According to CCTV News, on September 5 the National Computer Virus Emergency Response Center and 360 each released investigation reports on the foreign cyberattack against Northwestern Polytechnical University. The investigation found that the Office of Tailored Access Operation (TAO), a unit of the US National Security Agency (NSA), has carried out tens of thousands of malicious cyberattacks on network targets in China over many years, taken control of related network equipment, and is suspected of stealing high-value data.
The National Security Agency of the United States is responsible for the cyberattack on the e-mail system of Northwestern Polytechnical University in Xi'an, Shaanxi province, China's National Computer Virus Emergency Response Center reported on Monday, following the conclusion of the initial investigation.
Video source: CCTV News
Northwestern Polytechnical University, the target of this attack, is located in Xi'an, Shaanxi province, and is administered by the Ministry of Industry and Information Technology. It is a multidisciplinary, research-oriented, open university, and is currently one of China's key universities for engineering education and scientific research in aeronautics, astronautics and marine engineering.
The news drew wide attention from internet users; beyond the attack itself, many also took note of the NSA unit that carried it out.
Addendum: the Foreign Ministry spokesperson's response on the 5th:
NPU's information systems hit by cyberattack
In April this year, public security authorities in Xi'an received a report of a cyberattack: traces of an intrusion had been found in Northwestern Polytechnical University's information systems. On June 22, the university issued a public statement saying that overseas hacker groups and criminals had sent phishing emails containing Trojan programs to its faculty and students in an attempt to steal their email data and personal information.
Song Qiang, deputy director of the university's Informatization Construction and Management Office and head of its Information Center, told CCTV News that Trojan programs had been found on the university's systems attempting to gain unauthorized privileges, creating a major security risk for the university's normal work and daily life.
On June 22, the university announced that it had found phishing emails in the guise of research reviews, invitations to academic events and opportunities to study abroad that contained Trojan horse programs, which had been sent to teachers and students at the university in an attempt to steal their data and personal information.
The Beilin branch of the Xi'an Public Security Bureau then issued a police bulletin confirming that several Trojan samples of overseas origin had been found in the university's information network, and that Xi'an police had formally opened an investigation into the case.
An initial investigation found that the cyberattack was carried out by overseas hackers and has posed a grave threat to the university's information system, putting the personal data of students and teachers at risk. Phishing emails and their Trojan horse programs used in the attack have been obtained as key evidence, local police said.
The National Computer Virus Emergency Response Center and 360 formed a joint technical team that took part in the technical analysis of the case throughout. The team extracted several Trojan samples from the university's information systems and internet terminals. Using domestic data resources and analysis methods, and with strong support from partners in some European and South Asian countries, it fully reconstructed the overall picture of the attack, its technical characteristics, the weapons used, the attack paths and the source of the attack, and made a preliminary determination that the activity originated from the NSA's Office of Tailored Access Operation.
By extracting samples of Trojan horse programs from the university's internet terminals with the support of European and South Asian partners, the technical team was able to initially identify that the cyberattack had been conducted by TAO (Code S32) under the Data Reconnaissance Bureau (Code S3) of the Information Department (Code S) of the NSA, it added.
Image source: CCTV News
The investigation also found that in recent years TAO has carried out tens of thousands of malicious cyberattacks on network targets in China, taking control of tens of thousands of network devices, including web servers, internet terminals, network switches, telephone switches, routers and firewalls, and stealing more than 140GB of high-value data. In its attack on Northwestern Polytechnical University, TAO used 41 of the NSA's specialized cyberattack weapons.
Furthermore, the investigation has shown that the case is just one of tens of thousands of cyberattacks launched by the NSA's Office of Tailored Access Operation — a cyberwarfare intelligence-gathering unit — on targets in China in recent years. The malicious attacks have resulted in the leak of more than 140GB of high-value data, the center said. During the attack targeting the university's computer network, more than 40 different cyberattack weapons were used to steal core technology data, including key network equipment configurations, network management data, and core operational data.
