NSA’s Alleged Cyber Espionage Campaign Against Chinese University Unveiled

Recent allegations from Chinese cybersecurity authorities have placed the U.S. National Security Agency (NSA) under scrutiny for orchestrating a multi-year cyber espionage campaign against Northwestern Polytechnical University (NPU), a renowned institution specializing in aerospace and defense research. Joint reports by China’s National Computer Virus Emergency Response Center (CVERC) and cybersecurity firm Qihoo 360 have shed light on a highly sophisticated operation. The NSA’s Tailored Access Operations (TAO) unit, labeled “APT-C-40” by Chinese experts, allegedly deployed over 40 different malware strains to penetrate NPU’s networks from 2020 to 2022, aiming to exfiltrate sensitive research data, network blueprints, and operational credentials.

The Initial Compromise

Exploiting Neighboring Servers

The attackers’ initial entry into NPU’s networks began by compromising Solaris-based servers located in neighboring countries. This strategic move was facilitated by SHAVER, an automated exploitation tool that allowed these servers to act as proxies in phishing campaigns targeting NPU staff. These compromised servers created a facade of legitimacy, making it easier to deceive the faculty and staff at NPU. By utilizing these servers as intermediaries, the attackers managed to bypass many conventional security measures, thereby gaining a foothold within the university’s network infrastructure.

Upon achieving initial access, the attackers utilized SECONDDATE, an advanced network surveillance tool designed to operate on border routers and firewalls. SECONDDATE intercepted and manipulated internal network traffic, redirecting it to the NSA’s FOXACID platform. FOXACID, known for its deployment of zero-day payloads, was then employed to deliver malicious software and backdoors when users visited specific online platforms. This Man-in-the-Middle (MiTM) technique was crucial in ensuring the undisrupted delivery of malware components, facilitating continuous monitoring and data extraction.

Man-in-the-Middle Techniques

The employment of the MiTM technique enabled the attackers to stealthily implant backdoors such as NOPEN and FLAME SPRAY, which were engineered to evade conventional security analysis tools. This persistence allowed the attackers to maintain continuous access, even in the face of potential countermeasures from the university’s cybersecurity team. By embedding these backdoors into the network’s core operations, the NSA’s operatives ensured they could consistently exfiltrate valuable data while remaining undetected.

In a critical operational lapse, an NSA operator mishandled a Perl script, inadvertently exposing a Linux directory path. This slip provided Chinese forensic investigators with tangible evidence of TAO’s proprietary tool directory structure. This blunder was a rare opportunity for Chinese cybersecurity officials to validate their suspicions about NSA involvement definitively. This revelation further complicated the landscape of international cybersecurity, underscoring an environment where even state-level actors are susceptible to intricate forensic tracing and inadvertent errors.

Advanced Persistent Threat Tactics

Maintaining Persistent Access

Maintaining persistent access to NPU’s networks was paramount for the alleged TAO operatives. They employed backdoors such as STOIC SURGEON and CUNNING HERETICS, which were designed to reestablish communication channels following system cleanups. These backdoors worked by embedding themselves deep within the network’s architecture, ensuring that any attempts to purge the system of malware only temporarily disrupted the attackers’ access. This level of persistence highlighted the advanced capabilities of state-sponsored cyber espionage units and their relentless pursuit of strategic intelligence.

To facilitate data exfiltration, the operatives deployed a toolkit named OPERATION BEHIND ENEMY LINES. This toolkit was adept at encrypting stolen files, rendering them undetectable during transit, and routing them through a series of proxy servers scattered across various countries. By masking the origin and destination of the data transfers, the attackers effectively obfuscated their activities, complicating attribution efforts by cybersecurity professionals. This method underscores the tactical sophistication of the campaign, reflecting the high stakes involved in modern cyber warfare.

Attribution and Evidence

The attribution rests on the joint CVERC and Qihoo 360 reports summarized above, which assign the campaign to the NSA’s TAO unit (APT-C-40) and describe more than 40 different malware variants used to infiltrate NPU’s networks from 2020 to 2022, with the goal of exfiltrating sensitive research data, network blueprints, and operational credentials. This operation, if confirmed, highlights escalating cyber tensions between the U.S. and China. The sophisticated nature of the attack raises serious concerns about the lengths national entities might go to in order to compromise significant technological and academic research.