
CIA's Main Battle Cyber Attack Weapons Exposed: Critical Information Infrastructure Around the World Has Become U.S. "Intelligence Station"

Recently, another piece of the United States' main battle equipment for monitoring and stealing secrets around the world through the Internet has been exposed: the CIA's dedicated "Hive" malicious code attack and control weapon platform (hereinafter the "Hive platform"). Researchers from the National Computer Virus Emergency Response Center told the Global Times in an interview that the global Internet and important information infrastructure around the world have become the "intelligence station" of the US intelligence agencies. From the analysis of technical details, the existing backbone equipment of the international Internet and the important information infrastructure around the world, as long as it contains hardware, operating systems or application software provided by American Internet companies, is very likely to become a target of attack and secret theft by US intelligence agencies. All activity on the global Internet and all the data stored there are "truthfully" laid out in front of the U.S. intelligence agencies.


Recently, China's cybersecurity agencies have successively unveiled the true face of the US National Security Agency's (NSA) "telescreen operation", "APT-C-40", "NOPEN" and "quantum" cyber attack weapons. In comparison, what are the new features of the "Hive" platform exposed this time? What new advice does it bring for Internet users around the world? Researchers from the National Computer Virus Emergency Response Center gave further explanations in an interview with the Global Times.

According to the briefing, the "Hive" platform was jointly developed by departments subordinate to the CIA and the well-known American military contractor Northrop Grumman (NOC). It is a dedicated CIA cyber attack weapon with five major characteristics.

First of all, the "Hive" platform is highly intelligent. The weapon is a typical US military product: modular, highly standardized and easily extensible, indicating that the United States has realized the "integration of production, education and research" of network weapons. These weapons can independently determine the attack method and launch a network attack according to the hardware and software configuration of the target network and the vulnerabilities present, and can rely on artificial intelligence technology to automatically escalate privileges, automatically steal secrets, automatically hide traces and automatically send data back, achieving fully automatic control of the target. Its powerful system functions, advanced design concepts and advanced operational ideas fully reflect the CIA's capabilities in the field of cyber attacks. Its network weapons cover the whole chain of network attack activities, such as remote scanning, vulnerability exploitation, covert implantation, sniffing and stealing, file extraction, intranet infiltration and system destruction, have unified command and control capabilities, and have basically been made AI-driven. At the same time, this also proves that the weapon systems the CIA uses to launch cyber attacks on other countries have become systematized, scaled up, covert and intelligent.

Secondly, the "Hive" platform is highly covert. The platform adopts a client/server (C/S) architecture and is mainly composed of four parts: the master control end, the remote control platform, the generator, and the controlled-end program. CIA attackers use the generator to produce customized controlled-end malicious code programs. After the controlled-end malicious code program is implanted into the target system and running normally, it stays in a silent, dormant state, listening in real time for packets with trigger characteristics in the network traffic of the controlled information system and waiting to be "woken up". CIA attackers can use the client to send a "code word" to the controlled end to "wake up" the dormant malicious code program and execute the relevant instructions; the CIA attacker then operates the client through a console program called "cutthroat" (as shown in Figure 1). In order to evade intrusion detection, after the "secret message" that wakes up the controlled end's malicious code program has been sent, an encrypted communication channel is temporarily established according to the target environment to confuse network monitors and circumvent technical monitoring methods.

In addition, in order to further improve the concealment of its cyber espionage operations, the CIA has carefully deployed the network infrastructure associated with the Hive platform around the world. From the data monitored so far, the CIA has set up multi-layer dynamic springboard servers and VPN channels between the master end and the controlled end, widely distributed in Canada, France, Germany, Malaysia and Turkey, effectively hiding its own whereabouts. Even if a victim discovers that it has suffered a cyber attack from the "Hive" platform, it is extremely difficult to carry out technical analysis and trace the source.


Figure 1 Description of the main command-line arguments for "cutthroat"

After the master end establishes a connection with the controlled host, the corresponding control commands can be executed (as shown in Figure 2):


Figure 2 Remote command control

In order to evade intrusion detection, the master end wakes up the malicious code program on the controlled end by sending a "code word", and then imitates HTTP over TLS to establish an encrypted communication channel, so as to confuse network monitors and circumvent technical monitoring methods (as shown in Figure 3).


Figure 3 Wake up and establish an encrypted communication channel
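The wake-up behaviour described above (a dormant controlled end receives a small trigger packet, then opens an outbound TLS-looking channel) leaves a "knock, then call out" pattern in flow records. The following detection heuristic is an added example, not code from the article or from the platform; the flow-record format, the internal address prefix, the thresholds and the sample records are all constructed assumptions.

```python
"""Heuristic detector for the 'trigger packet, then outbound TLS-like
callback' pattern.  Flow format, sample data and thresholds are constructed
for this example; adapt the parser to your own NetFlow or Zeek export."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flow records: (timestamp, src, dst, dst_port, bytes)
SAMPLE_FLOWS = [
    ("2022-04-20T10:00:01", "10.1.1.5", "198.51.100.20", 443, 5120),  # normal browsing
    ("2022-04-20T10:02:10", "203.0.113.9", "10.1.1.7", 8443, 96),    # tiny inbound "knock"
    ("2022-04-20T10:02:12", "10.1.1.7", "192.0.2.33", 443, 2300),    # new outbound "TLS"
    ("2022-04-20T10:05:00", "10.1.1.8", "198.51.100.20", 443, 7800), # normal browsing
    ("2022-04-20T10:09:30", "203.0.113.9", "10.1.1.9", 22, 120),     # knock, no callback
]

INTERNAL_PREFIX = "10."      # assumption: the 10/8 range is "inside"
WAKE_WINDOW = timedelta(seconds=30)   # assumed max delay between knock and callback
TRIGGER_MAX_BYTES = 256      # a wake-up "code word" is tiny compared with a session
TLS_PORTS = {443, 8443}      # ports where an HTTP-over-TLS lookalike would appear


def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIX)


def find_wake_then_callback(flows):
    """Return (host, trigger_src, callback_dst, delay_seconds) for every internal
    host that received a small inbound packet and, within WAKE_WINDOW, opened an
    outbound TLS-port session to a different external address."""
    parsed = sorted((datetime.fromisoformat(ts), s, d, p, b) for ts, s, d, p, b in flows)
    triggers = defaultdict(list)   # internal host -> [(time, external source)]
    hits = []
    for ts, src, dst, port, nbytes in parsed:
        if not is_internal(src) and is_internal(dst) and nbytes <= TRIGGER_MAX_BYTES:
            triggers[dst].append((ts, src))          # candidate "knock"
        elif is_internal(src) and not is_internal(dst) and port in TLS_PORTS:
            for t_ts, t_src in triggers[src]:        # any recent knock on this host?
                if timedelta(0) <= ts - t_ts <= WAKE_WINDOW and t_src != dst:
                    hits.append((src, t_src, dst, (ts - t_ts).total_seconds()))
    return hits


if __name__ == "__main__":
    for host, knock_src, callback, delay in find_wake_then_callback(SAMPLE_FLOWS):
        print(f"{host}: knocked by {knock_src}, called out to {callback} after {delay:.0f}s")
```

Real beacons also use plain browsing ports, so treat a hit as a lead for packet-level review (certificate and handshake consistency of the "TLS" session), not as proof of compromise.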

Third, the "Hive" platform's attack coverage is wide. In order to meet the requirements of attacking multi-platform targets, the CIA has developed functionally similar adapted versions of the "Hive" platform for different CPU architectures and operating systems. Based on what is currently known, the "Hive" platform supports the existing mainstream CPU architectures and covers general-purpose operating systems such as Windows, Unix, Linux and Solaris, as well as the special-purpose operating systems of network devices.

Fourth, the "Hive" platform has designated key targets. In terms of target type, the CIA pays special attention to the MikroTik series of network equipment. MikroTik routers and other network equipment are very popular around the world, and in particular its self-developed RouterOS operating system is adopted by many third-party router manufacturers, so the potential risk posed by the CIA's attack capabilities against this operating system is difficult to estimate. The CIA specifically developed a MikroTik router exploit tool called "Chimay-Red" and compiled detailed instructions for its use. This tool exploits a stack clash (stack conflict) remote code execution vulnerability that exists in MikroTik RouterOS 6.38.4 and later to achieve remote control of the target system.

Fifth, the "Hive" platform has a strong ability to penetrate defenses, which should put Internet users around the world on alert. The "Hive" platform is a "lightweight" network weapon: its tactical purpose is to establish a hidden foothold in the target network, covertly deliver malicious code programs to targets, and use the platform to centrally control a variety of malicious code programs, creating the conditions for the subsequent continuous delivery of "heavy" network attack weapons. As the "vanguard" and "commando" among the CIA's attack weapons, the "Hive" platform assumes the important function of breaking through the target's line of defense, and its broad adaptability and strong penetration capability are a major warning to Internet users around the world.

The researcher noted that, like the NSA cyber attack weapons exposed earlier, the CIA carries out indiscriminate attack, control and espionage against high-value targets around the world. The targets of the CIA's hacking and cyber espionage activities include governments, political parties, non-governmental organizations, international organizations and important military targets around the world, as well as dignitaries, public figures, celebrities and technical experts, and education, scientific research, communications and medical institutions. It steals a large amount of secret information from the victim countries, obtains control over a large amount of their important information infrastructure, grasps the personal privacy of citizens around the world, and serves the United States in maintaining its hegemonic status. Moreover, the global Internet and vital information infrastructure around the world have become "intelligence stations" for U.S. intelligence services. "From the analysis of technical details, the backbone equipment of the existing international Internet and the important information infrastructure around the world (servers, switching equipment, transmission devices and Internet terminals), as long as they contain hardware, operating systems and application software provided by American Internet companies, are very likely to contain zero-day (0day) vulnerabilities or various backdoors, and are very likely to become targets of attacks and theft by US intelligence agencies. All activities on the global Internet and all the data stored there are 'truthfully' displayed in front of the US intelligence agencies and become the 'handle' and 'material' for their attacks on and sabotage of global targets."

In view of the highly intelligent and highly covert characteristics of the "Hive" platform, how should Internet users detect and respond to its threat? The National Computer Virus Emergency Response Center reminds Internet users at large that cyber attacks by US intelligence agencies are an imminent, real threat, and that attacks on computer hardware and software carrying American "genes" are covert. At this stage, the expedient way to avoid hacking by the US government is to use autonomous, controllable domestically produced equipment. In addition, the center's researchers also recommend that Internet users update the operating systems of network equipment and Internet terminals and apply patches in a timely manner, close unnecessary network services and ports, and carry out network security protection in accordance with the requirements of laws and regulations such as the Cybersecurity Law of the People's Republic of China and the Regulations on Graded Protection of Network Security.

Source: Global Times - Global Network
