What is a cyber weapon?
Think of it as an agent. It can sneak into the enemy camp, gather intelligence and monitor developments while lurking for the long term, and, when the time is right, paralyze the opponent's network in one stroke.
If the agent has had official special training, the damage it can do rises further.
Recently, news that Northwestern Polytechnical University (NPU) had been attacked with foreign cyber weapons kept appearing in trending searches.
Thanks to the technical team's professional and meticulous investigation and tracing, more details of the US National Security Agency's (NSA) operation came to light, and the matter is once again a hot topic today.
Let us sort through the attack from the beginning.
On June 22, 2022, NPU issued a statement saying it had been hit by cyber attacks from abroad.
The Beilin Branch of the Xi'an Public Security Bureau then issued a Police Information Notice confirming that a number of Trojan samples originating overseas had been found in NPU's information network, and that the police had formally opened a case.
The technical analysis that followed was carried out by two parties: the National Computer Virus Emergency Response Center (CVERC) and the 360 Company.
As the investigation deepened and the technical characteristics, attack weapons, attack paths and other context gradually became clear, the culprit behind this hidden attack from abroad surfaced: the NSA's Office of Tailored Access Operations (TAO).
This slightly oddly named "office" is, in full, the Office of Tailored Access Operations. TAO (code S32) sits under the Data Reconnaissance Bureau (code S3) of the NSA's Information Intelligence Department (code S).
The layers of concealment alone are enough to make one dizzy.
TAO was established in 1998. Its deployment relies mainly on the NSA's cryptologic centers in the United States and Europe; six have been publicly identified:
1. NSA headquarters at Fort Meade, Maryland, USA;
2. NSA Hawaii Cryptologic Center (NSAH) on Oahu, Hawaii, USA;
3. NSA Georgia Cryptologic Center (NSAG) at Fort Gordon, Georgia, USA;
4. NSA Texas Cryptologic Center (NSAT) in San Antonio, Texas, USA;
5. NSA Colorado Cryptologic Center (NSAC) at Buckley Air Force Base, Denver, Colorado, USA;
6. NSA European Cryptologic Center (NSAE) at the US military base in Darmstadt, Germany.
TAO is the tactical implementation unit that specializes in the US government's large-scale cyber attacks and secret-stealing against other countries. It has more than 2,000 military and civilian personnel and several subordinate units:
Remote Operations Center (ROC, code S321): operates the weapon platforms and tools used to enter and control target systems or networks.
Advanced/Access Network Technology Office (ANT, code S322): researches hardware techniques and provides hardware-related technology and weapon support for TAO's cyber attack operations.
Data Network Technology Office (DNT, code S323): develops complex software tools that support TAO operators in carrying out cyber attack missions.
Telecommunications Network Technology Office (TNT, code S324): researches telecommunications technology and supports TAO operators in covertly penetrating telecom networks.
Mission Infrastructure Technology Office (MIT, code S325): develops and builds the network infrastructure and security monitoring platforms used to construct the attack operation environment and anonymized networks.
Access Technology Operations Office (ATO, code S326): implants backdoors into products to be delivered through the supply chain.
Requirements and Targeting Office (R&T, code S327): receives tasking from the relevant units, determines reconnaissance targets, and analyzes and evaluates the value of the intelligence.
Project Planning Integration Office (PPI, code S32P): responsible for overall planning and project management.
Network Warfare Team (NWT): liaison with the network warfare wing.
This attack on NPU was code-named "Shot XXXX" (the name is masked as written in the source), was directed by TAO chief Robert Joyce, and involved several of the units above:
the Mission Infrastructure Technology Office built the reconnaissance environment and rented attack resources;
the Requirements and Targeting Office determined the attack strategy and assessed the intelligence;
the Advanced/Access Network Technology, Data Network Technology and Telecommunications Network Technology Offices provided technical support;
the Remote Operations Center organized the attack and reconnaissance operations.
Robert Edward Joyce, head of TAO, was born on September 13, 1967. He joined the NSA in 1989, obtained a master's degree from Johns Hopkins University in 1993, and served as Director of TAO from 2013 to 2017.
In October 2017 he became acting US Homeland Security Advisor; half a year later he took a national security advisory role at the White House; later he returned to the NSA as senior advisor on cybersecurity strategy to the NSA Director, and he is now the NSA's head of cybersecurity.
In this operation Robert directly commanded TAO's attack on NPU, using as many as 41 different NSA-dedicated cyber attack weapons.
Not only was the arsenal large; the weapons were also adapted to local conditions and adjusted to each target environment. One example gives the flavor.
The backdoor tool "Crazy Heretic" (the name was chosen by the US side itself) appeared in as many as 14 versions in the actual attacks, which shows how much cunning went into it.
The 41 attack tools used by TAO fall into four categories:
1. Vulnerability exploitation and breakthrough tools: finding a point of entry
Tools in this category break into NPU's border network devices, gateway servers and office intranet hosts, and are also used to attack and control springboard machines abroad to build an anonymized network as cover for the operation.
(1) "Isle": NSA used this weapon to attack and take control of NPU's border servers.
(2) "Sour Fox": a weapon platform deployed in Colombia, used to break into NPU's office intranet hosts.
(3) "Razor": carries out remote exploitation of X86 and SPARC Solaris systems that expose specified RPC services. During an attack it automatically probes which services the target exposes, selects the matching version of exploit code, and obtains full control of the target host directly.
This weapon was used against springboard machines in Japan, South Korea and other countries; the controlled springboards were then used to launch the attacks on NPU.
2. Persistent control tools: covert penetration and control
Control instructions are sent through encrypted channels; TAO used such tools to penetrate, control and steal from NPU's network.
(1) "Second Date": hijacks traffic passing through NPU's border devices and redirects it to the "Sour Fox" platform for exploitation.
It can reside long-term on network boundary devices and servers such as gateway servers and border routers, precisely filter and automatically hijack massive volumes of traffic, and thereby perform man-in-the-middle attacks.
(2) "NOPEN": maintains persistent control of core business servers and key network devices inside NPU's network.
It is a remote-control Trojan supporting multiple operating systems and architectures. It receives instructions over an encrypted tunnel and performs file management, process management, system command execution and other operations, and it has privilege-escalation and persistence capabilities.
(3) "Furious Spray": works with "Sour Fox" to maintain persistent control of personal hosts inside NPU's office network.
It is a remote-control Trojan, primarily for Windows but supporting multiple operating systems and architectures. It can generate different types of Trojan server according to the target environment, and the server itself has strong anti-analysis and anti-debugging capabilities.
(4) "Crazy Heretic": achieves persistent residence, waits for an opportunity to establish an encrypted channel and upload the NOPEN Trojan, and thus safeguards long-term control of NPU's information network.
It is a lightweight backdoor implanter that deletes itself after running. It can escalate privileges, persist on the target device and start with the system.
(5) "Stoic Surgeon": hides the files and processes of the NOPEN Trojan to evade monitoring.
It is a backdoor for Linux, Solaris, JunOS and FreeBSD. It runs persistently on the target device and, on instruction, hides specified files, directories, processes and so on.
Technical analysis found that TAO used a total of 12 different versions of this weapon in its attack on NPU.
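The hiding technique attributed to "Stoic Surgeon" above is the classic rootkit pattern: filter what directory listings return so that ps and ls never see the implant. One way a defender checks for it, as an added example that is not code from the report or from CVERC/360, is to enumerate on a Linux host two ways and diff the results: a hooked readdir()/getdents() hides the /proc/<pid> entry, but a direct open of /proc/<pid>/status usually still succeeds. The helper names, the Tgid check and the use of pid_max are my assumptions; the sets in the docstring usage are constructed stand-ins for a real host.

```python
"""Finding processes and files hidden from directory listings.

Added example, not code from the report or from CVERC/360. A rootkit that
hides by filtering readdir()/getdents() results still answers direct path
lookups, so enumerating two ways and diffing exposes the hidden entries.
"""
import os


def hidden_by_probe(listed, candidates, exists):
    """Return candidates that a direct probe confirms but the listing omits.

    listed     -- names or PIDs obtained from a directory listing
    candidates -- the whole space to probe (e.g. range(1, pid_max))
    exists     -- callable doing a direct lookup that bypasses readdir()
    Example: hidden_by_probe({1, 2}, range(1, 10), lambda p: p in {1, 2, 7})
    returns [7].
    """
    listed = set(listed)
    return sorted(c for c in candidates if c not in listed and exists(c))


def listed_pids(proc="/proc"):
    """PIDs as a readdir() of /proc reports them (what ps relies on)."""
    return {int(name) for name in os.listdir(proc) if name.isdigit()}


def linux_pid_exists(pid, proc="/proc"):
    """Direct lookup of /proc/<pid>/status, accepting only thread-group leaders.

    Caveat: /proc/<tid> of a non-leader thread resolves even though it is
    never listed, which would give false positives; the Tgid line filters
    those out.
    """
    try:
        with open(f"{proc}/{pid}/status") as status:
            for line in status:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) == pid
    except OSError:  # no such pid, or not readable
        return False
    return False


def pid_max():
    """Upper bound of the PID space; assume the old default if unreadable."""
    try:
        with open("/proc/sys/kernel/pid_max") as f:
            return int(f.read())
    except OSError:
        return 32768


def scan_hidden_pids():
    """PIDs that exist but are missing from the /proc listing."""
    return hidden_by_probe(listed_pids(), range(1, pid_max()), linux_pid_exists)


def hidden_entries(directory, candidate_names):
    """Same trick for files: names lstat() resolves but listdir() omits."""
    def exists(name):
        try:
            os.lstat(os.path.join(directory, name))
            return True
        except OSError:
            return False
    return hidden_by_probe(os.listdir(directory), candidate_names, exists)


if __name__ == "__main__":
    for pid in scan_hidden_pids():
        print(f"hidden pid {pid}")
    # Candidate file names would come from your own IOC list; this is a placeholder.
    for name in hidden_entries("/tmp", [".x", ".cache.lock"]):
        print(f"hidden entry /tmp/{name}")
```

Scanning up to pid_max (4194304 on many modern kernels) takes a while; it is cheap compared with missing an implant. A rootkit that also hooks open()/stat() defeats this check, so a negative result is only as good as the kernel you are asking, and the authoritative comparison is against a trusted boot medium or an out-of-band memory image.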
3. Sniffing and secret-stealing tools: stealing sensitive information and operations data
Relying on this class of weapon, TAO sniffed the account passwords and command-line operation records used by NPU staff when operating and maintaining the network, and then stole the related information.
(1) "Drinking Tea": sniffs account passwords, command-line history, log files and other data generated by operations staff during maintenance work, stores them compressed and encrypted, and makes them available for the NOPEN Trojan to download.
It can reside long-term in 32-bit or 64-bit Solaris systems and captures the account passwords exposed by remote-login methods such as ssh, telnet and rlogin by sniffing inter-process communication.
(2) The "Operation Behind Enemy Lines" series: stealing tools aimed at specific business systems of telecom operators.
"Series" means this type of weapon has several members; in the attack on NPU, TAO used "Magic School", "Clown Food" and "Cursed Fire".
4. Trace-hiding tools: cleaning up the crime scene
This class of weapon erases traces of the attacker's behavior within NPU's network, conceals the malicious operations and data theft, and thereby shields the three classes above.
For example, "Toast Bread" is used to clear and replace various log files on the controlled network devices at NPU, hiding the attacker's malicious behavior. TAO used three versions of it in the attack.
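A tool like "Toast Bread" deletes or rewrites log files, but what it cannot easily do is recreate the rhythm of everything else that writes to the same log, or keep the record order consistent after re-inserting lines. As an added example (not code from the report or from CVERC/360), the following runs two checks over syslog-style lines: a periodic job whose heartbeat has a hole much longer than its period, and timestamps that run backwards. The sample lines, the cron job name and the 10-minute period are constructed; the year is assumed because syslog timestamps do not carry one.

```python
"""Spotting log wiping from what is left behind.

Added example, not code from the report or from CVERC/360. Two checks on
syslog-style lines: (1) a known periodic message (here a cron job every
10 minutes) with a gap much longer than its period, and (2) timestamps
that go backwards, as happens when records are re-inserted. Sample data
is constructed.
"""
import re
from datetime import datetime

SYSLOG_TS = re.compile(r"^([A-Z][a-z]{2}) +(\d{1,2}) (\d{2}):(\d{2}):(\d{2}) ")
MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}

# Constructed sample: a 10-minute cron heartbeat with a 40-minute hole, and one
# sshd record that sits out of order (index 6).
SAMPLE_LOG = """\
May 23 21:00:01 gw CRON[1001]: (root) CMD (/usr/local/bin/check_links)
May 23 21:10:01 gw CRON[1004]: (root) CMD (/usr/local/bin/check_links)
May 23 21:20:01 gw CRON[1007]: (root) CMD (/usr/local/bin/check_links)
May 23 21:23:47 gw sshd[1010]: Accepted password for admin from 10.20.30.40 port 51234 ssh2
May 23 22:00:01 gw CRON[1020]: (root) CMD (/usr/local/bin/check_links)
May 23 22:10:01 gw CRON[1023]: (root) CMD (/usr/local/bin/check_links)
May 23 21:35:12 gw sshd[1012]: Accepted publickey for admin from 10.20.30.41 port 51300 ssh2
May 23 22:20:01 gw CRON[1026]: (root) CMD (/usr/local/bin/check_links)
""".splitlines()


def parse_ts(line, year=2022):
    """Timestamp of a syslog line, or None if the line has no syslog prefix."""
    m = SYSLOG_TS.match(line)
    if not m:
        return None
    mon, day, hh, mm, ss = m.groups()
    return datetime(year, MONTHS[mon], int(day), int(hh), int(mm), int(ss))


def heartbeat_gaps(lines, marker, period_s, tolerance=1.5, year=2022):
    """(previous, next) pairs of `marker` lines more than tolerance*period apart."""
    gaps, prev = [], None
    for line in lines:
        if marker not in line:
            continue
        ts = parse_ts(line, year)
        if ts is None:
            continue
        if prev is not None and (ts - prev).total_seconds() > tolerance * period_s:
            gaps.append((prev, ts))
        prev = ts
    return gaps


def out_of_order(lines, year=2022):
    """Indexes of lines whose timestamp is earlier than the preceding one."""
    bad, prev = [], None
    for idx, line in enumerate(lines):
        ts = parse_ts(line, year)
        if ts is None:
            continue
        if prev is not None and ts < prev:
            bad.append(idx)
        prev = ts
    return bad


if __name__ == "__main__":
    import sys
    lines = SAMPLE_LOG
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as f:
            lines = f.read().splitlines()
    for start, end in heartbeat_gaps(lines, "check_links", 600):
        print(f"heartbeat hole: {start:%b %d %H:%M:%S} -> {end:%b %d %H:%M:%S}")
    for idx in out_of_order(lines):
        print(f"line {idx} is out of order: {lines[idx]}")
```

Pick a marker that the attacker has no reason to fake (a cron job, an NTP sync, a link-state poll) rather than the login lines they are trying to remove. On a real device, also compare against the copy the device ships to a remote syslog collector; "Toast Bread" can replace what is on the box, not what already left it.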
As the investigation deepened, an interesting subplot appeared.
You read that right: even in such a serious attack investigation there were amusing details, namely the fox's tail that TAO did not hide well, or could not hide at all.
1. A "regular" attacker who never works overtime
Some attack operations are not automatic or semi-automatic processes, for example sending the tipoff activation instruction or remotely controlling the NOPEN Trojan; these require a human operator. Analyzing when those tools were used therefore reveals the attacker's working hours.
Big-data analysis turned up the following:
(1) The cyber attacks on NPU were concentrated between 21:00 and 04:00 Beijing time, i.e. 09:00 to 16:00 US Eastern time, which is exactly the US working day.
(2) No attacks on NPU occurred on any Saturday or Sunday, US time.
(3) On holidays specific to the United States, such as the three-day Memorial Day weekend and the one-day Independence Day holiday, the attacker carried out no attacks or data theft at all.
(4) Long-term close tracking showed that all attack activity went quiet over the Christmas period.
Taken together, the attacks on NPU were carried out strictly according to the US working calendar.
Clock in on time; work overtime? Never.
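The four observations above are a working-calendar profile: take the timestamps of actions that need a human at the keyboard, convert them to candidate time zones, and see in which zone the activity looks like an ordinary nine-to-five week with weekends and national holidays off. The script below is an added example, not code from the report or from CVERC/360, and it goes one step beyond the text by ranking several candidate zones instead of checking only US Eastern. The timestamps are constructed (two of them deliberately land on a Saturday and on Memorial Day so the flags fire), the holiday list covers only the three holidays the text names, and the fixed-offset fallback table is an assumption used only on hosts without tzdata.

```python
"""Working-calendar profile of operator-driven attack events.

Added example, not code from the report or from CVERC/360. Input is a
list of Beijing-time timestamps at which a human operator had to act
(e.g. NOPEN commands or tipoff activations). The script projects them
onto candidate time zones, flags weekends and US holidays, and ranks the
zones by how much activity falls inside a 09:00-17:00 working day.
"""
from collections import Counter
from datetime import date, datetime, timedelta, timezone

try:
    from zoneinfo import ZoneInfo
except ImportError:  # Python < 3.9
    ZoneInfo = None

# Assumed fixed offsets (summer rules, as in May/June 2022), used only when
# the host has no tzdata; with tzdata the real zone rules apply.
FALLBACK_OFFSETS = {
    "Asia/Shanghai": 8, "America/New_York": -4, "America/Los_Angeles": -7,
    "Europe/Berlin": 2, "Europe/Moscow": 3,
}

# Constructed sample, not data from the report: Beijing-time timestamps.
SAMPLE_EVENTS = [
    "2022-05-23 21:40:00",
    "2022-05-24 23:05:00",
    "2022-05-26 02:30:00",
    "2022-05-27 03:55:00",
    "2022-05-28 22:00:00",  # a Saturday in US Eastern time
    "2022-05-30 23:00:00",  # Memorial Day 2022 in US Eastern time
    "2022-06-01 22:10:00",
    "2022-06-03 01:20:00",
    "2022-06-07 00:45:00",
    "2022-06-08 23:30:00",
]


def zone(name):
    """Resolve a zone name, falling back to a fixed offset without tzdata."""
    if ZoneInfo is not None:
        try:
            return ZoneInfo(name)
        except Exception:  # ZoneInfoNotFoundError when tzdata is missing
            pass
    return timezone(timedelta(hours=FALLBACK_OFFSETS[name]), name)


def us_holidays(year):
    """Memorial Day (last Monday of May), Independence Day, Christmas Day."""
    end_of_may = date(year, 5, 31)
    memorial_day = end_of_may - timedelta(days=end_of_may.weekday())
    return {memorial_day, date(year, 7, 4), date(year, 12, 25)}


def localize(ts, tz_name):
    """Interpret a 'YYYY-MM-DD HH:MM:SS' Beijing timestamp in another zone."""
    naive = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
    return naive.replace(tzinfo=zone("Asia/Shanghai")).astimezone(zone(tz_name))


def business_hours_share(events, tz_name, start=9, end=17):
    """Fraction of events on a weekday between start and end o'clock, local."""
    hits = 0
    for ts in events:
        t = localize(ts, tz_name)
        if t.weekday() < 5 and start <= t.hour < end:
            hits += 1
    return hits / len(events)


def profile(events, tz_name="America/New_York"):
    """Hour and weekday histograms plus the weekend and holiday outliers."""
    hours, weekdays, weekend, holiday = Counter(), Counter(), [], []
    for ts in events:
        t = localize(ts, tz_name)
        hours[t.hour] += 1
        weekdays[t.strftime("%a")] += 1
        if t.weekday() >= 5:
            weekend.append(ts)
        if t.date() in us_holidays(t.year):
            holiday.append(ts)
    return {"hours": hours, "weekdays": weekdays, "weekend": weekend,
            "holiday": holiday,
            "business_share": business_hours_share(events, tz_name)}


def best_timezone(events, candidates):
    """Candidate zone in which the activity looks most like a working week."""
    return max(candidates, key=lambda name: business_hours_share(events, name))


if __name__ == "__main__":
    for name in FALLBACK_OFFSETS:
        print(f"{name:20s} business-hours share "
              f"{business_hours_share(SAMPLE_EVENTS, name):.2f}")
    best = best_timezone(SAMPLE_EVENTS, list(FALLBACK_OFFSETS))
    p = profile(SAMPLE_EVENTS, best)
    print("best zone:", best, "hours:", sorted(p["hours"].items()))
    print("weekend events:", p["weekend"], "holiday events:", p["holiday"])
```

Only operator-driven events belong in the input; scheduled beacons from an implant reflect a cron table, not a person, and will flatten the profile. A handful of events proves nothing, and a disciplined adversary can shift its shifts, so this is a corroborating signal to line up with the language and tooling clues that follow, not an attribution on its own.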
2. Telltale language habits
Long-term tracking and reverse penetration of the attacker revealed clear linguistic characteristics:
(1) the attacker is fluent in American English;
(2) the internet devices associated with the attacker all run English-language operating systems and English-language applications;
(3) the attacker types on an American keyboard layout.
3. An imperfect crime scene
During a third-level penetration of NPU, while trying to take control of a network device, the attacker made a human error: an uploaded Python script tool was run without changing its specified parameters. The error message the script returned exposed the attacker's working directory and the corresponding file name.
That information shows that the Trojan's controller ran on a Linux system and that the directory was "/etc/autoutils"; autoutils is the dedicated directory name of TAO's cyber attack toolkit.
4. Highly homologous weapon tools
"The Shadow Brokers" is a mysterious hacker group that leaked a large number of extremely destructive cyber attack weapons, including "EternalBlue".
This time, 41 cyber attack weapons were used against NPU. Comparing them with the TAO weapons leaked by the Shadow Brokers gave the following results:
(1) 16 are identical to the leaked TAO weapons;
(2) 23 are not identical to the leaked tools, but their "genetic" similarity is as high as 97%: they belong to the same weapon family and differ mainly in configuration;
(3) the remaining 2 cannot be matched to leaked tools, but they must be used together with TAO's other cyber attack weapons.
In short, every cyber weapon used against NPU belongs to TAO.
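The report does not say how its "genetic similarity" figure was computed, and real tool-family matching is done on function-level features from disassembly. As an added example that is not the analysts' method and not code from the report, here is the cheapest version of the idea: compare the sets of byte n-grams two samples contain (Jaccard index), then diff their printable strings to see what actually changed. The three samples are constructed, two sharing a pseudo-code body with different embedded configuration strings and one unrelated random blob, so the numbers illustrate the pattern in point (2) above ("same family, different configuration"), not any real measurement.

```python
"""Byte n-gram similarity and configuration diff between tool samples.

Added example, not the analysts' method and not code from the report.
Samples are constructed: two variants share a pseudo-code body and differ
only in an embedded config string; a third blob is unrelated.
"""
import random
import re

PRINTABLE = re.compile(rb"[\x20-\x7e]{4,}")


def byte_ngrams(data, n=4):
    """Set of all length-n byte windows in data."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def jaccard(a, b):
    """Jaccard index of two sets; 1.0 when both are empty."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def similarity(x, y, n=4):
    """Similarity of two byte strings as Jaccard of their n-gram sets."""
    return jaccard(byte_ngrams(x, n), byte_ngrams(y, n))


def strings(data):
    """Printable ASCII runs of at least four bytes, like strings(1)."""
    return [s.decode("ascii") for s in PRINTABLE.findall(data)]


def config_diff(x, y):
    """Strings only in x and strings only in y: what differs between variants."""
    sx, sy = set(strings(x)), set(strings(y))
    return sorted(sx - sy), sorted(sy - sx)


def report(samples, n=4):
    """Pairwise similarity for a dict of name -> bytes, keyed by name pair."""
    names = list(samples)
    grams = {name: byte_ngrams(samples[name], n) for name in names}
    return {(a, b): jaccard(grams[a], grams[b])
            for i, a in enumerate(names) for b in names[i + 1:]}


def _pseudo_code(seed, length):
    """Deterministic random bytes standing in for compiled code (constructed)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(length))


BODY_A = _pseudo_code(1, 1200)
BODY_B = _pseudo_code(2, 800)
# Same body, different embedded configuration (addresses are documentation ranges).
SAMPLE_V1 = BODY_A + b"C2=198.51.100.7:443\x00LOG=/var/tmp/.x\x00" + BODY_B
SAMPLE_V2 = BODY_A + b"C2=203.0.113.9:8443\x00LOG=/var/tmp/.x\x00" + BODY_B
UNRELATED = _pseudo_code(3, len(SAMPLE_V1))


if __name__ == "__main__":
    for pair, score in report({"v1": SAMPLE_V1, "v2": SAMPLE_V2,
                               "other": UNRELATED}).items():
        print(f"{pair[0]} vs {pair[1]}: {score:.3f}")
    only_v1, only_v2 = config_diff(SAMPLE_V1, SAMPLE_V2)
    print("only in v1:", only_v1)
    print("only in v2:", only_v2)
```

Byte n-grams are sensitive to recompilation, packing and relocation, which is why production comparisons work on normalized disassembly, control-flow structure or fuzzy hashes of functions; the set-difference of strings, however, is exactly the quick check that tells you whether two versions differ in code or just in C2 addresses and paths.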
During continuous technical analysis and attack tracing, the technical team also discovered a batch of server IP addresses used by TAO to host the attack infrastructure.
The team also pinned down the target nodes, multi-level springboards, main control platforms, encrypted tunnels, attack weapons and the originating terminals that launched the attacks, found identity clues pointing to the operators, and successfully identified the real identities of 13 attackers.
In the course of the persistent investigation, another NSA operation against NPU also surfaced: querying information on people in China with sensitive identities.
Using its cyber weapons, TAO entered a telecom operator's network under a "legitimate identity", penetrated and expanded on the intranet, took control in turn of the operator's service-quality monitoring system and SMS gateway server, and then used weapons such as "Magic School", built specifically for operator equipment, to look up a group of people in China with sensitive identities. The results were packaged, encrypted and sent back to NSA headquarters.
From this we can feel that cyber attacks are hard to defend against, and network security still has a long way to go.
The World Economic Forum's Global Cybersecurity Outlook report shows that global cyber attacks more than doubled in 2021.
Faced with the problem of cyber weapons, Interpol Secretary-General Jürgen Stock is deeply worried: the digital weapons developed and used by militaries today may be exploited by malicious hackers tomorrow.
EternalBlue is proof of that concern.
The NSA-developed cyber weapon "EternalBlue" was turned by malicious hackers into the WannaCry ransomware. In just five hours the storm swept most of the globe: the UK, Russia, all of Europe, and in China the campus intranets of many universities, large enterprise intranets and government agencies' dedicated networks were infected. Critical infrastructure such as banks, power systems, communications systems, energy companies and airports was affected, and the losses were heavy.
WannaCry thus became a grim milestone in the history of cybersecurity.
No one can guarantee that state-developed cyber weapons not yet disclosed today will not be in hackers' hands tomorrow, or even sold on the dark web.
No one can guarantee that today's attack on NPU will not be followed by another victim tomorrow.
Murphy's Law says: anything that can go wrong will go wrong.
We all know that day will come, and that is the ultimate nature of cybersecurity: endless offensive and defensive confrontation.
Reference materials:
1. https://weibo.com/ttarticle/x/m/show/id/2309404810286572896311?_wb_client_=1
2. https://weibo.com/ttarticle/x/m/show#/id=2309404818257147199763&_wb_client_=1
Text | Muzi Yanni
Published by the WeChat official account Qianhei Technology.