 14 (infection date) through end of April (discovery date). This is 6+ weeks of persistent unauthorized access.
Command Polling: Regular small transfers (2.1 MB out, 5.8 MB in) suggest the attacker was polling for commands and downloading results.
This demonstrates the patience of APT operations: slow, methodical, sustained access rather than smash-and-grab attacks.
C2 Server Analysis
GhostNet Command & Control Infrastructure (Reconstructed)
Primary C2 Servers (All hosted in Hainan Province, China):
219.145.116.65 - Primary controller (active March 14-17)
ASN: AS23724 (China Netcom Group)
Hosting Provider: Hainan Telecom
Reverse DNS: [none]
Services: Malware C&C, data staging
Uptime: ~99% (well-maintained infrastructure)
Traffic Pattern: Initial infection coordination
219.145.116.68 - Secondary controller (active March 18-31)
ASN: AS23724 (China Netcom Group)
Hosting Provider: Hainan Telecom
Services: Command distribution, response collection
Peak Concurrent Sessions: 50+ simultaneous infected hosts
Traffic Pattern: Operational commands, status polling
219.145.116.70 - Data staging server (April 1-30)
ASN: AS23724 (China Netcom Group)
Hosting Provider: Hainan Telecom
Services: Large file transfer, data archival
Estimated Storage: Terabytes of exfiltrated data
Traffic Pattern: Massive inbound exfiltration (diplomatic files)
219.145.116.72 - Backup/redundancy (throughout period)
ASN: AS23724 (China Netcom Group)
Hosting Provider: Hainan Telecom
Services: Failover controller, continuous monitoring
Traffic Pattern: Sustained low-level beaconing
Operational Pattern:
- Attackers rotate between C2 servers
- If one server is disabled, traffic shifts to next
- All servers maintained by same provider in same region
- Suggests organized operation with resource commitment
- Estimated ~1,295 infected computers globally; each maintained for weeks
IM NOTES (Do Not Show to Players): Historical context from Citizen Lab:
Hainan Province Hosting: All GhostNet C2 servers were located in Hainan, China, a region with significant telecommunications infrastructure but limited law enforcement oversight.
Shared Infrastructure: All servers use the same ISP (China Netcom) and hosting provider (Hainan Telecom). This suggests close coordination and points toward state-level infrastructure access (not civilian hackers).
Concurrent Infections: The C2 infrastructure suggests hundreds of simultaneously controlled infected hosts, consistent with the 1,295 computers documented by Citizen Lab's analysis.
Professional Management: The rotation between servers, failover mechanisms, and sustained uptime indicate professional infrastructure management. This is not a hastily assembled botnet; it's a carefully maintained intelligence operation.
Attribution Implications: While attribution is never definitive, the infrastructure, targeting pattern (Tibetan organizations and foreign ministries), and coordination point toward a nation-state actor with interest in Tibet and geopolitical intelligence gathering.
Citizen Lab's report explicitly discusses the infrastructure and concludes it's consistent with Chinese state-sponsored activity, though they emphasize that technical attribution has limits.
Key Discovery Questions
- What is suspicious about outbound HTTPS traffic to unfamiliar IP addresses?
Legitimate business traffic typically goes to known vendors (Microsoft, Google, etc.). Regular encrypted outbound traffic to obscure IP addresses in unknown geographic locations should trigger network monitoring alerts.
- Why would an attacker maintain persistent connections for weeks rather than downloading everything at once?
Multiple reasons:
- Avoid Detection: Sustained low-rate exfiltration is less noticeable than massive downloads
- Data Integrity: Files can be verified and retransmitted if corrupted
- Operational Flexibility: New targets can be identified and compromised while maintaining access
- Backup Redundancy: Large files can be stored on multiple C2 servers
- Intelligence Collection: New data can be prioritized based on what the operator wants next
- How would traditional firewall rules have detected this traffic?
Outbound HTTPS traffic is generally allowed (needed for legitimate business). But:
- Whitelisting would block unknown C2 servers
- Behavioral analysis might flag sustained connections to unknown servers
- DNS monitoring would show suspicious domain lookups (if not using IPs directly)
- Egress filtering of high-volume transfers would catch large exfiltration
- But in 2009, most organizations didn't have these capabilities
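As an added example (not part of the handout), the whitelisting, sustained-connection and high-volume controls listed above implemented as a small Python screen over rows in this log's own column layout; the allowlist prefixes and thresholds are constructed placeholders, and "Bytes Out" is taken to mean bytes leaving the embassy perimeter.

```python
from collections import defaultdict
# Constructed sample: rows copied from the handout's log above, in its own column layout.
SAMPLE_LOG = """\
192.168.1.27 | 52341 | 219.145.116.65 | 443 | TLS/1.0 | 3:24 hrs | 2.1 MB | 4.8 MB | EST | [INITIAL INFECTION]
192.168.1.27 | 52342 | 219.145.116.65 | 443 | TLS/1.0 | 25 min | 180 KB | 1.2 MB | EST | [COMMAND RECEIVED]
192.168.1.27 | 52343 | 219.145.116.72 | 443 | TLS/1.0 | 14:02 | 14.3 MB | 18.2 MB | EST | [DATA EXFIL PHASE 1]
192.168.1.27 | 53102 | 219.145.116.72 | 443 | TLS/1.0 | 72 hrs | 9.8 MB | 24.6 MB | EST | [APRIL SUSTAINED - BEFORE DISCOVERY]
"""
KNOWN_GOOD_PREFIXES = ("13.107.", "142.250.")  # hypothetical egress allowlist, constructed

def parse_hours(text):
    """Normalise the log's mixed Duration formats: '3:24 hrs', '14:02', '25 min', '48 hrs'."""
    t = text.replace("hrs", "").strip()
    if t.endswith("min"):
        return float(t[:-3]) / 60
    if ":" in t:
        h, m = t.split(":")
        return int(h) + int(m) / 60
    return float(t)

def parse_mb(text):
    num, unit = text.split()  # '180 KB' -> 0.18, '14.3 MB' -> 14.3
    return float(num) / 1024 if unit == "KB" else float(num)

def data_rows(log_text):
    for line in log_text.splitlines():
        if line and not line.startswith("["):  # skip blanks and '[... continuing ...]' markers
            f = [c.strip() for c in line.split("|")]
            yield {"dst": f[2], "hours": parse_hours(f[5]), "out_mb": parse_mb(f[6]), "note": f[9]}

def flag_sessions(log_text, max_hours=4.0, max_out_mb=10.0):
    """Apply the allowlist, long-session and high-volume checks; return (dst, reasons) per hit."""
    findings = []
    for r in data_rows(log_text):
        reasons = []
        if not r["dst"].startswith(KNOWN_GOOD_PREFIXES):
            reasons.append("destination not on egress allowlist")
        if r["hours"] > max_hours:
            reasons.append(f"session held open {r['hours']:.1f} h")
        if r["out_mb"] > max_out_mb:
            reasons.append(f"{r['out_mb']:.1f} MB left the perimeter in one session")
        findings.append((r["dst"], reasons))
    return [f for f in findings if f[1]]  # keep only rows that tripped at least one rule

def out_mb_per_subnet(log_text):
    """Sum outbound MB by destination /24; one busy unfamiliar range is the clustering clue."""
    totals = defaultdict(float)
    for r in data_rows(log_text):
        totals[r["dst"].rsplit(".", 1)[0] + ".0/24"] += r["out_mb"]
    return dict(totals)
```

Every sample row trips the allowlist rule, and the exfiltration rows additionally trip the session-length and volume rules, which is the layered signal the question above is asking players to look for.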
IM Facilitation Notes
This handout shows:
- Patient, sustained C2 access patterns
- Low-and-slow data exfiltration to avoid detection
- Redundant C2 infrastructure for resilience
- Multi-week compromise duration typical of APT operations