During the investigation of the cyberattack against Northwestern Polytechnical University (NPU), a leading Chinese aviation university, China has successfully extracted multiple samples of the spyware named SecondDate, and with the collaborative efforts of partners in various countries, the real identity of the U.S.’ National Security Agency (NSA) personnel responsible for launching the cyberattack on NPU has been successfully identified, Global Times learnt from National Computer Virus Emergency Response Center (CVERC) and Chinese internet security company 360 on Thursday.
In June 2022, NPU issued a public statement stating that it had been subjected to a cyberattack, with a hacker organization from overseas attempting to steal relevant data.
Afterwards, China successfully detected the mastermind behind this cyberattack was the Office of Tailored Access Operations (TAO, Code S32) under the Data Reconnaissance Bureau (Code S3) of the Information Department (Code S) of NSA.
According to internal documents exposed by the group “Shadow Brokers,” SecondDate is a cyber weapon developed by the NSA. It is primarily deployed on target network boundary devices such as gateways, firewalls, and edge routers. It covertly monitors cyber traffic and, as needed, selectively redirects, intercepts, and manipulates specific network sessions.
The latest information shows that the CVERC and the company 360, during the investigation of this cyberattack case, have successfully extracted multiple samples of the spyware and identified the true identity of the NSA personnel behind this cyber “spying” case.
The subsequent technical analysis revealed that the involved spyware is a highly advanced cyber espionage tool. The developers must have a very deep understanding of cyber technology, especially network firewall technology. It is equivalent to installing a set of content filtering firewalls and proxy servers on the target network devices, allowing the attacker to completely take control of the target network devices and the network traffic passing through them. This enables the attacker to carry out long-term theft on other hosts and users in the target network, and serve as a “forward base” for delivering more cyberattack weapon toward target network at any time.
The spyware concerned is usually used in conjunction with various firewall and router vulnerability exploitation tools of TAO. After successful vulnerability exploitation and obtaining the corresponding permissions, it is implanted into the target device. The control of spyware is divided into server-side and control-side. The server-side is deployed on the target network boundary devices such as gateways, firewalls, or edge routers, and it monitors and filters all traffic in real-time through underlying drivers. The control-side triggers the activation mechanism by sending specially crafted packets, and the server-side parses the reconnect IP address from the activation packet and initiates a connection, then choose any target within the network to carry out a man-in-the-middle attack according to actual needs.
The network connection uses the UDP protocol, and the communication is encrypted throughout. The communication port is random. The control-side can remotely configure the working mode of the server-side and the target of hijacking.
According to relevant sources, Chinese side and its industry partners have conducted technical investigations worldwide. Through tracing, they have discovered hidden spyware and its derivative versions in thousands of network devices spread across multiple countries and regions. They have also found jump servers remotely controlled by the NSA in countries and regions including Germany, Japan, South Korea, India, and China’s Taiwan region.
“With the strong collaboration of partners in multiple countries, we have made significant breakthroughs and have successfully identified the true identity of the NSA personnel responsible for launching cyberattacks against NPU.”
The successful extraction and tracing of the spyware sample further demonstrates China’s determination to prevent and defend against U.S. government-backed cyberattacks and safeguard global cyber security. This practice of revealing the details of cyber crimes launched by the U.S. government to the world also proves that China has a “visible” foundation in cyber technology, which can effectively assist our country and other nations in perceiving risks, identifying threats, and resisting attacks, thereby exposing state-sponsored hacker attacks to the public.
Relevant sources have told the Global Times that the real identities of individuals involved in NSA’s cyberattacks will be disclosed through the media in due course. It is believed that this will once again draw global attention to the U.S. government’s indiscriminate cyberattacks on other countries.