Event Background
On June 22, 2022, Northwestern Polytechnical University issued a "Public Statement" saying that the school had been attacked from an overseas network and had immediately reported the matter to the police. The next day, the Beilin Branch of the Public Security Bureau of Xi'an City, Shaanxi Province issued a "Police Information Bulletin" confirming that at 15:00 on April 12 it had received a report from the university's Information Construction and Management Office: a batch of phishing emails on themes such as scientific research review, defense invitations and overseas notifications, containing Trojan horse programs, had appeared in the school's email system. Traces of cyber attacks were also found on the personal Internet computers of some faculty members.
On September 5, the official Weibo account of the Beilin Branch of the Xi'an Public Security Bureau reissued a "Police Information Bulletin" on the matter, saying: "After more than 100 days of hard work, important progress has been made in the investigation of the case." On the same day, China's National Computer Virus Emergency Response Center released the "Investigation Report on Northwestern Polytechnical University's Cyber Attack by the US NSA (Part I)" [hereinafter "Investigation Report (Part I)"], which stated that a technical team jointly formed by the National Computer Virus Emergency Response Center and 360 Company took part in the technical analysis of the case throughout. The technical team successively extracted a variety of Trojan samples from multiple information systems and Internet terminals of Northwestern Polytechnical University and, making comprehensive use of existing domestic data resources and analysis methods and with the support of partners from some countries in Europe and South Asia, fully reconstructed the overall picture, technical characteristics, attack weapons, attack paths and attack sources of the incident. It was preliminarily determined that the attack activities originated from the Office of Tailored Access Operations (hereinafter TAO) of the US National Security Agency (NSA).
On September 25, the National Computer Virus Emergency Response Center released the "Investigation Report on Northwestern Polytechnical University's Cyber Attack by the US NSA (Part II)" [hereinafter "Investigation Report (Part II)"], which disclosed how TAO's attack infiltrated Northwestern Polytechnical University, how TAO's identity was exposed during the attack, the IP addresses of the weapon platforms TAO used to attack the university, and the IP addresses of the springboards TAO used in the attack. Based on the above two investigation reports, "Pengpai Mingcha" has combined open source intelligence to sort out the important information in the cyber attack incident on Northwestern Polytechnical University.
Mingcha: the connection with the US NSA
By the time the National Computer Virus Emergency Response Center released its first traceability report, nearly five months had passed since the Taibai Road Police Station of the Beilin Branch of the Xi'an Public Security Bureau received the report from Northwestern Polytechnical University. An article on the network security industry portal FreeBuf discussed the matter and the cost and difficulty of tracing the source of cyber attacks, pointing out that the efficiency of attribution depends mainly on the capabilities of both attacker and defender: the attacker's anti-attribution capability and the security posture of the attacked party. If the intruder is cunning, using springboards to cover up its real address, constantly changing IP addresses and deleting logs, forensics becomes much harder, which is exactly what Northwestern Polytechnical University may have faced in this incident.
The "Investigation Report (Part I)" mentioned that 54 springboard machines and proxy servers were used successively in the cyber attacks against Northwestern Polytechnical University, located mainly in 17 countries including Japan, South Korea, Sweden, Poland and Ukraine, 70% of them in countries neighbouring China such as Japan and South Korea. Such a large-scale, long-path springboard attack is no easy task: it means the attackers are highly skilled and can take control of computers in multiple countries. But who has the motivation and the ability to use hosts in many countries as springboards to attack Northwestern Polytechnical University?
In February this year, Beijing Qi'an Pangu Laboratory Technology Co., Ltd. pointed out in a research report that a backdoor named Bvp47 had controlled 287 targets in more than 45 countries for more than ten years. The victims include Japan, South Korea, Pakistan and many other countries neighbouring China, and some victim hosts were used as springboards for further cyber attacks.
Qi'an Pangu Lab listed the victims' domain names, details and IP addresses in its report. Many of the institutions among them, such as Kyoto University in Japan and the University of Bremen in Germany, also appear in the list of springboard IPs used by TAO in the attack on Northwestern Polytechnical University in the "Investigation Report (Part II)". "Pengpai Mingcha" sent inquiry emails to Kyoto University, the University of Bremen, the Korea Institute of Science and Technology and other institutions, but had not received a reply as of press time.
The Bvp47 victims overlap with the main springboard machines used in the attack on Northwestern Polytechnical University.
On September 13, Qi'an Pangu Lab released a follow-up report pointing out that Bvp47 contained a tool called "Drinking Tea", which was also used in the attack on Northwestern Polytechnical University. On the same day, the National Computer Virus Emergency Response Center issued an analysis report on the "Drinking Tea" tool, citing Qi'an Pangu Lab's research, which described the cyber weapon as a "sniffing and stealing weapon" for Unix/Linux platforms that can steal remote access account passwords on the target host. According to the "Investigation Report (Part II)", "Drinking Tea" was used over a long period to stealthily sniff and steal the remote maintenance and management information of Northwestern Polytechnical University's operation and maintenance managers, including account passwords for network boundary devices, access rights to business devices, and configuration information for routers and other devices. This means there may be some connection between the operators behind Bvp47 and the intruders of the Northwestern Polytechnical University network.
The analysis report of Qi'an Pangu Lab revealed that there is sufficient evidence that the US hacker group "Equation" operates Bvp47. On the website of the US Council on Foreign Relations, "Equation" is described as a sophisticated, state-backed hacker group suspected to be from the United States. The group's main attack methods are firewall vulnerability exploits and spear-phishing emails, and its primary targets include China, Iran, Russia, Syria and other countries.
Spear phishing emails are fraudulent emails whose subject and content are tailored to specific targets. They are often more deceptive than ordinary phishing emails and may serve stealthier attack purposes. A Zhihu user, "Yu Xinghe", described as a master's student at the School of Computer Science of Northwestern Polytechnical University, mentioned that since at least January this year the school's Information Construction and Management Office has repeatedly sent emails reminding teachers and students that a hacker organization collects the names and positions of teachers and students through public channels such as news releases and scientific research papers on the Internet, registers mailboxes in commercial mail systems such as Gmail and 163 under the names of the school's offices and employees, and then, posing as the school's offices, colleagues, friends and leaders, sends notification emails to faculty and staff with subjects such as "I have something to look for you", "Help me with something" and "Year-end financial allowance", but with no specific content in the body.
Image source: Zhihu user @domain galaxy.
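A detection check for the sender-impersonation pattern described in the school's warning: a display name that matches a staff member or school office, but a mailbox at a commercial provider such as Gmail or 163 instead of the school's own domain. This is an added example written for this article, not code from Northwestern Polytechnical University or any investigation team; the school domain, staff roster and sample messages are constructed.

```python
"""Display-name impersonation check for inbound mail (added example).

Flags the lure pattern the article quotes: a sender whose display name is a
staff member or school office, whose address lives at a freemail provider,
and whose subject is one of the lure themes the school warned about.
All names, domains and sample messages below are constructed.
"""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed assumptions: the school's own mail domain and a roster of
# staff / office names that could be harvested from public web pages.
SCHOOL_DOMAINS = {"example-university.edu"}
STAFF_ROSTER = {"zhang wei", "li na", "information construction and management office"}
FREEMAIL_DOMAINS = {"gmail.com", "163.com", "126.com", "qq.com", "outlook.com"}

# Subject themes the article reports were used in the lure emails.
LURE_SUBJECTS = (
    "i have something to look for you",
    "help me with something",
    "year-end financial allowance",
)

def _norm(s: str) -> str:
    """Lower-case and collapse whitespace so roster lookups are forgiving."""
    return re.sub(r"\s+", " ", str(s).strip().lower())

def assess_message(raw: bytes) -> dict:
    """Parse one raw RFC 5322 message and return a verdict with reasons."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    display, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    reasons = []

    # Core tell: a roster name arriving from outside the school's domain.
    if _norm(display) in STAFF_ROSTER and domain not in SCHOOL_DOMAINS:
        reasons.append("roster name from external domain")
        if domain in FREEMAIL_DOMAINS:
            reasons.append("freemail sender")

    # Lure subject lines quoted in the school's warning.
    if any(lure in _norm(msg.get("Subject", "")) for lure in LURE_SUBJECTS):
        reasons.append("known lure subject")

    # A Reply-To that differs from From is a second impersonation tell.
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    if reply and reply.lower() != addr.lower():
        reasons.append("reply-to differs from from")

    return {
        "from": addr,
        "display": display,
        "verdict": "suspicious" if reasons else "ok",
        "reasons": reasons,
    }

# Constructed sample messages: one lure, one legitimate internal mail.
SAMPLE_LURE = (
    b"From: Zhang Wei <zhangwei.office@gmail.com>\r\n"
    b"To: staff@example-university.edu\r\n"
    b"Reply-To: zw.contact2022@163.com\r\n"
    b"Subject: I have something to look for you\r\n\r\n"
)
SAMPLE_LEGIT = (
    b"From: Zhang Wei <zhang.wei@example-university.edu>\r\n"
    b"To: staff@example-university.edu\r\n"
    b"Subject: Seminar schedule for next week\r\n\r\n"
    b"Please see the attached schedule.\r\n"
)

if __name__ == "__main__":
    for sample in (SAMPLE_LURE, SAMPLE_LEGIT):
        print(assess_message(sample))
```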
In 2016, a mysterious hacker group called "The Shadow Brokers" claimed to have successfully hacked "Equation", obtained a large number of tools and data used by the group, and put them up for sale publicly online. Among the documents published by the "Shadow Brokers", members of Qi'an Pangu Lab discovered a group of files suspected of containing a private key, and this turned out to be the only asymmetric-encryption private key that can activate Bvp47's top-level backdoor, allowing direct remote activation and control of it. This proves a link between Bvp47 and the "Equation" organization.
Screenshot of the Beijing Qi'an Pangu Laboratory Technology Co., Ltd. report "Bvp47: Technical Details of the US NSA Equation Group's Top-tier Backdoor".
Not only that: when the "Shadow Brokers" released the data they claimed to have obtained from "Equation", some researchers found a 16-character identifier (ace02468bdf13579) in the data that matched the unique identifier used in an operating manual of an NSA cyber attack platform exposed by Germany's Der Spiegel in the 2013 "Prismgate" incident. This shows that the material released by the "Shadow Brokers" is generally credible, and also means that the "Shadow Brokers" material and the internal NSA documents disclosed by Der Spiegel most likely come from the same place: "Equation" is very likely a hacker group serving the National Security Agency, and the operator behind the Bvp47 tool is very likely also the National Security Agency.
The compressed file leaked by the "Shadow Brokers" containing the identification code "ace02468bdf13579".
In addition to the "Drinking Tea" tool included in Bvp47, the investigation reports also disclosed some 40 kinds of weapons used by the attackers against Northwestern Polytechnical University, in categories such as breaching, persistent control, sniffing and stealing, and concealing traces. The "Investigation Report (Part I)" said that these are the US NSA's "proprietary cyber attack weapons and equipment". The "Investigation Report (Part II)" counted 41 different cyber attack weapons and tools used in the attack on and theft from Northwestern Polytechnical University, and found that 16 of them were exactly the same as "Equation" weapons exposed by the "Shadow Brokers"; 23, although not identical to the tools exposed by the "Shadow Brokers", had a genetic similarity of up to 97% and belong to the same family of weapons; and another 2 could not be matched to tools exposed by the "Shadow Brokers" but share an origin with other US NSA cyber attack weapons and must be used together with other US NSA attack tools.
The technical team jointly formed by the National Computer Virus Emergency Response Center and 360 Company found that some of the cyber attacks against Northwestern Polytechnical University took place before the "Shadow Brokers" exposed the US NSA's hacking tools, when those tools were still confidential inside the NSA and, with high probability, could only have been used by NSA insiders. In addition, the technical team found evidence exposing the intruders' identity in the attack timing, language and behavioural habits, code characteristics and other aspects, and finally, combining five lines of evidence, identified the US National Security Agency as the mastermind behind the cyber attack on Northwestern Polytechnical University.
"A highly classified department"
A report released by the National Computer Virus Emergency Response Center states that the cyber attack on Northwestern Polytechnical University was directed by the Office of Tailored Access Operations (TAO), a "specialized" data reconnaissance bureau (code S3) under the NSA's Information Intelligence Department (code S).
Over the years, the US government has often cast itself as the "righteous party", condemning other countries' attacks on US and allied networks while saying little about the role of its own national security agencies in intruding into and monitoring other countries' networks and stealing classified information. It was not until 2009, when intelligence historian Matthew Aid's book "The Secret Sentry: The Untold History of the National Security Agency" was published, that the tip of the TAO iceberg was revealed, and not until the 2013 "Prismgate" incident that people outside the intelligence community learned more about this tactical implementation unit within the NSA, which specializes in large-scale cyber attacks and theft of secrets.
Matthew Aid described TAO in his book as "a highly classified department". The US magazine Foreign Policy also used this phrase in an article published in June 2013, saying that TAO's existence was a "mystery" even to other NSA staff: its office at Fort Meade, Maryland is hidden inside the NSA headquarters building, a large office suite separated from other departments. The steel door leading to it is guarded by armed guards, and only specially authorized personnel may enter, after entering a six-digit code and passing a retinal scan.
Other media, such as the US political news website Politico and Germany's Der Spiegel magazine, bluntly call TAO "the NSA's hacking division". Der Spiegel pointed out that since its inception in 1997, TAO's goal has been clear: to "work around the clock to find ways to break into the global communication network". In 2010 alone it carried out 279 operations around the world. According to information disclosed to Foreign Policy by former NSA officials, TAO's day-to-day job is to hack into foreign computers and communications systems, gather intelligence on foreign targets, and, when "necessary", launch attacks that damage or destroy foreign computer and communication systems.
How does a highly classified hacker group like TAO usually work? A classified US Navy report shows that TAO has at least six constituent units: the Requirements and Positioning Division (R&T), responsible for managing and developing operational objectives and operational requirements; the Remote Operations Center (ROC), responsible for online operations such as executing intrusions, data collection and geolocation; the Data Network Technology Unit (DNT), which develops operational concepts and software implants; the Telecommunications Network Technology Unit (TNT), which develops cyber warfare capabilities using technologies such as telephone switching; the Access Operations Unit (AT&O), which installs backdoors in intended products through the supply chain; and the Mission Infrastructure Technology Division (MIT), responsible for designing, developing and delivering the end-to-end infrastructure that supports the attack operations network.
Screenshot of internal US Navy document (2012).
The different TAO units do not work in isolation. According to the US Navy report, by 2012 at the latest TAO had begun combining the resources of R&T, ROC, DNT and MIT to create mission-oriented focus groups (MAC). These groups consist of operators, analysts and developers, all focused on specific targets. At least two such groups within TAO treat China and North Korea as specific targets, codenamed NSAW and NSAH respectively. In the cyber attack against Northwestern Polytechnical University, the "Investigation Report (Part I)" mentioned that MIT first paved the way: after the reconnaissance environment was built and supporting resources were rented, the ROC carried out the attack, with TAO's DNT and TNT teams providing technical support and R&T responsible for formulating strategy and intelligence assessments for the whole operation.
Another catalogue document obtained by Der Spiegel late in the 2013 "Prismgate" incident revealed that there is also a division within the NSA called Advanced Network Technology (ANT), which works closely with TAO. It is mainly responsible for developing tools that can penetrate network devices, monitor mobile phones and computers, and help TAO break into networks that cannot be reached by "conventional means", transferring or even modifying data on those networks. Der Spiegel found that ANT-supplied malware and hardware were at the time available for devices made by companies such as Cisco, Dell, Juniper, HP and China's Huawei, but these companies either denied at the time that their equipment had been modified or said they had "no knowledge" of it.
Screenshot of the catalogue document obtained by Der Spiegel magazine.
In January 2016, at the USENIX Enigma security conference in San Francisco, then TAO chief Robert Joyce publicly described TAO's standard approach to pooling resources and launching an attack. He said that after selecting a target for intrusion, TAO follows six steps: reconnaissance, initial exploitation, establishing persistence, installing tools, lateral movement, and collection and exfiltration of data. "Reconnaissance" refers not only to scanning the target from outside the system but also to identifying important people, their email addresses and other information from public sources. "Exploitation" is a term commonly used within TAO, which calls its entire intrusion process "Computer Network Exploitation (CNE)".
Joyce's talk is relatively rare for the NSA. A 2012 documentary, "The NSA Revealed: America's Cyber Secrets", noted that NSA insiders rarely appear in public for fear of revealing their identities. Still, those employed by TAO are not without a trace. Searching LinkedIn for the keyword "Tailored Access Operations" turns up many people who have served or still serve in TAO, such as Teresa Pannell, a TAO analyst from February 2010 to June 2011; John Lawrence, a signals specialist with 9 years of NSA experience, an NSA hacking certificate and a NETA1100 TAO Overview certificate; and Michelle Dinozzo (possibly a pseudonym), a graduate of MIT's Department of Electrical Engineering and Computer Science and a systems software specialist who is probably still at TAO. In addition, some cybersecurity threat intelligence platforms occasionally share traceability information about NSA hackers, mostly for warning purposes.
Information on some people who have served or still serve in TAO can be found on LinkedIn.
Traceability information related to US NSA hackers shared by a cybersecurity threat intelligence platform.
However, rather than the identities of the hackers, the intelligence community is more concerned about the technology mastered by these hackers and their intention to use the technology.
The 2013 "Prismgate" incident made the world realize that the NSA collects information directly from the servers of nine well-known multinational service providers such as Microsoft, Yahoo, Google and Apple, and that its authorized surveillance targets include not only customers outside the US who use those services but also US citizens with overseas connections. Der Spiegel also pointed out in a report the same year that an AT&O team within TAO was responsible for "off-net operations", which essentially means arranging for CIA agents to secretly install eavesdropping devices on overseas computer or telecommunications systems so that TAO hackers can access them remotely from Fort Meade.
These scandals plunged the NSA into a crisis of trust, but according to a New York Times report published in November 2017 they were far less of a threat to the NSA than the "Shadow Brokers" incident three years later: from August 2016 to mid-2017, the "Shadow Brokers" successively disclosed, through auction, subscription and free release, a series of hacking tools of the "Equation Group", believed to be closely related to TAO. Bundled with working code, these tools could not only be used directly to attack networks in many countries, including the United States and its allies, leading to the widespread spread of worm-style ransomware such as WannaCry, but also put the US NSA's security capabilities in an embarrassing position.
Over the years the FBI, through extensive investigations, has successively arrested Harold T. Martin III, Nghia H. Pho, Jareh Dalke and other NSA employees who took classified information out of the workplace, but it has been difficult to link them to the "Shadow Brokers". The true identity of the "Shadow Brokers" remains a mystery.
On the other hand, the series of cyber attack weapons disclosed by the "Shadow Brokers" has given more investigative bodies around the world the opportunity to study TAO's intrusion thinking and methods. For example, the Swiss information security firm Kudelski Security blogged in May 2017 that its researchers were building threat intelligence (IOC) documents by testing the weapons released by the "Shadow Brokers", in order to identify attacks on its global customer base by these tools, exploits and scripts.
As research has deepened, the threat intelligence community has also learned more about the "organization behind" TAO. As of June 22, 2022, the US website electrospaces.net had accumulated more than 400 TAO-related code words, of which more than a third are the names of intrusion tools used by TAO, such as STORMPIG (a data cleaning tool used by TAO in botnet attacks on TAONet) and BANANAAID; some are code names for hacking projects believed to have been launched by TAO, such as MURPHYSLAW, or aliases for hackers, such as CUTEBOY and ALOOFNESS; but there are also some proper nouns, such as ECLECTICPILOT and FINKCOAT, which have been found in documents believed to be related to TAO but whose meaning remains unclear.
Target of Intrusion
What is the purpose of the NSA's intrusion into the network of Northwestern Polytechnical University? No answer was given when the "Investigation Report (Part I)" was released. At that time some analysts believed that the school, as a well-known university affiliated with the Ministry of Industry and Information Technology, participates in research on major national science and technology projects and weapons and equipment models, and that overseas espionage and intelligence agencies spare no effort in carrying out cyber attacks in order to spy on and steal secrets in China's related fields.
However, Article 48 of China's Law on Guarding State Secrets stipulates that no classified information system may exchange information with the Internet or other public information networks without protective measures, and Article 6 of the Regulations on the Secrecy Management of the International Networking of Computer Information Systems stipulates that computer information systems involving state secrets shall not be directly or indirectly connected to the Internet or other public information networks and must be physically isolated. The possibility of obtaining classified data by remotely controlling springboards to intrude into the "telnet" management server of Northwestern Polytechnical University's operation and maintenance network is therefore low.
On September 22, a Global Times reporter learned from relevant departments that during the cyber attack on Northwestern Polytechnical University, TAO illegally penetrated a Chinese telecommunications operator, built a "legitimate" channel for remote access to its core data network, and infiltrated and controlled China's telecommunications infrastructure.
The subsequently released "Investigation Report (Part II)" confirmed this, saying that during the intrusion TAO stole the account passwords and configuration information of Northwestern Polytechnical University's core network equipment, the operation and maintenance configuration files and log files of network equipment, and used the stolen network device account passwords to enter the service network of a Chinese infrastructure operator as a "legitimate" user, take control of the relevant service quality monitoring systems, and steal user privacy data. According to the report, over the years TAO has attacked and controlled the servers of at least two Chinese infrastructure operators and illegally queried, exported and stolen the user information of a number of sensitive individuals in batches. In response to the US cyber attack on Northwestern Polytechnical University, Chinese Ministry of Foreign Affairs spokesperson Mao Ning said at a regular press conference on September 5 that the actions of the United States seriously endanger China's national security and the security of citizens' personal information; China strongly condemns them and demands that the US side give an explanation and immediately stop its illegal actions.
But the US government has always taken a "neither confirm nor deny" attitude toward such allegations. Bloomberg and NBC Finance asked the NSA about the contents of the investigation reports and received no official response. "Pengpai Mingcha" also tried to contact the NSA on the matter, but had not received a reply as of press time.