New evidence: the identity of the mysterious hackers behind the cyberattack on NPU has been pinned down
Recently, the National Computer Virus Emergency Response Center (CVERC) and the company 360 carried out a technical analysis of a piece of spyware named SecondDate (二次约会). The analysis report shows that the software is a cyber espionage weapon developed by the US National Security Agency (NSA).
Image source: CCTV News
During the investigation of the cyberattack against Northwestern Polytechnical University (NPU), a leading Chinese aviation university, China has successfully extracted multiple samples of the spyware named SecondDate, and with the collaborative efforts of partners in various countries, the real identity of the US' National Security Agency (NSA) personnel responsible for launching the cyberattack on NPU has been successfully identified, Global Times learnt from National Computer Virus Emergency Response Center (CVERC) and Chinese internet security company 360 on Thursday.
In June 2022, NPU issued a public statement saying that it had been subjected to a cyberattack, with a hacker organization from overseas attempting to steal relevant data. China subsequently determined that the mastermind behind the cyberattack was the Office of Tailored Access Operations (TAO, code S32) under the Data Reconnaissance Bureau (code S3) of the Information Department (code S) of the NSA.
According to internal NSA documents leaked by the group "Shadow Brokers," SecondDate is a cyber weapon developed by the NSA. It is primarily deployed on target network boundary devices such as gateways, firewalls and edge routers, where it covertly monitors network traffic and, as needed, precisely selects specific network sessions to redirect, hijack or tamper with.
Image source: CCTV News
The latest information shows that, in the course of investigating the NPU cyberattack case, the CVERC and 360 successfully extracted multiple samples of the spyware and identified the true identity of the NSA personnel behind this cyber espionage operation.
Subsequent technical analysis found that the spyware is a highly sophisticated cyber espionage tool. Its developers must have a very deep grounding in network technology, particularly network firewall technology. The implant is almost equivalent to fitting the target network device with a content-filtering firewall and a proxy server, allowing the attacker to take complete control of the device and of the network traffic passing through it. This lets the attacker carry out long-term data theft against other hosts and users in the target network, and use the device as a "forward base" from which more cyberattack weapons can be delivered into the target network at any time.
The spyware is usually used together with TAO's various exploitation tools for vulnerabilities in firewalls and routers: once an exploit succeeds and the corresponding privileges are obtained, the spyware is implanted into the target device. Its control architecture is split into a server side and a control side. The server side is deployed on the target network boundary device (gateway, firewall, edge router and the like) and monitors and filters all traffic in real time through low-level drivers. The control side triggers the activation mechanism by sending a specially constructed packet; the server side then parses a callback IP address out of the activation packet and actively connects back to it. The network connection uses UDP, the communication is encrypted throughout, and the communication port is random. The control side can remotely configure the server side's working mode and hijacking targets, choosing any target within the network for a man-in-the-middle attack as required.
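A defender-side heuristic for the activate-then-call-back behaviour described above, added here as an example and not code from the page, the report or the vendors: it scans constructed flow records for an unsolicited inbound packet to the boundary device followed shortly by a new outbound UDP flow from that device to an external host it has not spoken to before. The edge address, internal range, time window and record layout are assumptions.

```python
import ipaddress
from typing import List, NamedTuple, Tuple

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range
EDGE_IP = "203.0.113.1"                         # assumed boundary-device address
WINDOW = 60                                      # assumed max seconds from activation to call-back

class Flow(NamedTuple):
    ts: int      # seconds
    src: str
    dst: str
    proto: str
    dport: int

def is_internal(ip: str) -> bool:
    return ipaddress.ip_address(ip) in INTERNAL

def find_callback_candidates(flows: List[Flow], edge_ip: str = EDGE_IP,
                             known_peers: Tuple[str, ...] = (),
                             window: int = WINDOW) -> List[Tuple[Flow, Flow]]:
    """Pair each new outbound UDP flow from the edge device to an unknown external host
    with an unsolicited inbound packet received up to `window` seconds earlier. The
    call-back IP is parsed from the activation packet, so it need not match that sender."""
    peers = set(known_peers)            # external hosts the device legitimately talks to
    recent_inbound: List[Flow] = []
    hits: List[Tuple[Flow, Flow]] = []
    for f in sorted(flows, key=lambda x: x.ts):
        if f.dst == edge_ip and not is_internal(f.src):
            recent_inbound.append(f)    # candidate activation packet
        elif f.src == edge_ip and f.proto == "udp" and not is_internal(f.dst):
            if f.dst not in peers and f.dport >= 1024:   # unseen peer, random-looking port
                trigger = next((i for i in recent_inbound if 0 <= f.ts - i.ts <= window), None)
                if trigger is not None:
                    hits.append((trigger, f))
            peers.add(f.dst)
    return hits

# Constructed sample flow records (not from the page).
SAMPLE = [
    Flow(110, "198.51.100.20", EDGE_IP, "udp", 500),  # known VPN peer
    Flow(111, EDGE_IP, "198.51.100.20", "udp", 500),  # reply to the known peer
    Flow(200, "192.0.2.9", EDGE_IP, "udp", 40001),    # unsolicited inbound packet
    Flow(203, EDGE_IP, "192.0.2.77", "udp", 51888),   # new outbound UDP to an unseen host
]
KNOWN_PEERS = ("198.51.100.20",)
if __name__ == "__main__":
    for trigger, callback in find_callback_candidates(SAMPLE, known_peers=KNOWN_PEERS):
        print(f"possible activation at t={trigger.ts} from {trigger.src}, "
              f"call-back at t={callback.ts} to {callback.dst}:{callback.dport}")
```

Because the communication port is random and the payload encrypted, the heuristic keys on the sequence and the novelty of the peer rather than on any signature; tune the window and the peer allow-list to the device's normal traffic.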
According to relevant sources, the Chinese side and its industry partners conducted technical investigations worldwide. Tracing the attack layer by layer, they discovered the spyware and its derivative versions still running covertly on thousands of network devices spread across multiple countries and regions, and also found jump servers remotely controlled by the NSA; these countries and regions include Germany, Japan, South Korea, India and China's Taiwan region.
"With the strong collaboration of partners in multiple countries, we have made significant breakthroughs and have successfully identified the true identity of the NSA personnel responsible for launching cyberattacks against NPU."
The successful extraction of the spyware samples and the tracing work that followed further demonstrate China's determination to prevent and defend against US government cyberattacks and to safeguard global cyber security. Making the details of the US government's cyber crimes known to the world also proves that China has a "visible" foundation in cyber technology, one that can more effectively help China and other nations perceive risks, see threats and resist attacks, bringing state-backed hacker attacks into the light.
Relevant sources told the Global Times that the real identities of the NSA personnel who carried out the cyberattack will be disclosed through the media in due course. This is expected to once again draw global public attention to the US government's wanton cyberattacks on other countries.
Source: huanqiu.com (Global Times)