Recently, Northwestern Polytechnical University issued a "Public Statement" stating that the school suffered from overseasNetwork attacks. The Beilin Branch of the Public Security Bureau of Xi'an City, Shaanxi Province immediately issued a "Police Information Bulletin", confirming that a number of Trojan horse program samples originating from abroad were found in the information network of Northwestern Polytechnical University. The Xi'an police have officially opened an investigation into this.
China's National Computer Virus Emergency Response Center and 360 Company immediately set up a technical team to carry out investigation work and participated in the technical analysis of the case throughout the entire process. The technical team has captured Trojan horse program samples from multiple information systems and Internet terminals, comprehensively used existing domestic data resources and analysis methods, and received full support from partners in some countries in Europe and South Asia to comprehensively restore the overall situation of related attack events. Overview, technical characteristics, attack weapons, attack paths and attack sources, it was initially determined that the relevant attack activities originated from the "Office of Tailored Access Operation" (hereinafter referred to as TAO) of the US National Security Agency (NSA).
This series of research reports will reveal the important details of some specific attack activities among the thousands of cyber attacks launched by the U.S. National Security Agency (NSA)'s "Signal Specific Invasion Operations Office" (TAO) against Northwestern Polytechnical University, and will be effective for countries around the world. Preventing and discovering TAO’s subsequent cyber attacks provides examples that can be used for reference.
1. Overview of attack events
The analysis found that the U.S. NSA's "Specific Intrusion Operations Office" (TAO) carried out tens of thousands of malicious network attacks on Chinese domestic network targets and controlled related network equipment (network servers, Internet terminals, network switches, telephone switches, routers , firewall, etc.), suspected of stealing high-value data. At the same time, the U.S. NSA also used the network attack weapon platform, "zero-day vulnerabilities" (0day) and network equipment it controlled to conduct indiscriminate voice monitoring of Chinese mobile phone users for a long time, illegally steal the content of mobile phone users' text messages, and Wirelessly locate it. After complex technical analysis and traceability, the technical team has now clarified the network resources, special weapons and equipment and specific techniques used in NSA attack activities, restored the attack process and stolen documents, and mastered the U.S. NSA's "Specific Intrusion Operations Office" ( TAO)’s evidence chain for cyber attacks and data theft on China’s information networks.
2. Basic situation of attack organization
Technical analysis and online traceability investigations revealed that this cyber attack was carried out by the TAO (codename S32) department of the Data Reconnaissance Bureau (codename S3) of the Information Intelligence Division (codename S) of the US National Security Agency (NSA). The department was established in 1998, and its deployment of power mainly relies on the cryptographic centers of the National Security Agency (NSA) in the United States and Europe.
The six cryptographic centers that have been announced so far are:
1National Security Agency headquarters at Fort Meade, Maryland;
2National Security Agency Hawaii Cryptozoological Center (NSAH) on Oahu Island;
3National Security Agency Georgia Cryptozoological Center (NSAG) at Fort Gordon;
4National Security Agency Texas Cryptozoological Center (NSAT) in San Antonio;
5National Security Agency Coloraro Cryptozoological Center (NSAC), Markley Air Force Base, Denver;
6The National Security Agency’s European Cryptozoological Center (NSAE) at the U.S. military base in Darmstadt, Germany.
TAO is currently a tactical implementation unit of the US government that specializes in large-scale cyber attacks and theft of secrets against other countries. It consists of more than 2,000 military and civilian personnel and has 10 units:
The first place: Remote Operations Center (ROC, code-named S321)
Mainly responsible for operating weapons platforms and tools to enter and control target systems or networks.
Division 2: Advanced/Access Network Technology Division (ANT, code-named S322)
Responsible for researching related hardware technologies and providing hardware-related technologies and weapons and equipment support for TAO network attack operations.
The third department: Data Network Technology Department (DNT, code name S323)
Responsible for the development of complex computer software tools to provide support for TAO operators to perform network attack tasks.
Division 4: Telecommunications Network Technology Division (TNT, code-named S324)
Responsible for researching telecommunications-related technologies and providing support for TAO operators to covertly penetrate telecommunications networks.
Division 5: Mission Infrastructure Technology Division (MIT, codename S325)
Responsible for developing and establishing network infrastructure and security monitoring platforms to build attack network environments and anonymous networks.
Office Six: Access Operations Office (AO, code-named S326)
Responsible for backdoor installation of products intended to be delivered to the target through the supply chain.
