
National Computer Virus Emergency Response Center: Northwestern Polytechnical University NSA Cyber Attack Investigation Report (One)

Author: Globe.com

Source: CCTV news client

On June 22, 2022, Northwestern Polytechnical University issued a "public statement" saying that the university had suffered a cyber attack from abroad. The Beilin Branch of the Public Security Bureau of Xi'an City, Shaanxi Province, immediately issued a "Police Intelligence Circular", confirming that a number of Trojan horse samples originating from abroad were found in the information network of Northwestern Polytechnical University, and the Xi'an police have formally filed a case for investigation.

The National Computer Virus Emergency Response Center and 360 Company jointly formed a technical team (hereinafter the "technical team") that took part in the technical analysis of the case throughout. The technical team extracted a number of Trojan samples from information systems and Internet terminals at Northwestern Polytechnical University and, drawing on existing domestic data resources and analysis methods with full support from partners in several European and South Asian countries, reconstructed the overall picture, technical characteristics, attack weapons, attack paths and attack sources of the related events. It preliminarily determined that the attack activities originated from the Office of Tailored Access Operations (hereinafter TAO) of the US National Security Agency (NSA).

1. Overview of the attack

The investigation found that in recent years the NSA's TAO has carried out tens of thousands of malicious cyber attacks on network targets inside China, controlled tens of thousands of network devices (network servers, Internet terminals, network switches, telephone exchanges, routers, firewalls, etc.) and stolen more than 140GB of high-value data. TAO has continued to expand the scale and scope of its cyber attacks using its cyber attack weapons platform, "zero-day vulnerabilities" (0days) and the network devices it controls. Through technical analysis and tracing, the technical team has now identified the network attack infrastructure, special weapons and equipment, and technical tactics used in TAO's attack activities, reconstructed the attack process and the stolen documents, and obtained evidence of the NSA and its subordinate TAO carrying out network attacks and data theft against China's information networks, involving 13 people in the United States who directly launched cyber attacks on China, more than 60 contracts signed by the NSA with US telecom operators through cover companies to build the network attack environment, and more than 170 electronic documents.

2. Analysis of attack events

In the network attack on Northwestern Polytechnical University, TAO used more than 40 different NSA-specific network attack weapons to continuously attack the university and steal core technical data such as key network device configurations, network management data, and operation and maintenance data. Through forensic analysis, the technical team has cumulatively identified more than 1,100 attack links and more than 90 instruction sequences that the attackers used to infiltrate Northwestern Polytechnical University, and has located from the compromised network devices a number of stolen network device configuration files, sniffed network traffic and passwords, other types of logs and key files, and other major details of the attack activities. The specific analysis follows:

(1) Relevant network attack infrastructure

To cover up its attack operations, TAO carries out a long period of preparatory work before an operation begins, mainly to build an anonymized attack infrastructure. TAO used two of its "zero-day vulnerability" exploit tools for the SunOS operating system against high-traffic servers of network applications such as educational institutions and commercial companies in China's neighboring countries. After a successful attack, the NOPEN Trojan was installed (see the relevant research report for details) and a large number of springboard machines were brought under control.

TAO used 54 springboard machines and proxy servers in the cyber attack on Northwestern Polytechnical University, distributed mainly across 17 countries including Japan, South Korea, Sweden, Poland and Ukraine, of which 70% were located in countries neighboring China, such as Japan and South Korea.

The function of these springboard machines is limited to instruction relay, that is, forwarding instructions from the upper-level springboard to the target system, thereby masking the real IP addresses from which the NSA launches its cyber attacks. So far, TAO has used at least four IP addresses to control the springboard machines from its access environment (a domestic telecommunications operator in the United States), namely 209.59.36.*, 69.165.54.*, 207.195.240.* and 209.118.143.*. At the same time, to further conceal the relationship between the springboard machines and proxy servers and the NSA, the NSA used the anonymity protection service of an American registrar to anonymize traceable information such as the relevant domain names, certificates and registrants, so that it cannot be queried through public channels.

Through correlation analysis of threat intelligence data, the technical team found that the network resources used by the attack platform against Northwestern Polytechnical University involved a total of 5 proxy servers; the NSA purchased IP addresses from Terremark in the United States through two secretly established cover companies and rented a number of servers. The two companies are Jackson Smith Consultants and Mueller Diversified Systems. The technical team also found that staff of TAO's Mission Infrastructure Technology Division (MIT) used the name "Amanda Ramirez" to anonymously purchase a domain name and a generic SSL certificate (ID: e42d3bea0a16111e67ef79f9cc2*****). The domain name and certificate were subsequently deployed on Foxacid, a man-in-the-middle attack platform located in the United States, to attack a large number of cyber targets in China. In particular, TAO launched several rounds of continuous attacks and secret theft against Chinese information network targets such as Northwestern Polytechnical University.
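The four control ranges given above are the kind of indicator a defender can retro-hunt for in retained logs. The following Python is an added example and is not code from the report or from any of the parties it names: it scans log lines for IPv4 addresses and reports any that fall inside the listed ranges. Treating each trailing wildcard as a /24 network is an assumption, and the sshd- and netfilter-style sample lines are constructed for the demonstration.

```python
import ipaddress
import re

# The four upstream control ranges the report lists as 209.59.36.*, 69.165.54.*,
# 207.195.240.* and 209.118.143.*; treating each wildcard as a /24 is an assumption.
REPORTED_CONTROL_RANGES = [
    ipaddress.ip_network(n)
    for n in ("209.59.36.0/24", "69.165.54.0/24",
              "207.195.240.0/24", "209.118.143.0/24")
]

# Dotted quad not glued to further digits or dots on either side.
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def in_reported_ranges(ip: str) -> bool:
    """True if the dotted-quad string falls inside one of the reported ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:            # not a valid address (e.g. 999.1.1.1)
        return False
    return any(addr in net for net in REPORTED_CONTROL_RANGES)


def scan_log(lines):
    """Return (line_number, ip) for every address in `lines` inside a reported range."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        for ip in IPV4_RE.findall(line):
            if in_reported_ranges(ip):
                hits.append((lineno, ip))
    return hits


# Constructed sample lines in sshd / netfilter style; none are real log data.
SAMPLE_LOG = [
    "Jun 20 02:11:07 gw sshd[2213]: Accepted publickey for ops from 10.20.30.40 port 51022 ssh2",
    "Jun 20 02:14:51 gw sshd[2290]: Accepted password for root from 209.59.36.17 port 40122 ssh2",
    "Jun 20 02:15:03 gw sshd[2290]: pam_unix(sshd:session): session opened for user root",
    "Jun 20 03:02:19 gw kernel: IN=eth0 OUT= SRC=69.165.54.200 DST=10.20.30.1 PROTO=TCP DPT=22",
    "Jun 20 03:40:00 gw sshd[2411]: Failed password for invalid user admin from 198.51.100.7 port 3333 ssh2",
    "Jun 20 04:05:42 gw kernel: IN=eth0 OUT= SRC=207.195.240.9 DST=10.20.30.1 PROTO=TCP DPT=443",
]

if __name__ == "__main__":
    for lineno, ip in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: address in reported control range ({ip})")
```

Two caveats follow from the report's own description. These addresses control the springboard machines from the NSA side, so the final target would normally see the springboards' addresses rather than these; the ranges are therefore most useful on relay hosts, perimeter devices and in threat-intelligence correlation. And because address allocations change over time, a match is a lead for investigation rather than attribution on its own.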

(2) Relevant cyber attack weapons

In its cyber attack on Northwestern Polytechnical University, TAO used 41 kinds of NSA-specific network attack weapons and equipment, and during the attack it flexibly configured the same weapon according to the target environment. For example, 14 different versions of a single weapon, "Cunning Heretic" (the NSA's own name for it), were used in the attack on Northwestern Polytechnical University alone. The technical team divided the tools used by TAO in this attack into four categories:

1. Vulnerability attack breakthrough weapons

TAO relies on such weapons to break into the border network equipment, gateway servers, office intranet hosts and other systems of Northwestern Polytechnical University, and also uses them to attack and control overseas springboard machines to build an anonymized network as cover for its operations. There are 3 types of such weapons:

(1) "Razor"

This weapon can carry out remote vulnerability attacks against x86 and SPARC Solaris systems with specified RPC services open, automatically detect which services the target system exposes, and intelligently select the appropriate version of exploit code to directly gain complete control of the target host. It was used to attack springboard machines in Japan, South Korea and other countries, and the controlled springboard machines were then used in the cyber attacks on Northwestern Polytechnical University.

(2) "Island"

This weapon can also carry out remote overflow attacks against Solaris systems with specified RPC services open, directly gaining complete control of the target host. Unlike "Razor", it cannot autonomously detect which services the target exposes; the operator must manually configure the target and related parameters. The NSA used this weapon to attack and take control of Northwestern Polytechnical University's border servers.

(3) "Acid Fox" weapon platform

Deployed in Colombia, this weapon platform can be used together with the "Second Date" man-in-the-middle attack weapon, and its vulnerability payloads can be intelligently configured to carry out remote overflow attacks against mainstream browsers such as IE, Firefox, Safari and Android WebKit to gain control of the target system (for details, see the National Computer Virus Emergency Response Center report "Technical Analysis of the NSA 'Acid Fox' Vulnerability Attack Weapon Platform"). TAO mainly used this platform to break into office intranet hosts at Northwestern Polytechnical University.

2. Persistent control weapons

TAO relies on such weapons to maintain covert and lasting control of the Northwestern Polytechnical University network; the TAO operations team can send control instructions through encrypted channels to operate these weapons and carry out infiltration, control and secret theft on the university's network. There are 6 types of such weapons:

(1) "Second Date"

This weapon resides for a long time in network border devices and servers such as gateway servers and border routers, and can precisely filter and automatically hijack massive volumes of traffic to perform man-in-the-middle attacks. TAO placed the weapon on a border device at Northwestern Polytechnical University, hijacking traffic flowing through the device and redirecting it to the "Acid Fox" platform to carry out vulnerability attacks.

(2) "NOPEN"

This weapon is a remote control Trojan supporting a variety of operating systems and architectures. It receives instructions through an encrypted tunnel to perform file management, process management, system command execution and other operations, and has privilege escalation and persistence capabilities (for details, see the National Computer Virus Emergency Response Center report "Analysis of the 'NOPEN' Remote Control Trojan"). TAO mainly used this weapon to maintain persistent control of core business servers and key network equipment inside the Northwestern Polytechnical University network.

(3) "Fury Spray"

This weapon is a Windows-based remote control Trojan that supports a variety of operating systems and architectures; it can be customized to generate different types of Trojan server according to the target system environment, and the server itself has strong anti-analysis and anti-debugging capabilities. TAO mainly used this weapon together with the "Acid Fox" platform to maintain persistent control of personal hosts inside the office network of Northwestern Polytechnical University.

(4) "Cunning heretics"

This weapon is a lightweight backdoor implant that deletes itself when run, has privilege escalation capability, resides on the target device for a long time and can be activated at system startup. TAO mainly used this weapon to maintain a permanent foothold, so that an encrypted channel could be established to upload the NOPEN Trojan at the right time, ensuring long-term control of the Northwestern Polytechnical University information network.

(5) "Stoic Surgeon"

This weapon is a backdoor for four operating systems, Linux, Solaris, JunOS and FreeBSD, that can run persistently on the target device and, on instruction, hide specified files, directories, processes and so on. TAO mainly used this weapon to hide the files and processes of the NOPEN Trojan from monitoring. Technical analysis found that TAO used a cumulative total of 12 different versions of this weapon in its cyber attack on Northwestern Polytechnical University.

3. Sniffing and stealing secret weapons

TAO relies on such weapons to sniff the account passwords and command-line operation records used by Northwestern Polytechnical University staff when operating and maintaining the network, and to steal sensitive information and operation and maintenance data from inside the university network. There are two types of such weapons:

(1) "Drinking tea"

This weapon can reside for a long time in 32-bit or 64-bit Solaris systems and obtain account passwords exposed through remote login methods such as ssh, telnet and rlogin by sniffing inter-process communication. TAO mainly used this weapon to sniff the account passwords, command-line operation records, log files and so on generated by Northwestern Polytechnical University business personnel during operation and maintenance work, and to store them compressed and encrypted for the NOPEN Trojan to download.

(2) "Operation Behind Enemy Lines" series of weapons

This series of weapons is designed specifically for the particular business systems of telecommunications operators; "Operation Behind Enemy Lines" is used together with different parsing tools depending on the type of business equipment targeted. In its cyber attack on Northwestern Polytechnical University, TAO used 3 such tools against telecom operators: "Magic School", "Clown Food" and "Cursed Fire".

4. Concealed detracking weapons

TAO relies on such weapons to erase traces of its activity inside the Northwestern Polytechnical University network, to hide and disguise its malicious operations and espionage, and to protect the above three categories of weapons. 1 such weapon has been identified:

"Toast Bread": this weapon can view and modify log files such as utmp, wtmp and lastlog to clear traces of operations. TAO mainly used it to delete and replace various log files on the compromised network equipment of Northwestern Polytechnical University and hide its malicious behavior. TAO used a total of 3 different versions of "Toast Bread" in its cyber attack on Northwestern Polytechnical University.
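The files named here (utmp, wtmp, lastlog) are the binary login records a Unix host keeps, and edits to them leave structural traces that a defender can check for. The following Python is an added example, not code from the report or from any tool it names: it parses a raw Linux wtmp file using the glibc struct utmp layout for x86_64 and flags three generic tampering indicators, a record overwritten with zeros, a timestamp that runs backwards, and a logout record with no preceding login on the same tty. The record layout, the choice of indicators and the sample wtmp bytes (built inline) are assumptions for a typical x86_64 Linux host; Solaris uses a different utmpx layout and would need its own format string.

```python
import struct
from collections import namedtuple

# glibc `struct utmp` on Linux x86_64: 384 bytes per record (layout assumed here;
# Solaris utmpx differs and would need its own format string).
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)   # 384
USER_PROCESS, DEAD_PROCESS = 7, 8       # ut_type values for login / logout

Record = namedtuple("Record", "type pid line user host sec")


def _cstr(raw: bytes) -> str:
    """Decode a NUL-padded fixed-width field."""
    return raw.split(b"\0", 1)[0].decode("latin-1")


def parse_wtmp(data: bytes):
    """Decode raw wtmp bytes into a list of Record tuples."""
    if len(data) % UTMP_SIZE:
        raise ValueError("wtmp size is not a multiple of the record size")
    records = []
    for off in range(0, len(data), UTMP_SIZE):
        fields = struct.unpack_from(UTMP_FMT, data, off)
        ut_type, pid, line, _id, user, host, _e, _t, _sess, sec = fields[:10]
        records.append(Record(ut_type, pid, _cstr(line), _cstr(user), _cstr(host), sec))
    return records


def find_anomalies(records):
    """Return (index, reason) for records showing generic tampering indicators."""
    findings = []
    last_sec = 0
    open_lines = set()       # ttys with a login but no logout yet
    for i, r in enumerate(records):
        if r.type == 0 and r.pid == 0 and r.sec == 0 and not r.user and not r.line:
            findings.append((i, "zeroed record (entry overwritten)"))
            continue
        if r.sec < last_sec:
            findings.append((i, "timestamp runs backwards (entry removed or rewritten)"))
        last_sec = max(last_sec, r.sec)
        if r.type == USER_PROCESS:
            open_lines.add(r.line)
        elif r.type == DEAD_PROCESS:
            if r.line not in open_lines:
                findings.append((i, f"logout on {r.line} with no preceding login"))
            open_lines.discard(r.line)
    return findings


def make_record(ut_type, pid, line, user, host, sec) -> bytes:
    """Pack one utmp record (used only to build the constructed sample below)."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, sec, 0, 0, 0, 0, 0)


# Constructed sample: two clean sessions, then three tampering patterns.
SAMPLE_WTMP = b"".join([
    make_record(USER_PROCESS, 1201, "pts/0", "netadmin", "10.0.0.5", 1655865600),
    make_record(DEAD_PROCESS, 1201, "pts/0", "", "", 1655869200),
    make_record(USER_PROCESS, 1340, "pts/1", "netadmin", "10.0.0.5", 1655872800),
    bytes(UTMP_SIZE),                                               # zeroed entry
    make_record(DEAD_PROCESS, 1340, "pts/1", "", "", 1655870000),   # earlier than its login
    make_record(DEAD_PROCESS, 1500, "pts/2", "", "", 1655880000),   # logout without login
])

if __name__ == "__main__":
    for idx, reason in find_anomalies(parse_wtmp(SAMPLE_WTMP)):
        print(f"record {idx}: {reason}")
```

On a real host, read `/var/log/wtmp` into `parse_wtmp` and cross-check the result against sources the attacker would also have had to edit consistently, such as sshd entries in syslog and the `lastlog` file; a login visible in syslog but absent from wtmp is as telling as any of the structural indicators above. Forwarding authentication logs to a separate collector removes the single point of tampering altogether.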

3. Trace the source of the attack

Combining the above technical analysis results with the tracing investigation, the technical team preliminarily judged that the cyber attack operation against Northwestern Polytechnical University was carried out by TAO (code S32), a department of the Data Investigation Bureau (code S3) of the NSA's Information Intelligence Department (code S). Founded in 1998, the division's forces are deployed primarily through the NSA's cryptologic centers in the United States and Europe. The six cryptologic centers announced so far are:

1. NSA headquarters at Fort Meade, Maryland, USA;

2. NSA Hawaii Cryptologic Center (NSAH) on Oahu, Hawaii, USA;

3. NSA Georgia Cryptologic Center (NSAG) at Fort Gordon, Georgia, USA;

4. NSA Texas Cryptologic Center (NSAT) in San Antonio, Texas, USA;

5. NSA Colorado Cryptologic Center (NSAC) at Buckley Air Force Base in Denver, Colorado, USA;

6. NSA European Cryptologic Center (NSAE) at the US military base in Darmstadt, Germany.

TAO is currently the tactical implementation unit of the US government specializing in large-scale cyber attacks and espionage against other countries. It consists of more than 2,000 military and civilian personnel, and its internal units include:

Division 1: the Remote Operations Center (ROC, code name S321), primarily responsible for operating weapon platforms and tools to enter and control target systems or networks.

Division 2: the Advanced/Access Network Technology Division (ANT, code name S322), responsible for researching related hardware technologies and providing hardware technology and weaponry support for TAO cyber attack operations.

Division 3: the Data Network Technology Division (DNT, code name S323), responsible for developing sophisticated computer software tools to support TAO operators in carrying out cyber attack missions.

Division 4: the Telecommunications Network Technology Division (TNT, code name S324), responsible for researching telecommunications-related technologies and supporting TAO operators in covertly infiltrating telecommunications networks.

Division 5: the Mission Infrastructure Technology Division (MIT, code name S325), responsible for developing and establishing the network infrastructure and security monitoring platforms used to build the network environments and anonymity networks for attack operations.

Division 6: the Access Operations Division (ATO, code name S326), responsible for installing backdoors in products destined for the target via the supply chain.

Division 7: the Requirements and Positioning Division (R&T, code name S327), which receives tasking from the relevant units, determines reconnaissance targets, and analyzes and evaluates the value of intelligence.

S32P: the Project Planning Integration Division (PPI, code name S32P), responsible for master planning and project management.

NWT: the Cyber Warfare Group (NWT), responsible for liaising with the Cyber Warfare Squad.

The NSA's attack on Northwestern Polytechnical University was code-named "shotXXXX". The operation was directly commanded by the head of TAO: MIT (S325) was responsible for building the reconnaissance environment and leasing attack resources; R&T (S327) for determining the attack strategy and intelligence assessment; ANT (S322), DNT (S323) and TNT (S324) for providing technical support; and ROC (S321) for organizing and carrying out the attack and reconnaissance operations. Those directly involved in command and action were therefore mainly the head of TAO and the S321 and S325 units.

The head of TAO during the NSA attack on Northwestern Polytechnical University was Robert Edward Joyce. Born on September 13, 1967, he attended Hannibal High School, graduated from Clarkson University with a bachelor's degree in 1989 and received a master's degree from Johns Hopkins University in 1993. He joined the NSA in 1989, served as Deputy Director of TAO and then as Director of TAO from 2013 to 2017, and began serving as acting US Homeland Security Advisor in October 2017. From April to May 2018 he served as White House Homeland Security Advisor, then returned to the NSA as senior adviser on cybersecurity strategy to the NSA Director, and now serves as the NSA's head of cybersecurity.

4. Summary

Based on the analysis results of the joint technical team of the National Computer Virus Emergency Response Center and 360 Company, this report exposes the fact that the NSA has long carried out cyber espionage against Chinese information network users and important units, including Northwestern Polytechnical University. The technical team will continue to release further technical details from the investigation of these incidents.
