How Beijing determines US hacked Chinese university, INFRASTRUCTURE, & ~80 countries
The hackers worked 9 am to 4 pm ET like clockwork and NEVER on weekends or U.S. holidays. Also, there are strategically important details raising big questions.
This is so much fun that I can’t resist the temptation to publish a second newsletter in one day. And if you are not here for the fun of it, go straight to the final part of this newsletter, which contains strategic and operational information.
China opens up on U.S. hacking details
This year, China has done away with its “silent victim” approach regarding what it says are cyberattacks from U.S. government hackers. The National Computer Virus Emergency Response Center (CVERC) and several other Chinese cybersecurity firms (in this case, 360 Security) have published a series of articles detailing the tools and methodology that, according to Beijing, the CIA or the Tailored Access Operations (TAO), a cyber-warfare intelligence-gathering unit of the National Security Agency (NSA), deployed against Chinese entities.
[Screenshot of the CVERC web homepage: the items marked “HOT” and “New” are the relevant Chinese-language reports by CVERC. Source: CVERC web homepage.]
I have read the reports but obviously, as a layperson, I don’t understand the technicalities. But I do read widely and my impression is the Chinese reports can be understood as independent confirmations of the applications of the cyber weapons first reported by the German news magazine Der Spiegel in December 2013.
Pekingnology has covered some of the reports in the past (totally based on open-sourced information widely available in Chinese with ZERO insider information so please DO NOT HACK ME and I’m a very low-value target after all) and those Chinese revelations have also been reported in Western mainstream media, such as the AP, AFP, Bloomberg, and CNBC.
Today, or Tuesday, September 27, the CVERC published a new Chinese report detailing what it says are cyberattacks against China’s Northwestern Polytechnical University specializing in Aeronautics and Space Research by the TAO within NSA.
Xinhua and the Global Times have published news reports based on Tuesday’s CVERC report. The Global Times billed its report “exclusive,” but it was published around the same time as Xinhua’s and, based on my reading, didn’t provide new facts beyond the publicly accessible CVERC report.
Unfortunately but unsurprisingly, these Chinese media reports are pretty dry and missed or failed to highlight the fun part of the CVERC report, which would make it much more readable, relatable, and thus credible.
So what’s the fun? As I have already shared in the title and subtitle of this newsletter: Beijing says the hackers never worked overtime, weekends, or U.S. national holidays - they always worked 9 am to 4 pm ET like clockwork.
They don’t work overtime
Straight and only from the CVERC report:
(1) the attack time is completely consistent with the work schedule in the United States
When the US National Security Agency's Tailored Access Operations (TAO) uses the tipoff activation instruction and remotely controls the NOPEN Trojan, it must be operated manually. From the attack time of these two kinds of tools, the actual working time of the cyber attacker can be analyzed.
First of all, according to the big data analysis of the related cyber attacks, 98% of the cyber attacks against the Northwestern Polytechnical University are concentrated between 21:00 Beijing time and 4:00 a.m. Beijing time, which corresponds to the working time in the United States from 9:00 a.m. to 4:00 p.m. Eastern Time.
Secondly, there was no cyber attack on Northwestern Polytechnical University on any Saturdays and Sundays in US time.
Thirdly, by analyzing the holidays in the United States, it is found that "Memorial Day" in the United States is a three-day holiday and the "Independence Day" in the United States is a one-day holiday. In these four days, the attackers have not carried out any attack or espionage.
Fourthly, a long period of close follow-up of the attacks found that all cyber attacks were silent during the Christmas holidays.
Judging from the above-mentioned working hours and holiday arrangements, the attackers and infiltrators at the Northwestern Polytechnical University (network) conducted their activities in accordance with the working day schedule in the United States, 肆无忌惮，毫不掩饰 in broad daylight and blatantly without disguise.
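The working-calendar profiling the report describes (share of manual activity inside a 9-to-4 local weekday window, weekend silence, holiday silence) can be scripted against candidate operator time zones. This is an added illustration of mine, not code from the CVERC report or from any party it names; the event timestamps, the candidate zones and the holiday date are constructed for the example.

```python
"""Profile operator activity against candidate working calendars.

Added example; the timestamps below are constructed, not taken from any report.
Requires Python 3.9+ (zoneinfo).
"""
from datetime import date, datetime
from zoneinfo import ZoneInfo

# Constructed sample: UTC timestamps of manually driven tool activity.
SAMPLE_EVENTS_UTC = [
    "2022-05-16T13:15:00Z", "2022-05-16T17:40:00Z", "2022-05-17T14:05:00Z",
    "2022-05-17T19:30:00Z", "2022-05-18T15:50:00Z", "2022-05-19T13:02:00Z",
    "2022-05-20T18:45:00Z",
    "2022-05-18T06:00:00Z",  # one outlier outside the US working day
]
# Memorial Day 2022 (Monday 30 May), a US holiday to test for silence.
US_HOLIDAYS_2022 = {date(2022, 5, 30)}


def parse_utc(stamp: str) -> datetime:
    """Parse an ISO 8601 'Z' timestamp into an aware UTC datetime."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def profile(events, tz_name, start_hour=9, end_hour=16, holidays=frozenset()):
    """Count events by how they fall in the working calendar of tz_name.

    in_window: weekday events with start_hour <= local hour < end_hour
    weekend:   events on a local Saturday or Sunday
    holiday:   events on a local date listed in holidays
    """
    tz = ZoneInfo(tz_name)
    counts = {"total": 0, "in_window": 0, "weekend": 0, "holiday": 0}
    for stamp in events:
        local = parse_utc(stamp).astimezone(tz)
        counts["total"] += 1
        is_weekend = local.weekday() >= 5
        counts["weekend"] += int(is_weekend)
        counts["holiday"] += int(local.date() in holidays)
        if not is_weekend and start_hour <= local.hour < end_hour:
            counts["in_window"] += 1
    counts["share"] = counts["in_window"] / counts["total"] if counts["total"] else 0.0
    return counts


def rank_zones(events, zone_names, **kwargs):
    """Return (tz_name, profile) pairs, best-fitting working day first."""
    scored = [(name, profile(events, name, **kwargs)) for name in zone_names]
    return sorted(scored, key=lambda item: item[1]["share"], reverse=True)


if __name__ == "__main__":
    zones = ["America/New_York", "Europe/London", "Asia/Shanghai"]
    for name, c in rank_zones(SAMPLE_EVENTS_UTC, zones, holidays=US_HOLIDAYS_2022):
        print(f"{name:18s} share={c['share']:.2f} weekend={c['weekend']} holiday={c['holiday']}")
```

With a real dataset the same script flags which zone's working day the activity tracks; a zone whose weekday window captures almost everything, with no weekend or holiday hits, is the pattern the report relies on.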
(2) the language habits are closely related to the United States
In the process of long-term tracking of the cyber attacks, the [Chinese] technical team found that the attackers had the following linguistic characteristics:
Firstly, the attackers had the habit of using American English;
Second, the internet devices associated with the attackers are all equipped with English operating systems and various English-language applications;
Third, the attacker uses the American keyboard for input.
The CVERC report lists a few more technicalities:
(3) error in operating the cyberweapon exposed working path
At 5:36 p.m. (Beijing time) on May 16, 20xx, the personnel who carried out the cyber attack on the Northwestern Polytechnic University used the springboard machine located in South Korea (IP: 222.122.*.*) and used the NOPEN trojan horse to attack the Northwestern Polytechnic University again.
When attempting to invade and control a network device after implementing Level 3 penetration into the internal network of the Northwestern Polytechnic University, a human error occurred in running the upload PY script tool resulting in the specified parameters not being modified. An error message was returned after the script was run. The working directory of the attacker's online terminal and the corresponding file name were exposed in the message. From this, it can be seen that the system environment of the Trojan control terminal was a Linux system, and the corresponding directory name "/etc/autoutils" was the special name (autoutils) of the TAO network cyber weapon tool directory.
The error message was as follows:
Quantifier follows nothing in regex; marked by <-- HERE in m/* <-- HERE .log/ at ../etc/autoutils line 4569
(4) A large number of weapons are highly homologous to the exposed NSA weapons genes
Among the 41 different cyber-attack weapons used in the attack against Northwestern Polytechnic University captured this time, 16 were exactly the same as the TAO cyber weapons exposed by the "Shadow Brokers". Although there were 23 tools that were not exactly the same as those exposed by the "Shadow Brokers", their genetic similarity was as high as 97%, belonging to the same category of cyber weapons, but with different configurations. The other two tools did not correspond to the tools exposed by the "Shadow Brokers," but these two tools needed to be used together with TAO's other cyber weapons. Therefore, these weapon tools have obvious homology and all belong to TAO.
(5) Some of the cyber attacks took place before the exposé by "Shadow Brokers"
A comprehensive analysis of the technical team found that in the tens of thousands of cyber attacks on Chinese targets, especially in the thousands of cyber attacks launched at the Northwestern Polytechnic University, some of the cyber weapons used in the attacks were implanted with trojans before the "Shadow Brokers" released the NSA weapons. According to the NSA's behavior, it is highly probable that the above-mentioned weapons were used by TAO employees themselves.
Strategic and operational information
Lastly, the CVERC report mentioned a few important details:
Beijing secured overseas support. Specifically 欧洲、东南亚部分国家合作伙伴的通力支持 “full support from cooperating partners in some European and South East Asian countries”, but the names of the countries weren’t disclosed.
并成功查明了13名攻击者的真实身份 “the true identities of 13 attackers have been identified” but their names were withheld in the report.
It’s worth watching whether Beijing will publish their identities and even prosecute them - presumably, in absentia. The U.S. Department of Justice prosecuted what it says are Chinese state-linked hackers in 2018 and 2021. China and the U.S. are world powers with influence, if not extradition treaties, with multiple jurisdictions.
Most importantly, Beijing now alleges the U.S. conducted cyberattacks not just against one university but penetrated deep into the Chinese information infrastructure.
TAO illegally attacked and infiltrated the infrastructure operators in China, establishing a "legal" channel for remote access to the core data network of the infrastructure operators, and realizing the infiltration and control of the infrastructure in China.
TAO entered the (Chinese) operator's network with a "legal" identity through obtaining the account passwords of 思科PIX防火墙 Cisco PIX firewall [Someone should forward this email to Cisco], Topsec firewall, and other equipment of China's infrastructure operators, then implemented internal network penetration and expansion, respectively controlled the relevant operator's service quality monitoring system and SMS (short message service) gateway server, and used "Magic School" and other cyberweapons and tools specifically targeted at the operator's equipment to query a group of personnel of sensitive identities in China, and packaged and encrypted their information and sent it back to the headquarters of the US National Security Agency via multi-level springboard.
Again, I’m no expert but I do read widely. This reads to me like a game-changer: it is not just a hack targeting a certain entity or individual, but “infiltration and control” of a world power’s information infrastructure, then used to query the personal information of potentially high-value targets, which is unheard of.
(Okay, there was the 2015 allegation of the Office of Personnel Management hack, but that wasn’t on information infrastructure.)
Beijing didn’t disclose whose personal information had been stolen by the NSA. But just imagine the domestic uproar if the U.S. government alleged China or Russia hacked AT&T and, through the hacked telecom operator, got, let’s say, personal information on Nancy Pelosi, Marco Rubio, Antony Blinken, or maybe even Elon Musk. Would it be called cyber warfare or even just war?
More broadly, Beijing says:
Penetration and control of global telecommunications infrastructure
According to analysis, the US National Security Agency's Tailored Access Operations (TAO) has "legally" controlled the telecommunications infrastructure networks of not fewer than 80 countries in the world by using the same combination of cyber weapons and tools. The technical team worked together with partners in Europe and Southeast Asian countries to successfully extract and identify the samples of the above-mentioned cyber weapons and tools, and successfully completed the technical analysis. The technical team intends to release the samples to the public in a timely manner to help the world jointly resist and prevent the cyber infiltration attack by the US National Security Agency.
Which countries are among the not fewer than 80 countries? Will foreign diplomats in Beijing start knocking on Chinese doors to ask? Do they include U.S. allies? And Beijing has promised to go public with technical evidence. So let’s stay tuned.
It’s been over 12 hours since CVERC released the report and I have seen only Arjun Kharpal at CNBC publish a report an hour ago. (Or maybe it’s Beijing crying foul at the U.S. hacking China, so it doesn’t matter - is it?)
As a private individual writing a personal newsletter on an apparently sensitive subject which probably hasn’t been detailed and discussed like this anywhere else yet, let me once again clarify this newsletter does not represent the views of anybody else. Everything in this article is openly sourced from the CVERC report.
If you haven’t read my first newsletter today, you definitely should - I have heard that the exclusive excerpt from Prof. Zeng Jinghan’s Slogan Politics: Understanding Chinese Foreign Policy Concepts made it onto Chinapol within minutes.
No 9-9-6 for American hackers... : )