NSA cyber operations through the eyes of China

10.03.2025 13 minutes Author: Lady Liberty

In this article, we will examine how Chinese cybersecurity organizations analyze and attribute NSA cyberattacks (APT-C-40), known for their Tailored Access Operations (TAO) methodology. By examining Chinese experts’ attribution of NSA cyberoperations, we will attempt to understand the methods used for hacking and espionage, particularly the attack on Northwestern Polytechnical University of China.

An Inside Look at NSA (Equation Group) TTPs Through a Chinese Lens

Australia is part of the Five Eyes alliance, and the discovery of four incidents in which the Chinese group APT41 attacked organisations in ASEAN, viewed against China’s cyber and political strategies, prompted an interest in what China publishes about the alliance’s own operations. That interest led to a review of how Chinese cyber organisations describe the TTPs of the operations they attribute to the NSA, which they track as “APT-C-40”.

The findings are based on extensive research, including intelligence reports published by Chinese companies such as Qihoo 360, Pangu Lab and the National Computer Virus Emergency Response Center (CVERC). It is important to note that the credibility and scope of these allegations remain unverified by independent sources. The aim of the research was to collect and share information that Chinese sources are publishing about NSA cyber operations (APT-C-40) in order to explore possible new detection methods or offensive methods for further research.

During the research, it became clear that the Chinese incident response methodology differs significantly from practices used in the West. This has sparked interest in adapting some aspects of Chinese methods into our own practices. Additional material may be written in the future regarding Chinese reports on CIA cyber operations (APT-C-39) and a third North American group (APT-C-57), which Chinese organizations track separately from the NSA or CIA.

How the NSA allegedly hacked China’s Northwestern Polytechnical University

Northwestern Polytechnical University of China, a leading academic institution specializing in aerospace and defense, was allegedly targeted in 2022 in a sophisticated cyberattack attributed to the NSA group APT-C-40. Reports claim that the attack was carried out by Tailored Access Operations (TAO), a unit of the NSA that allegedly deployed over 40 unique strains of malware for data theft and espionage.

All information about the breach is being publicly disclosed online by Chinese cyber companies Qihoo 360 and the National Computer Virus Emergency Response Center on Weixin.

The attack was publicly announced by the University in a public information post in June 2022 (below). It said that the university received a series of phishing emails to staff and employees.

How did China perform attribution?

Through a joint investigation and forensics at the University, CVERC and 360 identified four IP addresses that the NSA allegedly acquired through two front companies, Jackson Smith Consultants and Mueller Diversified Systems. The four identified IP addresses are listed at the end of this report. CVERC and 360 allege that a TAO employee using the alias “Amanda Ramirez” anonymously acquired them for the NSA’s FoxAcid platform, which was later used in the attack on the University.

CVERC and 360 also alleged that the NSA used a registrar’s anonymous protection services in the United States to anonymize domain names and certificates to prevent them from being requested through public channels.

Investigators from CVERC and 360 were able to trace the attack back to the NSA’s TAO unit through a combination of human error, patterns in their analysis, and tool matches.

1. Attack time

  • One of the frameworks used by TAO, which was discovered in the incident called “NOPEN,” requires human intervention. As such, the majority of attacks required hands-on keyboarding, and analysis of incident timeline data showed that 98% of all attacks occurred between 9:00 AM and 4:00 PM EST (US business hours).

  • There were no cyberattacks on Saturday and Sunday, with all attacks concentrated between Monday and Friday.

  • No attacks occurred during the Memorial Day and Independence Day holidays, which were uniquely American holidays.

  • There were no attacks during Christmas.
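The working-hours inference from the “Attack time” list above, as an added example (not code from the article or from the 360/CVERC reports): it scores a few candidate UTC offsets by how much of the hands-on-keyboard activity falls in a 9:00 to 16:00, Monday to Friday window, and counts activity on the US holidays the article names. The event timestamps are constructed, and the fixed offsets are an assumption that ignores DST.

```python
from collections import Counter
from datetime import datetime, date, timedelta, timezone

# Candidate operator time zones as fixed UTC offsets. Assumption for this example:
# DST is ignored; a real analysis would use zoneinfo. The article's finding is a
# 9:00-16:00 US Eastern, Monday-Friday window.
CANDIDATE_OFFSETS = {"US Eastern (UTC-4, summer)": -4, "Moscow (UTC+3)": 3,
                     "Beijing (UTC+8)": 8}

# US holidays the article names, for the constructed 2021 activity below.
US_HOLIDAYS_2021 = {date(2021, 5, 31), date(2021, 7, 4), date(2021, 12, 25)}

def to_local(ts_utc, offset_hours):
    return ts_utc.astimezone(timezone(timedelta(hours=offset_hours)))

def business_hour_fraction(events_utc, offset_hours, start=9, end=16):
    """Share of events that fall Mon-Fri between start:00 and end:00 local time."""
    hits = 0
    for ts in events_utc:
        loc = to_local(ts, offset_hours)
        if loc.weekday() < 5 and start <= loc.hour < end:
            hits += 1
    return hits / len(events_utc)

def rank_offsets(events_utc, candidates=CANDIDATE_OFFSETS):
    """(label, fraction) pairs, the zone whose business hours fit best first."""
    scored = [(label, business_hour_fraction(events_utc, off))
              for label, off in candidates.items()]
    return sorted(scored, key=lambda s: s[1], reverse=True)

def holiday_activity(events_utc, offset_hours, holidays):
    """Events whose local date is a holiday; zero supports the work-calendar inference."""
    return sum(1 for ts in events_utc if to_local(ts, offset_hours).date() in holidays)

def weekday_histogram(events_utc, offset_hours):
    """Events per local weekday name, to expose a Monday-to-Friday pattern."""
    return Counter(to_local(ts, offset_hours).strftime("%a") for ts in events_utc)

def constructed_events():
    """Constructed sample: sessions at 14:30, 16:30 and 19:30 UTC on June 2021
    weekdays (09:30-15:30 US Eastern summer time) plus one off-hours outlier."""
    events = [datetime(2021, 6, day, hour, 30, tzinfo=timezone.utc)
              for day in (1, 2, 3, 4, 7, 8, 9, 10, 11)   # 5 and 6 June are Sat/Sun
              for hour in (14, 16, 19)]
    events.append(datetime(2021, 6, 2, 2, 0, tzinfo=timezone.utc))
    return events

if __name__ == "__main__":
    ev = constructed_events()
    for label, frac in rank_offsets(ev):
        print(f"{label:28s} business-hours share: {frac:.0%}")
    print("weekday histogram (US Eastern):", dict(weekday_histogram(ev, -4)))
    print("events on US holidays:", holiday_activity(ev, -4, US_HOLIDAYS_2021))
```

On real data the same scoring is run over every whole-hour offset rather than three hand-picked ones, and the weekday histogram is what exposes the Saturday/Sunday gap the article describes.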

2. Keyboard input

  • The attacker used American English.

  • All devices used by the attacker had an English OS and English-language applications.

  • The keyboard used was American.

3. Human errors

  • Due to the length and scope of the incident, when one of the alleged NSA “attackers” attempted to download and run the Pyscript tool, they forgot to change the parameters. This returned an error – the error message revealed the working directory and filename of the attacker’s internet terminal.

  • This was then used to identify that they were running on a Linux system, and the directory “etc/autoutils” is known to be a special directory name for the TAO network attack tools.

  • The error message is: "quantifier follows nothing in regular expression; marked <-- HERE in m/* <-- HERE .log/ in ../etc/autoutils line 4569"

4. The tools were found before the Shadow Brokers leak

  • Northwestern Polytechnic University has allegedly suffered multiple breaches over the years, with several pieces of malware discovered in previous investigations (prior to the Shadow Broker leak) allegedly being the same tools described in the Shadow Broker leak. They did not provide further information on the matter.

5. NSA-related toolkits

  • Forensic analysis revealed 41 different tools and malware samples.

  • 16 of these tools matched the TAO weapons exposed in the Shadow Brokers leak.

  • 23 tools had approximately 97% similarity to the tools in the Shadow Brokers leak.

  • 2 of these tools were not found in Shadow Brokers, but TAO used them in other cyberattacks (according to 360).

Inside the Attack: Alleged NSA TTPs

1. Preparing for the attack

One of the NSA’s main strategies in hacking the university was the use of zero-days. Before launching the attack itself, however, the attackers carried out an extensive preparation phase. Two zero-days were used to compromise organizations with exposed SunOS systems in countries neighboring China. 360 and CVERC did not specify in their reports which vulnerabilities were targeted.

Specifically, the NSA would target any server with high network traffic (i.e. educational institutions and commercial organizations). Once the attack was successful, they would install NOPEN (more on this later) to create a foothold. By deploying zero-days on these systems, they established access to these systems, which would later be used as springboards for the main attack on the university.

In total, 54 relay servers and 5 proxy servers from 17 different countries, including Japan, South Korea, Sweden, Poland, and Ukraine, were used to carry out the attack, with 70% of the attacks coming from countries neighboring China.

The proprietary tool allegedly used in this phase:

  • SHAVER: This tool was used to attack exposed SunOS servers, which were then used as staging servers. It was identified as an automated exploitation tool designed for x86 and SPARC architectures with RPC services enabled.

2. Initial access to the university

To gain access to the network, they used MiTM and sent phishing emails. Around April, phishing emails appeared with links to “research reviews” targeting members of the university (students and faculty). These phishing emails contained malware, and some were designed to steal credentials from these users.

In addition, 360 and CVERC also reported that one of the platforms used was a platform called “FOXACID”, which was part of the Snowden leaks. This platform, according to Wikileaks, 360 and CVERC, is a vulnerability attack platform developed by the NSA to automate the delivery of browser exploits (IE, Chrome, FireFox, Safari, Android Webkit, etc.) to workstations, servers and mobile devices. When a user tries to access a website like Gmail, BiliBili (Chinese YouTube), instead of the normal server response, the response is hijacked to redirect to a server controlled by APT-C-40 (NSA), which injects malware into the user’s browser. Below is a 360 diagram of how this works (I translated it into English using Google).

Qihoo 360 – diagram

The question, then, is how they got user traffic to FOXACID without having already compromised those systems. Judging by the reports, the sequence of events was as follows:

  1. The university’s external servers were compromised, allowing APT-C-40 to infiltrate the environment using a tool called ISLAND (manual exploitation of Solaris systems).

  2. APT-C-40 installed a framework called SECONDDATE, spyware designed to run on network devices (gateways, border routers, and firewalls). The tool has a server side and a control side: the server runs on the network edge device and monitors or spoofs traffic via a driver, its feedback to the controller is encrypted, and the port used is randomized. SECONDDATE has network listening, MiTM, and code injection capabilities and can be combined with other malware for espionage. It is mainly used to capture large volumes of traffic and to forge and misdirect it.

  3. SECONDDATE redirects traffic from users on the university network who access popular sites like BiliBili to the FOXACID platform, which uses the browser on student/staff devices to gain control.

Using this MiTM platform, they allegedly hijacked internal hosts and servers at the university before deploying further tools to remotely control the systems. This allowed them to gain access to basic network equipment, servers, and terminals related to the operation and maintenance of the university network. Interestingly (and this seems to be a pattern), APT-C-40 (according to 360 and CVERC) had a strong interest in network devices such as routers and switches.

The proprietary tools that were allegedly launched include:

  • ISLAND: This tool was allegedly run on external university servers to gain control. It is a manual exploitation tool used to compromise Solaris-based systems.

  • FOXACID: a browser exploitation framework that fingerprints the victim’s browser and deploys a 0-day against it.

  • SECONDDATE: This tool was allegedly used by TAO (NSA) to hack into a university office intranet. The SECONDDATE attribution was discovered through collaboration with other industry partners. They found thousands of network devices running this spyware, from where data was sent back to NSA servers located in Germany, Japan, South Korea, and Taiwan. This tool was used to redirect user traffic to the FOXACID platform.

3. Persistence and lateral movement

After securing initial access, APT-C-40 focused on long-term persistence and lateral movement within the university network. They allegedly employed a combination of backdoors and credential theft techniques to evade detection.

  • SECONDDATE – Backdoor installed on network peripherals such as gateways and border routers to filter and steal massive amounts of data via MiTM. It was placed on university border routers to intercept traffic for redirection to the NSA’s FOXACID platform.

  • NOPEN: Remote control malware that gave NSA operators permanent access to compromised systems. It allowed them to execute files, control processes, execute system commands, and elevate privileges. TAO used this to gain permanent control over core business servers and key network equipment.

  • FLAME SPRAY – Windows-based remote control malware with powerful anti-analysis/anti-hacking capabilities. It can be configured to create various types of servers and works with the “Acid Fox” platform (the Chinese reports’ name for FOXACID) to manage hosts on personal office networks.

  • CUNNING HERETICS: A lightweight implant that established encrypted communication channels for the NSA to remotely reactivate access points even after wipe attempts.

  • STOIC SURGEON: A stealthy backdoor targeting Linux, Solaris, JunOS, and FreeBSD systems that allows the NSA to maintain control while avoiding security checks.

4. Lateral movement techniques

  • APT-C-40 focused on targeting edge network devices. From an IR perspective, this makes perfect sense (no EDR, no logs, no visibility, and different OSes make large-scale investigation incredibly difficult and very manual). At this stage of the attack, they used legitimate credentials to access firewall devices and focused some of their attacks on the university’s telecom operators. This was highlighted by 360 and CVERC as their method of fingerprinting and accessing personal data associated with key researchers.

  • Legitimate credentials: The NSA allegedly used legitimate credentials for Cisco PIX firewalls, Tianrongxin firewalls, and other equipment to penetrate the intranet and to monitor data, SMS gateways, and carriers. They then relied on other tools such as MAGIC SCHOOL to query information on sensitive personnel, encrypt it, and steal it. The query result was saved in var/tmp/.2e434fd8aeae73e1/erf/out/f/ before being encrypted and exfiltrated.

  • Hijacking intranet updaters: The NSA allegedly hacked software update mechanisms to distribute malware disguised as legitimate updates.

  • Credential collection using the DRINKING TEA tool: This tool sniffed SSH, Telnet, and Rlogin passwords used by university IT administrators, giving the NSA full access to internal systems. The NSA allegedly used it to capture command-line activity and the passwords used by university employees during routine work and maintenance. This data was compressed and encrypted for exfiltration using NOPEN. These credentials gave them further access to peripherals and business devices.

  • Hijacking of Border Routers: The NSA installed Second Date spyware on university routers, allowing them to intercept, manipulate, and redirect network traffic.

5. Data theft: theft of critical research and credentials

Once inside, NSA agents allegedly systematically stole classified research data, network infrastructure details, and confidential operational documents.

Exfiltration methods used:

  • BACK ENEMY OPERATION: A set of tools used to query, package, and encrypt stolen data before transferring it to NSA-controlled servers.

  • School of Magic, Clown Food, and Cursed Fire: These NSA tools were specifically designed to extract sensitive files from telecommunications and defense research systems.

  • Use of Proxy Servers and VPNs: To avoid detection, the stolen data was routed through 54 transit servers and proxy nodes in 17 countries, masking the attackers’ true origins.

6. Evasion and anti-forensic measures

To minimize the risks of detection and forensic investigation, the NSA employed several anti-forensic techniques (but most of them are built into the tools and frameworks they used):

  • TOAST BREAD: A log manipulation tool that erases evidence of unauthorized access, including UTMP, WTMP, and LASTLOG files.

  • Encrypted Communications: All NSA tools used encryption, so that traffic to their command and control (C2) servers could not be readily inspected or detected.
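Detecting the kind of wtmp tampering attributed to TOAST BREAD above, as an added example that is not code from the article or the cited reports: it parses a constructed wtmp file using the glibc x86_64 struct utmp layout (an assumption; other platforms differ) and flags zeroed records, timestamps that run backwards, and logouts whose login record has disappeared.

```python
import struct

# glibc x86_64 'struct utmp' (assumed layout): type, pad, pid, line[32], id[4], user[32],
# host[256], exit (2 shorts), session, tv_sec, tv_usec, addr_v6[4], 20 reserved = 384 B.
UTMP_FMT = "<h2xi32s4s32s256shhiii4i20x"
REC_SIZE = struct.calcsize(UTMP_FMT)          # 384
BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 2, 7, 8

def make_record(ut_type, pid, line, ut_id, user, host, tv_sec):
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), ut_id.encode(),
                       user.encode(), host.encode(), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0)

def parse_wtmp(data):
    """Split a wtmp blob into records, keeping all-zero records so wipes stay visible."""
    recs = []
    for off in range(0, len(data) - len(data) % REC_SIZE, REC_SIZE):
        f = struct.unpack(UTMP_FMT, data[off:off + REC_SIZE])
        recs.append({"index": off // REC_SIZE, "type": f[0], "pid": f[1],
                     "line": f[2].rstrip(b"\0").decode(errors="replace"),
                     "user": f[4].rstrip(b"\0").decode(errors="replace"),
                     "time": f[9], "zeroed": not any(data[off:off + REC_SIZE])})
    return recs

def find_anomalies(recs):
    """Findings that point at an edited login history: zeroed records, time going
    backwards, or a logout on a terminal line that never logged in."""
    findings, last_time, open_lines = [], 0, set()
    for r in recs:
        if r["zeroed"]:
            findings.append(f"record {r['index']}: all-zero record (likely wiped login)")
            continue
        if r["time"] < last_time:
            findings.append(f"record {r['index']}: timestamp goes backwards")
        last_time = max(last_time, r["time"])
        if r["type"] == USER_PROCESS:
            open_lines.add(r["line"])
        elif r["type"] == DEAD_PROCESS:
            if r["line"] not in open_lines:
                findings.append(f"record {r['index']}: logout on {r['line']} with no login")
            open_lines.discard(r["line"])
    return findings

# Constructed sample (make_record is only used to build it): boot, a session on pts/0,
# then a session on pts/1 whose login record was zeroed while its logout record survived.
T0 = 1_650_000_000
SAMPLE_WTMP = b"".join([
    make_record(BOOT_TIME, 0, "~", "~~", "reboot", "5.15.0", T0),
    make_record(USER_PROCESS, 1201, "pts/0", "ts/0", "alice", "10.0.0.5", T0 + 600),
    b"\0" * REC_SIZE,
    make_record(DEAD_PROCESS, 1377, "pts/1", "ts/1", "", "", T0 + 2400),
    make_record(DEAD_PROCESS, 1201, "pts/0", "ts/0", "", "", T0 + 3000),
])

if __name__ == "__main__":
    print("\n".join(find_anomalies(parse_wtmp(SAMPLE_WTMP))))
```

Cross-checking the surviving records against lastlog and against authentication logs shipped off-host closes the gap that a local log wiper leaves behind.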

Several important conclusions can be drawn from this study:

There is a clear and structured collaboration among Chinese cybersecurity organizations when handling cases. Unlike Western practice, where industry collaboration is conducted through closed, invitation-only groups, Chinese organizations openly acknowledge and publicize their partnerships. This openness may be driven by cultural factors, including the Confucian emphasis on collective knowledge, as well as a political framework that encourages collaborative efforts. In addition, this collaboration extends beyond the borders of a single country, involving cybersecurity organizations from different states.

In incident response, Western methodologies typically focus on constructing a chronology of attacks, detailing events over time. This includes creating graphs, documenting indicators of compromise (IoCs), and reporting to intelligence teams, often accompanied by verbal debriefings. However, large-scale data analysis using artificial intelligence is not common practice. A key aspect of the Chinese investigation was the extensive use of big data analytics, particularly to monitor “hands-on keyboard” activity. This allowed Qihoo 360 to identify patterns such as a lack of activity on Memorial Day and accurately document the attackers’ work hours, allowing them to isolate activity during business hours Monday through Friday EST.

Attacks on peripherals, IoT, and network devices are becoming the norm. From a threat perspective, this makes sense: most attackers realize that XDR/EDR solutions are deployed on traditional endpoints, which makes peripherals an attractive target for initial access and for maintaining persistence. Protecting against and detecting such threats is challenging due to the diversity of operating systems, proprietary coding practices, and the need for detailed forensic analysis. Focusing on peripherals is not only a trend for the NSA, but a general trend that is likely to continue. Chinese APTs and Russian actors have been observed using similar techniques, including firmware manipulation. It will be interesting to see how this area develops.

Finally, the reports mentioned that most attack frameworks operated in memory, without writing files to disk. This is not a new phenomenon, but it is always interesting to observe investigative and forensic methods.
