NSA acquires certain Chinese personnel info via cyberattack: report
Updated 15:57, 27-Sep-2022


The latest investigative report further revealed the purpose of the U.S. cyberattack on Northwestern Polytechnical University: infiltrating and controlling the core equipment of China's infrastructure and stealing private data from Chinese users.

In the process of the intrusion, information on a group of people in China with sensitive identities was also queried, and that information was packaged, encrypted and sent back to the headquarters of the U.S. National Security Agency (NSA) through multiple jump servers.

On June 22, China's Northwestern Polytechnical University announced that hackers from abroad had been caught sending phishing emails with Trojan horse programs to teachers and students at the university, attempting to steal their data and personal information.

The report said the investigators traced the cyberattacks back to the NSA's Office of Tailored Access Operations (TAO), which had exposed its own technical loopholes and operational missteps during the attack.

Detailing TAO's infiltration of the Chinese university's internal network, the report said TAO first used "FoxAcid," a man-in-the-middle attack platform, to hack into the university's internal host computer and servers and then gained control over several key servers with remote control weapons. It then controlled some important network node equipment, including the university's internal routers and switches, and stole authentication data.

Bian Liang, a cybersecurity expert at Qihoo 360 Technology, said TAO can obtain administrative control over some internet equipment by automatically exploiting vulnerabilities in that equipment and planting viruses.

"Then they lay low, maintain their control of that equipment and steal information according to specific demands," said Bian.

Hiding in the university's operation and maintenance servers, TAO stole several key configuration files for network equipment, which it then used to "validly" monitor a batch of network equipment and internet users.

"It used the university's equipment as a proxy to attack other organizations' networks," said Bian, explaining that the TAO would have been "recognized as a regular user and allowed to get through."

With technical support from several European and Southeast Asian countries, Chinese experts retraced the technical features, attack weapons and paths used in the cyberattack on the university, according to the report published by China's National Computer Virus Emergency Response Center in collaboration with internet security company 360.

An earlier probe found that TAO used 41 types of cyber weapons in the recently exposed cyberattacks against the university.

Among the 41 types of cyber attack tools, 16 are identical to the TAO's weapons that have been exposed by the hacker group "Shadow Brokers," and 23 share a 97-percent genetic similarity with those deployed by TAO, said the report.

The remaining two types need to be used in conjunction with other TAO cyberattack weapons, the report said, adding that the homology of the weapons suggests they all belong to TAO.

Technical analysis found that the attackers' working hours, language, behavioral habits and operational mistakes also exposed their links with TAO.
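The report does not describe how the working-hours analysis was carried out. As an added illustration, not code from the report, CGTN or the investigators, the following Python script shows the usual defender-side approach: take the timestamps of an intrusion set's interactive activity, tabulate them by hour of day, and score every whole-hour UTC offset by how many events fall on a local weekday inside an assumed 09:00-18:00 working window. The timestamps below are constructed for the example, and the working window is an assumption; the point is the method, which also flags off-hours outliers that an analyst would want to explain before drawing any conclusion.

```python
"""Working-hours analysis of intrusion timestamps (constructed example)."""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample timestamps (UTC) of interactive sessions from one intrusion
# set. These values are made up for illustration; they are not data from the report.
SESSION_TIMES_UTC = [
    "2022-06-06T13:05:00", "2022-06-06T14:40:00", "2022-06-06T17:20:00",
    "2022-06-07T12:55:00", "2022-06-07T15:10:00", "2022-06-07T19:45:00",
    "2022-06-08T13:30:00", "2022-06-08T16:00:00", "2022-06-08T20:15:00",
    "2022-06-09T14:10:00", "2022-06-09T18:30:00",
    "2022-06-10T12:40:00", "2022-06-10T15:50:00", "2022-06-10T19:05:00",
    "2022-06-11T03:00:00",  # Saturday: off-hours outlier
]

# Assumed local working window, [start, end) in whole hours.
WORK_START, WORK_END = 9, 18


def parse_utc(stamps):
    """Parse ISO-8601 strings as timezone-aware UTC datetimes."""
    return [datetime.fromisoformat(s).replace(tzinfo=timezone.utc) for s in stamps]


def utc_hour_histogram(stamps):
    """Hour-of-day (UTC) counts of all events, weekends included."""
    return Counter(dt.hour for dt in parse_utc(stamps))


def score_offsets(stamps, start=WORK_START, end=WORK_END):
    """For each whole-hour UTC offset from -12 to +14, count the events that
    fall on a local weekday inside the working window. Returns {offset: count}."""
    scores = {}
    events = parse_utc(stamps)
    for offset in range(-12, 15):
        tz = timezone(timedelta(hours=offset))
        count = 0
        for dt in events:
            local = dt.astimezone(tz)
            if local.weekday() < 5 and start <= local.hour < end:
                count += 1
        scores[offset] = count
    return scores


def best_offsets(stamps, start=WORK_START, end=WORK_END):
    """Return (list of best-fitting offsets, number of events in window).
    Ties are kept rather than broken so the analyst sees the ambiguity."""
    scores = score_offsets(stamps, start, end)
    top = max(scores.values())
    return sorted(o for o, c in scores.items() if c == top), top


def weekend_fraction(stamps):
    """Share of events that fall on Saturday or Sunday in UTC. A low share is
    consistent with human operators on a work schedule rather than automation."""
    dts = parse_utc(stamps)
    weekend = sum(1 for dt in dts if dt.weekday() >= 5)
    return weekend / len(dts)


if __name__ == "__main__":
    offsets, fit = best_offsets(SESSION_TIMES_UTC)
    print("hour histogram (UTC):", sorted(utc_hour_histogram(SESSION_TIMES_UTC).items()))
    print(f"best-fitting UTC offsets: {offsets} "
          f"({fit}/{len(SESSION_TIMES_UTC)} events inside the working window)")
    print(f"weekend share: {weekend_fraction(SESSION_TIMES_UTC):.2f}")
```

On the constructed data every weekday event lands inside the window only at UTC-3, so that offset is the unique best fit; the single Saturday event is left outside and would be investigated separately. In practice the window width, daylight-saving shifts and the possibility that operators deliberately work off-hours all widen the uncertainty, which is why such timing evidence is combined with language and tooling indicators rather than used alone.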

The report said the true identities of 13 attackers have been uncovered.

(With input from Xinhua)
