In April this year, the public security authorities in Xi’an, China, received a report of a cyberattack in which the information system of Northwestern Polytechnical University was found to have suffered traces of cyberattack.
China’s National Computer Virus Emergency Response Center and Qihoo 360, a Chinese internet security company, jointly formed a technical team to participate in the technical analysis of the case. The technical team extracted several Trojan virus samples from several information systems and Internet terminals of Northwestern Polytechnical University, using the existing Chinese data resources and analysis means, and with the full support of partners from some European and South Asian countries, fully restored the general overview of the relevant attacks, technical characteristics, attack weapons, attack paths and attack sources, and initially identified the relevant attack activities originated from The preliminary identification of the attack activities originated from the Office of Tailored Access Operation (TAO) of the National Security Agency (NSA).
This investigation found that in recent years, TAO has carried out tens of thousands of malicious cyber attacks on domestic Chinese network targets, controlling tens of thousands of network devices (network servers, Internet terminals, network switches, telephone switches, routers, firewalls, etc.) and stealing over 140 GB of high-value data. TAO has used its cyber attack weapon platform, the “0day” and its controlled network devices, etc., to continuously expand its cyber attacks and scope.
After technical analysis and traceability, the technical team has now clarified the cyber attack infrastructure, dedicated weaponry, and techniques and tactics used in TAO’s attack activities, restored the attack process and stolen files and mastered evidence related to cyber attacks and data theft on China’s information networks by the U.S. NSA and its subordinate TAO, involving 13 personnel who launched direct cyber attacks on China within the U.S., and more than 60 contracts and 170 electronic documents signed by the NSA with U.S. telecom operators through cover companies for the purpose of constructing a cyber attack environment.
TAO would make long preparations before starting the operation, mainly to build the anonymization attack infrastructure. After the successful attack, TAO installed the NOPEN Trojan and took control of 54 jumper servers and proxy servers mainly distributed in 17 countries, including Japan, South Korea, Sweden, Poland, Ukraine, etc., of which 70% were located in China’s neighboring countries.
The function of these jumper servers is limited to command relaying, i.e.: forwarding the higher level jumpers commands to the target system, thus masking the real IP of the NSA to launch the cyber attack. To further conceal the association between servers and the NSA, the NSA used anonymity protection services to anonymize the relevant domain names, certificates, and registrants, and other traceable information, which cannot be queried through public channels.
TAO used 41 types of NSA-specific cyber attack weaponry in this cyberattack. In the course of the attack, TAO would flexibly configure the same cyber weapon according to the target environment. For example, there were 14 different versions of the backdoor tool used in this cyberattack.
Combining the above technical analysis results and traceability investigation, China’s technical team initially identified that the cyberattack to the university was conducted by the Tailored Access Operations (TAO) (Code S32) under the Data Reconnaissance Bureau (Code S3) of the Information Department (Code S) of US’ NSA. The unit was established in 1998, and its deployment relies primarily on the NSA’s cryptographic centers in the United States and Europe.
TAO is currently the U.S. government’s tactical implementation unit specializing in large-scale cyberattack stealing activities against other countries, consisting of more than 2,000 military and civilian personnel, and its internal agencies include:
S321: Remote Operations Center (ROC), which is primarily responsible for operating weapons platforms and tools to access and control target systems or networks.
S322: Advanced Network Technology (ANT), responsible for researching relevant hardware technologies and providing hardware-related technology and weaponry support for TAO cyber attack operations.
S323: Data Network Technologies (DNT), responsible for developing complex computer software tools to support TAO operators in executing cyber attack missions.
S324: Telecommunications Network Technologies (TNT), responsible for researching telecommunications-related technologies to provide support for TAO operators to covertly penetrate telecommunications networks.
S325: Mission Infrastructure Technology (MIT), responsible for developing and establishing cyber infrastructure and security monitoring platforms for building attack operations cyber environments and anonymity networks.
S326: Access Technologies Operations (ATO), responsible for backdoor installation of products intended for delivery to targets through the supply chain.
S327: Requirements & Targeting (R&T), receives assignments from all relevant units, identifies reconnaissance targets, and analyzes and assesses intelligence value.
S32P: TAO Program Planning Integration (PPI), responsible for overall planning and program management.
The NSA attack was code-named “shotXXXX”. The operation was under the direct command of the TAO, with MIT (S325) responsible for building the reconnaissance environment and renting attack resources; R&T (S327) responsible for determining the attack strategy and intelligence assessment; ANT (S322), DNT (S323), and TNT (S324) responsible for providing technical support; and ROC (S321) responsible for organizing and conducting the attack reconnaissance operation. It can be seen that those directly involved in the command and operation mainly include the TAO head, S321 and S325 units.
The head of the TAO during this NSA attack was Robert Edward Joyce. Born on September 13, 1967, he received his Bachelor’s Degree in Electrical and Computer Engineering from Clarkson University and earned a Master’s Degree in Electrical Engineering from John Hopkins University. He has held a wealth of technical and leadership positions across NSA and the broader government, to include serving as Special Assistant to the President and Cybersecurity Coordinator at the White House, Acting Homeland Security Advisor at the White House, and Chief of NSA’s Tailored Access Operations.
Chinese Foreign Ministry spokesman Mao Ning said that as the country with the most powerful cyber technology, the U.S. should immediately stop stealing secrets and attacks on other countries.
(Sources: NSM, electrospace, CVERC, Xinhuanet)