Exclusive: US cyberattack against leading Chinese aviation university intended to control infrastructure equipment, steal personal info: source
Published: Sep 27, 2022 10:22 AM
Illustration: Liu Rui/Global Times

The cyberattack launched by the US National Security Agency (NSA) against Northwestern Polytechnical University in Northwest China's Shaanxi Province - well-known for its aviation, aerospace and navigation studies - was aimed at infiltrating and controlling core equipment in China's infrastructure and stealing private data of Chinese people with sensitive identities, the Global Times learned from a source close to the matter on Tuesday.

On June 22, Northwestern Polytechnical University announced that hackers from abroad were caught sending phishing emails with Trojan horse programs to teachers and students at the university, attempting to steal their data and personal information.

To probe into the attack, China's National Computer Virus Emergency Response Center and internet security company 360 jointly formed a technical team to conduct a comprehensive technical analysis of the case. 

By extracting many Trojan horse samples from internet terminals of Northwestern Polytechnical University, with the support of European and South Asian partners, the technical team announced on September 5 that they initially identified that the cyberattack was conducted by the Tailored Access Operations (TAO) (Code S32) under the Data Reconnaissance Bureau (Code S3) of the Information Department (Code S) of the US NSA.

A deeper analysis conducted by China's National Computer Virus Emergency Response Center and Beijing-based Qi An Pangu lab showed that a cyber-sniffing weapon, known as "drinking tea," is one of the most direct culprits responsible for the theft of large amounts of sensitive data.

"Drinking tea" can not only steal accounts and passwords used for remote file transfer, but is also highly capable of concealing itself and adapting to a new environment. After being implanted into the target server or device, "drinking tea" disguises itself as a normal background service process and delivers its malicious payloads in stages, making it very difficult to detect.

The source told the Global Times that further investigation into the case discovered 13 attackers, which proved that the TAO had been secretly controlling the university's operation and maintenance management server for a long time. At the same time, the TAO replaced original system files and erased system logs to remove its traces and evade tracing.

According to the characteristics of the TAO's attack, such as covert links, infiltration tools and Trojan horse samples, Chinese cybersecurity experts found that the TAO infiltrated and controlled the core data network of Chinese infrastructure operators.

Moreover, the TAO entered the networks of China's infrastructure operators under a "legitimate" identity, using the accounts and passwords of Cisco PIX firewalls, Tianrongxin firewalls and other devices. By controlling the monitoring systems and message servers of infrastructure operators, the TAO could access the information of Chinese people with sensitive identities, then package and encrypt that information and send it back to NSA headquarters through multi-level springboard servers.

Relying on its strong technological advantages, the US launched the attacks against the university on its working days, which was unscrupulous and unabashed, the source told the Global Times. 

According to a big data analysis of the related cyberattacks, 98 percent of the attacks were conducted between 9 pm and 4 am (Beijing Time), which corresponds to 9 am to 4 pm (US Eastern Time).

No cyberattacks were detected on Saturdays and Sundays (US time) or on major US holidays during the investigation.
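The two findings above (98 percent of activity in a 9 pm to 4 am Beijing window, nothing on US weekends or holidays) come from time-of-day and day-of-week profiling of attacker-attributed events. The script below is an added example of how a defender performs that profiling; it is not code from the report or from the investigating teams. It assumes a constructed log format whose lines begin with a UTC ISO-8601 timestamp, placeholder source addresses and device names, a partial hand-written list of 2022 US holidays, and fixed UTC offsets (Beijing UTC+8 with no daylight saving; US Eastern taken as UTC-4 because the sample falls in May, which is the offset under which the report's two windows line up).

```python
"""Time-of-day / day-of-week profiling of attacker activity (added example,
not from the Global Times report or the investigators). It shows the kind of
analysis behind findings such as "98 percent of events fell between 9 pm and
4 am Beijing time" and "none on US weekends or holidays"."""
from collections import Counter
from datetime import date, datetime, timedelta, timezone

# Assumption: Beijing has no daylight saving (UTC+8). The constructed sample
# is from May, when US Eastern is daylight time (UTC-4); that 12-hour gap is
# why the report's 9 pm-4 am Beijing window maps onto 9 am-4 pm Eastern.
BEIJING = timezone(timedelta(hours=8), "CST")
EASTERN = timezone(timedelta(hours=-4), "EDT")

# Constructed sample of attacker-attributed events, timestamps in UTC.
# Addresses, users and device names are placeholders, not real indicators.
SAMPLE_LOG = """\
2022-05-10T13:27:41Z src=10.0.0.1 action=login user=admin device=fw-edge-01
2022-05-10T15:02:10Z src=10.0.0.1 action=exec user=admin device=fw-edge-01
2022-05-11T18:45:03Z src=10.0.0.2 action=login user=ops device=mgmt-srv
2022-05-12T19:58:20Z src=10.0.0.2 action=upload user=ops device=mgmt-srv
2022-05-13T14:10:00Z src=10.0.0.1 action=login user=admin device=fw-edge-01
heartbeat sensor=03 status=ok
2022-05-16T13:05:55Z src=10.0.0.3 action=login user=ops device=msg-srv
2022-05-17T17:30:12Z src=10.0.0.3 action=download user=ops device=msg-srv
2022-05-18T16:12:48Z src=10.0.0.2 action=exec user=ops device=mgmt-srv
2022-05-19T13:44:09Z src=10.0.0.1 action=login user=admin device=fw-edge-01
2022-05-20T02:15:33Z src=10.0.0.2 action=login user=ops device=mgmt-srv
"""

# Constructed, partial list of major US holidays for 2022 (assumption: a real
# analysis would load a complete calendar for every year observed).
US_HOLIDAYS_2022 = {
    date(2022, 1, 17): "Martin Luther King Jr. Day",
    date(2022, 5, 30): "Memorial Day",
    date(2022, 7, 4): "Independence Day",
    date(2022, 9, 5): "Labor Day",
    date(2022, 11, 24): "Thanksgiving",
    date(2022, 12, 26): "Christmas (observed)",
}


def parse_events(log_text):
    """Return UTC-aware datetimes for lines that start with an ISO-8601 'Z'
    timestamp; lines that do not (e.g. sensor heartbeats) are skipped."""
    events = []
    for line in log_text.splitlines():
        stamp = line.split(" ", 1)[0]
        try:
            dt = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            continue
        events.append(dt.replace(tzinfo=timezone.utc))
    return events


def in_beijing_night_window(dt_utc, start_hour=21, end_hour=4):
    """True when the event falls between 21:00 and 03:59 Beijing time, the
    window the report singles out. It wraps past midnight, hence the 'or'."""
    hour = dt_utc.astimezone(BEIJING).hour
    return hour >= start_hour or hour < end_hour


def profile_activity(events, holidays=US_HOLIDAYS_2022):
    """Summarise when the attacker was active, viewed from both time zones."""
    weekday_counter = Counter()
    holiday_hits = []
    in_window = 0
    for dt in events:
        if in_beijing_night_window(dt):
            in_window += 1
        local = dt.astimezone(EASTERN)
        weekday_counter[local.strftime("%a")] += 1
        if local.date() in holidays:
            holiday_hits.append((local.date().isoformat(), holidays[local.date()]))
    return {
        "total": len(events),
        "fraction_in_window": in_window / len(events) if events else 0.0,
        "eastern_weekday_counts": dict(weekday_counter),
        "weekend_events": weekday_counter["Sat"] + weekday_counter["Sun"],
        "holiday_hits": holiday_hits,
    }


def consistent_with_us_eastern_workday(profile, threshold=0.9):
    """Heuristic: most activity inside the window and nothing on US weekends or
    holidays. Timing can be staged, so this corroborates attribution built on
    tooling, samples and infrastructure rather than replacing it."""
    return (
        profile["fraction_in_window"] >= threshold
        and profile["weekend_events"] == 0
        and not profile["holiday_hits"]
    )


if __name__ == "__main__":
    prof = profile_activity(parse_events(SAMPLE_LOG))
    print(f"{prof['fraction_in_window']:.0%} of {prof['total']} events in the 9 pm-4 am Beijing window")
    print("US Eastern weekday distribution:", prof["eastern_weekday_counts"])
    print("weekend events:", prof["weekend_events"], "holiday hits:", prof["holiday_hits"])
    print("consistent with a US Eastern working-hours operator:",
          consistent_with_us_eastern_workday(prof))
```

On the constructed sample, nine of the ten parsed events land in the Beijing night window, none fall on a US weekend or holiday, and the one outlier (a login at 10:15 Beijing time) is exactly the kind of event worth a second look, since it may be automated tooling rather than a hands-on operator. In a real investigation the same functions would run over the full event set from every compromised host, with time zones taken from a proper tz database so that daylight-saving transitions are handled across the whole observation period.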