The technical team divided the weapons used in this attack into four categories:
1. Vulnerability exploitation and initial-breach weapons;
2. Persistent-control weapons;
3. Sniffing and data-theft weapons;
4. Covert trace-removal weapons.
In its attack on Northwestern Polytechnical University, TAO used 54 jump hosts and proxy servers, mainly distributed across 17 countries including Japan, South Korea, Sweden, Poland and Ukraine; about 70% were located in countries neighboring China, such as Japan and South Korea. The jump hosts used to hide the real source IP addresses were carefully selected: all of them belonged to countries outside the Five Eyes alliance.
In addition, 54 jumpers and proxy servers in 17 countries were used in the attack, about 70 percent of which were based in countries near China, including Japan and South Korea, the center said.
The network resources used by the attack platform targeting the university included proxy servers: through two secretly established cover companies, the NSA purchased IP addresses in Egypt, the Netherlands, Colombia and elsewhere and rented a number of servers.
Exposing the Office of Tailored Access Operation
According to the investigation report, TAO has not only carried out malicious cyberattacks on key enterprises and institutions in China, but has also long conducted indiscriminate voice surveillance of Chinese mobile phone users, illegally stolen the contents of their text messages and tracked their locations wirelessly.
TAO was founded in 1998, and its forces are deployed mainly through the NSA's cryptologic centers in the United States and Europe. It is the US government's tactical unit dedicated to large-scale cyberattacks and data theft against other countries, and consists of more than 1,000 military personnel, technicians, hackers, hardware and software designers and other civilian staff.
TAO is the largest and most important part of the intelligence division of the NSA. Founded in 1998, the main responsibility of TAO is to use the internet to secretly access insider information of its competitors, including secretly invading target countries' key information infrastructure to steal account codes, break or destroy computer security systems, monitor network traffic, invade privacy and steal sensitive data, and gain access to phone calls, emails, network communications and messages. The various departments of TAO are composed of more than 1,000 active military personnel, network hackers, intelligence analysts, academics, computer hardware and software designers, and electronics engineers.
The six cryptologic centers made public so far are:
1. NSA headquarters at Fort Meade, Maryland;
2. NSA Hawaii Cryptologic Center (NSAH) on Oahu;
3. NSA Georgia Cryptologic Center (NSAG) at Fort Gordon;
4. NSA Texas Cryptologic Center (NSAT) in San Antonio;
5. NSA Colorado Cryptologic Center (NSAC) at Buckley Air Force Base, Denver;
6. NSA Europe Cryptologic Center (NSAE) at the US military base in Darmstadt, Germany.
Image source: CCTV News
The NSA's operation against Northwestern Polytechnical University was code-named "shotXXXX" (阻击XXXX). During the data theft, the head of TAO was Robert Edward Joyce. Born on September 13, 1967, he joined the NSA in 1989. He previously served as deputy director of TAO and was its director from 2013 to 2017. In October 2017 he became acting US Homeland Security Advisor; from April to May 2018 he served as White House State Security Advisor, after which he returned to the NSA as senior advisor to the NSA director on cybersecurity strategy. He now heads the NSA's Cybersecurity Directorate.
The cyberattack operation was code-named "shotXXXX" by the NSA under the direct command of the head of TAO.
TAO was headed by Rob Joyce. Born September 13, 1967, he attended Hannibal High School and graduated from Clarkson University with a bachelor’s degree in 1989 and Johns Hopkins University with a master’s degree in 1993. He joined the NSA in 1989 and served as Deputy Director of TAO from 2013 to 2017. He began serving as Acting US Homeland Security Advisor in October 2017. From April to May 2018, he served as the State Security Advisor to the White House, and then returned to the NSA as the Senior Advisor to the Director of Cybersecurity Strategy of the NSA. He now serves as the Director of Cybersecurity.
Image source: CCTV News
According to the report, technical analysis and tracing identified 13 people in the United States who directly launched cyberattacks on China, along with more than 60 contracts that the NSA signed with US telecom operators through cover companies to build the cyberattack environment, and more than 170 electronic documents.
Thirteen people from the US have been found to be directly involved in the attack, and 170 electronic documents and 60 contracts between the NSA and American telecom operators were arranged through a cover company to create an environment for cyberattacks.
Sources: CCTV News, China Daily, Global Times