Skip to content

Search the site

China details custom offensive tools, says NSA hacked “tens of thousands of devices”

Multiple versions of "Stoic surgeon" backdoor used in attack says CVERC

China claims the US’s National Security Agency (NSA)’s “Office of Tailored Access Operations” (TAO) carried out “tens of thousands of malicious network attacks on network targets in China, and controlled tens of thousands of network devices” as well as breaching a university – Northwestern Polytechnical University, which operates a government-backed aeronautics programme – with a range of custom offensive security tools.

The university is governed by China’s Ministry of Industry and Information Technology and describes itself has having "programmes in aeronautics, astronautics, and marine technology engineering... [and] strong programmes in materials, mechanical engineering and mechanics, as well as computer science."

The report, posted Monday (September 5) by China’s National Computer Virus Emergency Response Center (CVERC) said TAO had “successively used 41 kinds of NSA's special network attack weapons and equipment in the network attack [on the university]”, citing names like “Sour Fox” and “Cunning Heresy” – the TAO used 12 different versions of a single backdoor, called “Stoic Surgeon” in the attacks on the university, it claimed.

These included tools ("Nopen" that can carry out "precise filtering and automatic hijacking of massive data traffic to achieve man-in-the-middle attack functions" and "Second date" which CVERC said can "receive commands through encrypted tunnels to perform file management, process management, system command execution and other operations" as well as a tool dubbed "Drinking tea" which it said can "obtain account passwords exposed by various remote login methods such as ssh, telnet, and rlogin by sniffing inter-process communication."

See also: 7 free cybersecurity tools Blue Teams should know

The TAO has “stolen over 140 gigabytes of high-value data” CVERC said in the report, co-authored by the private Chinese cybersecurity firm Qihoo 360. Although CVERC posted some details on the offensive security tools and approach allegedly used by TAO in a highly public bid to demonstrate that it had blown the operation, it did not provide a meaningfully detailed breakdown on the campaigns or Indicators of Compromise (IOCs).

The report is one China’s most open acknowledgements yet that it has faced sustained breaches by western intelligence agencies and comes as the US and allies have taken an increasingly public approach to attributing campaigns by foreign Advanced Persistent Threat (APT) groups backed by nation states. These efforts have included detailing Tools, Techniques and Procedures (TTPs) and releasing indictments that often name and include photographs of alleged members of foreign hacking groups who have launched attacks on US targets.

The NSA, CISA and FBI on July 19, 2021 detailed over 50 TTPs used by China’s state-sponsored hackers, warning starkly that the threat groups often exploit public security vulnerabilities “within days of their public disclosure” including in Pulse Secure, Apache, F5 Big-IP, and Microsoft products. The TTPs and attribution come the same day that a US Department of Justice indictment named four Chinese nationals working with the Ministry of State Security for a sweeping espionage campaign between 2011 and 2018 that targeted countries around the world — including the UK — to steal data on “aviation, defense, education, government, health care, biopharmaceutical and maritime. China did not name any TAO operatives in today’s report.

Follow The Stack on LinkedIn