Department Seven: Demand and Positioning Department (R&T, code-named S327)
Receive tasks from relevant units, determine reconnaissance targets, and analyze and evaluate the value of intelligence.
Division 8: Access Technology Operations Office (ATO, No. S328)
Responsible for the development of contact-based eavesdropping devices, and cooperating with CIA and FBI personnel to install eavesdropping software or devices into target computers and telecommunications systems through human contact.
S32P: Project Planning Integration Office (PPI, code name S32P)
Responsible for overall planning and project management.
NWT:cyber warfareTeam (NWT)
Responsible for liaison with 133 cyber operations teams.
This case was code-named "shotXXXX" within the US National Security Agency (NSA). The operation is directly commanded by the person in charge of TAO, and MIT (S325) is responsible for building the reconnaissance environment and renting attack resources; R&T (S327) is responsible for determining the attack strategy and intelligence assessment; ANT (S322), DNT (S323), TNT ( S324) is responsible for providing technical support; ROC (S321) is responsible for organizing attack reconnaissance operations. It can be seen that those directly involved in command and operations mainly include the person in charge of TAO, S321 and S325 units.
The head of TAO during the NSA spying period was Robert Edward Joyce. This person was born on September 13, 1967. He attended Hannibal High School, graduated from Clarkson University with a bachelor's degree in 1989, and graduated from Johns Hopkins University with a master's degree in 1993. Joined the US National Security Agency in 1989. He once served as deputy director of TAO and director of TAO from 2013 to 2017. He has served as Acting U.S. Homeland Security Advisor since October 2017. From April to May 2018, he served as the National Security Advisor of the White House, and later returned to the NSA to serve as the Director of the National Security Agency.cyber securitySenior advisor for strategy and currently serves as director of the NSA Cybersecurity Bureau.
3. The actual situation of TAO network attacks
The S325 unit of the TAO department of the US National Security Agency, through layers of cover, built an anonymous network composed of 49 springboard machines and 5 proxy servers, purchased dedicated network resources, and set up an attack platform. The S321 unit used more than 40 different NSA exclusive network attack weapons to continuously carry out attacks and steal secrets against our country, stealing key network equipment configurations, network management data, operation and maintenance data and other core technical data. The secret theft activities lasted for a long time and covered a wide range. The technical analysis also found that before the attack began, TAO, with the cooperation of many large and well-known Internet companies in the United States, had mastered the management authority of a large number of China's communication network equipment, providing the NSA with continued intrusions into China's important domestic information networks. Open the door of convenience.
After traceability analysis, the technical team has now fully restored the NSA's attack and theft process, clarifying that it penetrated more than 1,100 attack links within Northwestern Polytechnical University, more than 90 command sequences of operations, and multiple stolen network device configuration files. , sniffed network communication data and passwords, other types of logs and key files, basically restoring the main details of each attack. Mastered and fixed multiple relevant evidence chains, involving 13 people who directly launched cyber attacks on China in the United States, as well as more than 60 contracts and electronic documents signed by the NSA with American telecom operators through cover companies to build a cyber attack environment. More than 170 copies.
4. Construction of NSA attack network
The technical team’s traceability analysis found that the US National Security Agency’s TAO department used 49 springboard machines in its cyber attack on Northwestern Polytechnical University. These springboard machines were carefully selected, and all IPs belonged to non-Five Eyes Alliance countries. And most of them chose IPs from countries surrounding China (such as Japan, South Korea, etc.), accounting for about 70%.
TAO used two "zero-day vulnerability" exploitation tools (samples extracted) for the SunOS operating system, named EXTREMEPARR (named by NSA) and EBBISLAND (named by NSA), to select educational institutions in countries surrounding China. Servers with large network application traffic such as commercial companies are the target of the attack; after the attack is successful, the NOPEN (named by NSA, sample has been extracted) backdoor is installed and a large number of springboard machines are controlled.
According to the traceability analysis, a total of 49 springboard machines were selected for this secret theft operation. These springboard machines only used transfer instructions to forward the upper-level springboard instructions to the target system, thereby concealing the true nature of the network attack launched by the US National Security Agency. IP.
At present, it is known that the perpetrators of TAO attacks control at least four IP addresses of springboard machines from their access environment (domestic telecom operators in the United States):
209.59.36.*
69.165.54.*
207.195.240.*
209.118.143.*
TAO Infrastructure Technology Division (MIT) personnel deployed anonymously purchased domain names and SSL certificates on the man-in-the-middle attack platform "FOXACID" (named by NSA) located in the United States to launch attacks on a large number of network targets in China. What deserves particular attention is that the NSA used the above-mentioned domain name and certificate deployment platform to launch multiple rounds of continuous attacks and secret theft operations against Chinese information networks such as Northwestern Polytechnical University.
