China Accuses NSA’s TAO Division of Hacking Military Research University

China Accuses NSA of Cyber Attacks Targeting Military University

In a significant escalation of cybersecurity tensions, China has leveled accusations against the U.S. National Security Agency (NSA) for conducting multiple cyberattacks on Northwestern Polytechnical University, a prominent military research institution located in Xi’an. Authorities assert that these attacks occurred in June 2022 and were aimed specifically at the university’s aeronautical and military research objectives.

The National Computer Virus Emergency Response Centre (NCVERC) recently released findings detailing the attacks, claiming that the NSA’s Tailored Access Operations (TAO) unit was behind these malicious activities. The report outlines that thousands of cyberattacks targeted various Chinese entities, with claims that the NSA manipulated extensive network devices such as servers, terminals, and routers to gain unauthorized access. This reportedly resulted in the theft of over 140GB of sensitive data.

The U.S. Department of Justice has characterized Northwestern Polytechnical University as a “Chinese military university” that collaborates closely with the People’s Liberation Army on advancing military technologies. In describing the attack chain, the Department noted that at least 40 distinct cyber weapons were employed to extract critical information such as passwords, network configurations, and operational data.

Particularly alarming was the revelation that TAO used two zero-day exploits against the Unix-based SunOS operating system, allowing it to breach educational and commercial servers. The attack was routed through proxy servers located in several countries, including Japan, South Korea, and Ukraine, which helped obscure the operation’s origin. This layered approach raises concerns about the NSA’s ability to anonymize activity that might otherwise be traceable.

Alongside the OPEN Trojan, a suite of malware, including “Fury Spray,” “Cunning Heretics,” “Stoic Surgeon,” and “Fox Acid,” was reportedly used to maintain prolonged control over compromised systems and to exfiltrate sensitive data. These tools point to a strategic focus on persistence and privilege escalation, both key adversary tactics as defined in the MITRE ATT&CK framework, and indicate a coordinated effort aimed not just at immediate gains but at long-term operational control.

Spokesperson Mao Ning voiced strong concerns over U.S. actions, stating that such behavior compromises China’s national security and risks the personal information of its citizens. This statement follows a pattern of accusations from China aimed at the U.S. for its cyber espionage activities, with this case representing the latest incident in an ongoing narrative of mutual distrust regarding cybersecurity practices.

Throughout recent months, previous disclosures from Chinese cybersecurity entities have uncovered additional instances of alleged U.S. cyber activities, including a backdoor called Bvp47 linked to global attacks and a malware platform named Hive attributed to the CIA. These revelations further emphasize the increasing scrutiny of U.S. cyber operations on an international scale.

The recent accusations by China illustrate the growing complexity of global cybersecurity threats and the potential for conflict to escalate through cyber operations. The attention these incidents attract underscores the need for U.S.-based organizations to remain vigilant against cybersecurity risks that may arise from geopolitical tensions.

As this story unfolds, organizations should familiarize themselves with the tactics likely used in these attacks, as catalogued in the MITRE ATT&CK framework, and reinforce their defenses accordingly against a backdrop of evolving threats.