
The NSA has conducted more than a decade of secret hacking attacks on important Chinese institutions, and the damage is difficult to assess

In the past month, 360 Group has continuously released reports on the US National Security Agency (NSA) cyber attacks on the world and the mainland, demonstrating the normalization of US cyber attack activities and indicating that its potential threat is increasing. In this regard, Bian Liang, head of the Sun-chasing Laboratory of 360 Government and Enterprise Security Group, said in an exclusive interview with the Global Times reporter that once these threats are detonated, the harm will exceed the virtual world and cause major security incidents to the real world, and all departments must be aware of the urgency of network security and take immediate measures to prevent potential threats.

Global Times: For some time now, 360 has continuously released reports on the NSA's cyberattacks on the world and the mainland. How did we finally determine that the attacker was from the NSA?

Bian Liang: According to Wikipedia records, the NSA has a top-secret unit, TAO (Tailored Access Operations), called the Access Technology Operations Division, which is responsible for network surveillance, intelligence acquisition, and even remote sabotage of Internet facilities in other countries. The department has been active since at least 1998. Since 2008, 360 has integrated massive security big data through its security brain, captured a large number of abnormally complex hacker attack program samples, and, after long-term analysis and tracking and the collection of evidence from multiple victim units, confirmed that a large number of these hacker attack program samples belonged to the NSA.


[Photo: U.S. National Security Agency (NSA) in Fort Meade, Maryland]

Global Times: Do the cyberattacks carried out by the NSA have their own unique attributes?

Bian Liang: Unlike conventional hacking and sabotage activities, NSA hacker attacks are more refined, can control, analyze and destroy arbitrary network communications and file transmissions in normal network traffic, and can remotely shut down or destroy the critical information infrastructure and water, electricity, gas and other livelihood facilities of the target under certain circumstances.

Global Times: In 2020, 360 also publicly disclosed the attacks of the US CIA agency on the world, compared with the NSA, what is the difference between the two?

Bian Liang: From the perspective of attack tools, the US CIA carried out a series of attack activities using the core cyber weapon "Vault 7". The NSA cyber weapons disclosed this time are more numerous and more capable of attacking, and these cyber weapons have been automated, industrialized and artificially utilized by each other.

In terms of targets, the previously disclosed CIA operations mainly targeted the mainland aerospace, scientific research institutions, oil industry, large Internet companies and government agencies, among which the more prominent was the targeting of system developers at aerospace and scientific research institutions. The NSA's cyberattacks are indiscriminate, targeting a global scale, even including U.S. allies. It launches indiscriminate cyberattacks against almost all Internet users of all kinds, through emails, social networks, search engines, video websites, etc.

Global Times: In long-term follow-up studies, are there any new features in the US cyberattacks on the mainland?

Bian Liang: There have indeed been some changes, some new features, which we have summarized as "six major changes". First, the adversaries have grown: from the previous individual hackers to the large and organized cyber army led by the NSA and CIA. Second, the areas in which attacks are carried out are getting bigger and bigger, and the battlefields are getting bigger: from internet computers and information networks to various critical information infrastructures such as military and civilian use. Third, the means have become larger and more diverse: from Trojans and viruses to vulnerabilities, backdoors, counterfeit servers, etc. Fourth, the opponent's target has become larger: from the previous showmanship and black industry to the development of the country's critical information infrastructure, major state secrets. Fifth, the challenge becomes greater: threats are difficult to prevent in advance and are pervasive. Sixth, the harm becomes greater: stealing state secrets in peacetime, becoming the preferred form of war in wartime, important sources of intelligence, and creating turmoil.


Global Times: You just mentioned that one of the characteristics of the cyberattacks carried out by the NSA is that the harm is getting bigger, so what kind of harm will it bring to the mainland?

