
‘Concealed, adaptable’ weapon of NSA’s cyberattack on leading Chinese aviation university exposed

By Cao Siqi (Global Times) 15:55, September 13, 2022

A "concealed and adaptable" weapon used by the US National Security Agency (NSA) in its cyberattack on the email system of Northwestern Polytechnical University in Northwest China's Shaanxi Province, a university well known for its aviation, aerospace and navigation studies, has been captured by Chinese cybersecurity experts, the Global Times learned from a source on Tuesday.

On September 5, a Chinese technical team announced that, after extracting many trojan samples from internet terminals at Northwestern Polytechnical University with the support of European and South Asian partners, it had initially determined that the cyberattack on the university was conducted by the Tailored Access Operations (TAO) unit (Code S32) under the Data Reconnaissance Bureau (Code S3) of the Information Department (Code S) of the NSA.

In its operation against Northwestern Polytechnical University, TAO used 41 types of weapons to steal core technical data, including key network equipment configurations, network management data and core operational data. The technical team found that more than 1,100 attack links had been established inside the university and more than 90 operating instruction sequences had been run, stealing multiple network device configuration files along with other types of logs and key files, the team said.

A deeper analysis by China's National Computer Virus Emergency Response Center and the Beijing-based Qi An Pangu Lab showed that the cyber-sniffing weapon, known as "drinking tea," is one of the most direct culprits in the theft of large amounts of sensitive data.

A cybersecurity expert from the lab told the Global Times on Tuesday that TAO used "drinking tea" as a tool for stealing secrets: it was implanted on internal network servers of Northwestern Polytechnical University, where it stole login passwords for remote management and remote file transfer services such as SSH. Those credentials gave TAO access to other servers on the intranet, including high-value ones, resulting in large-scale, persistent theft of sensitive data.

"Drinking tea" not only steals accounts and passwords for remote file transfer, but is also highly capable of concealment and of adapting to new environments. According to the anonymous expert, after being implanted on the target server or device, "drinking tea" disguises itself as a normal background service process and delivers its malicious payload in stages, making it very difficult to find.

"Drinking tea" runs stealthily on the server, monitors in real time what the user types into the terminal program on the operating system console, and intercepts the usernames and passwords entered there, like a peeper looking over the user's shoulder.

"Once these usernames and passwords are obtained by TAO, they can be used to carry out the next stage of the attack, helping the office steal files on the servers or deliver other cyber weapons," the cybersecurity expert said.
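The article describes the tool only in general terms: it hides as a background service and reads credentials out of a user's terminal session. What follows is an added example, not code from the page, from the Global Times, or from the labs it cites, and it does not identify "drinking tea" itself. It is a hypothetical Linux host check for three generic conditions that a process silently reading another process's terminal input commonly produces: the victim process is ptrace-attached, the process was started with LD_PRELOAD (the usual way to hook read() or readline() in a shell or ssh client), or the binary runs from a world-writable directory or has been unlinked from disk. The sample /proc contents at the bottom are constructed for illustration.

```python
"""Hypothetical host check for generic signs of a terminal credential sniffer.

Added example: not the page's code and not a detector for any specific tool.
The check functions take text so they can be exercised on constructed input;
scan_proc() applies them to a live /proc on Linux (root for full coverage).
"""
import os
from dataclasses import dataclass

# Directories a legitimate service binary should not be executing from.
SUSPICIOUS_EXE_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/")


@dataclass
class Finding:
    pid: int
    name: str
    reason: str


def parse_status(text: str) -> dict[str, str]:
    """Parse the 'Key:\\tvalue' lines of /proc/<pid>/status into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def parse_environ(raw: bytes) -> dict[str, str]:
    """Parse the NUL-separated KEY=VALUE entries of /proc/<pid>/environ."""
    env = {}
    for entry in raw.split(b"\x00"):
        if b"=" in entry:
            key, _, value = entry.partition(b"=")
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env


def check_process(pid: int, status_text: str, environ_raw: bytes,
                  exe_target: str) -> list[Finding]:
    """Apply the three checks to one process's /proc data and return findings."""
    status = parse_status(status_text)
    name = status.get("Name", "?")
    findings = []

    # 1. Another process has ptrace-attached to this one (TracerPid != 0).
    tracer = int(status.get("TracerPid", "0") or 0)
    if tracer != 0:
        findings.append(Finding(pid, name, f"ptrace-attached by pid {tracer}"))

    # 2. The process was launched with a preloaded shared library.
    preload = parse_environ(environ_raw).get("LD_PRELOAD")
    if preload:
        findings.append(Finding(pid, name, f"LD_PRELOAD={preload}"))

    # 3. The executable runs from a scratch directory or was deleted after exec.
    if exe_target.startswith(SUSPICIOUS_EXE_PREFIXES):
        findings.append(Finding(pid, name, f"executable in world-writable dir: {exe_target}"))
    if exe_target.endswith(" (deleted)"):
        findings.append(Finding(pid, name, f"executable unlinked from disk: {exe_target}"))
    return findings


def scan_proc(proc_root: str = "/proc") -> list[Finding]:
    """Run check_process over every readable pid under proc_root."""
    findings = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        base = os.path.join(proc_root, entry)
        try:
            with open(os.path.join(base, "status")) as f:
                status_text = f.read()
            with open(os.path.join(base, "environ"), "rb") as f:
                environ_raw = f.read()
            exe_target = os.readlink(os.path.join(base, "exe"))
        except OSError:
            continue  # process exited, kernel thread, or not ours to read
        findings.extend(check_process(int(entry), status_text, environ_raw, exe_target))
    return findings


# Constructed sample /proc data (not captured from any real incident):
# an sshd that is both ptrace-attached and started with LD_PRELOAD.
SAMPLE_STATUS = "Name:\tsshd\nState:\tS (sleeping)\nPid:\t1234\nPPid:\t1\nTracerPid:\t4321\n"
SAMPLE_ENVIRON = b"PATH=/usr/bin\x00LD_PRELOAD=/tmp/.cache/libhook.so\x00"


def demo() -> list[Finding]:
    """Run the checks against the constructed sample process."""
    return check_process(1234, SAMPLE_STATUS, SAMPLE_ENVIRON, "/usr/sbin/sshd")


if __name__ == "__main__":
    for finding in demo() + scan_proc():
        print(f"pid {finding.pid} ({finding.name}): {finding.reason}")
```

The checks are deliberately narrow and will miss a sniffer that lives inside a modified sshd or PAM module rather than beside it; for that case, verify installed binaries against package manifests (for example `rpm -V` or `debsums`) and check `/etc/ld.so.preload`, which injects libraries without appearing in any process's environment.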

In February, experts from the Qi An Pangu Lab told the Global Times that they had discovered a top hacker group under the NSA which has been using a cyber weapon called "Telescreen" for more than a decade, infiltrating 45 countries and regions including China, Russia, Japan, Germany, Spain and Italy, and involving 287 important institutional targets.

"Telescreen" has also been found to have been used together with "drinking tea" in the attack on Northwestern Polytechnical University's email system, the source said.

According to the source, Chinese experts also found traces of "drinking tea" in the networks of other institutions, which indicates that TAO likely used the weapon in a large-scale cyberattack on China.

Apart from that, a research report entitled "American Dragnet: Data-Driven Deportation in the 21st Century," released in May by Georgetown Law's Center on Privacy & Technology after two years of investigation, found that US Immigration and Customs Enforcement (ICE) has pushed ethical and legal boundaries to build a surveillance dragnet covering most Americans, bypassing Congressional oversight and privacy laws.

This indicates that the US government's sweeping data surveillance has expanded from intelligence and law enforcement bodies such as the NSA, the Central Intelligence Agency, the Federal Bureau of Investigation and police departments to administrative agencies like ICE.

Chinese Foreign Ministry spokesperson Mao Ning has urged the US to immediately stop its wrongdoing, saying that cyberspace security is a common problem affecting all countries. The US, which has the world's most powerful cyber technology, should refrain from using that advantage to steal secrets from other countries, and should instead participate in global cyberspace governance in a responsible manner and play a constructive role in maintaining cybersecurity.

(Web editor: Zhong Wenxing, Liang Jun)
