Intro: On June 22, China's Northwestern Polytechnical University announced that hackers from abroad were caught sending phishing emails with Trojan horse programs to teachers and students at the university, attempting to steal their data and personal information.
.jpg)
The report said the investigators traced the cyberattacks back to the NSA's Office of Tailored Access Operations (TAO), which had exposed its own technical loopholes and operational missteps during the attack.
✓
U.S. hacked China 10,000 times, stole 140GB of critical data: Report
.jpg)
"The U.S. National Security Agency (NSA) conducted over 10,000 cyberattacks against China in recent years and is suspected to have stolen 140 gigabytes of valuable data, according to a joint investigation report released on Monday by China's National Computer Virus Emergency Response Center (CVERC) and internet security company Qihoo 360 Technology Co. Ltd.
The investigation was launched after Northwestern Polytechnical University (NPU), a leading Chinese university in aviation, reported being hacked in April. The investigators have traced the cyberattacks back to the Office of Tailored Access Operations (TAO) of the NSA.
"NPU was targeted because many top-level talents in the country work there," Jin Qi, deputy head of the local police bureau, told China Media Group (CMG). "Many national-level research projects were conducted there."
A total of 13 people were found to have directly launched the cyberattacks, with more than 60 contracts signed to cover the malicious activities.
"They first scout the network," said Bian Liang, a network security expert at Qihoo 360. "Then they create customized tools to target the specific network."
The hackers used 41 tools to breach the firewalls, plant remote-controlled backdoors, steal critical data and erase the traces of doing so.
"There are four steps in their attack," said Du Zhenhua, senior engineer at the CVERC. "Break in, establish long-term control, keep stealing data and after everything's done, clear the scene."
They also tried to hide their real location and identity using so-called "jump servers." A total of 54 jump servers were traced by the investigators, which are spread in 17 countries like Japan, South Korea, Sweden, Poland and Ukraine.
The IP addresses used to control the jump servers are 209.59.36.*, 69.165.54.*, 207.195.240.* and 209.118.143.*.
Some of the jump servers were "zombie computers" hacked by the NSA without the knowledge of the owners. The hackers mostly target two "zero-day" vulnerabilities in the Solaris operating system developed by Sun Microsystems, which is now a part of U.S. tech giant Oracle Corporation.
.jpg)
The NSA tried to hide their identity by buying assets anonymously or through dummy companies like Jackson Smith Consultants and Mueller Diversified Systems. But investigators managed to trace their real identity.
"As long as we can sense the attacks," said Zhou Hongyi, founder of Qihoo 360. "We can clear them up, trace the origin and patch the loopholes."
The investigators said they will reveal more details of U.S. hacking and spying technologies in the future.
.jpg)
China's Ministry of Foreign Affairs has responded to the findings. Spokesperson Mao Ning told reporters that China strongly condemns such activities, adding that the U.S. side should stop the cyberattacks immediately.
"China wishes to work with the international community to keep the network safe," she said during a routine press briefing on Monday."
✓
NSA acquires certain Chinese personnel info via cyberattack: report
"The latest investigative report further revealed the purpose of the U.S. cyberattack on Northwestern Polytechnical University: infiltrating and controlling the core equipment of China's infrastructure and stealing private data from Chinese users.
In the process of the intrusion, information of a group of people in China with sensitive identities was also queried, and the information was packaged and encrypted and sent back to the headquarters of the U.S. National Security Agency (NSA) through multiple jump servers.
.jpg)
On June 22, China's Northwestern Polytechnical University announced that hackers from abroad were caught sending phishing emails with Trojan horse programs to teachers and students at the university, attempting to steal their data and personal information.
The report said the investigators traced the cyberattacks back to the NSA's Office of Tailored Access Operations (TAO), which had exposed its own technical loopholes and operational missteps during the attack.
.jpg)
Detailing TAO's infiltration of the Chinese university's internal network, the report said TAO first used "FoxAcid," a man-in-the-middle attack platform, to hack into the university's internal host computer and servers and then gained control over several key servers with remote control weapons. It then controlled some important network node equipment, including the university's internal routers and switches, and stole authentication data.
.jpg)
. . .Hiding in the university's operation and maintenance servers, TAO stole several key configuration files for network equipment, which it then used to "validly" monitor a batch of network equipment and internet users.
"It used the university's equipment as a proxy to attack other organizations' networks," said Bian, explaining that the TAO would have been "recognized as a regular user and allowed to get through."
With technical support from several European and Southeast Asian countries, Chinese experts retraced the technical features, attack weapons and paths used in the cyberattack on the university, according to the report published by China's National Computer Virus Emergency Response Center in collaboration with internet security company 360.
An earlier probe found that TAO used 41 types of cyber weapons in the recently exposed cyberattacks against the university.
Among the 41 types of cyber attack tools, 16 are identical to the TAO's weapons that have been exposed by the hacker group "Shadow Brokers," and 23 share a 97-percent genetic similarity with those deployed by TAO, said the report.
The remaining two types need to be used in conjunction with other TAO cyberattack weapons, the report said, adding that the homology of the weapons suggests they all belong to TAO.
Technical analysis found that the cyberattackers' working time, language and behavior habits and operation miss have also exposed their links with TAO.
The report said the true identities of 13 attackers have been uncovered."
(With input from Xinhua)
.jpg)
Read more:
U.S. hacked China 10,000 times, stole 140GB of critical data
✓
U.S. is biggest threat of global cybersecurity: spokesperson
.jpg)
The U.S. implements indiscriminate cyber control and cyber espionage actions on a global scale and it is the biggest threat of global cybersecurity, Chinese Foreign Ministry spokesperson Wang Wenbin said on Wednesday.
Wang made the remarks while commenting on the second investigative report on the U.S. National Security Agency cyberattack on China's Northwestern Polytechnical University.
The report released yesterday revealed that the U.S. secretly controls telecommunications operators in no less than 80 countries and conducts indiscriminate communications surveillance worldwide.
.jpg)
China has asked the U.S. side through different channels to explain the hostile cyberattack and urged the U.S. to stop illegal actions immediately, but the U.S. has ignored the hard evidence released by the Chinese side and remained silent so far, Wang said.
China calls on countries to unite to resist hegemonic acts that infringe on cyber sovereignty and undermine international rules, and work together to create a peaceful, secure, open and cooperative cyberspace, he added."
.jpg)
Read more:
NSA acquires certain Chinese personnel info via cyberattack: report
No comments:
Post a Comment