In order to protect the security of its identity, the National Security Agency (NSA) of the United States uses the anonymous protection service of the American Register company. The relevant domain names and certificates have no clear direction and no associated personnel.
In order to cover up the source of its attacks and protect the security of its tools, TAO uses cover companies to purchase services from service providers for attack platforms that require long-term presence on the Internet.
A total of five proxy servers were involved in the network resources used by the Northwestern Polytechnical University attack platform. The NSA purchased IPs in Egypt, the Netherlands, and Colombia from the American company Terremark through two cover companies, and rented a batch of servers. .
The two companies are Jackson Smith Consultants and Mueller Diversified Systems.
5. Analysis of TAO’s weapons and equipment
Technical analysis found that TAO has used 41 types of NSA's special network attack weapons and equipment to launch attacks on Northwestern Polytechnical University through 49 springboard machines and 5 proxy servers distributed in 17 countries including Japan, South Korea, Sweden, Poland, and Ukraine. Conducted thousands of secret theft attacks and stole a batch of network data.
The US National Security Agency TAO's cyber attack weapons and equipment are highly targeted and have received strong support from US Internet giants. The same piece of equipment will be flexibly configured according to the target environment. Among the 41 pieces of equipment used here, only the backdoor tool "Cunning Heretic" (named by NSA) had 14 different versions in the network attack on Northwestern Polytechnical University. The types of tools used by the NSA are mainly divided into four categories, namely:
(1) Vulnerability attack and breakthrough weapons
TAO relies on such weapons to carry out attacks and breakthroughs on the border network equipment, gateway servers, and office intranet hosts of Northwestern Polytechnical University. It is also used to attack and control overseas springboard machines to build an anonymous network. There are 3 types of weapons of this type:
1. "razor"
This weapon can carry out remote overflow attacks against X86 and SPARC architecture Solaris systems that have opened specified RPC services. During the attack, it can automatically detect the opening status of the target system services and intelligently select the appropriate version of the exploit code to directly obtain the complete access to the target host. Control.
This weapon is used to attack springboards in countries such as Japan and South Korea, and the controlled springboards are used to attack Northwestern Polytechnical University.
2. "Isolated Island"
This weapon can also carry out remote overflow attacks against Solaris systems that have opened customized RPC services, directly gaining complete control over the target host.
The difference from the "razor" tool is that this tool does not have the ability to independently detect the openness of target services, and the user needs to manually select the target service to attack.
The NSA used this weapon to attack and control the border server of Northwestern Polytechnical University. 3. "Sour Fox" Weapon Platform
This weapon platform is deployed in Colombia and can be used in conjunction with the "second date" man-in-the-middle attack weapon. It can intelligently configure vulnerability payloads to carry out remote overflow attacks against mainstream browsers on IE, FireFox, Safari, Android Webkit and other platforms to obtain the target system. of control.
TAO mainly uses this weapon platform to carry out breakthrough attacks on the office intranet host of Northwestern Polytechnical University.
(2) Persistent control weapons
TAO relies on such weapons to carry out covert and lasting control over the Northwestern Polytechnical University network. TAO staff can send control instructions through encrypted channels to operate such weapons to penetrate, control, and steal secrets on the Northwestern Polytechnical University network. There are 5 types of weapons of this type:
1. "Second date": This weapon resides on network edge devices and servers such as gateway servers and border routers for a long time. It can accurately filter and automatically hijack massive data traffic to achieve man-in-the-middle attacks. TAO placed the weapon on the border equipment of Northwestern Polytechnical University, hijacked the traffic flowing through the equipment and directed it to the "Acid Fox" platform to conduct vulnerability attacks.
2. "NOPEN" Trojan: This weapon is a control-type Trojan that supports multiple operating systems and different architectures. It can receive instructions through encrypted tunnels to perform various operations such as file management, process management, and system command execution, and it itself Ability to escalate privileges and persist. TAO mainly uses this weapon to implement persistent control over core business servers and key network equipment within the Northwestern Polytechnical University network.
3. "Rage Spray": This weapon is a Windows-based control Trojan that supports multiple operating systems and different architectures. It can be customized to generate different types of Trojan servers based on the target system environment. The server itself has Extremely strong anti-analysis and anti-debugging capabilities. : TAO mainly uses this weapon in conjunction with the "Sour Fox" platform to implement persistent control over personal hosts within the Northwestern Polytechnical University office network.
