Chinese cybersecurity organizations have made serious accusations against the U.S. National Security Agency (NSA) for allegedly orchestrating a cyberattack on Northwestern Polytechnical University, a prestigious Chinese institution known for its aerospace and defense research.
The allegations, brought to light by entities like Qihoo 360 and the National Computer Virus Emergency Response Center (CVERC), suggest that the NSA’s Tailored Access Operations (TAO) unit, referred to as “APT-C-40” by Chinese sources, was behind the attack in 2022. The cyberattack reportedly involved the use of advanced malware and exploitation frameworks to infiltrate the university’s systems.
The university disclosed the breach in June 2022, stating that the attack's initial entry point was phishing emails targeting both staff and students. Chinese investigators claim that the NSA deployed over 40 different malware strains and exploited zero-day vulnerabilities to gain unauthorized access to the university's network.
Tools like NOPEN and SECONDDATE, which have previously been associated with the NSA in leaked documents, were allegedly used by the attackers to establish a persistent presence within the network and intercept network traffic for surveillance purposes.
Chinese cybersecurity researchers attribute the cyberattack to the NSA based on forensic analysis and patterns observed during the investigation. Key indicators included the timing of the attack activity, which predominantly fell within U.S. business hours, as well as the use of American English language settings and system configurations in the operation.
Moreover, investigators uncovered human errors in the attack tactics, such as a misconfigured script that revealed directory paths linked to TAO’s tools, further solidifying the connection to the NSA. The use of IP addresses obtained through front companies like “Jackson Smith Consultants” to conceal NSA operations was also identified by the researchers.
The attack itself was said to have unfolded in several stages, starting with the exploitation of zero-day vulnerabilities in servers of neighboring countries to establish a foothold. Subsequently, phishing emails carrying malware were used to target the university, while tools like ISLAND and FOXACID were employed to compromise external servers and redirect user traffic for exploitation.
Malware such as NOPEN and SECONDDATE facilitated long-term access and traffic interception on network devices, allowing the attackers to move laterally across internal systems and exfiltrate sensitive data using proprietary encryption tools and proxy servers.
These accusations against the NSA underscore the increasing emphasis on targeting edge devices like routers and firewalls for cyber espionage, given their limited logging capabilities. The alleged use of tools consistent with those leaked in the past, including from the Shadow Brokers disclosures, raises ongoing concerns about state-sponsored cyber activities.
While the claims made by Chinese cybersecurity entities have not been independently verified, they reflect a broader narrative of escalating tensions between global powers regarding cyber operations targeting critical infrastructure. The NSA has yet to publicly respond to these allegations.
In conclusion, the accusations against the NSA for orchestrating a cyberattack on Northwestern Polytechnical University highlight the intricate and high-stakes nature of international cybersecurity dynamics, underscoring the need for heightened vigilance and cooperation in defending against such threats.