Since I reside in a Five Eyes country (Australia) and have publicly presented four cases I led on China’s APT41 attacking organisations in ASEAN, particularly concerning China’s cyber and political strategies, I was curious to explore what China publishes about Five Eyes operations. This led me down a rabbit hole of research into TTPs that Chinese cybersecurity entities have attributed to the NSA – or, as they coin “APT-C-40”.
These insights stem from extensive research I did on Weixin containing intelligence reports published by China’s Qihoo 360, Pangu Lab, and the National Computer Virus Emergency Response Center (CVERC). It is important to note that the authenticity and extent of these allegations remain unverified by independent sources. My goal in writing this blog is simply to aggregate and share what Chinese sources are publishing about NSA’s cyber operations (APT-C-40) to see if I could learn any new detection techniques or offensive techniques to research for fun.
As I did this research, I realised that the Chinese methodology of incident response appears very different from how we perform IR in the West, which had me thinking about how I could modify some of my own methodologies to include some of these learnings. Maybe I will write a blog on this in the future. Ultimately, depending on the reception of this blog, I may continue this series by sharing my other findings on Chinese reports regarding CIA (APT-C-39) cyber operations and a third North American group (not NSA or CIA) that Chinese firms are tracking, named APT-C-57.
How the NSA Allegedly Hacked China’s Northwestern Polytechnical University
This is how China’s Northwestern Polytechnical University, a leading institution specialising in aerospace and defence, allegedly became the target of a sophisticated cyberattack attributed to the NSA’s APT-C-40 group back in 2022. Reports claim that the attack was executed by Tailored Access Operations (TAO), a division within the NSA, which allegedly deployed over 40 unique malware strains to conduct data theft and espionage.
All the information regarding this breach is publicly disclosed on the internet by the Chinese cyber companies Qihoo 360 and the National Computer Virus Emergency Response Centre on Weixin.
How did China perform the attribution?

Through the joint investigation and forensics on the University, CVERC and 360 identified 4 IPs that the NSA supposedly purchased through two cover companies, “Jackson Smith Consultants” and “Mueller Diversified Systems”. The four IPs identified are listed at the end of this report. CVERC and 360 alleged that a TAO employee with the pseudonym “Amanda Ramirez” anonymously purchased these for the NSA’s FoxAcid platform, which was later used in the attack on the University.

CVERC and 360 also alleged that the NSA had used the anonymous protection services of a Registrar in the US to anonymise domain names and certificates to prevent them from being queried through public channels.

Investigators from CVERC and 360 were able to trace the attack back to NSA’s TAO unit through a mix of human error, patterns in their analysis and tool overlap.
1. Attack Times
- One of the frameworks used by TAO that was forensically uncovered during the incident, named “NOPEN”, requires human operation. As such, a lot of the attack required hands-on-keyboard activity, and data analysis of the incident timeline showed that 98% of all the attacks occurred between 9am and 4pm EST (US working hours).
- There were zero cyber-attacks on Saturdays and Sundays, with all attacks concentrated between Monday and Friday.
- No attacks occurred during the Memorial Day and Independence Day holidays, which are uniquely American holidays.
- No attacks occurred during Christmas.
2. Keyboard Inputs
- The attacker used American English.
- All devices used by the attacker had an English OS and English applications.
- An American keyboard was utilised.
3. Human Errors
- Due to the length and scale of the incident, when one of the alleged NSA “attackers” tried to upload and run a Pyscript tool, they forgot to modify the parameters. This returned an error, and the error message exposed the working directory and file name of the attacker’s internet terminal.
- This was then used to identify that they were running on a Linux system, and the directory “etc/autoutils” was known to be the special name of the TAO network attack tool directory.
- The error message is as follows:

    Quantifier follows nothing in regex; marked by <-- HERE in m/* <-- HERE .log/ at .. /etc/autoutils line 4569
4.
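The working-hours, weekend and holiday analysis described under item 1 above can be reproduced by a small timeline-profiling script, shown here as an added example that is not code from the original report or from CVERC/360. The event timestamps, the candidate zone labels and the fixed UTC offsets (standard time only, no DST handling) are constructed assumptions; it also scores several candidate operator time zones, which goes beyond the single zone the report discusses.

```python
from collections import Counter
from datetime import date, datetime, timedelta, timezone

# Candidate operator time zones as fixed UTC offsets (standard time; DST is
# deliberately ignored). Labels and offsets are assumptions for this example.
CANDIDATE_ZONES = {"US Eastern": -5, "UK": 0, "Moscow": 3, "China": 8}

# Constructed sample of attacker activity timestamps (UTC); not real incident data.
SAMPLE_EVENTS_UTC = [
    "2022-01-10T14:30:00Z", "2022-01-10T19:10:00Z", "2022-01-11T18:00:00Z",
    "2022-01-12T20:45:00Z", "2022-01-13T15:00:00Z", "2022-01-14T19:30:00Z",
    "2022-01-18T16:00:00Z", "2022-01-19T21:30:00Z", "2022-01-20T17:15:00Z",
    "2022-01-21T14:05:00Z",
]


def us_holidays(year):
    """The three holidays the report cites: Memorial Day (last Monday of May),
    Independence Day (4 July) and Christmas Day (25 December)."""
    last_of_may = date(year, 5, 31)
    memorial_day = last_of_may - timedelta(days=last_of_may.weekday())  # Mon == 0
    return {memorial_day, date(year, 7, 4), date(year, 12, 25)}


def to_local(events_utc, offset_hours):
    """Parse ISO-8601 'Z' timestamps and shift them into the candidate zone."""
    tz = timezone(timedelta(hours=offset_hours))
    return [datetime.fromisoformat(e.replace("Z", "+00:00")).astimezone(tz)
            for e in events_utc]


def profile_activity(events_utc, offset_hours, start_hour=9, end_hour=16):
    """Share of events inside a 9am-4pm working window, plus weekend/holiday hits."""
    local = to_local(events_utc, offset_hours)
    in_hours = sum(1 for t in local if start_hour <= t.hour < end_hour)
    return {
        "total": len(local),
        "working_hours_pct": round(100.0 * in_hours / len(local), 1),
        "weekend_events": sum(1 for t in local if t.weekday() >= 5),
        "holiday_events": sum(1 for t in local if t.date() in us_holidays(t.year)),
        "by_weekday": dict(Counter(t.strftime("%a") for t in local)),
    }


def best_fit_zone(events_utc, zones=CANDIDATE_ZONES):
    """Candidate zone whose working window explains the largest share of events."""
    scores = {name: profile_activity(events_utc, off)["working_hours_pct"]
              for name, off in zones.items()}
    return max(scores, key=scores.get), scores


if __name__ == "__main__":
    zone, scores = best_fit_zone(SAMPLE_EVENTS_UTC)
    print("best fit:", zone, scores)
    print(profile_activity(SAMPLE_EVENTS_UTC, CANDIDATE_ZONES[zone]))
```

On the constructed sample, US Eastern is the only zone in which most activity falls inside the working window; the same script run over a real incident timeline would need DST-aware zones and a fuller holiday calendar before any attribution weight is put on it.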
10 Comments
themark
It seems like the lack of operations during US holidays would be a big oversight.
vednig
can I comment freely here
rdtsc
> No attacks occurred during Memorial Day and Independence Day holidays which were unique American holidays.
Simple but effective. A good non-NSA agency should also learn from this to be able to effectively false-flag as NSA, as long as they are flexible enough to allow off-hours and overtime pay and remember to respect the US federal holidays.
> Two zero-days were used to breach any company with SunOS-exposed systems in neighbouring countries to China
SunOS? Wonder if it's because it's genuinely used still quite a bit or they simply had zero-days for it since many of those are old and unpatched?
markus_zhang
This is really interesting. I wonder how red-teams in State sponsored teams operate in real life. I guess every one has an NDA, but would love to get a general idea.
I assume it's a jungle out there, so teams need to protect themselves 24/7/365 and I'm surprised to find no activities in holidays.
breppp
It seems like the most efficient way of detecting NSA tools is a regular expression of two all caps dictionary words
motohagiography
glad to see the same basic tradecraft from 90s hacking, only very refined and industrialized. it's a durable skill. the focus on switches and routers is very pro, as they are the most opaque infra with the fewest forensic capabilities. iot is less reliable as RE'ing cheap devices and firmware for IoCs is accessible, where almost nobody outside the IC did core gear (word to phenolit from back in the day tho).
the traffic redirection is interesting in that i would be curious if they rate limited it or used on device selectors in their implant to redirect traffic. the trade off between memory caching packets to sort on selectors vs. stealthy throughput would have been a fun design meeting.
hunting these kinds of actors would be supremely fun. the main thing that protects them is few outside massive bureaucracies really care enough or find it economical, as the rewards are more in finding new zero day and not hunting state level threat actors. the exceptions who do (p0, citizenlab etc) are attached to massive orgs and don't really lend themselves to privateering. amazing write up anyway.
thaumasiotes
> These insights stem from extensive research I did on Weixin
Someone doing extensive research on Weixin might ordinarily realize that it's called "Wechat" in English.
kridsdale1
I love the Windows 98 clip art.
alphalite
I originally came here to comment how crazy it seems that DoD employees at NSA cannot be bothered to cover their tracks by working nonstandard hours/holidays (obviously Mil & Intel folks do this, they even get deployed!). But the thought occurred to me that attribution to NSA was likely a desired outcome here (“We can hack you too”) and there are probably many people at NSA working nonstandard hours/days to prevent attribution.
I think the English language aspect is much more interesting and difficult/impossible to prevent.
quanto
> Chinese cyber organizations openly acknowledge and publicize their partnerships. This openness was particularly interesting to observe and may be influenced by cultural factors, such as the Confucian emphasis on shared knowledge and a political framework that encourages collective efforts.
I or anyone outside obviously cannot verify the technical details. However, the above statement struck me as particularly uninformed. As any engineer in East Asia can tell you, there is nothing especially collaborative about tech in Confucian culture; if anything, the engineers in that region admire the free speech and discussion traditionally prized in Western culture. Calling the Chinese political framework, especially in the context of national security, conducive to open public discussion was quite ironic to see.
source: I regularly work with engineers from that culture.