Exposing the NPU Cyberattack: China Deciphers the Spyware and Reveals US NSA’s Hand
Northwestern Polytechnical University (NPU), one of China’s top aviation institutions, found itself in the crosshairs of a cyberattack in June 2022. The subsequent investigation led to a surprising revelation: the involvement of the US National Security Agency (NSA).
Following the attack, the National Computer Virus Emergency Response Center (CVERC) and the prominent Chinese internet security firm 360 examined the assault in depth, uncovering intricate details. Their collaborative efforts, corroborated by international partners, traced the origins of the attack to specific individuals within the NSA.
Chronology of the Attack
Last June, NPU’s public statement painted a grim picture: a sophisticated cyberattack by an international hacker group intent on pilfering valuable data. The ripple effects of this statement were profound, prompting an immediate and comprehensive investigation.
The mastermind behind the attack was identified as the Office of Tailored Access Operations (TAO, Code S32). This particular entity operates under the Data Reconnaissance Bureau (Code S3) which is part of the NSA’s Information Department (Code S).
The Digital Weapon: SecondDate
From documents exposed by the whistleblower group “Shadow Brokers”, SecondDate is revealed as an NSA-developed cyber weapon. Its primary function is to be deployed on network boundary devices such as gateways, firewalls, and edge routers. The tool discreetly scrutinizes cyber traffic, possessing the capability to divert, intercept, or alter specific network sessions on demand.
As CVERC and 360’s investigation progressed, they not only extracted several instances of this spyware but also successfully unmasked the NSA personnel responsible for this covert digital operation.
A technical deep dive into SecondDate showcases its prowess. This isn’t a rudimentary tool; its intricacies suggest a profound understanding of cyber technology, particularly network firewall technology. The functionality can be likened to having content-filtering firewalls and proxy servers on target devices, allowing absolute control over these devices and their subsequent traffic. This total control grants the attacker unprecedented access for extended data theft, even using the compromised network as a launchpad for more attacks.
How SecondDate Operates
In conjunction with TAO’s arsenal of firewall and router exploitation tools, once a vulnerability is detected and exploited, SecondDate is introduced into the target device. Control over this spyware is bifurcated into server-side and control-side operations.
The server-side, installed on boundary devices such as gateways or routers, filters all traffic in real time. The control-side activates the tool by sending it specially crafted packets; once the server-side extracts the reconnect (callback) IP address from these packets, it connects back to that address and can then select any target for a man-in-the-middle attack as required.
Communication between the two sides uses UDP and is encrypted throughout, and the port used is chosen at random. From a remote location, the control-side can dictate the server-side’s operations, including which traffic to hijack.
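As an added illustration (not from the article, nor code from CVERC or 360), here is a defender-side heuristic for the behaviour just described: a boundary device that receives an unsolicited inbound UDP packet and shortly afterwards itself opens an outbound UDP session to a previously unknown external host. The flow records, the gateway list, the allow-list of sanctioned peers and the 30-second correlation window are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed flow records (not from the article). One line per flow:
# "timestamp,src_ip,src_port,dst_ip,dst_port,proto,direction", where 'in'
# means a remote host initiated the flow toward the gateway and 'out'
# means the gateway itself initiated the flow.
SAMPLE_FLOWS = """\
2022-06-01T10:00:01,203.0.113.7,44123,192.0.2.1,443,tcp,in
2022-06-01T10:00:05,198.51.100.9,53011,192.0.2.1,17322,udp,in
2022-06-01T10:00:09,192.0.2.1,49822,198.51.100.23,25111,udp,out
2022-06-01T10:03:00,192.0.2.1,123,203.0.113.200,123,udp,out
2022-06-01T10:15:00,192.0.2.1,514,10.0.0.5,514,udp,out
"""

GATEWAYS = {"192.0.2.1"}                      # boundary devices being watched (assumed)
KNOWN_PEERS = {"203.0.113.200", "10.0.0.5"}   # sanctioned NTP/syslog peers (assumed)
WINDOW = timedelta(seconds=30)                # assumed trigger-to-callback window

def parse_flows(text):
    """Parse the constructed CSV flow format into dicts, oldest first."""
    rows = []
    for line in text.strip().splitlines():
        ts, sip, sp, dip, dp, proto, direction = line.split(",")
        rows.append({"ts": datetime.fromisoformat(ts), "src": sip, "sport": int(sp),
                     "dst": dip, "dport": int(dp), "proto": proto, "dir": direction})
    return sorted(rows, key=lambda r: r["ts"])

def find_callbacks(flows):
    """Flag a gateway-initiated UDP flow to a non-allow-listed peer that
    follows an inbound UDP packet to that same gateway within WINDOW.
    A gateway normally terminates or forwards traffic; it rarely originates
    UDP sessions to arbitrary hosts, so such a pairing deserves review."""
    alerts = []
    for i, f in enumerate(flows):
        if f["dir"] != "out" or f["proto"] != "udp" or f["src"] not in GATEWAYS:
            continue
        if f["dst"] in KNOWN_PEERS:
            continue
        triggers = [t for t in flows[:i]
                    if t["dir"] == "in" and t["proto"] == "udp"
                    and t["dst"] == f["src"]
                    and timedelta(0) <= f["ts"] - t["ts"] <= WINDOW]
        if triggers:
            alerts.append({"gateway": f["src"], "callback_ip": f["dst"],
                           "callback_port": f["dport"],
                           "trigger_src": triggers[-1]["src"]})
    return alerts
```

Running `find_callbacks(parse_flows(SAMPLE_FLOWS))` on the constructed data yields a single alert for the outbound flow at 10:00:09, while the sanctioned NTP and syslog flows are left alone.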
A Global Web of Deception
China and its global partners didn’t limit their inquiry to the NPU incident. Through persistent tracking, they unearthed the presence of SecondDate and its variants in thousands of network devices across numerous countries. Notably, servers controlled by the NSA were found in regions such as Germany, Japan, South Korea, India, and Taiwan.
In the words of an involved official, “The collaboration between countries has led to crucial breakthroughs. We’ve identified NSA personnel directly involved in cyberattacks against NPU.”
The unmasking of SecondDate stands as a testament to China’s commitment to thwarting state-sponsored cyberattacks, especially those orchestrated by the US government. By shining a light on these covert operations, China emphasizes its advanced cyber technological base, aiming to bolster global cyber defense mechanisms. It’s not just about deflecting attacks; it’s about exposing the entities behind them to the world, holding them accountable.
Sources have intimated that identities of those behind the NSA cyberattacks will soon be made public, a revelation that will undoubtedly refocus global scrutiny on the US government’s relentless cyber espionage.
Final Thoughts
The NPU incident is more than a cyberattack; it’s a manifestation of the shadowy realm of cyber espionage where state-sponsored entities operate with alarming discretion. China’s endeavors, in collaboration with international allies, not only staved off this threat but also set a precedent in cyber defense and transparency. The world will be watching closely, anticipating further disclosures and hoping for a safer, more transparent digital future.