China’s top cybersecurity authority has accused the US National Security Agency (NSA) of stealing information from a top Chinese university through a trojan virus, an allegation that threatens to escalate already high and rising bilateral tensions.
China’s National Computer Virus Emergency Response Center (CVERC) claimed in a recent report that NSA’s Office of Tailored Access Operation (TAO) had used a cyber weapon known as “Suctionchar” to take control of computer servers at Northwestern Polytechnical University (NPU) in the city of Xi’an.
The CVERC claims to have analyzed over 1,000 NSA cyberattacks on the university and said in a statement that it hoped nations worldwide could use the analysis to prevent themselves from being attacked by the US.
China’s foreign ministry, meanwhile, urged the US to immediately stop infringing on the technology secrets of Chinese institutions and offer a responsible explanation for the alleged cyberattacks. The NSA, an intelligence arm of the US Department of Defense, has not responded to the accusations.
According to the CVERC, the attacks have been ongoing for a long period but were only discovered in June this year by Northwestern Polytechnical University (NPU), which specializes in aeronautical, astronautical and marine engineering research and works closely with China’s defense industry.
On June 22, NPU said it had called the police after it found malware and trojan viruses in its computer servers with the help of Qihoo 360, a Chinese internet security company that develops and sells antivirus software programs.
The CVERC released three separate reports on the alleged NSA attacks in September and accused the NSA-affiliated TAO of attacking the university with 41 types of “cyber weapons.”
In a report released on September 5, the CVERC said TAO had launched more than 10,000 attacks on China’s computer networks in recent years and supposedly controlled tens of thousands of servers, terminals, telephones, routers and firewalls across the country.
It claimed TAO had stolen 140 gigabytes of high-value data from China over the years and identified 13 people by name in the US who allegedly launched or were somehow responsible for the attacks.
The CVERC claimed TAO had used 54 so-called “jump servers” in 17 countries, 70% of which were based near China, including in Japan and South Korea, to attack NPU.
First, the CVERC claimed TAO used platforms such as “Foxacid,” “Ebbisland” and “ebbshave” to penetrate NPU’s computer system. Then the NSA allegedly used trojan viruses such as “NOPEN,” “Seconddate” and “DanderSpritz” to seize control of the university’s servers and core network facilities.
After that, spyware such as “Suctionchar” and “Enemyrun” was released on NPU’s computers to steal user passwords. Finally, malware including “Toast” was used to clean and erase any cyber tracks of the attacks.
The CVERC said Robert Edward Joyce, a former deputy director at TAO and the current director of the NSA’s Cybersecurity Directorate, was in charge of all the attacks. Joyce has not publicly commented on the allegations and Asia Times could not immediately contact him for comment.
On September 13, the CVERC published a more detailed report about how “Suctionchar” was used to steal login information from NPU’s computer users. On Tuesday, it released an updated report on its investigations into the cyber-attacks and said that many pieces of evidence showed the NSA had initiated them.
CVERC said all the attacks were launched during working hours in the US while the attackers used American English, keyboards and codes. It pointed to one case where the alleged NSA attacker made a mistake by leaving traces after using the trojan virus NOPEN. It added that most “cyber weapons” used in the attacks were similar to known NSA tools.
Mao Ning, a Chinse foreign ministry spokesperson, said in a media briefing on September 5: “The US’s behavior poses a serious danger to China’s national security and citizens’ personal information security. China strongly condemns this and asks the US side to offer an explanation and immediately stop its unlawful moves.”
Mao said on September 13 that China had asked the US via various channels to explain its “malicious cyberattacks” and immediately stop its “unlawful behavior” but had yet to receive any substantive response from the contacted US units and agencies.
It is not the first time that the CVERC or Chinese officials have accused the US Central Intelligence Agency (CIA) and NSA of targeting China with cyberattacks.
In a June 29 report, the CVERC said “Foxacid” remained one of the NSA’s main platforms for launching cyber-attacks globally, particularly against China and Russia. It likened Foxacid and related malware to a “black hole in the universe” that could suck information from all kinds of connected devices.
The report said it was able to analyze the Foxacid platform as it used the highly-classified information leaked by Edward Snowden, the renowned whistleblower former NSA employee and subcontractor.
In May 2013, Snowden fled to Hong Kong and leaked thousands of NSA documents that showed how the NSA and its associated “Five Eyes” intelligence alliance operated online surveillance programs worldwide. He later moved to Russia to escape prosecution in the US.
Snowden was granted permanent residency in Russia in 2020 and this month was granted Russian citizenship by President Vladimir Putin.
The Global Times, a mouthpiece of the Chinese Communist Party, in a commentary on September 29 criticized the US DoD for treating cyberspace as a “fifth battlefield”, along with land, sea, air and space.
It said the US used malware to attack other countries’ computer networks in order to maintain its cyber hegemony and called on countries to join together to fight against US cybersecurity threats.
Follow Jeff Pao on Twitter at @jeffpao3