The National Security Agency has attacked China tens of thousands of times and stolen more than 140GB of data

Author: China Youth Network   Time: 2022.09.05

Investigation report on the US NSA cyber attack on Northwestern Polytechnical University (Part One)

On June 22, 2022, Northwestern Polytechnical University issued a "Public Statement" saying that the university had been subjected to a cyber attack from overseas. The Beilin Branch of the Xi'an Public Security Bureau of Shaanxi Province immediately released a Police Report confirming that a number of samples originating overseas had been found in the information network of Northwestern Polytechnical University, and that the Xi'an police had formally opened a case for investigation.

The National Computer Virus Emergency Treatment Center and 360 Company jointly formed a technical team (hereinafter the "technical team") that participated in the technical analysis of the case throughout. The technical team extracted a number of Trojan samples from multiple information systems and Internet terminals at Northwestern Polytechnical University, made comprehensive use of domestic data resources and analysis methods, and received support from partners in Europe and South Asia. It reconstructed the overall picture, technical characteristics, attack weapons, attack paths and attack source of the related events, and preliminarily determined that the attack activities originated from the Office of Tailored Access Operations (hereinafter TAO) of the US National Security Agency (NSA).

I. Overview of the attack events

The investigation found that in recent years TAO, a unit of the US NSA, has carried out tens of thousands of malicious cyber attacks on network targets inside China, controlled tens of thousands of network devices (network servers, Internet terminals, network switches, telephone switches, routers, firewalls, etc.) and stolen more than 140GB of high-value data. TAO uses its cyber attack weapon platforms, "zero-day vulnerabilities" (0day) and the network devices it controls to keep extending the reach and scope of its attacks. Through technical analysis and tracing, the technical team has identified the attack infrastructure, special weapons and equipment, and tactics and techniques used in TAO's attack activities, reconstructed the attack process and the theft of documents, and obtained evidence of the cyber attacks and data theft carried out by the NSA and its subordinate units against Chinese information networks. The evidence involves 13 people who directly launched cyber attacks against China from inside the United States, more than 60 contracts that the NSA signed with US telecommunications operators through cover companies to build its cyber attack environment, and more than 170 electronic files.

II. Analysis of the attack events

In the cyber attack on Northwestern Polytechnical University, TAO used more than 40 different NSA-exclusive cyber attack weapons and persistently stole core technical data from the university, including the configuration of key network equipment, network management data and operation and maintenance data. Through forensic analysis, the technical team has pieced together more than 1,100 attack links through which the attackers penetrated Northwestern Polytechnical University and more than 90 sequences of operational commands, and has located multiple stolen files on the compromised network devices: device configuration files, sniffed network communication data and passwords, other types of logs and key files, and other details of the attack activities. The specific analysis is as follows:

(1) Related cyber attack infrastructure

To cover its attack operations, TAO makes long-term preparations before launching an operation, chiefly the construction of anonymous attack infrastructure. Using two "zero-day vulnerabilities" in the SunOS operating system, TAO selected as targets servers with many network applications, such as those of educational institutions and commercial companies in countries around China; after a successful attack it installed a Trojan program (see the related research report for details) and thereby gained control of a large number of springboard machines.

In the cyber attack on Northwestern Polytechnical University, TAO used 54 springboard machines and proxy servers, distributed mainly across 17 countries including Japan, South Korea, Sweden, Poland and Ukraine; 70% of them are located in countries around China, such as Japan and South Korea.

The function of these springboard machines is limited to relaying commands, that is, forwarding the commands received from the previous-level springboard to the target system, thereby concealing the real IP address from which the US National Security Agency launches its attacks. At present, the four IP addresses from which TAO controls the springboards from its access environment (a US domestic telecommunications operator) are 209.59.36.*, 69.165.54.*, 207.195.240.* and 209.118.143.*. At the same time, to further obscure the relationship between the springboards and proxy servers and the NSA, the NSA used the anonymity protection services of US registrars to anonymize traceable information such as the related domain names, certificates and registrants, so that this information cannot be looked up.

Through analysis of threat intelligence data, the technical team found that the network resources used by the attack platform targeting Northwestern Polytechnical University involved a total of 5 proxy servers. Through two cover companies that it secretly established, the NSA purchased IP addresses in Egypt, the Netherlands and Colombia from Terremark and rented a batch of servers; the two companies are Jackson Smith Consultants and Mueller Diversify Systems. At the same time, the technical team also found that staff of TAO's Mission Infrastructure Technology Division (MIT) used the name "Amanda Ramirez" to purchase a domain name and a universal SSL certificate (ID: E42D3BEA0A1679F9CC2 *** *** **). The domain name and certificate were then deployed on the man-in-the-middle attack platform "Foxacid", located in the United States, to attack a large number of Chinese network targets. In particular, TAO launched multiple rounds of continuous attacks and secret data theft against Chinese information network targets such as Northwestern Polytechnical University.

(2) Related cyber attack weapons

In the cyber attack on Northwestern Polytechnical University, TAO successively used 41 types of NSA special cyber attack weapons and equipment. During the attack, TAO flexibly configured the same cyber weapon according to the target environment; for example, among the weapons used against Northwestern Polytechnical University there were 14 different versions of the backdoor tool "Cunning Criminals" (the NSA's name for it). The technical team divided the tools TAO used in this attack into four categories:

1. Vulnerability exploitation and breakthrough weapons

TAO relies on these weapons to break into the border network equipment, gateway servers and office intranet hosts of Northwestern Polytechnical University. They are also used to attack and control overseas springboards in order to build the anonymous network used for the operation. There are 3 types of such weapons:

"Shaver"

This weapon can carry out remote exploitation of X86 and SPARC architecture systems running a specified RPC service. When attacking, it automatically probes the target system's services and intelligently selects the appropriate version of exploit code to obtain full control of the target console. This weapon was used to attack springboard machines in Japan, South Korea and other countries, and the controlled springboards were then used to attack Northwestern Polytechnical University.

"Island"

This weapon can likewise carry out remote overflow attacks on Solaris systems with a specified RPC service open, obtaining complete control of the target host. The difference from "Shaver" is that this tool cannot probe the target's services automatically; the user must manually configure the target and related parameters. The NSA used this weapon to attack the border servers of Northwestern Polytechnical University.

"Sour Fox" weapon platform

This weapon platform is deployed in Colombia and can be used in combination with the "Second Dating" man-in-the-middle attack weapon. It can intelligently configure vulnerability payloads for mainstream browsers such as IE, Firefox, Safari and Android WebKit and gain control of the target (see the National Computer Virus Emergency Treatment Center's "Technical analysis report on the National Security Agency (NSA) 'Sour Fox' vulnerability attack weapon platform" for details). TAO mainly used this platform to intrude into the intranet hosts of Northwestern Polytechnical University.

2. Persistent control weapons

TAO relies on these weapons to covertly and persistently control the network of Northwestern Polytechnical University. The TAO operations team can send control commands through an encrypted channel to operate these weapons and carry out penetration, control and data theft against the university's network. There are 6 types of such weapons:

"Second Dating"

This weapon resides long-term on network border devices and servers such as gateway servers and border routers, and can precisely filter and automatically hijack massive volumes of traffic to carry out man-in-the-middle attacks. TAO placed the weapon on the border equipment of Northwestern Polytechnical University and redirected traffic passing through the device to the "Sour Fox" platform for vulnerability attacks.

"NOPEN"

This weapon is a remote-control Trojan that supports multiple operating systems and system architectures. It receives commands through an encrypted tunnel and can perform operations such as file management, process management and system command execution, and it has privilege escalation and persistence capabilities (see the National Computer Virus Emergency Treatment Center's "NOPEN remote control Trojan analysis report" for details). TAO mainly used this weapon for persistent control of core business servers and key network equipment inside the network of Northwestern Polytechnical University.

"Angry Jet"

This weapon is a remote-control Trojan for Windows-based systems that supports various operating system versions and system architectures. It can be customized according to the target system environment to generate different types of Trojan server with different capabilities. TAO mainly used this weapon together with the "Sour Fox" platform to implement persistent control of personal hosts on the office network of Northwestern Polytechnical University.

"Cunning Criminals"

This weapon is a lightweight backdoor implantation tool that deletes itself after running. It has privilege escalation capability, persists on the target device and can start with the system. TAO mainly used this weapon to achieve long-term residence so that, at a suitable time, an encrypted channel could be established to upload the NOPEN Trojan, ensuring long-term control over the information network of Northwestern Polytechnical University.

"Persevere Surgeon"

This weapon is a backdoor for 4 operating systems: Linux, Solaris, JunOS and FreeBSD. It can run on the target device for a long time and hides specified files, directories and processes on the target device according to instructions. TAO mainly used the weapon to hide the files and processes of the NOPEN Trojan so that they would not be detected by monitoring. Technical analysis found that TAO used a total of 12 different versions of the weapon in the cyber attack on Northwestern Polytechnical University.

3. Sniffing and theft weapons

TAO relies on these weapons to sniff the account passwords and command-line operation records used by the staff of Northwestern Polytechnical University during network operation and maintenance, and to steal sensitive information and operation and maintenance data inside the university's network. There are 2 types of such weapons:

"Drink Tea"

This weapon can reside long-term on 32-bit or 64-bit Solaris systems and, by sniffing processes, obtain the account passwords exposed in various remote login methods such as SSH, Telnet and rlogin. TAO mainly used the weapon to sniff the account passwords, command records and log files of Northwestern Polytechnical University business personnel carrying out operation and maintenance work.

"Action Behind the Enemy" series of weapons

This series of weapons consists of tools specially designed for the specific business systems of telecommunications operators. Depending on the type of business equipment being controlled, "Action Behind the Enemy" is used in conjunction with different parsing tools. In the cyber attack on Northwestern Polytechnical University, TAO used three of these attack and theft tools for telecommunications operators: "Magic School", "Clown Food" and "Cursing Fire".

4. Concealment and trace-removal weapons

TAO relies on these weapons to eliminate the traces of its activity inside the network of Northwestern Polytechnical University, hide and cover up its malicious operations and data theft, and provide cover for the above three categories of weapons. One weapon of this type has been found so far:

"Toast Bread": this weapon can be used to view and modify log files such as utmp, wtmp and lastlog to remove operational traces. TAO mainly used the weapon to remove and replace various log files on the Internet-facing equipment of Northwestern Polytechnical University in order to hide its malicious behaviour. TAO's cyber attack on Northwestern Polytechnical University used three different versions of "Toast Bread".
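As an added defender-side illustration of the log tampering described above (this is not code from the report or from any tool it names): a Python check that parses a Linux wtmp file in the 384-byte glibc record layout and flags three signs of editing, namely zero-filled records, logouts with no matching login, and a lastlog login time newer than any login left in wtmp. The wtmp records and lastlog times below are constructed sample data, and the struct layout assumes x86_64 glibc.

```python
import struct

# glibc utmp record on x86_64 Linux: 384 bytes (assumed layout for this example).
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384
USER_PROCESS, DEAD_PROCESS = 7, 8      # ut_type values for login / logout


def pack_record(ut_type, pid, line, user, host, tv_sec):
    """Build one utmp/wtmp record; used here only to construct sample data."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0)


def _text(field):
    return field.rstrip(b"\0").decode(errors="replace")


def parse_wtmp(data):
    """Yield (type, line, user, host, tv_sec, raw) for each whole record."""
    for off in range(0, len(data) - len(data) % UTMP_SIZE, UTMP_SIZE):
        raw = data[off:off + UTMP_SIZE]
        f = struct.unpack(UTMP_FMT, raw)
        yield f[0], _text(f[2]), _text(f[4]), _text(f[5]), f[9], raw


def audit_wtmp(data, lastlog_times):
    """Return findings that suggest wtmp and/or lastlog were edited.

    lastlog_times maps user -> last login epoch seconds as read from lastlog;
    a cleaner that edits one file but not the other leaves them inconsistent.
    """
    findings, open_lines, newest_login, prev_sec = [], {}, {}, 0
    for idx, (t, line, user, _host, sec, raw) in enumerate(parse_wtmp(data)):
        if raw == b"\0" * UTMP_SIZE:
            findings.append(f"record {idx}: zero-filled (entry wiped in place)")
            continue
        if sec < prev_sec:  # wtmp is append-only, so time should never go backwards
            findings.append(f"record {idx}: timestamp {sec} earlier than previous {prev_sec}")
        prev_sec = max(prev_sec, sec)
        if t == USER_PROCESS:
            open_lines[line] = user
            newest_login[user] = max(newest_login.get(user, 0), sec)
        elif t == DEAD_PROCESS:
            if line not in open_lines:
                findings.append(f"record {idx}: logout on {line} with no matching login")
            open_lines.pop(line, None)
    for user, ll_sec in lastlog_times.items():
        if ll_sec > newest_login.get(user, 0):
            findings.append(f"user {user}: lastlog newer than any wtmp login (entry removed?)")
    return findings


# Constructed sample: a normal session, one login wiped in place, one orphaned logout.
T0 = 1_655_000_000
SAMPLE_WTMP = b"".join([
    pack_record(USER_PROCESS, 1001, "pts/0", "admin", "10.0.0.5", T0),
    pack_record(DEAD_PROCESS, 1001, "pts/0", "", "", T0 + 600),
    b"\0" * UTMP_SIZE,
    pack_record(DEAD_PROCESS, 1002, "pts/1", "", "", T0 + 1300),
])
SAMPLE_LASTLOG = {"admin": T0, "netops": T0 + 700}  # netops login is gone from wtmp

if __name__ == "__main__":
    for finding in audit_wtmp(SAMPLE_WTMP, SAMPLE_LASTLOG):
        print(finding)
```

On a real host the same check runs over the bytes of /var/log/wtmp, with lastlog_times filled from the lastlog file; a cleaner that rewrites all three files consistently defeats it, which is why such records are best shipped off-host as they are written.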

III. Attack attribution

Combining the above technical analysis results with its tracing investigation, the technical team preliminarily judged that the cyber attack on Northwestern Polytechnical University was carried out by TAO, a department under the Data Reconnaissance Bureau (code S3) of the NSA's Information Intelligence Directorate (code S). The department was established in 1998, and its forces are deployed mainly at the NSA's cryptologic centers in the United States and Europe. The six cryptologic centers disclosed so far are:

1. NSA headquarters at Fort Meade, Maryland, USA;

2. NSA Hawaii Cryptologic Center (NSAH) at Wahiawa, Hawaii, USA;

3. NSA Georgia Cryptologic Center (NSAG) at Fort Gordon, Georgia, USA;

4. NSA Texas Cryptologic Center (NSAT) at San Antonio, Texas, USA;

5. NSA Colorado Cryptologic Center (NSAC) at Buckley Air Force Base, Colorado, USA;

6. NSA European Cryptologic Center (NSAE) at Darmstadt, Germany.

TAO is currently the tactical unit specializing in large-scale cyber attacks against other countries. It consists of more than 2,000 military and civilian personnel and is organized into the following units:

First: the Remote Operations Center (ROC, code S321), mainly responsible for operating the weapon platforms and tools used to enter and control target systems or networks.

Second: the Advanced/Access Network Technology Division (ANT, code S322), responsible for researching related hardware technologies and providing hardware-related technology, weapons and equipment support for TAO's cyber attack operations.

Third: the Data Network Technology Division (DNT, code S323), responsible for developing complex computer software tools to support TAO operators in carrying out cyber attack tasks.

Fourth: the Telecommunications Network Technology Division (TNT, code S324), responsible for researching telecommunications-related technologies and supporting TAO operators in the covert penetration of telecommunications networks.

Fifth: the Mission Infrastructure Technology Division (MIT, code S325), responsible for developing and establishing network infrastructure and security monitoring platforms, and for building the attack network environment and anonymous network.

Sixth: the Access Technologies Operations unit (ATO, code S326), responsible for installing backdoors in products that are to be delivered through the supply chain.

Seventh: the Requirements and Targeting unit (RT, code S327), which receives tasks from the relevant units, determines reconnaissance targets, and analyzes and evaluates the value of the intelligence.

S32P: Project Plan Integration (PPI, code S32P), responsible for overall planning and project management.

NWT: the Network Warfare Team (NWT), responsible for liaison with the online combat team.

The National Security Agency (NSA) designated the attack on Northwestern Polytechnical University as "shotxxxx". The operation was directly commanded by the head of TAO: MIT (S325) was responsible for building the reconnaissance environment and renting attack resources; RT (S327) was responsible for determining the attack strategy and assessing intelligence; TNT (S324) was responsible for providing technical support; and ROC (S321) was responsible for organizing the attack and reconnaissance operations. It can be seen that those directly participating in command and operations included the TAO leadership and the S321 and S325 units.

The person in charge at the NSA during the attack on Northwestern Polytechnical University was Robert Edward Joyce. He was born on September 13, 1967, attended Hannibal High School, graduated from Clarkson University with a bachelor's degree in 1989 and from Johns Hopkins University with a master's degree in 1993. He joined the National Security Agency in 1989, served as deputy director of TAO, and was director of TAO from 2013 to 2017. In October 2017 he began serving as acting US Homeland Security Advisor; from April to May 2018 he served as White House National Security Advisor, and then returned to the NSA as senior advisor on cybersecurity strategy to the NSA Director. He is currently the NSA's director of cybersecurity.

IV. Summary

Based on the analysis by the joint technical team of the National Computer Virus Emergency Treatment Center and 360 Company, this report reveals the truth of the long-running cyber espionage activities carried out by the US NSA against Chinese information network users and important units, including Northwestern Polytechnical University. The technical team will subsequently publish more technical details of the investigation into the related incidents.

Source: National Computer Virus Emergency Treatment Center

- END -
