
Demystifying the NSA's Global Cyberattacks: Hundreds of Millions of Citizens Worldwide Have Their Privacy and Sensitive Information Left "Running Naked"

[Global Times-Global Network report, reporters Fan Lingzhi and Cao Siqi] The Global Times recently learned exclusively from the security company 360 that, since 2008, its 360 Cloud Security Brain has aggregated massive volumes of security data and independently captured a large number of advanced, complex attack tool sets. Through long-term analysis and tracking, on-site forensics at multiple victim organizations, global threat intelligence, and continued follow-up of the Snowden disclosures and the "Shadow Brokers" hacking group's leaks, 360 concluded that a series of attacks on leading companies across multiple industries, sustained for more than a decade, was carried out by the U.S. National Security Agency (NSA).

The Global Times learned that, besides posing serious threats to critical infrastructure such as electric power, water, transportation, and energy, the NSA also treats the telecommunications industry as a key target: over a long period it has spied on and collected large amounts of personal information and industry-critical data held by telecom operators. As a result, a large number of users' identity details, property records, home addresses, and even call recordings face the serious threat of malicious collection, illegal misuse, and transfer abroad. Under NSA surveillance, hundreds of millions of citizens around the world have nowhere to hide their privacy and sensitive information.

The Chinese mainland is one of the NSA's key targets; the number of infected organizations may be on the order of one million

The U.S. National Security Agency is part of the U.S. Department of Defense and specializes in signals intelligence. Its main tasks are to collect information on other countries, expose the communications and liaison activities of foreign intelligence agents, and supply the U.S. government with processed intelligence. For a long time, in pursuit of the U.S. government's intelligence-collection goals, the NSA has mounted large-scale cyberattacks around the world, and the Chinese mainland is one of its key targets.

In 2013, Edward Snowden, a former CIA employee and NSA contractor, exposed the U.S. government's collection of user data to the world and leaked a large number of classified NSA documents on cyber warfare, in what has been described as the worst leak in U.S. history. As a result, concepts such as "cyber warfare" and "national cyber threats" gained worldwide recognition.

Later, in 2016 and 2017, the hacking group "The Shadow Brokers" published samples of cyber weapons used by the NSA, exposing its large-scale, high-risk network attack weapons and supporting components one by one. People at 360 told the Global Times that 360 was among the first security companies in China to deliberately track advanced network threats and that it took the lead domestically in proposing the concept of APT (advanced persistent threat). During this period, relying on the intelligence visibility of its large security data set, the 360 team observed that organizations in every sector had fallen victim to NSA cyber weapons, and it released a range of protective tools, including its EternalBlue defense program and vulnerability patches, to counter attacks using the NSA arsenal.

The Global Times learned that the NSA's attacks on Chinese targets cover the government, finance, research institutes, telecom operators, education, the defense industry, aerospace, health care, and other sectors. Important and sensitive organizations have become the main targets, with the high-tech sector accounting for a relatively large proportion.

360 security experts told the Global Times that the NSA has developed numerous operational plans for surveilling global targets. Through statistical analysis of the configuration fields of the NSA's proprietary Validator backdoor, they estimate that the NSA's potential attack volume against China is very large: "The most conservative estimate of the number of Validator infections alone should be in the tens of thousands; hundreds of thousands or even millions are possible."

The Global Times also learned that, based on the FOXACID server codes described in the classified NSA documents, the NSA can be seen to have launched attacks against 47 countries and regions, including the United Kingdom, Germany, France, South Korea, Poland, Japan, and Iran, affecting 403 targets, with dwell times of up to ten years.

In detail: what are the NSA's cyberattack tactics?

The Global Times learned that the 360 security team assigned the NSA and its affiliates the separate designation APT-C-40 and, together with a number of industry leaders, built an APT advanced-threat research laboratory. The team found that the NSA has targeted leading enterprises across a series of industries for more than a decade. Forensic analysis showed that these attacks actually began in 2010, and network intelligence analysis placed the activity in step with the timeline of the NSA's cyber-warfare program. The activity reached many of the enterprises' key network-management servers and endpoints, and the attack methods are varied, covert, and damaging. The specific methods are as follows:

(1) QUANTUM attack system

The QUANTUM attack system is the collective name for a series of cyberattack and exploitation platforms developed by the NSA, comprising several sub-projects that all carry the QUANTUM prefix. It is the NSA's most powerful Internet attack tool and one of its most important capability systems for cyber intelligence warfare; the earliest projects date from 2004.


It is not difficult to see from the documents that QUANTUM has projects in each of the NSA's three main cyber-warfare directions (CNE, CNA, and CND: computer network exploitation, attack, and defense). The NSA leverages the central position of the United States in global network communications and the Internet, using advanced technical means to monitor, intercept, and automatically exploit network traffic; the essence of the QUANTUM project is to build a series of data-analysis and exploitation capabilities on that foundation.

(2) FOXACID (Acid Fox) zero-day exploit platform

QUANTUM attacks are usually accompanied by a system code-named FOXACID. FOXACID is a powerful zero-day exploit platform designed by the NSA. It automates the main steps of a vulnerability attack, so that even operators with little cyberattack experience can use it, making it a powerful "large-scale intrusion tool". According to the classified NSA documents, FOXACID servers use various browser zero-day vulnerabilities, such as Flash, Internet Explorer, and Firefox flaws, to implant Trojans on target computers.


From the available intelligence, FOXACID was in operation before 2007 and traces of its use persist through 2013, so it was used for at least eight years. Relying on secret cooperation with U.S. telecommunications companies, the NSA placed FOXACID servers on the Internet backbone so that they respond faster than the real website server. Exploiting this speed difference, a QUANTUM injection attack impersonates the website before the real site can respond, forcing the target's browser to visit the FOXACID server.
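The race described above leaves a trace that a defender can look for: because the injected reply is raced against the real server's, a sensor on the client side of the injection sees two TCP segments for the same flow and sequence number that carry different bytes. The following Python sketch is an added example, not code from the article or from 360, that applies that heuristic to a packet stream. The hosts, ports, and packets are constructed for the example, and `redirect.example.invalid` is a placeholder for an exploit server, not an identifier from the page.

```python
"""Detect race-condition (QUANTUM-INSERT-style) TCP injection.

Added example; not code from the article or from 360. Heuristic: an
injected reply is raced against the real server's, so a client-side
sensor sees two segments for the same flow and sequence number with
different payloads. Every packet below is a constructed record.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    ttl: int
    payload: bytes


def find_race_injections(segments: list[Segment]) -> list[dict]:
    """Return one finding per (flow, seq) that carries conflicting payloads.

    Retransmissions repeat identical bytes and are skipped. A second,
    distinct payload for an already-seen sequence number is flagged. The
    TTLs of both copies are reported because an injector sitting at a
    different hop distance from the real server usually leaves a
    different TTL: a useful secondary indicator, not proof by itself.
    """
    seen: dict[tuple, list[Segment]] = {}
    findings: list[dict] = []
    for seg in segments:
        if not seg.payload:
            continue  # pure ACKs carry no data to conflict over
        key = (seg.src, seg.sport, seg.dst, seg.dport, seg.seq)
        earlier = seen.setdefault(key, [])
        if any(e.payload == seg.payload for e in earlier):
            continue  # identical bytes: ordinary retransmission
        if earlier:
            first = earlier[0]
            findings.append({
                "flow": key[:4],
                "seq": seg.seq,
                "first_ttl": first.ttl,
                "second_ttl": seg.ttl,
                "first_start": first.payload.split(b"\r\n", 1)[0],
                "second_start": seg.payload.split(b"\r\n", 1)[0],
            })
        earlier.append(seg)
    return findings


# Constructed sample stream: a client fetches a page, an injected redirect
# arrives first, then the genuine reply, then a retransmission of it.
CLIENT, SERVER = "10.0.0.5", "93.184.216.34"
GENUINE = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>ok</html>"
INJECTED = (b"HTTP/1.1 302 Found\r\n"
            b"Location: http://redirect.example.invalid/\r\n"  # hypothetical host
            b"Content-Length: 0\r\n\r\n")
SAMPLE_STREAM = [
    Segment(CLIENT, 40000, SERVER, 80, 1000, 64,
            b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    Segment(SERVER, 80, CLIENT, 40000, 5000, 250, INJECTED),  # wins the race
    Segment(SERVER, 80, CLIENT, 40000, 5000, 54, GENUINE),    # real reply
    Segment(SERVER, 80, CLIENT, 40000, 5000, 54, GENUINE),    # retransmission
]

if __name__ == "__main__":
    for f in find_race_injections(SAMPLE_STREAM):
        print(f"{f['flow']} seq={f['seq']}: "
              f"{f['first_start']!r} (ttl {f['first_ttl']}) vs "
              f"{f['second_start']!r} (ttl {f['second_ttl']})")
```

The check only works where the capture point sees both copies, that is, between the injector and the client; a sensor beyond the point where the client's stack discards the late segment sees nothing. Overlapping segments with different starting sequence numbers are not handled here and would need reassembly before comparison.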


(3) Validator backdoor

Validator is one of the main backdoors used in the FOXACID project. It is generally used for the NSA's initial intrusion; more complex Trojans, such as UNITEDRAKE, are then implanted through it. Each implanted computer system is assigned a unique ID.


According to the classified NSA documents, Validator is used mainly in conjunction with FOXACID attacks and is built on a basic client/server architecture that provides a backdoor into sensitive targets. It can be deployed remotely or by direct physical access and offers 24/7 online capability. Validator is a very simple backdoor program with a queued mode of operation that supports only basic functions: uploading and downloading files, executing programs, collecting system information, changing its ID, and self-destructing.

(4) UNITEDRAKE (Joint Rake) backdoor system

UNITEDRAKE (Joint Rake) is an advanced backdoor system developed by the NSA. From their analysis of the leaked documents, 360 security experts describe the overall structure of UNITEDRAKE as roughly five subsystems: the server, the system management interface, the database, the plug-in module set, and the client. They relate to each other as follows:


Server: the server is the command-and-control (C2) server. Its main function is to accept connection requests from clients and manage communication between the clients and the other subsystems; it is designed to keep the number of operator requests as low as possible. The documentation refers to it as the Listening Post (LP).

System management interface: a set of graphical user interfaces through which the operator can directly view client status, issue commands to clients, manage plug-ins, and adjust client configuration. The documentation refers to it as the UR GUI.

Plug-in module set: this is the technical core of the UNITEDRAKE suite; the functional plug-ins give the system its scalability and adaptability. A plug-in module consists of one or more client plug-ins, one or more server-side plug-ins, and one or more system management interface components, which work together to form a complete functional module. For different operations, plug-in modules can be flexibly combined and installed according to task requirements.

Database: UNITEDRAKE uses a SQL database to store and manage system configuration, client configuration, various status information, and collected data.

Client: the client program is the Trojan that is implanted on the target. It can be covertly installed on the target machine and supports further attacks; the design focus of the client is stealth.

Hundreds of millions of citizens around the world have nowhere to hide their privacy and sensitive information, as if "running naked"

The Global Times learned that the illegal intrusions of the APT-C-40 group, that is, the NSA, may cause serious harm to the national defense, critical infrastructure, financial, social, and production security, and to the personal information of citizens, of the Chinese mainland and of other countries.

360 security experts told the Global Times that, in the face of these illegal cyberattacks, we should first be vigilant about the harm state-sponsored APT groups do to national security. Cyberspace has long become another important battlefield in the contest between major powers: "Looking back at 2020, 360 disclosed that the CIA (APT-C-39) had been infiltrating China for 11 years. In the face of the aggressive strategic offensives of the cyber powers, APT cyberattacks and global cyber warfare backed by national power have once again sounded the alarm over our heads."

"Cyber warfare and the harm to national security caused by state-level APTs are multifaceted," the expert told the reporters. The intruding groups not only carry out continuous surveillance and espionage against national governments and key departments but also deepen the threat to a country's politics, economy, society, national defense, and military. Once an APT group attacks a nation's entire social system, it may cause the collapse of transportation, banking, aviation, and hydropower systems and do immeasurable harm to the country's political stability and economic lifelines.

360 security experts said that, in addition, we should be vigilant about the harm state-sponsored APT groups do to critical infrastructure: "Critical infrastructure has gradually become the preferred target of cyber warfare. Cyber confrontation between countries, and cyber warfare aimed at critical infrastructure, are becoming more and more frequent. Cyberattacks are no longer only about stealing intelligence; they can also strike critical infrastructure such as electric power, water, telecommunications, transportation, and energy, with catastrophic consequences for public data, public communication networks, public transportation networks, and public services. This seriously affects public safety and people's livelihoods and undermines the nerve center of the whole society."

"At the same time, the harm state-sponsored APT groups do to the security of personal information should not be underestimated." According to the long-term monitoring data of the 360 Cloud Security Brain, the Global Times found that the NSA treats the telecommunications industry as a key target, spying on and collecting over a long period large amounts of personal information and industry-critical data held by telecom operators. As a result, many users' identity details, property records, home addresses, and even call recordings face the serious threat of malicious collection, illegal misuse, and transfer abroad. "The government and politicians behind the scenes care only about political self-interest and completely disregard the individual rights of citizens; citizens' human rights have become chips in a political game, and these intrusions seriously infringe on the legitimate interests of citizens of the Chinese mainland and the world," the 360 security experts said.

Experts note that, according to public cyber intelligence, the NSA's global intrusions depend on its subordinate departments and affiliates for data and attack-weapon support, and that the UNITEDRAKE (Joint Rake) backdoor, the QUANTUM attack system, and the FOXACID server that impersonates legitimate sites, all mentioned above, are representative attack suites used in combination. "In follow-up analysis of more intelligence data and operational cases involving the NSA arsenal, we will conduct further analysis and assessment."

Source: Global Times - Global Network
