Be careful of "drinking tea"!Details of American Internet Attack West Engineering University exposure

On September 5, relevant Chinese departments announced to the outside world that Northwest University of Technology had previously stated that it was attacked by overseas network attacks. The attacker was the National Security Agency (NSA) specific invasion action office (TAO).

What institution is the "Specific Invasion Action Office" (TAO)?

It is understood that the "Specific Invasion Action Office" was established in 1998. It is currently a tactical implementation unit that specializes in the US government specializing in the implementation of large -scale network attacks on other countries. The National Security Agency set up 10 units in the centers in the United States and Europe.

The person in charge of the attack theft of Northwestern Polytechnical University was Robert Joyce. This person was born on September 13, 1967 and entered the National Security Agency in 1989. He has served as deputy director and director of the "Specific Invasion Action Office", and is currently the head of NSA network security of the National Security Agency.

In this invasion, the National Computer Virus Emergency treatment Center and Beijing Qi'an Panku Laboratory further analyzed. In the latest survey report, the technical details of the United States' attack on attacks were made public:

TAO uses "tea drinking" as a tool for sniffing theft, implanted it into the internal network server of Northwestern University of Technology, stealing the login password of remote management and remote file transmission services such as SSH, so as to obtain access permissions of other servers in the internal network and realize The inner network moves horizontally and sends other high -value servers to other sniffing secrets, persistent control and concealed disappearance network weapons, causing large -scale, persistent sensitive data theft.

According to technical analysis and research, "tea drinking" can not only steal the account password of a variety of remote management and remote file transmission services on the server, but also have strong hiddenness and environmental adaptability.

Network security experts said that after the "tea drinking" is implanted into the target server and network devices, it will disguise itself into a normal background service process, and use a modular method to send malicious loads in stages. It has a strong concealment. It is difficult to find. "Tea Drinking" can be operated hidden on the server, monitor the user's input on the terminal program of the operating system console in real time, and intercepts various user names and passwords, like the "voyer" standing behind the user.

Cyber ​​security experts introduced: "Once these username passwords are obtained by TAO, they can be used to attack the next stage. Even if these usernames password access to other servers and network devices, they will steal files on the server or send other delivery of other. Network weapon. "

According to the previous survey report, through the analysis of evidence, the technical team has accumulated a total of more than 1,100 attack links that attackers in the Northwest Institute of Technology's internal infiltration, more than 90 instruction sequences of operations, and positioning from the invaded network devices that have been invaded. A number of stolen network device configuration files, sniffing network communication data and passwords, other types of logs and key files, and other main details related to attack activities.

In addition, technical analysis shows that "tea drinking" can effectively integrate and link with other NSA network weapons to achieve "seamless docking". In TAO's incident of cyber attacks on Northwestern Polytechnical University, the "Tea Drinking" sniffing theft tools and BVP47 Trojan Programs were cooperated with other components to implement joint attacks.

2

Attacking West Engineering University is just the tip of the iceberg