World Forbes – Business, Tech, AI & Global Insights
Cybersecurity

How China Pinned University Cyberattacks on NSA Hackers

By admin, February 21, 2025

Chinese government agencies and private firms attributed cyberattacks aimed at the country’s Northwestern Polytechnical University to the United States’ National Security Agency (NSA) based on IPs, incident timeline, keyboard input, human error, and deployed tools, a security researcher reports.

In September 2022, China’s National Computer Virus Emergency Response Center (CVERC) accused the NSA of tens of thousands of cyberattacks against networks in the country, and of infiltrating the Northwestern Polytechnical University.

A year later, CVERC said it linked malware used in an April 2022 attack against the aerospace and defense institution to the NSA, and that it had uncovered the identities of the attackers.

CVERC, however, was not the only Chinese entity to blame the NSA for the Northwestern Polytechnical University hack, and Australia-based researcher Lina Lau has dived into multiple reports to better understand the evidence behind the attribution.

Lau is the co-founder of Xintra, a company that provides advanced cybersecurity training solutions. 

While “the authenticity and extent of these allegations remain unverified by independent sources,” the reports paint a clear picture of the Chinese methodology of incident response, Lau notes.

China tracks the threat actor as APT-C-40, which Lau suggests is linked to the notorious Equation Group.

According to the analyzed reports, the NSA’s Tailored Access Operations (TAO) division targeted the university for data theft and espionage, deploying at least 41 malware strains, and performing hands-on-keyboard operations.


Reports from the university, CVERC, and cybersecurity firm Qihoo 360 mention four IP addresses that the NSA allegedly purchased through cover entities, and the use of anonymous protection services to anonymize domain names and certificates.

Hands-on-keyboard activity fell on US weekdays and stopped on US national holidays such as Memorial Day and Independence Day, which the reports took as pointing to US-based operators, as did the use of American English keyboard layouts and devices running English-language operating systems and applications.
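The working-hours and holiday check described above is a routine step in attribution work. The script below is an added example, not code from the page or from the Chinese reports it summarizes: given UTC timestamps of hands-on-keyboard sessions, it scores candidate operator time zones by how much of the activity lands in weekday working hours and counts activity on US federal holidays inside the observed span. The timestamps are constructed sample data, the candidate zones are fixed UTC offsets (a real analysis would use zoneinfo so DST is handled), and the working-hours window of 09:00 to 18:00 is an assumption.

```python
"""Timeline-based attribution check (added example with constructed data)."""
from collections import Counter
from datetime import date, datetime, timedelta, timezone

# Candidate operator zones as fixed offsets. Assumption: the observed span lies
# entirely inside US daylight time, so US Eastern is UTC-4 and Central Europe UTC+2.
ZONES = {
    "US Eastern (UTC-4)": timezone(timedelta(hours=-4)),
    "Central Europe (UTC+2)": timezone(timedelta(hours=2)),
    "China (UTC+8)": timezone(timedelta(hours=8)),
}
US_EASTERN = ZONES["US Eastern (UTC-4)"]


def us_federal_holidays(year):
    """Observed dates of the US federal holidays in `year`.
    Fixed-date holidays on a weekend shift to the nearest weekday, as the
    federal government observes them."""
    def observed(d):
        if d.weekday() == 5:      # Saturday -> Friday
            return d - timedelta(days=1)
        if d.weekday() == 6:      # Sunday -> Monday
            return d + timedelta(days=1)
        return d

    def nth_weekday(month, weekday, n):
        first = date(year, month, 1)
        first += timedelta(days=(weekday - first.weekday()) % 7)
        return first + timedelta(weeks=n - 1)

    def last_monday_of_may():
        last = date(year, 5, 31)
        return last - timedelta(days=last.weekday())

    return {
        observed(date(year, 1, 1)),        # New Year's Day
        nth_weekday(1, 0, 3),              # Martin Luther King Jr. Day
        nth_weekday(2, 0, 3),              # Presidents' Day
        last_monday_of_may(),              # Memorial Day
        observed(date(year, 6, 19)),       # Juneteenth
        observed(date(year, 7, 4)),        # Independence Day
        nth_weekday(9, 0, 1),              # Labor Day
        nth_weekday(10, 0, 2),             # Columbus Day
        observed(date(year, 11, 11)),      # Veterans Day
        nth_weekday(11, 3, 4),             # Thanksgiving
        observed(date(year, 12, 25)),      # Christmas Day
    }


def constructed_activity():
    """Constructed sample log: three sessions per US working day from
    2022-04-04 to 2022-07-15, recorded in UTC, plus two weekend outliers."""
    events = []
    day = date(2022, 4, 4)
    while day <= date(2022, 7, 15):
        if day.weekday() < 5 and day not in us_federal_holidays(day.year):
            for hour, minute in ((10, 30), (13, 0), (16, 15)):
                local = datetime(day.year, day.month, day.day, hour, minute, tzinfo=US_EASTERN)
                events.append(local.astimezone(timezone.utc))
        day += timedelta(days=1)
    for outlier in (datetime(2022, 5, 14, 11, 0, tzinfo=US_EASTERN),    # Saturday
                    datetime(2022, 6, 12, 15, 0, tzinfo=US_EASTERN)):   # Sunday
        events.append(outlier.astimezone(timezone.utc))
    return events


def working_hours_fraction(events_utc, tz, start=9, end=18):
    """Share of events that fall on a weekday between `start` and `end` local time."""
    hits = 0
    for ts in events_utc:
        local = ts.astimezone(tz)
        if local.weekday() < 5 and start <= local.hour < end:
            hits += 1
    return hits / len(events_utc)


def holiday_activity(events_utc, tz):
    """Event count on each weekday-observed US federal holiday inside the span,
    with dates read in `tz`. A US-based operator is expected to leave these at
    zero; an operator elsewhere has no reason to pause on those days."""
    local_dates = [ts.astimezone(tz).date() for ts in events_utc]
    first, last = min(local_dates), max(local_dates)
    per_day = Counter(local_dates)
    return {h.isoformat(): per_day.get(h, 0)
            for year in range(first.year, last.year + 1)
            for h in sorted(us_federal_holidays(year))
            if first <= h <= last and h.weekday() < 5}


def rank_zones(events_utc, zones=ZONES):
    """Candidate zones ordered by working-hours fit, best first."""
    scored = [(name, working_hours_fraction(events_utc, tz)) for name, tz in zones.items()]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


if __name__ == "__main__":
    events = constructed_activity()
    for name, score in rank_zones(events):
        print(f"{name:24s} working-hours fit {score:.2f}")
    print("activity on US holidays (US Eastern):", holiday_activity(events, US_EASTERN))
```

On the constructed data the US Eastern zone scores highest and every US holiday in the span shows zero sessions, which is the pattern the reports describe. Treat this as corroboration only: working hours and keyboard layouts are cheap for an adversary to stage, so they carry less weight than tooling and infrastructure overlap.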

One of the attackers, the reports show, forgot to modify the parameters of a Python script; the resulting error exposed their working directory, which carried "the special name of the TAO network attack tool directory".

The reports also claim that, following the Shadow Brokers’ leak, the publicly exposed NSA tools were linked to malware uncovered during the investigations into several prior breaches at the Northwestern Polytechnical University.

Overall, the Chinese agencies and firms linked 41 malware families and tools to the NSA, including 16 consistent with the TAO toolkits exposed by Shadow Brokers. In total, 23 of the uncovered tools “had around 97% similarity to the tools in the Shadow Brokers leak”, Lau explains.

The reports also say the NSA exploited zero-days to hack the university, routed the attack through 54 jump servers and 5 proxy servers, and used a proprietary tool called Shaver against exposed systems running SunOS.

Man-in-the-middle (MitM) attacks, phishing emails, and the FoxAcid zero-day vulnerability attack platform were also used in the attack, along with Island (for manual exploitation of Solaris systems) and the SecondDate espionage framework, which supports traffic hijacking, network eavesdropping, and code injection.

The platform was allegedly used to hijack internal hosts and servers and deploy additional tools to gain remote access to core network equipment, servers, and terminals.

For long-term persistence and lateral movement, the attackers allegedly used tools such as SecondDate, NoPen, Flame Spray, Cunning Heretics, and Stoic Surgeon, legitimate credentials for firewalls, hijacked software update mechanisms, stolen SSH, Telnet, and Rlogin passwords, and compromised routers to hijack and manipulate traffic.

The reports claim, as Lau summarizes, that "NSA operatives allegedly systematically stole classified research data, network infrastructure details, and sensitive operational documents."

It's not uncommon for government hackers to make opsec mistakes that expose their identity and TTPs, but it's also not uncommon for sophisticated threat actors to plant false flags that make attribution difficult. Indicators such as working hours, keyboard layout, and OS language are easy to stage, so they corroborate an attribution rather than carry it.

Related: Chinese Researchers Detail Linux Backdoor of NSA-Linked Equation Group

Related: CISA, FBI Warn of China-Linked Ghost Ransomware Attacks

Related: FCC Taking Action in Response to China’s Telecoms Hacking

Related: US Updates a Science and Technology Pact With China to Reflect Growing Rivalry and Security Threats
