With just one week remaining until the 2024 U.S. presidential election, it is not surprising that the media have made a particular group prominent in recent news headlines: hackers.
A recent news report by the New York Times indicated that Chinese hackers targeted data from phones used by former President Donald J. Trump and his running mate, Senator JD Vance of Ohio, without disclosing any details about the “actors affiliated with the People’s Republic of China.”
Those familiar with U.S. elections are no strangers to the tactic of hyping up China-related issues ahead of the vote; it has become almost routine. However, this report also reminded me of an incident mentioned in a report two years ago, where the U.S. security system was alleged to have infiltrated Chinese university networks and telecommunications operators.
In September 2022, China's National Computer Virus Emergency Response Center (CVERC) and the cybersecurity company 360 each released investigation reports on attacks against China's Northwestern Polytechnical University (NPU) by the U.S. National Security Agency (NSA). The reports stated that the NSA-affiliated Office of Tailored Access Operations (TAO) had mounted hundreds of thousands of malicious cyberattacks on Chinese targets.
The investigation reports, available on the CVERC website, stated that the United States used 41 specialized cyber weapons to launch cyber theft operations more than 1,000 times against the NPU, a prominent national defense science and technology research institute, and stole core technical data.
The reports also revealed crucial information about several attacks, including the specific ways that TAO's attacks were carried out, the targets of the cyber theft operations, reasons why the attacks were attributed to the TAO and a list of IP addresses for the weapon platforms employed by the TAO.
It is worth noting that the TAO gained access to the university's network and obtained employee credentials, which allowed the agency to infiltrate the systems further. It exploited the stolen credentials to access the network of a Chinese infrastructure operator under a "legitimate" guise, controlling its service quality monitoring system to pilfer "the information of several individuals with sensitive identities."
The report does not specify the exact identities of these individuals with sensitive backgrounds, which is perhaps understandable. Are they connected to Chinese leaders? It remains unknown. What is certain is that the TAO has engaged in cyber intrusions into Chinese networks.
(III) Infiltration and Control of Core Network of Chinese Infrastructure
The NSA-affiliated TAO has exploited stolen credentials to access the network of a Chinese infrastructure operator under a "legitimate" guise, controlling its service quality monitoring system to pilfer user private data.
Theft of Chinese Users' Private Data
At 22:53 on March 7, 20XX (Beijing Time), TAO utilized an attack proxy located in Mexico (IP 148.208.XX.XX) to target the business server of a Chinese infrastructure operator (IP 211.136.XX.XX). After executing two lateral movements within the network (IPs 10.223.140.XX and 10.223.14.XX), the agency gained control of the user database server and illegally queried the information of several individuals with sensitive identities.
At 15:02 the same day, TAO saved the queried user data in the directory /var/tmp/.2e434fd8aeae73e1/erf/out/f/ on the compromised server. The agency then packaged this data and transmitted it back through its attack relay. The penetration tools and user data uploaded during the covert operation, along with other traces of the attack, were quickly erased by specialized tools. [Beijing Scroll Note: The "15:02" here should refer to U.S. local time, otherwise it wouldn't align with the "22:53" mentioned earlier in chronological order. I've already emailed CVERC to confirm this information, and I'll provide an update here as soon as I receive a response.]
Using the same tactics, TAO controlled additional servers of another Chinese infrastructure operator at the following times in 20XX: January 10 at 23:22; January 29 at 8:41; March 28 at 22:00; and June 6 at 23:58 (all Beijing Time). They conducted multiple illegal queries, exports, and thefts of sensitive personal information.
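The report's account of data being staged in a hidden, hex-named directory under /var/tmp before exfiltration suggests one simple hunting check a defender can run on Linux servers: enumerate hidden sub-directories of world-writable temp locations whose names look like random hex strings, and report how much data sits inside them. The script below is an added illustration, not code from the CVERC or 360 reports; the hex-name heuristic and the temp roots it scans are assumptions, and the directory tree it builds for the demonstration is a constructed sample that only borrows the directory name quoted in the report.

```python
import os
import re
import tempfile
from pathlib import Path

# Assumed hunting scope: temp locations where staged data is easy to hide.
TEMP_ROOTS = ["/var/tmp", "/tmp"]

# Assumed heuristic: a dot followed by a long run of lowercase hex characters.
HIDDEN_HEX_NAME = re.compile(r"^\.[0-9a-f]{8,}$")


def find_hidden_staging_dirs(roots):
    """Return a sorted list of (path, file_count, total_bytes) for hidden
    sub-directories of the given roots whose names match HIDDEN_HEX_NAME."""
    findings = []
    for root in roots:
        root_path = Path(root)
        if not root_path.is_dir():
            continue  # root absent on this host; nothing to scan
        for entry in root_path.iterdir():
            if not entry.is_dir() or entry.is_symlink():
                continue
            if not HIDDEN_HEX_NAME.match(entry.name):
                continue
            file_count = 0
            total_bytes = 0
            # Walk the whole hidden tree so nested layouts such as erf/out/f are counted.
            for dirpath, _dirs, files in os.walk(entry):
                for name in files:
                    try:
                        total_bytes += (Path(dirpath) / name).stat().st_size
                        file_count += 1
                    except OSError:
                        pass  # file vanished or unreadable; skip rather than abort the hunt
            findings.append((str(entry), file_count, total_bytes))
    return sorted(findings)


def build_constructed_tree():
    """Create a throwaway directory tree (constructed sample) that imitates the
    layout quoted in the report, plus two benign directories that must not be flagged."""
    base = Path(tempfile.mkdtemp(prefix="hunt-demo-"))
    staging = base / ".2e434fd8aeae73e1" / "erf" / "out" / "f"
    staging.mkdir(parents=True)
    (staging / "users.csv").write_bytes(b"id,name\n1,constructed\n")
    (base / ".cache").mkdir()   # hidden but not hex-named: benign
    (base / "build").mkdir()    # visible directory: benign
    return base


if __name__ == "__main__":
    demo_root = build_constructed_tree()
    for path, count, size in find_hidden_staging_dirs([str(demo_root)] + TEMP_ROOTS):
        print(f"hidden hex-named directory: {path} ({count} files, {size} bytes)")
```

On a real host, run it as a user that can read the temp directories and treat every hit as something to explain, not as proof of compromise: build systems and some package managers also create hidden scratch directories, so the check is a triage starting point rather than a verdict.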
Infiltration and Control of Global Telecommunication Infrastructure
According to analyses, the TAO employed the same methods and combination of cyber weapons to "legitimately" gain control of telecommunications infrastructure networks in at least 80 countries worldwide. The Chinese technical team has collaborated with partners in Europe and Southeast Asia to successfully extract and secure samples of these cyber tools, completing thorough technical analyses. Plans are underway to publicly disclose this information in due course to assist the global community in resisting and protecting against NSA cyber penetration attacks.
The report emphasized that the U.S. agency had controlled telecommunications infrastructure networks in at least 80 countries worldwide using the same methods and tools described. The findings were published to aid global efforts in resisting and preventing cyber infiltration attacks by the TAO, as highlighted in the report.
A CNBC report published later noted: “Beijing has for years accused Washington of carrying out cyberattacks, but rarely discloses details of specific incidents. This new report is a change in approach from China.”
The report also said that the attackers used American English, that the devices associated with the hackers ran an English-language operating system, and that they used an American keyboard for input.
In August of this year, The Washington Post reported, under the headline "Former X employees, experts doubt Musk claim of cyberattack on Trump talk," that Musk had claimed a 40-minute delay in his audio conversation with Donald Trump was caused by a distributed denial of service, or DDoS, attack.
Following Musk's claim, XLab, part of Qi An Xin (QAX), one of the largest cybersecurity companies in China, confirmed in its Chinese-language blog post on WeChat that it had detected the DDoS attack. The XLab threat perception system identified the attack on the X platform in real time as it unfolded. Zichen Wang covered this in his Pekingnology newsletter.
In an English-language post entitled Behind the Scenes: A Brief Overview of the DDoS Attack on the Trump-Musk Livestream, XLab provided more technical details.
"Monitoring shows that the four botnet controllers launched at least 34 waves of DDoS attacks. The four control servers were mainly located in the UK (two), Germany (one), and Canada (one). The attacks lasted from 8:37 AM to 9:28 AM Beijing time, spanning 50 minutes, which closely matches the delay observed during the broadcast," the post read.
Strange, it wasn't in the Daily Telegraph!