NSA’s decades-long cyberattacks against Chinese institutions
Published: Mar 23, 2022 09:28 PM
Cyberattacks Photo: VCG

Editor's Note:

Last month, Chinese internet security company 360 released reports on the US National Security Agency's (NSA's) cyberattacks around the world, showing that US cyberattack activities have become common and that the potential threat has grown. Global Times (GT) reporter Zhao Siwei interviewed Bian Liang (Bian), head of the 360 Helios Team. Bian said that once these threats are detonated, the harm will occur beyond the virtual world and will trigger major security incidents in the real world. All departments must realize the urgency of cyber security and take immediate measures to prevent potential threats.

GT: Recently, 360 released related reports on the NSA's cyberattacks on China and the rest of the world. How did 360 finally confirm that the attacks came from the NSA?

Bian: According to Wikipedia records, the NSA has a top-secret division named Tailored Access Operations, also known as the Office of Specific Intrusion Operations, which is mainly responsible for cyber-surveillance, intelligence acquisition and even remote sabotage of internet facilities in other countries. The sector has been active since at least 1998. Since 2008, 360 has integrated massive security data through the Brain of Security and captured and discovered a large number of extremely complex cyber hacking program samples. After long-term analyses and tracking and obtaining evidence from multiple victim units on the spot, it was confirmed that a large number of hacking program samples belonged to the NSA.

GT: Are there any unique characteristics of the cyberattacks carried out by the NSA?

Bian: Different from conventional hacking and sabotage activities, the NSA's attacks are more refined and can manipulate, analyze and destroy any network communication and file transfer in normal network traffic, and can remotely shut down or destroy the critical information infrastructure of the target and livelihood facilities such as water, electricity and gas.

GT: In 2020, 360 also publicly disclosed the global attacks by the Central Intelligence Agency (CIA). What is the difference between attacks from the CIA and NSA?

Bian: From the perspective of attack tools, what the CIA was involved in was a series of attack activities using the core network weapon "Vault7," while the NSA network weapons disclosed this time are greater in number and have stronger attack capabilities, and these cyber weapons have achieved automation, industrialization and artificial intelligence utilization with each other. In terms of attack targets, it was disclosed previously that the cyberattacks organized by the CIA were mainly aimed at China's aerospace industry, scientific research institutions, the oil industry, large internet companies and government agencies.

A prominent feature of these attacks is that they made system developers in aerospace and scientific research institutions special targets. In contrast, the cyberattacks organized by the NSA this time are indiscriminate on a global scale, including attacks on US allies. They were launched indiscriminately against almost all Web users, including those who use various email services, social networks, search engines and video websites.

GT: 360 has successively released relevant reports about NSA cyberattacks on the world and China. Based on your research, are there any new characteristics of the US cyberattacks on China?

Bian: Some changes have indeed taken place and new features have appeared. We summarize them as "six major changes." First, our opponents have grown bigger, from individual hackers in the past to a large-scale organized cyber army led by the NSA and CIA. Second, their attack areas have become broader, expanding from computers and information networks to various key information infrastructures for both military and civilian uses. Third, the means of attack have become diversified, including not only Trojan horses and viruses, but also loopholes, backdoors and counterfeit servers. Fourth, they previously aimed to show off hacking skills or seek industrial or economic interests through illegitimate means, but now they target China's key information infrastructure and major national secrets. Fifth, the challenges we face are bigger. Threats are difficult to prevent in advance and can be found everywhere. Sixth, there have been greater harms. In peacetime, they steal national secrets, while in wartime, they steal information and create turmoil.

GT: You said the harm has become greater. Then what kind of harm will it bring to China? 

Bian: According to data obtained by 360, the NSA has carried out secret hacking activities for more than 10 years against China's leading enterprises in various industries, governments, universities, medical institutions, scientific research institutions and other agencies that are responsible for operating and maintaining key information infrastructure related to the national economy and people's livelihood. It stole massive amounts of important data related to population, medicine and health, education and scientific research, military and defense, aerospace, social governance, transportation management and infrastructure. It planted backdoors in China's information systems, causing actual harm and potential threats that are hard to assess. 

The NSA's cyberattacks span a wide range of areas vital to a country's livelihood and lifeline, aiming to affect the country's national security, public security and people's private information safety. All of our institutions could face the threat of cyberattacks, which could destroy infrastructure and impact basic services and public security. Once these virtual threats burst out, there will be serious damage to the real world.

GT: In the ongoing Ukraine crisis, cyber warfare has already projected into the real world. Can you describe how a cyberwar could be carried out?

Bian: In the digital era, a cyberwar will undoubtedly be the prioritized choice. As all things are connected through the internet, the number of smart devices and net users increases, and data structure becomes more complicated and diverse with more origins, it will be harder to maintain the key infrastructure used to store the data, and thus result in risks of security in network construction and operation. In the meantime, it will also be difficult to avoid attacks by using the loopholes in various hardware and software systems of critical information infrastructure.

In other words, cyberattacks are aimed at not only stealing information, but also damaging the infrastructure of transport, energy and finance. Any network node can be a springboard for the attacks. This will have serious consequences. So we must be aware of the severe situation of cyber warfare and face up to it. 

GT: How can we prevent such scenarios?

Bian: We suggest upgrading cybersecurity to digital security, establishing a digital security emergency response system that covers all digital scenes, and encouraging relevant institutions to proactively report risks. This will require a national-level defense system of "security brain" that enables us to detect cyberattacks. At present, big data analysis is the only proven effective method to detect attacks. We can establish a comprehensive view of patterns of attacks from big data so that we can perceive the whole picture of cyberattacks. 

In addition, cities will be the main targets of cyber warfare in the future. The attacks that used to focus on certain companies or government departments will target the entire city's governmental services and key infrastructure, with the goal of paralyzing the city and destabilizing society. Therefore, an urban emergency response system should be established with security infrastructure similar to city-level "air defense systems."

Third, it is necessary to strengthen the actual drills and improve the offensive and defensive capabilities of each unit in actual combat. There is no unassailable network, and every system can be attacked by exploiting loopholes. It is necessary to conduct actual drills to improve the offensive and defensive capabilities of cyberspace and key infrastructure.

Fourth, we should survey and map the entire network to generate a clear picture. And we need to regularly carry out advanced persistent threat investigations against critical infrastructure. It is necessary to assume that the enemy is already there and to dynamically advance the investigations of important information systems in real-time, in a bid to realize automatic threat identification, risk blocking and attack source tracing and to improve the security defense level of domestic key information infrastructure from the source.

GT: Great progress has been made in China's cyber defense system. Which aspects do you think need further strengthening?

Bian: First, raise people's awareness of cyber security and confidentiality. Regardless of the scale of the units that establish the information system, it is necessary to ensure that the leaders of these divisions are fully aware of the urgency of cyber security and take immediate measures to prevent potential threats.

Second, enhance the cyber security protection capability of the units. Because of the acceleration of the global digitalization, the business chains of the units have become more complex, and cyberattacks may occur at any time. Therefore, each unit needs to continuously boost its own capabilities in cyber security, emergency response and rapid recovery, and conduct offensive and defensive drills and formulate plans for measures.

Third, reduce the likelihood of disruptive network intrusions by means such as multi-factor identity authentication for all remote and privileged or administrative access to an organization's network; employ multiple network security services, including vulnerability scanning, to help reduce the possibility of attacks.

The fourth one is to guarantee that the enterprise or organization responds in a timely manner in the event of a breach. For example, they should test the backup program to ensure that the units can quickly restore key data, and guarantee that the backup is isolated from the network when it is attacked by ransomware or other threats.