September 28, 2022
BEIJING – The United States National Security Agency gained access to China’s telecommunications networks and made inquiries about a number of people with sensitive backgrounds, leading to some of their information being leaked, according to an investigation report on a cyberattack at a prominent Chinese public research university.
On June 22, Northwestern Polytechnical University, in Xi’an, Shaanxi province, which is known for its education and research programs in aeronautics, astronautics and marine technology engineering, announced that overseas hackers had been caught sending phishing emails with Trojan horse programs to teachers and students at the university in an attempt to steal their data and personal information.
The report, released on Tuesday, said that while retracing the technical features, attack weapons and paths used in the NSA cyberattack on Northwestern Polytechnical University, analysts discovered that the NSA’s Office of Tailored Access Operations had infiltrated the networks of at least two telecommunication operators in China and built a “legitimate” channel for remote access to the core data.
The office then made inquiries about a number of people with sensitive backgrounds. Some of their information was sent back to the NSA headquarters via multiple jump servers, according to the report released by China’s National Computer Virus Emergency Response Center and internet security company 360.
With support from partners in European and Southeast Asian countries, analysts discovered that the office has also infiltrated the telecommunications networks of at least 80 countries using the same cyberattack weapons.
The report detailed the process of the office’s infiltration of the university’s internal network. First, it used “FoxAcid”, an intermediate attack platform, to hack into the university’s internal host computer and servers, and then gained control over several key servers with remote control weapons. It controlled some important network node equipment, including the university’s internal routers and switches, and stole authentication data.
Hiding in the university’s operations and maintenance servers, the office stole several configuration files of network equipment that it used to “validly” monitor network equipment and internet users, according to the report.
Of the 41 types of tools used in this attack, 16 are identical to the office’s weapons that have been exposed by the hacker group “Shadow Brokers”, and 23 have a 97 percent structural similarity with those deployed by the office. The remaining two types have to be used in conjunction with other cyberattack weapons from the office, it said.
The identities of 13 hackers who carried out the attack have been discovered. Their working hours, language used and behavior habits have also exposed their links with the office, the report added.