China Accuses NSA of Spying on State Aeronautics University

We're Not the Cyber Baddies, You're the Cyber Baddies, Says China
China Accuses NSA of Spying on State Aeronautics University
The Forbidden City in Beijing, China. (Image: Colin Capelle / CC BY 2.0)

The Chinese government renewed accusations of cyberespionage by the United States in an ongoing campaign attempting to reframe the international narrative about Beijing's cyber activities.

See Also: Live Webinar Today | How To Meet Your Zero Trust Goals Through Advanced Endpoint Strategies

Whether through state-controlled media or Chinese cybersecurity companies, Beijing this year has publicized multiple instances of hacking it says originate with the U.S. National Security Agency, most recently in a National Computer Virus Emergency Response Center bulletin published on Monday, linking a cyberattack at Northwestern Polytechnical University with the secretive American signals intelligence agency. The Xi'an-based institution conducts aerospace and space research and has ties with the Chinese military.

The bulletin says Chinese state researchers worked with state-linked cybersecurity firm Qihoo 360 to identify an attack they attribute to the NSA Office of Tailored Access Operations. The agency used more than 40 different hacking tools to penetrate the university's network, it says.

The analysis comes after Xi'an Public Security Bureau released a statement stating it encountered an "overseas" actor sending phishing emails linked to Trojan horses to university students and teachers.

Its publication comes at a moment of heightened tension between China and the United States after U.S. House Speaker Nancy Pelosi visited Taiwan in August (see: Chinese Phishing Campaign Targets Victims in South China Sea). A U.S. strategy of engagement has given away over the past half-decade to the more guarded approach of technological decoupling and restrictions against technology transfers combined with revitalized domestic manufacturing and research and development in high-tech industries.

A spokeswoman for the Ministry of Foreign Affairs condemned the hacks during a Monday daily press conference, calling them "unlawful," according to the official transcript.

Chinese state media outlet Global Times scooped further details, saying that it learned "from a source" that the NSA named the university hacks "shotXXXX."

China Objects to Its Superhacker Reputation

The pattern of state-media news media coverage and official condemnation and social media activity matches earlier Chinese campaigns to highlight U.S. cyber activities. Albert Zhang, a researcher with the Australian Strategic Policy Institute, told Vice he had detected hundreds of inauthentic Chinese state-linked social media accounts sharing statements and memes blaming the NSA for the cyberattack even before publication of the National Computer Virus Emergency Response Center's bulletin.

"The Chinese decided a little while ago that they needed to push back on the global perception that China is the world's biggest cyberspy. That annoys them tremendously," says James Lewis, a senior vice president at Washington-based think tank the Center for Strategic and International Studies.

All countries engage in espionage, but China's efforts are distinguished by decades of snooping on Western corporations and governments in a bid to obtain intellectual property. Chinese President Xi Jinping pledged during a 2015 White House meeting to stop economic espionage, an agreement that experts say mainly caused Chinese hacking to be conducted more carefully.

Beijing has difficulty seeing a difference between national security and economic espionage, Lewis tells Information Security Media Group. That means the Chinese publicity campaign against the NSA will accomplish little in shaping perceptions. "Everybody knows that if your industries are at risk, it's China that's behind it," he says.

"You can show economic costs from Chinese espionage, and you can't do that from American espionage."

The NSA did not respond to ISMG's request for comment.

Tools Used

The National Computer Virus Emergency Response Center says the NSA used two zero-day vulnerability-exploiting tools before installing remote access Trojans, such as NOPEN.

The U.S. agency allegedly used 54 proxy servers to obscure the real IP addresses of the attack originators, which China says are provided by American domestic telecoms.

The NSA allegedly gained access to the university's network equipment, gateway servers and office intranet. It deployed backdoors to covertly and persistently control the university network and sent control commands through encrypted channels. It deployed sniffers to find account passwords and command-line operation records of the university staff to operate and maintain the network and steal sensitive information. It then used obfuscation tools to remove all traces of its behavior within the university network, the center adds.

Hacking tools used by the U.S. intelligence community are typically highly classified and not known by their actual names. A number of leaks from intelligence insiders such as Edward Snowden and Joshua Schulte and unknown threat actors such as the Shadow Brokers have changed that, including tools cited by the center such as NOPEN and FoxAcid.

Willingness by the Chinese government to publicly disclose that it has spotted infiltration into university networks coupled with some technical details likely means that American intelligence is no longer using those tools, Lewis says. Every signals intelligence agency across the globe knows that by going public, it alerts opponents. The Chinese government "thinks they gain something" by disclosing the hacking, he says. "I don't think they gain something."


About the Author

Mihir Bagwe

Mihir Bagwe

Senior Correspondent, Global News Desk

Bagwe previously worked at CISO magazine, reporting the latest cybersecurity news and trends and interviewing cybersecurity subject matter experts.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing healthcareinfosecurity.com, you agree to our use of cookies.