Conclusive! The cyberattack on Northwestern Polytechnical University was the U.S. National Security Agency

Author: Overseas Network

Source: Global Times

Northwestern Polytechnical University issued a statement in June saying that hacking organizations and lawbreakers from abroad had sent phishing emails containing Trojan horses to teachers and students in an attempt to steal teacher and student email data and citizens' personal information. On September 5, the Global Times learned from the relevant departments that the "real culprit" behind the "foreign cyber attack on Northwestern Polytechnical University" was the Office of Specific Intrusion Operations (TAO) of the U.S. National Security Agency (NSA). With the full cooperation of various departments, this operation comprehensively reconstructed a series of attacks launched by the NSA with cyber weapons over the past few years, breaking the "one-way transparency" advantage the United States has held over the mainland.

"True Culprit" Exposed: the U.S. Office of Specific Intrusion Operations

On June 22, Northwestern Polytechnical University issued a statement saying that hacking organizations and criminals from abroad had sent phishing emails containing Trojan horse programs to teachers and students in an attempt to steal teachers' and students' email data and citizens' personal information, creating major risks and hidden dangers for the normal work and life of the school. On June 23, the Beilin Branch of the Xi'an Municipal Public Security Bureau issued a police circular saying that it had opened a case for investigation and carried out further technical analysis of the Trojan horse and phishing email samples it had extracted. It was preliminarily determined that the incident was a cyber attack initiated by overseas hacking organizations and criminals.

In response to the "overseas cyber attack on Northwestern Polytechnical University", China's National Computer Virus Emergency Response Center and 360 Company jointly formed a technical team (hereinafter the "technical team") to conduct a comprehensive technical analysis of the case. The technical team extracted a number of Trojan samples from several information systems and Internet terminals at Northwestern Polytechnical University and, by combining existing domestic data resources and analysis methods with full support from partners in some countries in Europe and South Asia, comprehensively reconstructed the overall picture, technical characteristics, attack weapons, attack paths and attack sources of the relevant incidents. The technical team preliminarily determined that the cyber attack on Northwestern Polytechnical University was carried out by TAO (code S32), a department of the Data Reconnaissance Bureau (code S3) of the NSA Information Intelligence Directorate (code S).

Attack Operation Codename "Block XXXX"

Founded in 1998, TAO is currently a tactical implementation unit of the U.S. government specializing in large-scale cyber attacks and the theft of secrets from other countries. It consists of more than 2,000 military and civilian personnel organized into 10 divisions.

The Global Times reporter learned that the case was code-named "shot XXXX" (shotXXXX) within the NSA's internal attack operations. Those directly involved in command and action included the head of TAO, the Remote Operations Center (mainly responsible for operating weapons platforms and tools to enter and control target systems or networks), and the Mission Infrastructure Technology Division (responsible for developing and establishing the network infrastructure and security monitoring platforms that build the network environment and anonymity network for attack operations).

In addition, four divisions participated in the operation: the Advanced/Access Network Technology Division, the Data Network Technology Division, the Telecommunications Network Technology Division, and the Requirements and Targeting Division, which was responsible for determining the attack strategy and intelligence assessment.

The head of TAO at the time was Robert Joyce. Born on September 13, 1967, he attended Hannibal High School, graduated from Clarkson University with a bachelor's degree in 1989, and graduated from Johns Hopkins University with a master's degree in 1993. He joined the National Security Agency in 1989. He served as Deputy Director of TAO, and as Director of TAO from 2013 to 2017. He began serving as acting U.S. Homeland Security Advisor in October 2017. From April to May 2018 he served as U.S. White House Homeland Security Advisor, later returned to the NSA as senior adviser on cybersecurity strategy to the NSA Director, and now serves as Director of the NSA Cybersecurity Directorate.

The technical team comprehensively reconstructed the attack and theft process: TAO used 41 NSA-specific cyber attack weapons

The investigation found that in recent years the NSA's TAO has carried out tens of thousands of malicious cyber attacks on network targets inside China, controlled tens of thousands of network devices (network servers, Internet terminals, network switches, telephone exchanges, routers, firewalls, etc.), and stolen more than 140GB of high-value data.

The technical analysis also found that, before this attack began, TAO had already obtained management privileges over a large number of communication network devices in China with the cooperation of many large and well-known U.S. Internet companies, which opened the door for the NSA to continue intruding into China's important information networks.

Through traceability analysis, the technical team has now fully reconstructed the process by which secrets were stolen in this attack: in the cyber attack on Northwestern Polytechnical University, TAO used 41 kinds of NSA-specific cyber attack weapons to attack the university persistently and steal secrets, taking core technical data such as key network device configurations, network management data, and operation and maintenance data. The technical team identified more than 1,100 attack links that infiltrated Northwestern Polytechnical University, more than 90 command sequences, multiple stolen network device configuration files, sniffed network communication data and passwords, and other types of logs and key files, essentially reconstructing the main details of each attack. A number of relevant chains of evidence were secured and preserved, involving 13 people in the United States who directly launched cyber attacks on China, and more than 60 contracts and more than 170 electronic documents signed by the NSA with U.S. telecom operators through cover companies to build the network attack environment.

The evidence is conclusive: four IP addresses are locked

In order to cover its attack operations, TAO carried out a long period of preparatory work before starting the operation, mainly building an anonymized attack infrastructure. TAO used two "zero-day vulnerability" exploit tools for the SunOS operating system to target high-traffic servers running network applications at educational institutions and commercial companies in countries neighboring China. After a successful attack, the OPEN Trojan was installed (see the related research report) and a large number of springboard machines were brought under control.

According to the report, TAO used 54 springboard machines and proxy servers in the cyber attack on Northwestern Polytechnical University, distributed mainly across 17 countries including Japan, South Korea, Sweden, Poland and Ukraine, of which 70% were located in countries neighboring China, such as Japan and South Korea.

The function of these springboard machines is limited to command relay, that is, forwarding the commands of the upper-level springboard to the target system, thereby masking the real IP of the NSA launching the cyber attack. At present, TAO has at least four IP addresses from which it controls the springboard machines from its access environment (a U.S. domestic telecommunications operator), namely 209.59.36.*, 69.165.54.*, 207.195.240.*, and 209.118.143.*. At the same time, to further conceal the relationship between the springboard machines and proxy servers and the NSA, the NSA used the anonymous protection service of the American Registrar Company to anonymize traceable information such as the relevant domain names, certificates and registrants, so that they could not be queried through public channels.
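The four masked prefixes above are the kind of indicator a defender would load into a watchlist and run against their own perimeter logs. The following is an added example, not code from the report or from the technical team: it expands the article's dotted prefixes (last octet masked with `*`) into /24 networks and matches them against constructed firewall log lines. The log format (`timestamp src_ip dst_ip action`) and the log lines themselves are assumptions made for the example.

```python
import ipaddress
from typing import Iterable, List, Tuple

# The four masked prefixes the report attributes to TAO's access environment,
# exactly as the article gives them (last octet withheld as "*").
REPORTED_PREFIXES = ["209.59.36.*", "69.165.54.*", "207.195.240.*", "209.118.143.*"]


def prefix_to_network(masked: str) -> ipaddress.IPv4Network:
    """Turn a dotted prefix with trailing '*' octets (e.g. '209.59.36.*')
    into the IPv4Network covering every address it masks."""
    octets = masked.split(".")
    if len(octets) != 4 or "*" not in octets:
        raise ValueError(f"not a masked prefix: {masked!r}")
    fixed = [o for o in octets if o != "*"]
    # Wildcards must be a contiguous suffix: "209.59.*.36" is not a prefix.
    if octets[len(fixed):] != ["*"] * (4 - len(fixed)):
        raise ValueError(f"wildcards must be trailing: {masked!r}")
    base = ".".join(fixed + ["0"] * (4 - len(fixed)))
    return ipaddress.ip_network(f"{base}/{8 * len(fixed)}")


def build_watchlist(masked_prefixes: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Expand every masked prefix into a network object once, up front."""
    return [prefix_to_network(p) for p in masked_prefixes]


def match_log(lines: Iterable[str],
              watchlist: List[ipaddress.IPv4Network]) -> List[Tuple[str, str, str]]:
    """Return (timestamp, src_ip, matched_network) for each log line whose
    source address falls inside a watchlisted network. Malformed lines and
    unparsable addresses are skipped rather than aborting the scan."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        ts, src = parts[0], parts[1]
        try:
            src_ip = ipaddress.ip_address(src)
        except ValueError:
            continue
        for net in watchlist:
            if src_ip in net:
                hits.append((ts, src, str(net)))
                break
    return hits


# Constructed sample log lines for the example (not from the report).
SAMPLE_LOG = [
    "2022-06-01T10:00:00Z 209.59.36.17 10.0.0.5 ACCEPT",       # inside 209.59.36.0/24
    "2022-06-01T10:00:05Z 198.51.100.9 10.0.0.5 ACCEPT",       # documentation range, no hit
    "2022-06-01T10:00:09Z 207.195.240.200 10.0.0.8 DENY",      # inside 207.195.240.0/24
    "malformed line",                                          # skipped
    "2022-06-01T10:00:12Z 69.165.55.3 10.0.0.5 ACCEPT",        # adjacent /24, must not match
]

if __name__ == "__main__":
    for hit in match_log(SAMPLE_LOG, build_watchlist(REPORTED_PREFIXES)):
        print("watchlist hit:", hit)
```

A hit on a /24 that belongs to a commercial telecom operator is a triage signal, not attribution: the article itself notes that the ranges sit in a U.S. operator's address space, so other customers share them. Correlate a hit with the destination, the time window and the device's own logs before treating it as evidence.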

Through correlation analysis of threat intelligence data, the technical team found that the network resources of the attack platform used against Northwestern Polytechnical University involved a total of 5 proxy servers, and that the NSA had purchased IP addresses from Terremark in the United States and rented a number of servers through two secretly established cover companies, Jackson Smith Consultants and Mueller Diversified Systems. The technical team also found that staff of TAO's Mission Infrastructure Technology Division (MIT) used the name "Amanda Ramirez" to anonymously buy a domain name and a generic SSL certificate (ID: e42d3bea0a16111e67ef79f9cc2*****). The domain name and certificate were then deployed on Foxacid, an intermediary attack platform located in the United States, to attack a large number of Chinese network targets; in particular, TAO launched multiple rounds of continuous attack and theft operations against Chinese information network targets such as Northwestern Polytechnical University.

To conceal the traces of the attack, TAO flexibly configured the same network weapon according to the target environment during the cyber attack on Northwestern Polytechnical University. For example, 14 different versions of one cyber weapon alone, the "cunning heretic" (an NSA codename), were used in the attack on the university.

Significant: Breaking the "one-way transparency" advantage of the United States over the mainland

According to the report, the U.S. National Security Agency (NSA) has long conducted secret hacking activities against leading enterprises across the mainland's industries, as well as governments, universities, medical institutions, scientific research institutions and even the operation and maintenance units of important information infrastructure related to the national economy and people's livelihood. This behavior may cause serious harm to the mainland's national defense security, critical infrastructure security, financial security, social security, production security and citizens' personal information.

Northwestern Polytechnical University, together with China's National Computer Virus Emergency Response Center and 360 Company, comprehensively reconstructed a series of attacks launched by the NSA with cyber weapons over the past few years, breaking the "one-way transparency" advantage the United States has held over the mainland. When facing a strong opponent with a national background, we must first know where the risk is, what kind of risk it is, and when it arises; as the NSA attack shows, what cannot be seen cannot be defended against. This was a successful joint effort by the three parties to overcome the problem of "seeing", helping the country truly perceive risks, see threats, resist attacks, and bring overseas hacker attacks into the light.

In addition, the active defensive measures taken by Northwestern Polytechnical University and the relevant departments are worth studying by victims of NSA cyber attacks around the world, and will serve as a strong reference for countries seeking to effectively prevent and resist follow-up cyber attacks by the NSA. The Global Times will continue to follow the progress of this matter.