China says U.S. cyberweapon found in computer systems
Revealed almost a decade ago in the West & recently found in China.
On June 29, 2022, 360, which describes itself as “the largest provider of Internet and mobile security products in China,” said in a Chinese-language report that it had found multiple instances of Validator running in Chinese computer systems, “transmitting intelligence to the National Security Agency headquarters.”
In the report, 360 described Validator as
According to the documents leaked by Edward Snowden, Validator is a dedicated Trojan program that accompanies the FOXACID attack platform of the National Security Agency's Tailored Access Operations (TAO).
The 360 report went on to cite one NSA document, first revealed [German] by Der Spiegel at the end of 2013.
Though 360 described the content above as part of the documents exposed by Edward Snowden, I want to add that the source of the leak to Der Spiegel has never been established. Several people, including James Bamford, who specializes in the United States intelligence agencies, and security expert Bruce Schneier, have said they didn’t think this particular NSA document came from Edward Snowden.
But where exactly the document comes from is irrelevant now, as the existence of Validator has long been established, including by Der Spiegel in 2013 and The Intercept in 2014.
The 360 report went on to explore the technicalities that I just don’t understand and therefore won’t relay to you. It’s basically how 360 analyzed a sample of Validator, and how Validator works, and how to identify it.
360 said in the report
The Validator Trojan sample recently extracted from a Chinese research institution is loaded and launched by Microsoft’s explorer.exe or by avp.exe. Later versions of this sample can also be loaded and launched by some common service processes, such as svchost.exe, wuauserv (the Windows Update service), LanmanServer (the Windows file-sharing service), etc.
Citing anonymous sources, Bloomberg reported on May 6 (emphasis mine)
China has ordered central government agencies and state-backed corporations to replace foreign-branded personal computers with domestic alternatives within two years, marking one of Beijing’s most aggressive efforts so far to eradicate key overseas technology from within its most sensitive organs.
Staff were asked after the week-long May break to turn in foreign PCs for local alternatives that run on operating software developed domestically, people familiar with the plan said.
China will mostly encourage Linux-based operating systems to replace Microsoft’s Windows. Shanghai-based Standard Software is one of the top providers of such tools, one person said.
[Citing this report does not mean Pekingnology, a personal newsletter, confirms its authenticity.]
Bloomberg didn’t cite sources to explain why this was happening. The explanation it offered reads as general background, which boils down to China wanting to wean itself off U.S. technology.
The push to replace foreign suppliers is part of a longstanding effort to wean China off its reliance on American technology -- a vulnerability exposed after sanctions against companies like Huawei Technologies Co. hammered local firms and businesses.
This apparently doesn’t answer the question “why now?” And two months later, 360 came out saying it had recently found Validator loaded and launched in Microsoft Windows.
[I’m not saying they are connected. I’m just saying, you know what, I have read two different reports from two places in two months, and they read interestingly together.]
After going through the technicalities, the 360 report said
Based on the successful extraction of the "Validator" Trojan sample from an important information system of a domestic research institution, 360 immediately carried out scanning and detection across China.
Regrettably, different versions of this standard NSA Trojan had been running in hundreds of critical information systems in China, implanted well before the FOXACID attack platform and its components were publicly exposed, which shows that the NSA had carried out cyber attacks on at least a hundred critical domestic information systems in China.
To this day, multiple Validator Trojan horses are still running in some information systems, transmitting intelligence to NSA headquarters.
It is foreseeable that the number of the "Validator" Trojans running in critical information infrastructures around the world will far exceed that of China.
That’s the end of the 360 report.
To sum up, what’s the news here? Since I don’t know the technicalities, I can’t tell if 360’s finding or analysis is original, especially given that Validator has been publicly exposed for almost a decade. But the largest provider of Internet and mobile security products in China said
It recently found multiple instances of Validator, the U.S. National Security Agency cyberweapon, still running in Chinese systems and passing intelligence to NSA headquarters;
It recently found that over a hundred Validator instances had been running in critical Chinese systems;
It foresees far more Validator instances still running across the world right now.
