PRC Protests Alleged NSA Breach of Northwestern Polytechnical University in China

The Chinese Foreign Ministry released a statement today calling for the cessation of “illegal acts” by the U.S. National Security Agency, after Chinese state-owned media published a report alleging that the agency had breached the network of Northwestern Polytechnical University in June.

The National Computer Virus Emergency Response Center, which presents itself as a Chinese NGO but is in fact an entity of the PRC government, released this statement:

“On June 22, 2022, Northwestern Polytechnical University issued a “Public Statement” stating that the school suffered an overseas cyber attack. The Beilin Branch of the Public Security Bureau of Xi’an City, Shaanxi Province immediately issued the “Police Information Bulletin”, confirming that a number of Trojan samples originating from abroad were found in the information network of Northwestern Polytechnical University, and the Xi’an police have officially opened an investigation.

The National Computer Virus Emergency Response Center and 360 Company jointly formed a technical team (hereinafter referred to as the “technical team”), which participated in the technical analysis of the case throughout the process. The technical team has successively extracted a variety of Trojan samples from multiple information systems and Internet terminals of Northwestern Polytechnical University, comprehensively used the existing domestic data resources and analysis methods, and obtained the full support of partners in some countries in Europe and South Asia to fully restore the overall picture, technical characteristics, attack weapons, attack paths and attack sources of the relevant attack events. It is preliminarily determined that the relevant attack activities originated from the “Office of Tailored Access Operations” (hereinafter referred to as “TAO”) of the National Security Agency (NSA).”

The NCVERC report went on to list several of the “41 cyber tools used by the NSA”:

“1. Vulnerability attack breakthrough weapons

TAO relies on such weapons to carry out attack breakthroughs on Northwestern Polytechnical University’s border network equipment, gateway servers, and office intranet hosts. It is also used to attack and control overseas springboards to build an anonymous network as a cover for action. There are 3 types of weapons:

“Razor”

This weapon can carry out remote vulnerability attacks on Solaris systems with x86 and SPARC architectures that have specified RPC services open. When attacking, it can automatically detect the open status of the target system’s services and intelligently select the appropriate version of the exploit code to directly obtain complete control of the target host. This weapon was used to attack springboards in Japan, South Korea and other countries, and the controlled springboards were used in the network attack on Northwestern Polytechnical University.

“Island”

This weapon can also implement remote overflow attacks on Solaris systems that have opened specified RPC services, and directly gain complete control over the target host. The difference from “Razor” is that this tool does not have the ability to autonomously detect the opening of the target service, and the user needs to manually configure the target and related parameters. The NSA used this weapon to attack a border server at Northwestern Polytechnical University.

“Sour Fox” weapon platform

This weapon platform is deployed in Colombia and can be used in combination with the “Second Date” man-in-the-middle attack weapon. It can intelligently configure vulnerability payloads to carry out remote overflow attacks against mainstream browsers on multiple platforms, such as IE, Firefox, Safari and Android WebKit, and take control of the target system (see the National Computer Virus Emergency Response Center’s “National Security Agency (NSA) ‘Acid Fox’ Vulnerability Attack Weapon Platform Technical Analysis Report”). TAO mainly used this weapon platform to intrude into hosts on the office intranet of Northwestern Polytechnical University.

2. Persistent control weapons

TAO relies on such weapons to covertly and persistently control the Northwestern Polytechnical University network. The TAO action team can send control commands through encrypted channels to operate such weapons to infiltrate, control, and steal the Northwestern Polytechnical University network. There are 6 types of weapons in this category:

“Second date”

This weapon resides on network edge devices and servers such as gateway servers and border routers for a long time, and can perform precise filtering and automatic hijacking of massive data traffic to achieve man-in-the-middle attack functions. TAO installed the weapon on the border equipment of Northwestern Polytechnical University, hijacked the traffic flowing through the equipment and directed it to the “Sour Fox” platform to carry out the vulnerability attack.

“NOPEN”

This weapon is a remote control Trojan that supports multiple operating systems and different architectures. It can receive commands through encrypted tunnels to perform various operations such as file management, process management, and system command execution. (For details, please refer to the National Computer Virus Emergency Response Center’s “NOPEN” Remote Control Trojan Analysis Report.) TAO mainly uses this weapon to implement persistent control over the core business servers and key network equipment inside the Northwestern Polytechnical University network.

“Rage Jet”

This weapon is a Windows-based remote control Trojan that supports multiple operating systems and different architectures. It can be customized to generate different types of Trojan servers according to the target system environment. The server itself has strong anti-analysis and anti-debugging capabilities. TAO mainly uses this weapon to cooperate with the “Sour Fox” platform to implement persistent control over the personal hosts within the office network of Northwestern Polytechnical University.

“Cunning Heresy”

This weapon is a lightweight backdoor implantation tool that deletes itself after running. It has the ability to escalate privileges. It persists on the target device and can be started with the system. TAO mainly uses this weapon to achieve permanent residency, so as to establish an encrypted channel to upload the NOPEN Trojan at the right time, and ensure long-term control of the information network of Northwestern Polytechnical University.

“Stoic surgeon”

This weapon is a backdoor for 4 types of operating systems, including Linux, Solaris, JunOS, and FreeBSD. The weapon can run persistently on the target device and hide the specified files, directories, processes, etc. on the target device according to the instructions. TAO mainly uses this weapon to hide the files and processes of the NOPEN Trojan and prevent it from being discovered by monitoring. A technical analysis found that TAO used a total of 12 different versions of the weapon in its cyberattack on Northwestern Polytechnical University.

3. Sniffing secret weapons

TAO relies on such weapons to sniff the account passwords and command line operation records used by Northwestern Polytechnical University staff to operate and maintain the network, and steal sensitive information and operation and maintenance data within the Northwestern Polytechnical University network. There are two types of weapons:

“Drinking tea”

This weapon can reside in a 32-bit or 64-bit Solaris system for a long time, and obtain account passwords exposed by various remote login methods such as ssh, telnet, and rlogin by sniffing inter-process communication. TAO mainly uses this weapon to sniff account passwords, command line operation records, log files, etc. generated by business personnel of Northwestern Polytechnical University when they perform operation and maintenance work, and compress and encrypt them for download by NOPEN Trojan.

“Operation behind enemy lines” series of weapons

This series of weapons is specially designed for the specific business systems of telecom operators. According to the different types of business equipment being charged, “operation behind enemy lines” will be used in conjunction with different analytical tools. TAO used three types of hacking tools against telecom operators, including “Magic School”, “Clown Food” and “Cursed Fire” in the cyber attack on Northwestern Polytechnical University.

4. Concealed weapons

TAO relies on such weapons to eliminate traces of its behavior within the Northwestern Polytechnical University network, hide and cover up its malicious operations and stealing behaviors, and at the same time provide protection for the above three types of weapons. 1 such weapon has been found:

“Toast Bread”, this weapon can be used to view and modify log files such as utmp, wtmp, lastlog, etc. to remove traces of operations. TAO mainly used this weapon to remove and replace various log files on the alleged Northwestern Polytechnical University’s Internet access device, to hide its malicious behavior. TAO’s cyber attack on Northwestern Polytechnical University used 3 different versions of “toast”.”
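
The report describes “Toast Bread” as a tool that views and modifies utmp, wtmp and lastlog to remove traces of logins. As an added example for this page (not code from the NCVERC report, and not code from any tool it names), the Python below checks a Linux wtmp file for the kinds of inconsistency such record-level editing tends to leave behind. It assumes the glibc x86_64 `struct utmp` layout (384-byte records); the sample sessions are constructed, and the function names `parse_wtmp` and `find_anomalies` are this example’s own.

```python
"""Heuristic wtmp integrity check.

Added example for this page; not code from the NCVERC report or from any
tool the report names. Assumes the glibc x86_64 `struct utmp` layout
(384-byte records) and uses constructed sample records.
"""
import struct
from collections import defaultdict

# glibc struct utmp on x86_64 (little-endian; '<' mode adds no implicit padding):
# ut_type, 2 pad bytes, ut_pid, ut_line[32], ut_id[4], ut_user[32], ut_host[256],
# ut_exit (two shorts), ut_session, ut_tv.tv_sec, ut_tv.tv_usec,
# ut_addr_v6[4], __unused[20]  -> 384 bytes in total
UTMP_FMT = "<h2xi32s4s32s256shhiii4i20s"
UTMP_SIZE = struct.calcsize(UTMP_FMT)

USER_PROCESS = 7   # a login session opened on ut_line
DEAD_PROCESS = 8   # that session closed


def make_record(ut_type, pid, line, user, host, tv_sec):
    """Pack one record; used only to build the constructed sample data below."""
    return struct.pack(
        UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(), host.encode(),
        0, 0, 0, tv_sec, 0, 0, 0, 0, 0, b"",
    )


def parse_wtmp(data):
    """Yield one dict per record. A length that is not a whole number of
    records means the file was truncated or rewritten with another layout."""
    if len(data) % UTMP_SIZE:
        raise ValueError("wtmp length %d is not a multiple of %d" % (len(data), UTMP_SIZE))
    for off in range(0, len(data), UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        yield {
            "type": f[0],
            "pid": f[1],
            "line": f[2].rstrip(b"\0").decode(errors="replace"),
            "user": f[4].rstrip(b"\0").decode(errors="replace"),
            "host": f[5].rstrip(b"\0").decode(errors="replace"),
            "tv_sec": f[9],
        }


def find_anomalies(data):
    """Return (record index, reason) pairs for records that do not fit a
    cleanly appended log. Three heuristics:
      - a timestamp earlier than the one before it (records spliced or replaced)
      - a USER_PROCESS record with an empty user name (record zeroed in place)
      - a DEAD_PROCESS logout on a line with no open login (the login record
        was deleted while its logout was left behind)
    """
    anomalies = []
    open_logins = defaultdict(int)  # ut_line -> logins not yet closed
    last_ts = 0
    for idx, rec in enumerate(parse_wtmp(data)):
        if rec["tv_sec"] < last_ts:
            anomalies.append((idx, "timestamp regression"))
        last_ts = max(last_ts, rec["tv_sec"])
        if rec["type"] == USER_PROCESS:
            if not rec["user"]:
                anomalies.append((idx, "login record with empty user"))
            open_logins[rec["line"]] += 1
        elif rec["type"] == DEAD_PROCESS:
            if open_logins[rec["line"]] == 0:
                anomalies.append((idx, "logout without matching login on " + rec["line"]))
            else:
                open_logins[rec["line"]] -= 1
    return anomalies


# Constructed sample: two interactive sessions, then the same log after a
# cleaner deleted the second login record, and after it zeroed it in place.
SESSIONS = [
    make_record(USER_PROCESS, 1001, "pts/0", "alice", "10.0.0.5", 1655856000),
    make_record(USER_PROCESS, 1002, "pts/1", "ops", "203.0.113.9", 1655856060),
    make_record(DEAD_PROCESS, 1002, "pts/1", "", "", 1655856300),
    make_record(DEAD_PROCESS, 1001, "pts/0", "", "", 1655856900),
]
INTACT_WTMP = b"".join(SESSIONS)
DELETED_WTMP = b"".join(SESSIONS[:1] + SESSIONS[2:])
ZEROED_WTMP = b"".join(
    SESSIONS[:1]
    + [make_record(USER_PROCESS, 1002, "pts/1", "", "", 1655856060)]
    + SESSIONS[2:]
)

if __name__ == "__main__":
    for name, blob in (("intact", INTACT_WTMP), ("deleted", DELETED_WTMP), ("zeroed", ZEROED_WTMP)):
        print(name, find_anomalies(blob))
```

Run it against a copy of /var/log/wtmp (and the rotated wtmp.1) pulled through a channel the host cannot influence, since a tool that rewrites wtmp can just as easily serve a tidy file to a local reader. The orphaned-logout check will flag the first records after a log rotation, so process the rotated file first or ignore that boundary; utmp (live sessions) and lastlog (one fixed-size slot per uid) need their own parsers, and the record layout differs on 32-bit Linux and on Solaris utmpx, where the report places much of this activity. A cleaner that removes a session’s login and logout records together leaves no gap for these heuristics to find, so the real check is a comparison against sources the host does not control: sshd records on a remote syslog collector, VPN or firewall session logs, and netflow.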

The Chinese Foreign Ministry stated that over 140 GB of data concerning personnel, technical research and other details was stolen. The United States has not responded to the statements. The accusation is, however, deeply ironic given the massive exploitation of U.S. academic institutions by the PRC through cyber and HUMINT means. The PRC sends thousands of students to the United States in an intricate infiltration program targeting STEM programs at all major colleges. If these students are not direct agents of Chinese intelligence agencies, they are at the very least extensively debriefed when they return to China, and they are encouraged to bring back technical notes, research details and other documents that feed China’s massive intellectual property theft campaign.

Tessaron
United States Military Academy and American Military University Alumni. Victor covers flash military, intelligence, and geo-political updates.