[Global Times-Global Network report, special correspondent Yuan Hong] The Global Times learned from the relevant departments on the 13th that in the cyber attack on Northwestern Polytechnical University by the US National Security Agency (NSA), a sniffing and credential-stealing cyber weapon named "Drinking Tea" (Yincha) was one of the most direct "culprits" behind the theft of large amounts of sensitive data.

In this regard, network security experts suggest that, when building out information systems, organizations use domestically produced products and "zero trust" security solutions.

On September 5, the relevant Chinese authorities announced publicly that the overseas cyber attack Northwestern Polytechnical University had earlier reported suffering had been traced to the Office of Tailored Access Operations (TAO) of the US National Security Agency (NSA).

Since then, the National Computer Virus Emergency Response Center and Beijing Qi'an Pangu Lab have further analyzed the intrusion. Their latest investigation report discloses the technical details of the attack carried out by the United States: among the 41 kinds of cyber weapons used, the sniffing and credential-stealing weapon named "Drinking Tea" was one of the most direct "culprits" behind the theft of a large amount of sensitive data.

According to network security experts, TAO implanted "Drinking Tea", a sniffing and secret-stealing tool, into servers on Northwestern Polytechnical University's internal network and used it to steal the login passwords of remote management and remote file transfer services such as SSH. With those credentials it obtained access to other servers on the intranet, moved laterally, and delivered further cyber weapons for sniffing and stealing, persistent control and concealment to other high-value servers, resulting in large-scale, continuous theft of sensitive data.

Technical analysis and judgment show that "Drinking Tea" not only steals the account passwords of the various remote management and remote file transfer services on a server, but also has strong concealment and adaptability to its environment.

The network security experts mentioned above said that once "Drinking Tea" is implanted into a target server or network device, it disguises itself as a normal background service process and delivers its malicious payloads in stages in a modular fashion, which makes it highly covert and difficult to detect.

"Drinking Tea" runs covertly on the server, monitors in real time what users type into the terminal programs of the operating system console, and intercepts usernames and passwords from that input, like a "peeper" standing behind the user.

Network security experts said: "Once TAO obtains these usernames and passwords, it can use them to carry out the next stage of the attack, that is, use them to access other servers and network devices, and then steal files from those servers or deliver other cyber weapons."

Technical analysis shows that "Drinking Tea" can be effectively integrated and linked with other NSA cyber weapons, achieving a "seamless connection" between them.

In February of this year, Beijing Qi'an Pangu Lab publicly disclosed its technical analysis of Bvp47, a top-tier cyber weapon belonging to the NSA hacker group "Equation"; the lab named it "Operation Telescreen".

In TAO's cyber attack on Northwestern Polytechnical University, the "Drinking Tea" sniffing and stealing tool worked together with other components of the Bvp47 Trojan in a joint attack.

According to the report, the Bvp47 Trojan has very high technical complexity and architectural flexibility, together with extremely strong anti-analysis, anti-forensics and evasion characteristics. Working with the "Drinking Tea" component, it spies on and controls the victim organization's information network and secretly steals important data.

Among these components, the "Drinking Tea" sniffing Trojan lurks secretly in the victim organization's information systems and is specifically responsible for monitoring, recording and sending back its "spoils": the account names and passwords the victim uses, whether on the internal network or the external network.

The report also pointed out that as the investigation deepened, the technical team found traces of "Drinking Tea" attacks in the networks of institutions other than Northwestern Polytechnical University, which makes it likely that TAO used "Drinking Tea" to carry out large-scale cyber attack activity against China.

It is worth noting that in the multiple cyber attacks the United States has carried out against other countries, US IT industry giants have repeatedly appeared.

For example, in the "PRISM" program, US intelligence agencies held senior administrator rights that allowed them to access the servers of Microsoft, Yahoo, Google, Apple and other companies at any time and secretly conduct long-term data mining.

Among the hacking tools of the "Equation" group published by the "Shadow Brokers", there were many "zero-day vulnerabilities" or backdoors in products from Microsoft, Cisco, and even some Internet service providers in China.

"The United States is taking advantage of its technological dominance in network information system software and hardware and, with the full cooperation of the US IT industry giants, using a variety of cutting-edge cyber weapons to launch indiscriminate cyber attacks on a global scale, continuously stealing from Internet equipment around the world so as to be able to 'legally' log in to victims' information systems at any time and carry out larger-scale theft and even sabotage. Its network hegemony is beyond doubt."

Therefore, network security experts recommend that users monitor key servers, especially network operation and maintenance servers, harden them, change the administrator passwords of servers and network devices regularly, and strengthen auditing of intranet traffic so that abnormal remote access requests are detected in time.
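The lateral movement described earlier in this article (one stolen SSH password replayed against server after server on the intranet) leaves a recognizable fan-out pattern in centrally collected authentication logs, which is the kind of "abnormal remote access request" the experts recommend auditing for. The following check is an added illustration written for this page, not code from the report or from any of the named labs; the sshd-style log lines, host names, account names and addresses in it are constructed, and the 10-minute window and three-host threshold are assumptions a deployment would tune.

```python
"""Fan-out check over sshd "Accepted ..." lines from several servers.

Added illustration, not from the investigation report. The sample log,
hostnames, users and addresses below are constructed for the example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: auth.log lines forwarded from several servers to one
# collector. Only "Accepted" lines are examined; the failed root login is
# deliberately present to show it is ignored by this particular check.
SAMPLE_LOG = """\
2022-09-01T08:00:11 web-01 sshd[2011]: Accepted password for deploy from 10.10.20.5 port 50122 ssh2
2022-09-01T08:01:40 db-01 sshd[3120]: Accepted password for deploy from 10.10.20.5 port 50140 ssh2
2022-09-01T08:02:05 backup-01 sshd[1800]: Accepted password for deploy from 10.10.20.5 port 50160 ssh2
2022-09-01T08:02:30 git-01 sshd[910]: Accepted password for deploy from 10.10.20.5 port 50171 ssh2
2022-09-01T09:15:00 web-01 sshd[2200]: Accepted publickey for alice from 10.10.30.7 port 40001 ssh2
2022-09-01T11:00:00 db-01 sshd[3300]: Accepted publickey for alice from 10.10.30.7 port 40010 ssh2
2022-09-01T12:00:00 web-02 sshd[2300]: Failed password for root from 10.10.20.5 port 50200 ssh2
"""

# Matches the common sshd success message; the leading timestamp/host format
# is the one used in the constructed sample above.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_accepted(log_text):
    """Yield (timestamp, dest_host, user, src_ip, method) per accepted login."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # failed logins and other daemons are not relevant here
        yield (datetime.fromisoformat(m["ts"]), m["host"], m["user"],
               m["src"], m["method"])


def find_fan_out(log_text, window=timedelta(minutes=10), min_hosts=3):
    """Return one alert per (user, source) pair that logs in to at least
    `min_hosts` distinct servers within `window`.

    A single account arriving from a single internal address at many
    servers in a few minutes is the footprint of one captured credential
    being replayed across the intranet; the thresholds are assumptions.
    """
    events = sorted(parse_accepted(log_text))  # chronological
    by_actor = defaultdict(list)
    for ts, host, user, src, method in events:
        by_actor[(user, src)].append((ts, host, method))

    alerts = []
    for (user, src), hits in by_actor.items():
        for i, (start, _, _) in enumerate(hits):
            in_window = [(h, m) for t, h, m in hits[i:] if t - start <= window]
            hosts = sorted({h for h, _ in in_window})
            if len(hosts) >= min_hosts:
                alerts.append({
                    "user": user,
                    "src": src,
                    "first_seen": start.isoformat(),
                    "hosts": hosts,
                    "methods": sorted({m for _, m in in_window}),
                })
                break  # one alert per actor is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in find_fan_out(SAMPLE_LOG):
        print(f"{alert['user']}@{alert['src']} reached {len(alert['hosts'])} "
              f"hosts from {alert['first_seen']}: {', '.join(alert['hosts'])} "
              f"(auth: {', '.join(alert['methods'])})")
```

On the constructed sample the `deploy` account from 10.10.20.5 reaches four servers in under three minutes, all by password, and is reported; `alice` touches two servers hours apart by public key and is not. Flagging password-based successes separately from key-based ones is worthwhile in practice, since a credential captured from terminal input is a password, not a key.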

At the same time, in the course of building out information systems, it is recommended to use domestically produced products and "zero trust" security solutions.

("Zero trust" is a new-generation network security protection concept which, by default, trusts no person, device or system, whether inside or outside the corporate network.)

The expert further pointed out that whether the result is data theft or the destruction and paralysis of systems, cyber attacks cause huge damage to cyberspace and even the physical world, especially attacks on important and critical information infrastructure: "Cyberspace is largely a physical space. The ease with which network activity crosses national borders makes it a frontier of continuous struggle. Without network security there is no national security. Only by developing our asymmetric competitive advantage in science and technology can we build independent and autonomous network protection and countermeasure capabilities that belong to China."