Some apparently unanswered questions:
How recent is “recently”? Why did 360 reveal the findings now? What took it so long, given that Der Spiegel revealed Validator at the end of 2013? What exactly are the Chinese “critical” systems that have been compromised by Validator? Is the finding related to the Bloomberg-reported, unconfirmed Chinese government directive to dump foreign PCs at its offices and state firms?
I don’t know.
Is it possible that 360 made everything up? I don’t think so, but I’m not a cybersecurity expert, so I’m not in a position to pass judgment. You’ll have to read their Chinese-language report to dive into the technical details.
(Credit: Anonymous NSA cartoonist, with whom the Washington Post had some fun)
On the same day as the 360 report, which is June 29, 2022, China’s National Computer Virus Emergency Response Center (CVERC), a state institution, published a report studying the FOXACID cyberweapon platform of the U.S. National Security Agency.
Fortunately for English speakers, this report is available in both Chinese and English.
Before we start: Thomas Rid, a Johns Hopkins cybersecurity professor, has slammed it on Twitter
Again, I know little about cybersecurity so I’m not in a position to pass judgment on the technicalities.
What I will say is, from the perspective of news reporting, the CVERC report says
Recently, artifacts of a malware family called “Validator” were discovered at several research institutions located in China.
Based on its analysis, which has been omitted in this newsletter because I just don’t understand it, the CVERC report says (emphasis mine)
From the above, we believe the FOXACID platform project is still being run by the US government, and everyone should know the following facts:
FOXACID is a common cyber-weapon used by the CNE team affiliated with the TAO of the NSA, and plays a vital role in global cyber-espionage operated by the NSA, especially against China and Russia…
CVERC encourages all users from all over the world to be aware of the risk and of the fact that Chinese research institutions were not the only victims. Organizations of governments, academies, and businesses around the world might have been compromised by the NSA with FOXACID… FOXACID facilitates US intelligence agencies with the ability to steal sensitive data at any time, and to cause outages of critical infrastructure in wartime.
Now, what’s the news here?
Again, since I don’t know the technicalities, I can’t tell if CVERC’s finding or analysis is original, especially given that FOXACID has been publicly exposed for almost a decade. (Prof. Thomas Rid apparently thinks not.)
So the news is a Chinese state cybersecurity organ just said it has recently found that Chinese cybersystems have been hacked by the NSA, using a well-documented cyberweapon. And it is sending a warning.
Historically, China has been unwilling to specify the cyberattacks it suffered, as Bloomberg summarized in February when reporting a Chinese cybersecurity firm’s finding (emphasis is mine)
The report marked a departure from Beijing’s typical stance. Faced with allegations of hacking, China has routinely denied the behavior and labeled the U.S. an “empire of hackers”…
But the effectiveness of that approach has been questioned, including by former Global Times editor-in-chief Hu Xijin. In a recent WeChat post, the widely followed journalist said Chinese officials have been unwilling to provoke its geopolitical rivals and their tactic of relying heavily on statistics was ineffective.
(By the way, that Bloomberg report in February was published immediately after Pekingnology reported the exact same topic.)
Now, Chinese media including Global Times and China Daily have already covered the two reports in English, so why is Pekingnology doing it three days later?
Well, apart from my opinion that the news remains underreported internationally, their coverage could use some clarification.
For example, GT reported
A large number of "validator" trojans are running in critical information infrastructure in other countries, which is far more than in China, the company said.
But as I have shown above, the 360 report actually said
Based on the successful extraction of the "Validator" Trojan sample from an important information system of a domestic research institution, 360 immediately carried out scanning and detection across China…
It is foreseeable that the number of the "Validator" Trojans running in critical information infrastructures around the world will far exceed that of China.
What the 360 report said was, basically, that they have scanned Chinese domestic systems and they believe if others scan foreign systems - supposedly, following their analysis? - they will find the Validator as well.
That is different from the “a large number of ‘Validator’ trojans are running in critical information infrastructure in other countries…the company says,” which indicated that 360 had scanned foreign systems and found Validator, as reported by the Global Times.
The China Daily reported (emphasis mine)
It added "validator" may still be operating in some computers and continue to send key information back to NSA.
But the 360 report said
To this day, multiple Validator Trojan horses are still running in some information systems, transmitting intelligence to NSA headquarters.
So I don’t get where the “may still be” comes from.
They found it just now? It must be very successful to be undiscovered for so long.