Bian Liang: According to the data held by 360, the NSA has carried out secret hacking activities for more than ten years against leading enterprises in various industries in the mainland, governments, universities, medical institutions, scientific research institutions and even important information infrastructure operation and maintenance units related to the national economy and people's livelihood, stealing a large amount of important data, including population data, medical and health data, education and scientific research data, military defense data, aerospace data, social management data, traffic management data, infrastructure data, etc. By implanting backdoors in the mainland's numerous information systems, the actual harm and potential threats caused are difficult to assess. NSA cyberattacks involve areas that are related to national livelihoods and lifelines, and are intended to affect national security, public safety, and the security of citizens' personal information; every organization on the mainland may face the risk of cyber threats that damage critical infrastructure, affect basic services, and affect public safety. These threats, once detonated, will transcend the virtual world and cause major security incidents in the real world.

Global Times: In fact, in the recent outbreak of the Russo-Ukrainian War, cyber warfare has moved beyond the virtual world into reality. Could you please describe what form cyber warfare will take?

Bian Liang: There is no doubt that cyber warfare will become the first choice in the digital age. With the interconnection of all things in the future digital city, the increase in the number of intelligent terminals and network users, the wide range of data sources, and the diversification of data and the complexity of data structures, it is difficult to maintain the various key information infrastructures that carry urban operation data, resulting in network security construction and operational risks. At the same time, the vulnerabilities of the various software and hardware systems in critical information infrastructure also make exploit attacks difficult to avoid.

This also means that cyber warfare attacks are not only meant to steal intelligence, but also to cause damage to transportation, energy, finance and other infrastructure; any node may become a springboard for attack, involving the whole body and causing serious consequences, so we must be aware of the severe situation of network warfare and face up to it.

Global Times: How can we guard against this situation?

Bian Liang: We recommend upgrading network security to digital security, creating a digital security emergency response system covering all digital scenarios, and encouraging relevant institutions to take the initiative to report risks. This requires the establishment of regional and industry-level security brains, and the creation of a national defense system, a national distributed security brain, to provide a capability basis for "seeing" network attacks. Big data analysis is the only way to see attacks effectively; it can establish a global perspective on attack behavior from big data and show the whole picture of network attack behavior.

In addition, cities are the main targets of future cyber warfare. What were previously attacks on a single enterprise or a single government department have become strikes on a city's government services and critical infrastructure groups, paralyzing the city and causing social instability. Therefore, a city emergency response system should be established, along with a security infrastructure similar to a city-level "air defense and anti-missile" system.

At the same time, it is necessary to strengthen real-network, real-troop, actual-combat drills, and enhance the offensive and defensive capabilities of all units in actual combat. There is no unbreakable network, every system has exploitable vulnerabilities, and every system can be attacked. It is necessary to conduct real-combat offensive and defensive drills to enhance the offensive and defensive capabilities of cyberspace and critical infrastructure.

Fourth, the whole network should be mapped to establish a clear baseline, and APT (Advanced Persistent Threat) investigations against critical infrastructure should be carried out regularly. It is necessary to assume that the enemy is already in China, dynamically promote the investigation of important information systems in real time, find out the baseline, realize automatic threat identification, risk blocking and attack traceability, and improve the security defense level of domestic critical information infrastructure from the source.

Global Times: At present, we have made great progress in the construction of our cyber defense system, what aspects do you think still need to be further strengthened?

Bian Liang: First of all, improve awareness of network security and confidentiality. Units that build information systems, regardless of size, should ensure that unit leaders are fully aware of the urgency of cybersecurity and take immediate steps to guard against potential threats.

At the same time, it is necessary to improve the network security protection capabilities of the unit. Due to the acceleration of the global digitalization process, the business links of the unit have become more complex, and network attacks may occur at any time, so each unit needs to continuously improve its network security capabilities, enhance its emergency response and rapid recovery capabilities, actively carry out offensive and defensive drills, and formulate contingency plans.

In addition, reduce the likelihood of destructive network intrusions, for example by requiring multi-factor authentication for all remote access and for privileged or administrative access to an organization's network, and by employing multiple network security services, including vulnerability scanning, to help reduce exposure to attacks.

The fourth point is to ensure that the enterprise or organization responds in a timely manner when it is intruded upon. For example, test backup procedures to ensure that when the unit is subjected to ransomware or other network attacks, it can quickly recover critical data; and in the event of ransomware or other network attacks, ensure that backups are isolated from the network.

Global Times / Global Network reporter Yuan Hong

Source: Global Times WeChat public account