4. "Cunning Heretic": This weapon is a lightweight backdoor implantation tool. It will delete itself after running. It has the function of elevating privileges. It resides permanently on the target device and can be started with the system. TAO mainly uses this weapon to achieve persistent persistence, so that it can establish an encrypted pipeline at the right time to upload the NOPEN Trojan to ensure long-term control of the Northwestern Polytechnical University information network.
5. "Stoic Surgeon": This weapon is a backdoor for four types of operating systems, including Linux, Solaris, JunOS, and FreeBSD. This weapon can run persistently on the target device and target specified files on the target device according to instructions. , directories, processes, etc. are hidden. TAO mainly uses this weapon to hide the files and processes of the NOPEN Trojan to avoid being discovered by monitoring. TAO used 12 different versions of this weapon in the cyber attack on Northwestern Polytechnical University.
(3) Sniffing for secret-stealing weapons
TAO relies on such weapons to sniff the account passwords and generated operation records used by Northwestern Polytechnical University staff when operating and maintaining the network, and steal sensitive information and operation and maintenance data within the Northwestern Polytechnical University network. There are two types of weapons of this type:
1. "Yincha": This weapon can reside in 32-bit or 64-bit Solaris systems for a long time, and obtains account passwords exposed in various remote login methods such as ssh, telnet, rlogin, etc. by sniffing inter-process communications. TAO mainly uses this weapon to sniff the account passwords, operation records, log files, etc. generated by Northwestern Polytechnical University business personnel when they perform operation and maintenance work, and compresses and encrypts the files for download by the NOPEN Trojan. 2. "Operation Behind Enemy Lines" series of weapons. This series of weapons is a tool specifically designed for operators' specific business systems. According to different types of controlled business equipment, "Operation Behind Enemy Lines" will be used in conjunction with different analysis tools. In the attack on the operation and maintenance pipeline of Northwestern Polytechnical University, the CCP used three types of attack and secret stealing tools targeting operators, including "Magic School", "Clown Food" and "Curse Fire".
(4) Concealed trace-erasing weapons
TAO relies on such weapons to eliminate traces of its behavior within the Northwestern Polytechnical University network, hide and cover up its malicious operations and secret theft, and at the same time provide protection for the above three types of weapons.
A total of 1 such weapon has been discovered:
1. "Toast Bread": This weapon can be used to view and modify log files such as utmp, wtmp, lastlog, etc. to clear traces of operations. TAO mainly uses this weapon to clear and replace various log files on the Internet equipment of Northwestern Polytechnical University and hide its malicious behavior. In TAO’s cyber attack on Northwestern Polytechnical University, the CCP used three different versions of “toast bread.”
summary
The U.S. National Security Agency (NSA) has been conducting long-term secret operations against my country's leading enterprises in various industries, governments, universities, medical institutions, scientific research institutions, and even important information infrastructure operation and maintenance units related to the national economy and people's livelihood.hackerAttack activities. Its behavior may cause serious harm to our country's national defense security, key infrastructure security, financial security, social security, production safety, and citizens' personal information, which deserves our deep thought and vigilance.
This time, Northwestern Polytechnical University, China's National Computer Virus Emergency Response Center and 360 Company, comprehensively restored a series of attacks launched by the US NSA using cyber weapons over the past few years, breaking the one-way transparency advantage of the United States towards my country. Facing a powerful opponent with a national background, you must first know where the risk is, what kind of risk it is, and when the risk will occur. This US NSA attack also proves that if you don't see it, you will be beaten. This is a successful practice in which the three parties have concentrated their efforts to jointly overcome the "seeing" problem, helping the country to truly perceive risks, see threats, resist attacks, and expose overseas hacker attacks to the sun in one fell swoop.
Northwestern Polytechnical University publicly released a statement on being attacked by overseas cyberattacks, which reflects its spirit of being responsible for the country, the school, and society. It is determined to seek truth from facts and never tolerate, and resolutely investigate to the end. Its active defensive measures are worth learning from the victims of NSA cyber attacks all over the world. This will become a powerful reference for countries around the world to effectively prevent and resist subsequent cyber attacks by the US NSA.
Original article, author: SnowFlake, if reprinted, please indicate the source: https://cncso.com/en/nsas-attack-on-northwestern-polytechnical-university-report.html
