China requires the United States to explain the network attack
Author: Zhonghong.com Time: 2022.09.06
Zhonghong.com, September 6th. On September 5th, Ministry of Foreign Affairs spokesperson Mao Ning presided over a regular press conference. Some reporters asked: a few days ago, the National Computer Virus Emergency Treatment Center and 360 Company released a survey report on the National Security Agency's network attacks on Northwestern Polytechnical University, showing that the specific invasion operation office of the National Security Agency carried out thousands of malicious network attacks on Chinese network targets. What is China's comment?
Mao Ning said that the investigation report you mentioned revealed another example of the US government's network attack on China.
Mao Ning said that according to the technical analysis and traceability work of the joint technical team of the National Computer Virus Emergency Treatment Center and 360 Company, the chain of evidence for the National Security Agency's cyber attacks on China and data theft from China is clear and complete, involving 13 attacks launched directly against China over the network from within the United States, more than 60 contracts signed with US telecommunications operators to build a network attack environment, and more than 170 electronic files. The report shows that the United States successively used 41 special network attack weapons and equipment to launch thousands of attacks on Northwestern Polytechnical University and steal a number of core technical data. The United States has also carried out indiscriminate voice monitoring of mobile phone users in China for a long time, illegally stealing the content of their text messages and wirelessly locating them.
Mao Ning pointed out that the US acts seriously endanger China's national security and citizens' personal information security. The Chinese side strongly condemns this and asks the United States to explain and immediately stop its illegal behavior.
Mao Ning emphasized that network space security is a common problem facing countries around the world. As the country with the most powerful network technology, the United States should immediately stop stealing from and attacking other countries, participate in global network space management with a responsible attitude, and play a constructive role in maintaining network security.
Extended reading
Northwestern Polytechnical University Public Statement
On April 12, 2022, our school reported the case concerning the email system to the public security organs. Recently, the public security organs have informed our school about the investigation of the case. Here, our school publicly states that we resolutely oppose cyber attacks in any form. The school attaches great importance to network security work and creates a secure network environment for teachers and students. The school calls on all teachers and students to further improve their awareness of network security and jointly maintain the school's network security.
Northwestern Polytechnical University was attacked from overseas! Police notice
On June 22, @Northwest University of Technology issued a public statement on Weibo, saying that the school's email system had suffered a network attack, which had a negative impact on the normal teaching and daily life of the school. The school called the police as soon as possible.

On June 23, the Beilin Branch of the Xi'an Public Security Bureau of Shaanxi Province issued a police report stating that, in accordance with Article 285 of the Criminal Law of the People's Republic of China, a case had been opened for investigation and further technical analysis was being carried out on the extracted Trojan and phishing email samples. The incident was initially judged to be a cyber attack initiated by overseas hackers and criminals.
The results of the survey were announced! The source of the network attack is the National Security Agency
On September 5th, the National Computer Virus Emergency Treatment Center and 360 Company released a survey report on the network attacks against Northwestern Polytechnical University. Tens of thousands of malicious network attacks have been carried out against China's domestic network targets, controlling related network devices and suspected of stealing high-value data.
In April of this year, the Xi'an public security organs received a report of a network attack: traces of network attacks had been found in the information systems of Northwestern Polytechnical University.
The Xi'an public security organs attached great importance to this and immediately organized police forces and network security experts into a joint task force to investigate the case. The National Computer Virus Emergency Treatment Center and 360 Company jointly formed a technical team that took part in the technical analysis of the case throughout the process. The technical team extracted a number of Trojan samples from multiple information systems and Internet terminals at Northwestern Polytechnical University, made comprehensive use of domestic data resources and analysis methods, and received the support of partners in Europe and South Asia. It established the overall summary, technical characteristics, attack weapons, attack paths and attack source of the related attack events, and initially determined that the attack activities originated from the National Security Agency (NSA) "specific invasion action office", the Office of Tailored Access Operation (TAO).
The investigation also found that in recent years the Specific Invasion Action Office (TAO) under the National Security Agency (NSA) has carried out tens of thousands of malicious network attacks on China's domestic network targets and controlled tens of thousands of network devices, including network servers, Internet terminals, network switches, telephone switches, routers and firewalls, stealing more than 140GB of high-value data.
After complex technical analysis and traceability, the joint technical team reconstructed the process by which Northwestern Polytechnical University was attacked and its data stolen. The evidence of network attacks and data theft involves 13 people in the United States who directly launched cyber attacks against China, 60 contracts that the National Security Agency (NSA) signed with US telecommunications operators through cover companies, and more than 170 electronic files. At present, the joint task force has reported the results of the investigation to the relevant national departments.
The person in charge of the secret organization TAO exposed
According to the survey report released by 360 Company, the case was codenamed "Strike XXXX" within the U.S. National Security Agency (NSA). The action was directly under the person in charge of TAO, and during the period of the NSA's secret theft the person in charge of TAO was Robert Edward Joyce.
Robert E. Joyce, the former director of TAO, is now in charge of the NSA Network Security Bureau

