Evidence shows US’ NSA behind attack on email system of Chinese leading aviation university

Global Times
Lin Congyi
2022-09-05 16:59:02
cyber attack Photo:VCG

By Zhao Siwei

The email system of a university in Northwest China's Shaanxi Province – well-known for its aviation, aerospace and navigation studies – was found to have been attacked by the US' National Security Agency (NSA), the Global Times learned from a source on Monday.

On June 22, Northwestern Polytechnical University announced that hackers from abroad were caught sending phishing emails with Trojan horse programs to teachers and students at the university, attempting to steal their data and personal information.

A police statement released by the Beilin Public Security Bureau in Xi'an the next day said that the attack attempted to lure teachers and students into clicking links of phishing emails with Trojan horse programs, with themes involving scientific evaluation, thesis defense and information on foreign travel, so as to obtain their email login details.

To probe into the attack, China's National Computer Virus Emergency Response Center and internet security company 360 jointly formed a technical team to conduct a comprehensive technical analysis of the case.

By extracting many trojans samples from internet terminals of Northwestern Polytechnical University, under the support of European and South Asian partners, the technical team initially identified that the cyberattack to the university was conducted by the Tailored Access Operations (TAO) (Code S32) under the Data Reconnaissance Bureau (Code S3) of the Information Department (Code S) of US' NSA.

TAO is the largest and most important part of the intelligence division of the NSA. Founded in 1998, the main responsibility of TAO is to use the internet to secretly access to insider information of its competitors, including secretly invading target countries' key information infrastructure to steal account codes, break or destroy computer security systems, monitor network traffic, invade privacy and steal sensitive data, and gain access to phone calls, emails, network communications and messages.

The various departments of TAO are composed of more than 1,000 active military personnel, network hackers, intelligence analysts, academics, computer hardware and software designers, and electronics engineers. The entire organizational structure consists of one "center" and four "divisions."

The Global Times learned from the source that the attack was code-named "shotXXXX" by the NSA. Directly involved in the command and action mainly includes the head of TAO, remote operations center (mainly responsible for operational weapons platforms and tools to enter and control target system or network) and infrastructure task division (mainly responsible for development and build a network infrastructure and security monitoring platform for attacks)

In addition, four other divisions were also involved in the operation: the advanced/access network technology division, the data network technology division, and the telecommunications network technology division, which provided technical support, and the requirements and location division, which determined the attack strategy and intelligence assessment.

The Global Times learned from the source that at that time, TAO was headed by Rob Joyce. Born September 13, 1967, he attended Hannibal High School and graduated from Clarkson University with a bachelor’s degree in 1989 and Johns Hopkins University with a master’s degree in 1993. He joined the NSA in 1989 and served as Deputy Director of TAO from 2013 to 2017. He began serving as Acting US Homeland Security Advisor in October 2017. From April to May 2018, he served as the State Security Advisor to the White House, and then returned to the NSA as the Senior Advisor to the Director of Cybersecurity Strategy of the NSA. He now serves as the Director of Cybersecurity.

The investigation also found that in recent years, TAO has conducted tens of thousands malicious attacks against targets in China, controlling large numbers of network devices (web server, internet terminals, network switches, telephone switches, routers, firewalls, and etc.) to steal a high value of more than 140 GB of data.

Technical analysis also found that TAO had acquired the management authority of a large number of communication network equipment in China with the cooperation of several large and well-known internet enterprises in the US before the attack began, which made it easy for the NSA to continuously invade the important information network in China.

Aiming at Northwestern Polytechnical University, TAO used 41 types of weapons to steal the core technology data including key network equipment configuration, network management data, and core operational data. The technical team discovered more than 1,100 attack links infiltrated inside the university and more than 90 operating instruction sequences, which stole multiple network device configuration files, and other types of logs and key files, the source said.

It was found that 13 people from the US were directly involved in the attack and more than 60 contracts and 170 electronic documents that the NSA signed with American telecom operators through a cover company to build an environment for cyberattacks, according to the source.

The Global Times also learned from the source that TAO has used 54 jumpers and proxy servers in the network attack against Northwestern Polytechnical University, which were mainly distributed in 17 countries such as Japan, South Korea, Sweden, Poland and Ukraine, 70 percent of which are located in the countries surrounding China, such as Japan and South Korea.

For a long time, the NSA has been carrying out secret hacking activities against China’s leading enterprises in various industries, governments, universities, medical institutions, scientific research institutions and even important information infrastructure operation and maintenance units related to the national economy and people’s livelihood.

A latest cybersecurity report released by Anzer, a cybersecurity information platform, on June 13 showed that the US military and government cyber agencies have remotely stolen more than 97 billion pieces of global internet data and 124 billion phone records in the last 30 days, which are becoming a major source of intelligence for the US and other "Five Eyes" countries.

On June 29, China's National Computer Virus Emergency Response Center and 360 also disclosed a new vulnerability attack weapon platform deployed by the NSA, which experts believe is the main equipment of TAO, and it targets the world with a focus on China and Russia. The US’ move raised wide suspicions that the country might be preparing for a bigger cyberwar, experts noted.


Related News