Exclusive: ‘Concealed, adaptable’ weapon of NSA’s cyberattack on leading Chinese aviation university exposed
Published: Sep 13, 2022 10:13 AM
Photo: CFP

A "concealed and adaptable" weapon used by the US National Security Agency (NSA) to launch a cyberattack on the email system of Northwestern Polytechnical University in Northwest China's Shaanxi Province, a university well known for its aviation, aerospace and navigation studies, has been captured by Chinese cybersecurity experts, the Global Times learned from a source on Tuesday.

On September 5, a Chinese technical team announced that, by extracting numerous trojan samples from internet terminals at Northwestern Polytechnical University and with the support of European and South Asian partners, it had initially identified that the cyberattack on the university was conducted by the Tailored Access Operations (TAO) office (Code S32) under the Data Reconnaissance Bureau (Code S3) of the Information Department (Code S) of the US NSA.

Against Northwestern Polytechnical University, TAO used 41 types of weapons to steal core technology data, including key network equipment configurations, network management data and core operational data. The technical team discovered more than 1,100 attack links that had infiltrated the university and more than 90 operating instruction sequences, which stole multiple network device configuration files and other types of logs and key files, the team said.

A deeper analysis conducted by China's National Computer Virus Emergency Response Center and the Beijing-based Qi An Pangu lab showed that the cyber-sniffing weapon, known as "drinking tea," is one of the most direct culprits responsible for the theft of large amounts of sensitive data.

A cybersecurity expert from the lab told the Global Times on Tuesday that TAO used "drinking tea" as a tool to sniff out secrets: it was implanted into an internal network server of Northwestern Polytechnical University, where it stole login passwords for remote management and remote file transfer services such as SSH, so as to gain access to servers on the intranet and other high-value servers, resulting in the large-scale, persistent theft of sensitive data.

"Drinking tea" can not only steal accounts and passwords for remote file transfer, but is also highly capable of concealment and of adapting to new environments. According to the anonymous expert, after being implanted into the target server or device, "drinking tea" disguises itself as a normal background service process and delivers its malicious payload stage by stage, making it very difficult to find.

"Drinking tea" can run stealthily on the server, monitor in real time what the user types into the terminal program of the operating system console, and intercept all kinds of user names and passwords from it, like a "peeper" standing behind the user.

"Once these usernames and passwords are obtained by TAO, they can be used to carry out the next stage of the attack to help the office steal files on the servers or deliver other cyber weapons," the cybersecurity expert said.
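A detection-side illustration of the behaviour the expert describes above: a process posing as a normal background service while watching other users' terminal sessions. This is an added example, not code from the Global Times report or from the labs named in it. The process records are constructed, the list of service names and trusted binary directories are assumptions about a typical Linux host, and the three heuristics (service name with an untrusted or deleted binary, a detached process holding other sessions' pseudo-terminals open, a non-debugger ptrace-attached to a credential-handling process) are generic indicators for this class of implant, not signatures of the specific tool.

```python
"""Heuristic triage of a process listing for a service-masquerading
credential sniffer.  Added example; records below are constructed."""
from dataclasses import dataclass, field
from typing import List, Optional

# Field names mirror what a collector would read from Linux /proc:
#   comm       -> /proc/<pid>/comm          exe -> readlink /proc/<pid>/exe
#   tracer_pid -> TracerPid in /proc/<pid>/status
#   tty        -> controlling terminal (None for daemons)
#   fds        -> readlink of each entry in /proc/<pid>/fd/
@dataclass
class Proc:
    pid: int
    comm: str
    exe: str
    tty: Optional[str]
    tracer_pid: int = 0
    fds: List[str] = field(default_factory=list)

# Assumptions about a typical distribution: daemon names worth protecting
# and the directories in which their genuine binaries live.
SERVICE_NAMES = {"sshd", "cron", "rsyslogd", "systemd-journald", "dbus-daemon"}
TRUSTED_BIN_DIRS = ("/usr/sbin/", "/usr/bin/", "/sbin/", "/bin/", "/usr/lib/", "/lib/")
# Processes whose terminal input legitimately carries credentials.
CREDENTIAL_PROCS = {"sshd", "login", "su", "sudo", "passwd"}
KNOWN_DEBUGGERS = {"gdb", "strace", "ltrace"}


def is_pts(path: str) -> bool:
    """True for pseudo-terminal and console device paths."""
    return path.startswith("/dev/pts/") or path.startswith("/dev/tty")


def triage(procs: List[Proc]) -> List[str]:
    """Return one human-readable finding per suspicious indicator."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        # 1. The name says "system service" but the binary says otherwise.
        if p.comm in SERVICE_NAMES:
            if p.exe.endswith(" (deleted)"):
                findings.append(f"pid {p.pid} ({p.comm}): running from a deleted binary")
            elif not p.exe.startswith(TRUSTED_BIN_DIRS):
                findings.append(f"pid {p.pid} ({p.comm}): service name with untrusted path {p.exe}")
        # 2. A daemon with no controlling terminal holds other sessions' ptys open:
        #    background services have no business reading interactive input.
        foreign_ptys = sorted({fd for fd in p.fds if is_pts(fd) and fd != p.tty})
        if p.tty is None and foreign_ptys:
            findings.append(
                f"pid {p.pid} ({p.comm}): detached process reads terminals {', '.join(foreign_ptys)}")
        # 3. Something other than a known debugger is ptrace-attached to a
        #    process that handles passwords.
        if p.tracer_pid and p.comm in CREDENTIAL_PROCS:
            tracer = by_pid.get(p.tracer_pid)
            tname = tracer.comm if tracer else "unknown"
            if tname not in KNOWN_DEBUGGERS:
                findings.append(f"pid {p.tracer_pid} ({tname}): ptrace attached to {p.comm} pid {p.pid}")
    return findings


def flagged_pids(procs: List[Proc]) -> List[int]:
    """Distinct pids named in the findings, sorted."""
    return sorted({int(f.split()[1]) for f in triage(procs)})


# Constructed sample listing: benign processes plus two planted anomalies.
SAMPLE = [
    Proc(1, "systemd", "/usr/lib/systemd/systemd", None),
    Proc(812, "sshd", "/usr/sbin/sshd", None, fds=["/dev/null", "socket:[12345]"]),
    Proc(901, "bash", "/usr/bin/bash", "/dev/pts/0", fds=["/dev/pts/0", "/dev/pts/0"]),
    # Calls itself cron, runs from /tmp, has no tty, yet holds two users' ptys.
    Proc(2207, "cron", "/tmp/.cache/cron", None, fds=["/dev/pts/0", "/dev/pts/1"]),
    # Genuine sshd, but pid 2207 is ptrace-attached to it.
    Proc(2310, "sshd", "/usr/sbin/sshd", None, tracer_pid=2207),
    # Service whose on-disk binary was removed after launch.
    Proc(2400, "rsyslogd", "/usr/sbin/rsyslogd (deleted)", None),
]

if __name__ == "__main__":
    for line in triage(SAMPLE):
        print(line)
```

Run against a live host, the same three checks would be fed from `/proc` rather than from `SAMPLE`; the point is that none of them depends on knowing the implant's name or hash, only on the mismatch between what a process claims to be and what it is doing.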

In February, experts from the Qi An Pangu lab told the Global Times that they had discovered a top hacker group under the US NSA, which had been using a cyber weapon called "Telescreen" for more than a decade, infiltrating 45 countries and regions including China, Russia, Japan, Germany, Spain and Italy, and involving 287 important institutional targets.

"Telescreen" has also been found to have been used together with "drinking tea" in the attack on Northwestern Polytechnical University's email system, the source said.

According to the source, Chinese experts also found traces of "drinking tea" attacks in the networks of other institutions, which shows that the weapon is likely to have been used by TAO to launch large-scale cyberattacks on China.

Apart from that, a research report entitled "American Dragnet: Data-driven Deportation in the 21st Century," released in May by Georgetown University's Center on Privacy and Technology Law, showed that after two years of investigation the center found that, in the name of counterterrorism, US Immigration and Customs Enforcement (ICE) has pushed ethical and legal boundaries to build a surveillance dragnet covering most Americans by bypassing Congressional oversight and privacy laws.

This means that the US government's unlimited access to data surveillance has expanded from "regular" law enforcement departments such as the NSA, Central Intelligence Agency, Federal Bureau of Investigation or police departments to administrative agencies like ICE.

Chinese Foreign Ministry spokesperson Mao Ning has urged the US to immediately stop its wrongdoings, saying that cyberspace security is a common problem affecting all countries worldwide.

China has asked the US through multiple channels to explain the malicious cyberattack and immediately stop the illegal behavior, but so far we have not received any substantive response from the US, Mao said. 

"I want to stress that what the US has done has seriously infringed on the technical secrets of relevant Chinese institutions and seriously jeopardized the security of China's critical infrastructure, and institutional and personal information. The US must stop immediately and give a responsible explanation," Mao said.