He was born on September 13, 1967, and studied at Hannibal High School. He graduated from Clarkson University in 1989 with a bachelor's degree and from Johns Hopkins University in 1993 with a master's degree. He joined the National Security Agency in 1989. He served as deputy director of TAO, and as director of TAO from 2013 to 2017. In October 2017, he began serving as acting U.S. Homeland Security Advisor. From April to May 2018, he served as a State Security Consultant of the White House, and then returned to the NSA as a senior consultant on the National Security Agency's cyber security strategy.
Many large Internet companies in the United States are disclosed with details of secret stealing methods
The technical analysis found that, before the attack, TAO had obtained management authority over a large number of large Internet companies in the United States and over a large number of communication network devices in China, opening a convenient door for the NSA to continue invading important information networks in China.
TAO successively used 41 NSA-specific network attack weapons and equipment. Through 49 springboard machines and 5 proxy servers distributed across 17 countries including Japan, South Korea, Sweden, Poland and Ukraine, it launched thousands of attack and theft operations against Northwestern Polytechnical University, stealing a batch of network data.

41 types of network attack weapons and equipment, in diverse versions
The network attack weapons and equipment of the National Security Agency's TAO are highly targeted and have received the support of the US Internet giants. The same equipment is flexibly configured according to the target environment. Of the 41 pieces of equipment used, the backdoor tool "cunning different criminals" (NSA naming) alone had 14 different versions in the network attack on Northwestern Polytechnical University.
The technical team divided the tools used by TAO in this attack into four categories.
(1) Vulnerability attack breakthrough weapons
TAO relies on such weapons to break through the border network equipment, gateway servers and office network hosts of Northwestern Polytechnical University. They are also used to attack and control overseas springboards in order to build anonymous networks.
(2) Continuous control weapons
TAO relies on such weapons to maintain concealed and persistent control of the Northwestern Polytechnical University network. TAO staff can send control instructions through an encrypted channel to operate such weapons and carry out penetration, control and secret theft against the Northwestern Polytechnical University network.
(3) Sniffing theft weapons
TAO relies on such weapons to sniff the account passwords and operating records generated by Northwestern Polytechnical University staff when operating and maintaining the network, and to steal sensitive information and operation and maintenance data inside Northwestern Polytechnical University.
(4) Hidden removal weapons
TAO relies on such weapons to erase the traces of its behavior within the network of Northwestern Polytechnical University, hide and cover up its malicious operations and secret theft, and provide protection for the above three types of weapons.
49 springboard machines used to cover up the real IP
According to the survey, these springboard machines were carefully selected. All of the IPs belong to non-"Five Eyes alliance" countries, and most are IPs in neighboring countries (such as Japan, South Korea, etc.), accounting for about 70%. According to the traceability analysis, these springboards use only relay commands to forward the instructions of the previous-level springboard to the target system, thereby covering up the true IP from which the US National Security Agency launched the network attack.
At present, TAO is found to have controlled the springboards from at least the following four IPs in its access environment (US domestic telecommunications operator):
209.59.36.*
69.165.54.*
207.195.240.*
209.118.143.*
In order to protect its identity, the National Security Agency (NSA) used the anonymous protection service of the US register, so the relevant domain names and certificates point to no clear party and have no associated personnel. In order to cover up the source of its attacks and protect its tools, where a long-term presence on the Internet is needed, TAO has purchased services from service providers through cover companies.
5 proxy servers cooperate in providing cover
The network resources used by the attack platform against Northwestern Polytechnical University involved a total of 5 proxy servers. Through two secretly established companies, the NSA purchased IPs in Egypt, the Netherlands and Colombia and rented a batch of servers. The two companies are Jackson Smith Consultants and Mueller Diversify Systems.
At the same time, the technical team also discovered that staff of the TAO Infrastructure Technology Office (MIT) used the name "Amanda Ramirez" to purchase a domain name and a universal SSL certificate (ID: E42D3BEA0A1679F9CC2 *** *****). Subsequently, the above-mentioned domain name and certificate were deployed on the intermediary attack platform "Foxacid" located in the United States to attack a large number of Chinese network targets. In particular, TAO launched multiple rounds of continuous attacks and secret theft against Chinese information network targets such as Northwestern Polytechnical University.