[Global Times-Global Network Report, special reporter Yuan Hong] On the 13th, the Global Times learned from the relevant departments that in the cyber attack by the US National Security Agency (NSA) on Northwestern Polytechnical University, the cyber weapon named "drinking tea" was one of the most direct "culprits" behind the theft of a large amount of sensitive data. In response, cyber security experts recommend that domestic products and "zero trust" security solutions be chosen when building information systems.
On September 5, the relevant Chinese departments announced that the overseas cyber attack Northwestern Polytechnical University had previously reported was carried out by the Office of Tailored Access Operations (TAO) of the US National Security Agency (NSA). Since then, the National Computer Virus Emergency Response Center and Beijing Qi'an Pangu Laboratory have further analyzed the intrusion. The latest investigation report makes public the technical details of the US attack: among the 41 kinds of cyber weapons used, the sniffing and secret-stealing weapon named "drinking tea" was one of the most direct "culprits" behind the theft of a large amount of sensitive data.
According to the cyber security experts, TAO implanted the sniffing and secret-stealing tool "drinking tea" into internal network servers of Northwestern Polytechnical University and used it to steal login passwords for remote management and remote file transfer services such as SSH. With these credentials it gained access to other servers on the intranet, moved laterally across the intranet, and delivered other cyber weapons for sniffing and secret-stealing, persistent control and trace elimination to other high-value servers, resulting in the large-scale and persistent theft of sensitive data.
Technical analysis shows that "drinking tea" not only steals the account passwords of various remote management and remote file transfer services on a server, but is also highly concealed and adaptable to its environment. According to the experts, once implanted in a target server or network device, "drinking tea" disguises itself as a normal background service process and delivers its malicious payloads in stages in a modular way, which makes it very concealed and hard to find. It runs covertly on the server, monitors in real time what the user types into the terminal program of the operating system console, and intercepts all kinds of user names and passwords from that input, like a "peeping Tom" standing behind the user. The experts said: "Once TAO obtains these user names and passwords, they can be used for the next stage of the attack, that is, using them to access other servers and network devices and then stealing files from those servers or delivering other cyber weapons."
Technical analysis also shows that "drinking tea" can be effectively integrated and linked with other NSA cyber weapons to achieve "seamless docking". In February of this year, Beijing Qi'an Pangu Laboratory publicly disclosed a technical analysis of the exclusive top-tier weapon of Equation, the hacking organization affiliated with the NSA: the Bvp47 backdoor, used in the attack activities that Qi'an Pangu named "Telescreen Action". In TAO's cyber attack on Northwestern Polytechnical University, the "drinking tea" sniffing tool cooperated with other components of the Bvp47 Trojan to carry out a joint attack. According to the introduction, the Bvp47 Trojan has extremely high technical complexity, architectural flexibility and very strong anti-analysis and anti-forensics countermeasures. It is used to spy on and control the information network of the victim organization and, in cooperation with the "drinking tea" component, to secretly steal important data. Among these, the "drinking tea" sniffing Trojan lurks in the victim institution's information system and is responsible for listening for, recording and sending back its "spoils": the account names and passwords used by the victim, whether on the intranet or the extranet.
The report also points out that, as the investigation deepened, the technical team found traces of "drinking tea" attacks in the networks of other institutions beyond Northwestern Polytechnical University, and it is likely that TAO used "drinking tea" to launch a large-scale cyber attack on China.
It is worth noting that American IT industry giants have repeatedly appeared in the many cyber attacks carried out by the United States against other countries. For example, in the "Prism" project, the US intelligence agencies held senior administrator privileges and could access the servers of Microsoft, Yahoo, Google, Apple and other companies at any time to secretly mine data over a long period. Among the Equation hacking tools published by the Shadow Brokers, there were many "zero-day vulnerabilities" or backdoors in products of Microsoft, Cisco and even some Internet service providers in China. "The United States is taking advantage of its leading position in network information system software and hardware, and with the full cooperation of American IT industry giants, is using a variety of cutting-edge cyber weapons to launch indiscriminate cyber attacks on a global scale and continuously steal the account passwords of Internet devices around the world, so that it can at any time 'legally' log in to victim information systems and carry out larger-scale theft or even sabotage. Its cyber hegemonic behavior is undoubtedly exposed." Therefore, cyber security experts advise users to harden key servers, especially network operation and maintenance servers, to change the administrator passwords of servers and network devices regularly, to strengthen the auditing of intranet network traffic, and to find abnormal remote access requests in time. At the same time, when building information systems, it is suggested to choose domestic products and "zero trust" security solutions. ("Zero trust" is a new generation of network security protection concept: by default, it trusts no person, device or system inside or outside the enterprise network.)
The expert further pointed out that whether it is data theft or system destruction, cyber attacks cause great damage to cyberspace and even the real world, especially attacks on critical information infrastructure. "Cyberspace is largely a mapping of physical space, and the ease with which network activities cross national borders makes it the front line of continuous struggle. Without network security there is no national security. Only by developing our own asymmetric competitive advantage in science and technology can we establish an independent network protection and confrontation capability that belongs to China."
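The traffic auditing the experts recommend can start from the login records themselves. The following script is an added example, not part of the report or of any vendor's tooling: it parses constructed sshd "Accepted" lines collected from several intranet hosts (hostnames, user names and addresses are made up) and flags any user/source pair whose password logins reach several different hosts within a short window, the fan-out pattern that stolen SSH credentials produce during lateral movement.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines: syslog-style sshd "Accepted" events gathered from several
# intranet hosts (the hostname is the third field). All values are made up for this example.
SAMPLE_LOGS = """\
Sep 10 02:11:03 db01 sshd[4121]: Accepted password for opsadmin from 10.20.1.15 port 50112 ssh2
Sep 10 02:11:40 web02 sshd[887]: Accepted password for opsadmin from 10.20.1.15 port 50118 ssh2
Sep 10 02:12:05 file01 sshd[2210]: Accepted password for opsadmin from 10.20.1.15 port 50131 ssh2
Sep 10 02:12:59 mail01 sshd[3317]: Accepted password for opsadmin from 10.20.1.15 port 50140 ssh2
Sep 10 09:30:00 web02 sshd[901]: Accepted publickey for deploy from 10.20.0.9 port 41000 ssh2
Sep 10 09:45:12 db01 sshd[4190]: Accepted password for opsadmin from 10.20.0.9 port 41022 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+) port \d+ ssh2$"
)

def parse_accepted(lines, year=2022):
    """Yield (timestamp, target_host, user, src_ip, method) for each successful sshd login."""
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated syslog lines are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["host"], m["user"], m["src"], m["method"]

def find_fanout(lines, window_minutes=10, min_hosts=3):
    """Return {(user, src_ip): [hosts]} for pairs whose password logins reach at least
    min_hosts distinct hosts inside a sliding window of window_minutes."""
    events = defaultdict(list)
    for ts, host, user, src, method in parse_accepted(lines):
        if method == "password":  # stolen passwords are the concern here, not key logins
            events[(user, src)].append((ts, host))
    alerts = {}
    for key, evs in events.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):
            hosts = {h for t, h in evs[i:] if (t - t0).total_seconds() <= window_minutes * 60}
            if len(hosts) >= min_hosts:
                alerts[key] = sorted(hosts)
                break
    return alerts

if __name__ == "__main__":
    for (user, src), hosts in find_fanout(SAMPLE_LOGS).items():
        print(f"ALERT: {user} from {src} logged into {len(hosts)} hosts: {', '.join(hosts)}")
```

In a real deployment the lines would come from a central syslog collector, and the threshold should be tuned against the normal fan-out of legitimate jump hosts.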