NSA-affiliated staff behind Chinese university cyberattack identified: new evidence


China has identified the U.S. National Security Agency (NSA) personnel responsible for the cyberattacks on China's Northwestern Polytechnical University when analyzing a spyware, according to the latest technical analysis by China's National Computer Virus Emergency Response Center (CVERC) in collaboration with internet security company 360, China Media Group (CMG) reported on Thursday.

According to the analysis, the spyware, dubbed SecondDate, is a cyber-espionage weapon developed by the NSA.

It is able to carry out malicious activities such as eavesdropping and interception of network traffic, man-in-the-middle attacks, and the insertion of malicious code. When combined with other malware, it can facilitate complicated network espionage activities.

During the investigation of the cyberattack, the CVERC has successfully extracted multiple samples of the spyware and locked down the identity of the NSA staff behind the cyber espionage operation.

SecondDate is a highly sophisticated cyber-espionage tool that allows attackers to fully take control of the targeted network devices and the network traffic passing through these devices, Du Zhenhua, a senior engineer at the CVERC, told CMG.

"That enables long-term data theft from hosts and users in the target network, and at the same time, it serves as a 'forward base' for the next stage of attacks, allowing for more cyberattack weapons [to be] delivered into the target network at any time," said Du.

The spyware can be widely applied as it supports various operating systems, including Linux, FreeBSD, Solaris and JunOS, and is compatible with a wide range of architectures.

It is usually used along with various tools of the NSA's Office of Tailored Access Operation (TAO) for exploiting vulnerabilities in network devices, such as firewalls and routers, said Du. "Once a vulnerability attack is successful, the attacker obtains the control over the target device and can implant the cyber-espionage software into the target."

The report reveals that the SecondDate spyware and its derivative versions remain covertly operating in thousands of network devices across countries, and discloses jump servers controlled remotely by the NSA, with the majority located in Germany, Japan, South Korea, India, and China's Taiwan region.

"With the concerted efforts of industry partners from multiple countries, our joint investigation has achieved a breakthrough. The true identity of the NSA staff who launched the cyberattack on the Northwestern Polytechnical University has been successfully identified," said Du.

On June 22, the Chinese university, leading in its aviation, aerospace and navigation studies, announced that hackers from abroad were caught sending phishing emails with Trojan horse programs to teachers and students at the university, attempting to steal their data and personal information. 

Afterwards, the cyberattacks were traced back to the TAO, which used 41 tools to breach the firewalls, plant remote-controlled backdoors, steal critical data and erase the traces of doing so.

Search Trends