On June 22, 2022, Northwestern Polytechnical University issued a "Public Statement" stating that the school suffered an overseas cyber attack.

The Beilin Branch of the Public Security Bureau of Xi'an City, Shaanxi Province immediately issued the "Police Information Bulletin", confirming that a number of Trojan horses and malicious program samples originating from abroad were found in the information network of Northwestern Polytechnical University.

  China National Computer Virus Emergency Response Center and 360 Company participated in the technical analysis of the case throughout the process.

The technical team has successively extracted samples of Trojan programs from multiple information systems and Internet terminals of Northwestern Polytechnical University, comprehensively used existing domestic data resources and analysis methods, and received the full support of partners from some countries in Europe and Southeast Asia. It has pieced together the overall picture, technical characteristics, attack weapons, attack paths and attack sources of the incidents. It is preliminarily determined that the relevant attack activities originated from the "Special Intrusion Operations Office" of the National Security Agency (NSA) (i.e. the Office of Tailored Access Operations, hereinafter referred to as "TAO").

  This series of research reports will publish the important details of some specific attack activities among the thousands of cyber attacks launched by TAO against Northwestern Polytechnical University, and provide examples for countries around the world to effectively discover and prevent subsequent cyber attacks by TAO.

1. The process of TAO attack infiltrating Northwestern Polytechnical University

  TAO's cyber attack techniques and tactics against other countries are highly targeted, adopting a semi-automatic attack process, single-point breakthrough, gradual penetration, and long-term secret theft.

  (1) Single-point breakthrough, cascade penetration, control the network of Northwestern Polytechnical University

  After a long period of careful preparation, TAO used the "Sour Fox" platform to carry out a man-in-the-middle hijacking attack on the internal hosts and servers of Northwestern Polytechnical University, and deployed the "Rage Jet" remote control weapon to control multiple key servers.

Using cascading Trojans to control and penetrate, it went deep into the internal network of Northwestern Polytechnical University, successively controlling the core network equipment, servers and terminals of the operation and maintenance network and the office network. It took control of important network nodes such as routers and switches, stole authentication data, and used them to infiltrate and expand further, finally achieving covert control of the internal network of Northwestern Polytechnical University.

  (2) Concealed residency, "legal" monitoring, stealing core operation and maintenance data

  TAO uses the combat action cover weapon "Precision Surgeon" together with the remote control Trojan NOPEN to achieve comprehensive "stealth" of processes, files and operation behaviors, and covertly controlled the operation and maintenance management server of Northwestern Polytechnical University for a long time. It also erased system files and 3 types of system logs to eliminate traces and evade tracing.

TAO has successively stolen several network device configuration files from the server.

Using the stolen configuration files, TAO remotely "legitimately" monitored a group of network devices and Internet users, providing data support for subsequent expansion and penetration of these targets.

  (3) Collecting authentication data, building channels, and infiltrating infrastructure

  By stealing key sensitive data such as account passwords, operation records and system logs from the operation and maintenance staff and remote business management technicians of Northwestern Polytechnical University, TAO obtained a batch of network border equipment account passwords, business equipment access rights, configuration information of routers and other equipment, and FTP server documentation.

Correlating the characteristics of TAO's attack chain, penetration methods and Trojan samples, the technical team found that TAO had illegally attacked and penetrated infrastructure operators in China, constructing a "legitimate" channel for remote access to the operators' core data networks and achieving penetration control of the infrastructure.

  (4) Control important business systems and implement user data theft

  Using the account passwords of Cisco PIX firewalls, Tianrongxin firewalls and other equipment belonging to China's infrastructure operators, TAO entered the operators' networks as a "legitimate" user, then carried out intranet penetration and expansion to take control of the operators' service quality monitoring systems and SMS gateway servers. Using weapons and tools such as "Magic School", built specifically for operators' equipment, it queried a group of sensitive identities in China, then packaged and encrypted the user information and sent it back to NSA headquarters through multi-level springboards.

2. Stealing sensitive information from Northwestern Polytechnical University and Chinese operators

  (1) Stealing key sensitive data such as remote business management account passwords and operation records of Northwestern Polytechnical University

  TAO installed the sniffing tool "Drinking Tea" on the operation and maintenance management server of Northwestern Polytechnical University and, for a long time, stealthily stole the remote maintenance and management information of the university's operation and maintenance personnel, including the account passwords of network boundary equipment, business equipment access rights, and configuration information of routers and other devices.

  The types of network equipment sniffed include fixed Internet access network equipment (routers, authentication servers, etc.), core network equipment (core routers, switches, firewalls, etc.) and other important equipment (data service platforms, etc.); the content includes accounts, passwords, device configurations, network configurations and other information.

  1. Steal the account password and configuration information of the core network equipment of NPU

  At 6:52 on December 11, 20××, Beijing time, TAO used a proxy server (IP: 130.54.××.××) located at Kyoto University, Japan as an attack springboard, illegally invaded the "telnet" management server of Northwestern Polytechnical University's operation and maintenance network, uploaded and installed the NOPEN Trojan, and then cascaded control to its intranet monitoring and management server. The "Drinking Tea" sniffing tool had been installed on both servers in advance.

TAO remotely controlled the Trojan to retrieve and download the compressed and encrypted monitoring record file, then cleared its traces and exited.

The stolen data includes information such as routers, core network devices (core routers, switches, and firewalls) management accounts, passwords, device configurations, and network configurations.

  2. Stealing the account passwords and configuration information of the access network authentication devices on multiple occasions

  (1) At 0:28 on May 30, 20××, Beijing time, TAO used a proxy server located in Japan (IP: 210.135.××.××) as an attack springboard, illegally invaded the "telnet" management server of Northwestern Polytechnical University's operation and maintenance network, uploaded and installed the NOPEN Trojan, and then cascaded control to its intranet monitoring and management server. The "Drinking Tea" sniffing tool had been installed on both servers in advance. TAO remotely controlled the Trojan to retrieve and download the stolen record file, then cleared its traces and exited.

The stolen data includes the account, password and configuration information of the access network authentication device.

  (2) At 1:12 on July 4, 20××, Beijing time, TAO used a proxy server (IP: 141.57.××.××) located at the Leipzig University of Applied Sciences (Technology, Economics and Culture) in Germany as an attack springboard, illegally invaded the "telnet" management server of Northwestern Polytechnical University's operation and maintenance network, uploaded and installed the NOPEN Trojan tool, and cascaded control to 3 other servers including its intranet monitoring and management server. It used the remote control Trojan to retrieve and download the stolen files, then cleared its traces and exited.

  (3) At 10:35 on October 11, 20××, Beijing time, TAO used a proxy server (IP: 210.115.××.××) located at Kangwon National University in South Korea as an attack springboard, illegally invaded the operation and maintenance network monitoring and management server of Northwestern Polytechnical University, uploaded and installed the NOPEN Trojan tool, and then cascaded control to 4 other servers including its intranet backup server and authentication server. The "Drinking Tea" sniffing tool had been installed on all 5 servers in advance. TAO remotely controlled the Trojan to retrieve and download the stolen record files from each of them, then cleared its traces and exited.

  (4) At 2:46 on October 19, 20××, Beijing time, TAO used a proxy server (IP: 143.248.××.××) of the Korea Advanced Institute of Science and Technology in Daejeon, South Korea as an attack springboard, illegally invaded the "telnet" management server of Northwestern Polytechnical University's operation and maintenance network, and cascaded control to two other servers including its intranet supervision server. The "Drinking Tea" sniffing tool had been installed on these three servers in advance. TAO retrieved and downloaded the stolen files through the remote control Trojan, then cleared its traces and exited.

  (2) Stealing the network equipment operation and maintenance configuration files and log files of Northwestern Polytechnical University

  The National Security Agency's "Specific Intrusion Operations Office" (TAO) has long-term attacked the network operation and maintenance management server of Northwestern Polytechnical University, secretly stealing network equipment operation and maintenance configuration files and log files.

  1. Stealing the network operation log files of Northwestern Polytechnical University

  At 3:41 on March 2, 20××, Beijing time, TAO illegally invaded and controlled a network operation and maintenance management server of Northwestern Polytechnical University through a proxy server (IP: 210.135.××.××) located in Japan.

At 3:49, TAO moved laterally from the operation and maintenance management server to another operation and maintenance monitoring server, searched for log files using specific strings as keywords, and stole a batch of system operation log files and backups of daily system self-check reports.

  2. Steal the regular task configuration script of the Northwestern Polytechnical University server

  At 10:41 on October 11, 20××, Beijing time, TAO invaded and controlled an intranet server of Northwestern Polytechnical University through a proxy server (IP: 210.115.××.××) located in South Korea.

At 10:48, after two lateral movements, TAO invaded another intranet server, accessed the periodic task configuration script in a specific directory, and retrieved a total of 14 configuration files for periodic task execution.

The 14 files were then stolen in one go; such scripts are used to perform regular cleanups, backups, power checks and similar tasks.

  3. Stealing the server system information files of Northwestern Polytechnical University

  At 1:27 on June 6, 20××, Beijing time, TAO invaded and controlled an intranet server of Northwestern Polytechnical University through a proxy server (IP: 222.122.××.××) located in South Korea.

At 2:04, after two lateral movements, TAO invaded another intranet server, accessed the system files under the /var/ directory, and stole 60 commonly used system information files. The contents of the stolen system information files included the system release version, user password hashes, user permissions, local domain name resolution configuration, etc.

  (3) Penetrating and controlling the core equipment of China's infrastructure

  The U.S. National Security Agency's "Specific Intrusion Operations Office" (TAO) used the stolen network device account passwords to enter the service network of an infrastructure operator in China as a "legitimate" identity, control the relevant service quality monitoring system, and steal user privacy data.

  1. Stealing private data of Chinese users

  At 22:53 on March 7, 20××, Beijing time, the "Special Intrusion Operations Office" (TAO) of the National Security Agency, working through the attack proxy 148.208.××.×× located in Mexico, attacked and controlled the business server 211.136.××.×× of a Chinese infrastructure operator. After two lateral movements on the intranet (10.223.140.××, 10.223.14.××), it attacked and controlled the user database server and illegally queried the user information of multiple sensitive persons.

  At 15:02 on the same day, TAO saved the queried user data in the /var/tmp/.2e434fd8aeae73e1/erf/out/f/ directory of the attacked server, packaged it and sent it back to the attack springboard, and then used special tools to quickly remove attack traces such as the tools uploaded during the theft and the user data.

  Using the same method, the National Security Agency's "Specific Intrusion Operations Office" (TAO) attacked and controlled another Chinese infrastructure business server at 23:22 on January 10, 20××, at 8:41 on January 29, at 22:00 on March 28, and at 00:00 and 23:58 on June 6 (all Beijing time), illegally querying, exporting and stealing the user information of multiple sensitive individuals in batches.

  2. Penetration control of the global telecommunications infrastructure

  According to the analysis, the National Security Agency's "Specific Intrusion Operations Office" (TAO) used the above-mentioned method to use the same combination of weapons and tools to "legally" control the telecommunications infrastructure networks of no less than 80 countries around the world.

The technical team cooperated with partners in European and Southeast Asian countries to successfully extract and preserve samples of the above weapons and tools, and completed their technical analysis; the results will be announced in due course to help the world jointly resist and prevent the NSA's network penetration attacks.

3. Related situations of TAO's identity exposure during the attack

  During the cyber attack on Northwestern Polytechnical University, the "Specific Intrusion Operations Office" (TAO) of the National Security Agency exposed a number of technical loopholes and made many operational mistakes. The relevant evidence further proves that the NSA is the behind-the-scenes culprit of the cyber attack on Northwestern Polytechnical University.

The following is a summary of examples:

  (1) The attack times are completely consistent with US working and rest schedules

  The National Security Agency's "Specific Intrusion Operations Office" (TAO) must operate manually when using the tipoff activation command and when remotely controlling the NOPEN Trojan. From the attack times of these two tools, the actual working hours of the network attacker can be analyzed.

  First, according to big data analysis of the related cyber attacks, 98% of the cyber attacks against Northwestern Polytechnical University are concentrated between 21:00 and 4:00 a.m. Beijing time, which corresponds to working hours in the United States starting at 9:00 a.m.

Secondly, there was no cyber attack on Northwestern Polytechnical University on all Saturdays and Sundays in US time.

Third, analysis of holidays unique to the United States shows a three-day "Memorial Day" holiday and a one-day "Independence Day" holiday. During these four days, the attacker did not carry out any attack or theft operations.

Fourth, we have closely tracked the attack behavior for a long time and found that during the Christmas period over the years, all network attack activities were silent.

Judging from the above working hours and holiday arrangements, the hackers targeting Northwestern Polytechnical University carried out all their activities according to the schedule of US working days, unscrupulous and undisguised.
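The schedule analysis described in this section can be reproduced on an event log. The following is an added illustration, not the technical team's own tooling: it takes a constructed list of manual-operation timestamps in Beijing time, converts them to US Eastern time, and reports the share inside the 21:00 to 4:00 Beijing window, weekend and holiday activity in US time, and which US holidays in the observed span were silent.

```python
"""Working-hours attribution profile for attack timestamps (added example)."""
from collections import Counter
from datetime import date, datetime, timedelta
from zoneinfo import ZoneInfo

BEIJING = ZoneInfo("Asia/Shanghai")
EASTERN = ZoneInfo("America/New_York")

# Constructed sample of tipoff / NOPEN control timestamps, Beijing time.
# These are illustrative values, not data from the report.
SAMPLE_EVENTS = [
    "2019-05-13 21:05", "2019-05-13 23:40", "2019-05-14 02:15",
    "2019-05-15 22:10", "2019-05-16 01:30", "2019-05-16 03:55",
    "2019-05-20 22:47", "2019-05-21 00:12", "2019-05-23 21:30",
    "2019-05-24 01:00", "2019-05-29 22:20", "2019-05-30 14:00",
]


def us_holidays(year: int) -> set[date]:
    """Memorial Day (last Monday of May), Independence Day and Christmas."""
    d = date(year, 5, 31)
    while d.weekday() != 0:          # walk back to the last Monday of May
        d -= timedelta(days=1)
    return {d, date(year, 7, 4), date(year, 12, 25)}


def schedule_profile(events: list[str]) -> dict:
    """Summarise how well Beijing-time events fit a US working-day pattern."""
    stamps = [datetime.strptime(e, "%Y-%m-%d %H:%M").replace(tzinfo=BEIJING)
              for e in events]
    eastern = [s.astimezone(EASTERN) for s in stamps]
    # Events between 21:00 and 04:00 Beijing time (the window the report cites).
    in_window = sum(1 for s in stamps if s.hour >= 21 or s.hour < 4)
    weekend = sum(1 for e in eastern if e.weekday() >= 5)
    active_days = {e.date() for e in eastern}
    on_holiday = sum(1 for e in eastern if e.date() in us_holidays(e.year))
    # US holidays that fall inside the observed span but saw no activity.
    first, last = min(active_days), max(active_days)
    silent = sorted(h for y in range(first.year, last.year + 1)
                    for h in us_holidays(y)
                    if first <= h <= last and h not in active_days)
    hours = Counter(e.hour for e in eastern)
    return {
        "total": len(stamps),
        "window_share": round(in_window / len(stamps), 2),
        "weekend_events": weekend,
        "holiday_events": on_holiday,
        "silent_holidays": silent,
        "busiest_us_hour": hours.most_common(1)[0][0],
    }


if __name__ == "__main__":
    for key, value in schedule_profile(SAMPLE_EVENTS).items():
        print(f"{key}: {value}")
```

A real analysis would feed in the full event log rather than the constructed sample, and would compare several candidate time zones rather than assuming US Eastern.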

  (2) Language and behavior habits are closely related to the United States

  During the long-term tracking and counter-penetration of the network attackers (details omitted), the technical team found that the attackers have the following language characteristics: first, the attackers habitually use American English; second, the Internet devices associated with the attackers run an English operating system and various English-language applications; third, the attackers use an American keyboard layout for input.

  (3) Misuse of weapons exposes the working path

  At 5:36 on May 16, 20×× (Beijing time), the cyber attackers targeting Northwestern Polytechnical University used a springboard machine (IP: 222.122.××.××) located in South Korea and the NOPEN Trojan to attack Northwestern Polytechnical University again.

While trying to infiltrate and control a network device after completing the third-level penetration into the intranet of Northwestern Polytechnical University, the operator made a human error when running the uploaded PY script tool: the specified parameters were not modified.

After the script was executed, an error message was returned. The message exposes the working directory of the attacker's Internet terminal and the corresponding file name. From this it can be seen that the system environment of the Trojan control terminal is Linux, and that the directory name "/etc/autoutils" is the dedicated name of TAO's network attack weapons and tools directory (autoutils).

  The error message is as follows:

  Quantifier follows nothing in regex; marked by <-- HERE in m/* <-- HERE .log/ at ../etc/autoutils line 4569

  (4) A large number of weapons are highly homologous to the exposed NSA weapons genes

  Among the 41 different cyber attack weapons and tools captured in this attack on Northwestern Polytechnical University, 16 tools are exactly the same as the TAO weapons exposed by the "Shadow Broker"; another group of tools are not exactly the same as those exposed by the "Shadow Broker", but their genetic similarity is as high as 97%, so they belong to the same type of weapon with different configurations; two other tools cannot be matched to the "Shadow Broker" exposure, but they must be used in conjunction with other TAO cyber attack weapons and tools, so these weapons and tools clearly have the same origin and belong to TAO.

  (5) Some cyber attacks occurred before the exposure of "shadow brokers"

  A comprehensive analysis by the technical team found that, among the tens of thousands of cyber attacks against Chinese targets, and especially the thousands of cyber attacks against Northwestern Polytechnical University, Trojan implantation with some of the weapons used had already been completed before those weapons were exposed by the "Shadow Broker" leak of NSA tools.

According to the NSA's behavior and habits, the above weapons and tools are likely to be used by TAO employees themselves.

4. TAO cyber attack on Northwestern Polytechnical University weapon platform IP list

  During the technical analysis and traceability investigation, the technical team found a batch of server IP addresses of related weapons and equipment used by TAO in the network intrusion operation of Northwestern Polytechnical University. Examples are as follows:

5. List of springboard IPs used by TAO to attack Northwestern Polytechnical University

  After continuous hard work, the research team successfully pinned down the target nodes, multi-level springboards, main control platform, encrypted tunnels, attack weapons and originating terminals used by TAO in the network attack on Northwestern Polytechnical University, found identity clues of the attackers, and successfully identified the real identities of 13 attackers.