[Global Times, Global Network Report, Special Correspondent Yuan Hong] The latest investigative report, obtained by the Global Times reporter on the 27th, further reveals the purpose of the US cyberattack on Northwestern Polytechnical University: to infiltrate and control core equipment of China's infrastructure and to steal the private data of Chinese users. During the intrusion, a group of sensitive identities in China was also queried, and the user information was packaged, encrypted and sent back to NSA headquarters through a multi-level springboard.

In June, Northwestern Polytechnical University issued a statement saying that hackers from abroad had attacked its servers.

In September, an investigation by the relevant authorities revealed that the cyberattack on Northwestern Polytechnical University came from the National Security Agency's Office of Tailored Access Operations (TAO).

The China National Computer Virus Emergency Response Center and 360 Company took part in the technical analysis of the case throughout.

After sustained effort, the research team pinned down the target nodes, multi-level springboards, main control platform, encrypted tunnels, attack weapons and originating terminals that TAO used in its attack on Northwestern Polytechnical University, uncovered clues to the attackers' identities, and identified the real identities of 13 attackers.

The latest investigation report further shows that TAO had long maintained covert control over the university's operation and maintenance management server.

Based on the characteristics of the hidden links, penetration tools and Trojan samples from TAO's attack on Northwestern Polytechnical University, network security technicians found that TAO had also penetrated and taken control of the core data networks of China's infrastructure operators.

Moreover, using the accounts and passwords of Cisco PIX firewalls, Tianrongxin firewalls and other equipment belonging to Chinese infrastructure operators, TAO entered the operators' networks as a "legitimate" user and took control of their service quality monitoring systems and SMS gateway servers. It then used weapons and tools such as "Magic School", which are built specifically for operators' equipment, to query a group of sensitive identities in China, packaged and encrypted the user information, and sent it back to National Security Agency headquarters through a multi-level springboard.

Details of the intrusion disclosed, stolen goods recovered

The latest report discloses a series of details that further prove TAO carried out the cyberattacks, including when and how it stole the private data of Chinese users, which amounts to catching the attacker red-handed with the stolen goods.

The details show that at 22:53 on March 7, 20××, Beijing time, TAO attacked the business server 211.136.××.×× of a Chinese infrastructure operator through the attack proxy 148.208.××.×× located in Mexico. After two lateral movements within the intranet (10.223.140.××, 10.223.14.××), the attacker took control of the user database server and illegally queried the user information of multiple identity-sensitive personnel.

At 15:02 on the same day, TAO saved the queried user data in the directory "/var/tmp/.2e434fd8aeae73e1/erf/out/f/" on the compromised server, packaged it and sent it back to the attack springboard, and then used special tools to quickly remove attack traces such as the penetration tools uploaded during the theft and the user data itself.

In addition, using the same method, at 23:22 on January 10, 20××, 8:41 on January 29, 22:00 on March 28 and 23:58 on June 6, Beijing time, TAO attacked and controlled the business server of another Chinese infrastructure operator, illegally querying, exporting and stealing the user information of multiple sensitive individuals in batches.
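The stash path named above, a hidden directory with a random-looking hex name under a world-writable temp location, is the kind of artifact a defender can hunt for on a compromised server. The scanner below is an added example, not code from the report or from any of the parties it describes. It walks a directory tree, flags hidden directories whose name is a long hex string, and lists what sits beneath them. The tree it scans is constructed inline with tempfile so the example runs offline, and the name pattern (a leading dot followed by 12 or more hex characters) is the example's own assumption, with the reported 16-character name as one instance.

```python
"""Hunt for hidden hex-named staging directories (added example, constructed data)."""
import os
import re
import tempfile
from pathlib import Path

# Hidden (leading dot) directory named with 12+ lowercase hex characters.
# Assumption: the report's ".2e434fd8aeae73e1" is one instance; 12 is a tuning knob.
HEX_HIDDEN = re.compile(r"^\.[0-9a-f]{12,}$")


def find_hidden_hex_dirs(root):
    """Return one finding per matching directory under root: its path relative to
    root, the files beneath it (relative to the directory) and their total size."""
    root = Path(root)
    findings = []
    for dirpath, dirnames, _ in os.walk(root):
        for name in dirnames:
            if not HEX_HIDDEN.match(name):
                continue
            stash = Path(dirpath) / name
            files = [f for f in stash.rglob("*") if f.is_file()]
            findings.append({
                "dir": stash.relative_to(root).as_posix(),
                "files": sorted(f.relative_to(stash).as_posix() for f in files),
                "bytes": sum(f.stat().st_size for f in files),
            })
    return findings


def build_sample_tree():
    """Constructed filesystem: the reported stash layout plus benign hidden
    entries that must not be flagged. Returns the temporary root."""
    root = Path(tempfile.mkdtemp(prefix="stash-hunt-"))
    stash = root / "var" / "tmp" / ".2e434fd8aeae73e1" / "erf" / "out" / "f"
    stash.mkdir(parents=True)
    # Constructed payload: a gzip magic number plus padding, 64 bytes in total.
    (stash / "users.tgz").write_bytes(b"\x1f\x8b" + b"\x00" * 62)
    (root / "var" / "tmp" / ".X11-unix").mkdir(parents=True)   # legitimate hidden dir
    (root / "var" / "tmp" / ".cache").mkdir()                    # hidden but not hex-named
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for hit in find_hidden_hex_dirs(sample_root):
        print(f"suspicious hidden dir {hit['dir']}: "
              f"{len(hit['files'])} file(s), {hit['bytes']} bytes")
        for f in hit["files"]:
            print("   ", f)
```

Because the report says the attacker wiped the tools and the staged data right after exfiltration, a scan like this is only useful if it runs on a schedule or against periodic snapshots, so that the short window between staging and cleanup is captured.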

TAO's operational mistakes during the attack exposed its working path

In the technical analysis of TAO's cyberattack on Northwestern Polytechnical University, China broke the US "one-way transparency" advantage over China and obtained sufficient evidence of the US cyberattack.

It is worth noting that TAO exposed its working path through operational errors while carrying out the attack.

According to the report, at 5:36 on May 16, 20×× (Beijing time), the attackers targeting Northwestern Polytechnical University used a springboard machine located in South Korea (IP: 222.122.××.××) together with the NOPEN Trojan to attack the university again.

After achieving third-level penetration into the university's intranet, while attempting to infiltrate and control a network device, the operator made a human error when running the uploaded PY script tool: the specified parameters were not modified.

When the script ran, it returned an error message. The message exposed the working directory and the corresponding file name on the attacker's Internet-facing terminal. From this it can be seen that the Trojan control terminal runs Linux, and that the directory name "/etc/autoutils" is the special name TAO uses for its cyberattack weapon tools directory (autoutils).

List of springboard IPs used by TAO to attack Northwestern Polytechnical University

In addition, the technical analysis found that the United States, relying on its strong technological advantages, attacked Northwestern Polytechnical University on the schedule of a US working day, unscrupulously and without disguise.

First, big-data analysis of the related cyberattacks shows that 98% of the attacks on Northwestern Polytechnical University were concentrated between 21:00 and 4:00 the next morning, Beijing time, which corresponds to 9:00 a.m. to 4:00 p.m. US Eastern time, i.e. US working hours.

Second, no cyberattacks on Northwestern Polytechnical University occurred on any Saturday or Sunday, US time.

Third, analysis of holidays unique to the United States found that the attacker carried out no attack or theft operations during the three-day Memorial Day holiday or the one-day Independence Day holiday, four days in total.

Fourth, long-term close tracking of the attack behavior found that, year after year, all cyberattack activity went silent over the Christmas period.
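The four observations above are a standard working-hours attribution analysis: convert every attack timestamp from the victim's time zone to a candidate operator time zone and check whether the activity lines up with that zone's office hours, weekends and holidays. The script below is an added example, not code from the report or its authors. It runs that analysis on a constructed sample of Beijing-time timestamps (the dates, and the year 2019, are made up for the example) and goes one step beyond the report by scoring several candidate time zones to see which one best explains the activity.

```python
"""Working-hours attribution of attack timestamps (added example, constructed data)."""
from collections import Counter
from datetime import date, datetime, timedelta
from zoneinfo import ZoneInfo

BEIJING = ZoneInfo("Asia/Shanghai")
EASTERN = ZoneInfo("America/New_York")
WORK_START, WORK_END = 9, 17          # 09:00-16:59 local counts as working hours

# Constructed sample, "YYYY-MM-DD HH:MM" in Beijing time. Most fall in the
# 21:00-04:00 window the report describes; one (14:10) does not, one lands on a
# US Saturday and one on Memorial Day 2019 (May 27, US Eastern).
SAMPLE_BEIJING = [
    "2019-04-02 21:30", "2019-04-03 23:05", "2019-04-05 02:40", "2019-04-09 22:15",
    "2019-04-11 01:50", "2019-04-12 03:30", "2019-04-16 23:58", "2019-04-18 22:00",
    "2019-04-21 00:30", "2019-04-24 00:20", "2019-04-26 14:10", "2019-05-28 01:00",
]


def us_holidays(year):
    """Memorial Day (last Monday in May), Independence Day and Christmas Day.
    Observed-day shifts for holidays falling on a weekend are ignored here."""
    may31 = date(year, 5, 31)
    memorial = may31 - timedelta(days=may31.weekday())   # weekday(): Monday == 0
    return {memorial, date(year, 7, 4), date(year, 12, 25)}


def convert(ts_beijing, zone):
    """Parse a Beijing-time stamp and express it in `zone` (DST-aware)."""
    naive = datetime.strptime(ts_beijing, "%Y-%m-%d %H:%M")
    return naive.replace(tzinfo=BEIJING).astimezone(zone)


def working_hours_share(timestamps, zone):
    """Fraction of events whose local hour in `zone` falls in WORK_START..WORK_END-1."""
    local = [convert(t, zone) for t in timestamps]
    return sum(WORK_START <= d.hour < WORK_END for d in local) / len(local)


def likely_operator_zone(timestamps, candidates):
    """Pick the candidate zone whose office hours best explain the activity."""
    return max(candidates, key=lambda z: working_hours_share(timestamps, ZoneInfo(z)))


def profile_eastern(timestamps):
    """The report's checks (office hours, weekends, US holidays) in US Eastern time,
    plus a per-hour histogram of when the activity lands."""
    local = [convert(t, EASTERN) for t in timestamps]
    return {
        "events": len(local),
        "work_hours_share": working_hours_share(timestamps, EASTERN),
        "weekend_events": sum(d.weekday() >= 5 for d in local),
        "holiday_events": sum(d.date() in us_holidays(d.year) for d in local),
        "hour_histogram": dict(Counter(d.hour for d in local)),
    }


if __name__ == "__main__":
    p = profile_eastern(SAMPLE_BEIJING)
    print(f"{p['events']} events, {p['work_hours_share']:.0%} in US Eastern 09:00-16:59, "
          f"{p['weekend_events']} on weekends, {p['holiday_events']} on US holidays")
    print("best-fitting zone:",
          likely_operator_zone(SAMPLE_BEIJING,
                               ["Asia/Shanghai", "Europe/Moscow", "America/New_York"]))
```

The conversion is done with zoneinfo rather than a fixed offset so that US daylight-saving time is handled; the report's 9:00 to 16:00 mapping only holds while Eastern time is UTC-4. Note also that a clean office-hours fit is evidence about where the operators sit, not proof, since an attacker can schedule activity to imitate another zone.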

During the technical analysis and traceability investigation, the technical team found a batch of server IP addresses of the related weapons and equipment used by TAO in the network intrusion of Northwestern Polytechnical University. Examples are as follows: