The evidence is irrefutable! The process of the US cyber attack on China's National Time Service Center disclosed
On the morning of October 19, China's state security authorities disclosed that the National Security Agency of the United States (hereinafter "NSA") carried out a major cyber attack on the National Time Service Center (hereinafter the "Time Service Center"). The National Internet Emergency Response Center (CNCERT) established the overall picture of the attack through analysis, assessment and source tracing. The technical details are published as follows.

1. Overview of the attack

Since March 2022, the NSA has exploited a vulnerability in the SMS service of a foreign-brand mobile phone to covertly monitor more than 10 Time Service Center employees, illegally stealing their phone contacts, text messages, photo albums, location data and other information. Since April 2023, the NSA has used the "Triangle Measurement" operation (the campaign reported elsewhere as Operation Triangulation), on several occasions in the early hours Beijing time, to log in to Time Service Center computers with credentials stolen from a foreign-brand mobile phone and reconnoitre the layout of the internal network. From August 2023 to June 2024, the NSA deployed a new cyber warfare platform against the Time Service Center, infiltrated several of its internal business systems, and attempted to attack critical technical infrastructure such as the system's reference time and navigation systems. Throughout the incident the NSA displayed a world-leading level of tradecraft in tactical thinking, operational methods, encrypted communications and antivirus evasion:

Covert attack implementation: by using legitimate commercial code-signing certificates, disguising its tools as Windows system modules and proxying its network communications, the NSA hid its attack and theft activity, and its in-depth study of antivirus software mechanisms allowed it to evade detection effectively.

Multi-layer encrypted communication: the NSA's cyber attack weapons build a nested, multi-layer encryption model whose strength goes far beyond conventional TLS communications, making the traffic much harder to decrypt.

Patient and cautious activity: throughout the activity cycle the NSA comprehensively monitored the controlled hosts, including file changes.

2. Network attack process

In this attack, the NSA used the "Triangle Measurement" operation to obtain login credentials from Time Service Center computer terminals, thereby gaining control, deploying customised cyber attack weapons and upgrading them for the Time Service Center's network environment, in order to expand the scope of the attack and theft and achieve long-term infiltration of the unit's internal network and critical information systems. The investigation found that the NSA used a total of 42 cyber attack weapons, which fall into three categories: front-stage control weapons ("eHome_0cx"), tunnel-building weapons ("Back_eleven") and data theft weapons ("New_Dsz_Implant"), with overseas network assets serving as the main control servers. The attack can be divided into the following four stages.

(1) Acquisition of control

From March 24, 2022 to April 11, 2023, the NSA used "Triangle Measurement" to steal data from more than 10 devices at the Time Service Center. In September 2022, the attacker obtained login credentials for an office computer via the foreign-brand mobile phone of a Time Service Center network administrator and used them to gain remote control of that computer. From April 11 to August 3, 2023, the attacker used anonymous communication network nodes to log in remotely to the office computer more than 80 times, using it as a foothold to reconnoitre the Time Service Center's network environment.

[Figure: the attack on August 3, 2023]

(2) Implantation of special cyber attack weapons

From August 3, 2023 to March 24, 2024, the attacker implanted an early version of "Back_eleven" on the network management computer, stole its data, and after each operation cleared the weapon's memory footprint and operational traces. At this stage "Back_eleven" was not yet mature: before each launch the attacker had to remotely shut down the host's antivirus software.

[Figure: some records of the antivirus software being shut down]

(3) Upgrading of special cyber attack weapons

From March to April 2024, the attacker customised and upgraded the cyber attack weapons for the Time Service Center's network environment, deploying a number of new weapons to achieve long-term residence and covert control of computers. The attacker loaded "eHome_0cx", "Back_eleven" and "New_Dsz_Implant", using more than 20 functional modules and more than 10 weapon configuration files.

[Figure: loading of the "eHome_0cx" package]
[Figure: the "Back_eleven" process]
[Figure: the process of loading "New_Dsz_Implant" into memory]

The attacker used several types of cyber attack weapons in concert to build a four-layer encrypted tunnel, forming a highly disguised, fully functional platform for cyber attack and data theft.

[Figure: encryption mode of the cyber attack weapons]

(4) Lateral movement in the internal network

From May to June 2024, the attacker used "Back_eleven" on the network management computer as a springboard to attack the Internet authentication server and the firewall. At 9 a.m. on June 13, the attacker activated "eHome_0cx" on the network management computer, implanted "Back_eleven" and "New_Dsz_Implant" on it, and used it as a jump host to steal data from the authentication server. At 9 a.m. on July 13, the attacker again activated "eHome_0cx" on the network management computer, releasing "Back_eleven" and "New_Dsz_Implant" to steal data.

[Figure: packets from the June 13, 2024 attack stealing data over the Internet]

3. Analysis of the cyber attack weapons arsenal

In this cyber attack the attacker used a total of 42 cyber attack weapons, functional modules and malicious files. By function, the main weapons can be divided into front-stage control weapons, tunnel-building weapons and data theft weapons.

(1) Front-stage control weapons

The attacker uses the covert residence and heartbeat call-back functions of this type of weapon to control the target computer terminal over the long term and to load subsequent cyber attack weapons. The main weapon of this type is named "eHome_0cx" after its resource loading path. "eHome_0cx" consists of four attack modules that achieve automatic start-up by hijacking normal system services (such as Explorer and the Event Log service) through DLL hijacking. After start-up it erases the PE header of its executable image in memory to hide the weapon's running traces.

[Figure: information table of the "eHome_0cx" attack modules]

(2) Tunnel-building weapons

The attacker uses this type of weapon to build network communication and data transfer tunnels, providing remote control of the other weapon types and encrypted transfer of stolen data. It also collects information and executes commands, and in the initial connection phase it sends the controller an identifier containing the number "11", hence the name "Back_eleven".

[Figure: "Back_eleven" checking its operating environment]

(3) Data theft weapons

The attacker uses this type of weapon to steal data. When running, it starts a modular cyber attack weapon framework and loads various plug-in modules to carry out specific theft functions. This weapon is highly homologous with the NSA's "DanderSpritz" attack tool and has been named "New_Dsz_Implant". "New_Dsz_Implant" is loaded by "eHome_0cx" and is used together with the data transfer link built by "Back_eleven". It has no theft function of its own; it carries out theft by loading functional modules on receipt of commands from the controller. In this attack, "New_Dsz_Implant" loaded 25 functional modules, whose functions are shown in the table below.

[Figure: table of "New_Dsz_Implant" modules]

4. Background analysis

(1) Technical function details

"New_Dsz_Implant" is a cyber attack weapon framework that implements specific functions by loading different modules. This method of implementing functionality is consistent with the "DanderSpritz" attack platform in the NSA's weapons arsenal, and the code details are highly homologous, with some upgrades: first, some function names and strings have been encrypted; second, the functional modules are disguised under the names of ordinary system modules; third, the compilation timestamps of the functional modules have moved from 2012-2013 to 2016-2018, and the modules have gained functions that analyse user activity and mimic normal behaviour such as user clicks and logins in order to defeat antivirus detection.

[Figure: comparison of the functional modules loaded by "New_Dsz_Implant" and "DanderSpritz"]

(2) Sample persistence method

Some resident files of "eHome_0cx" hijack normal system services by modifying the InprocServer32 value in the registry, so that the malicious DLL is loaded before the legitimate program starts, achieving automatic start-up. The registry location modified is the same one used by the cyber attack weapons of the NSA's Equation Group: the InprocServer32 subkey of a random-ID entry under HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID.

(3) Data encryption model

The attackers used three types of weapons, each with two layers of encryption: the outer layer uses TLS, and the inner layer uses RSA plus AES for key negotiation and payload encryption. In key phases such as the transfer of stolen data and the deployment of functional modules, the weapons work together to achieve four nested layers of encryption.

5. Disclosed infrastructure

Some of the server IP addresses used by the United States for command and control from August 2023 to May 2024 are as follows:

(Source: National Internet Emergency Response Center, CNCERT)

Source article: https://world.huanqiu.com/article/4On4tBSKkcF (WorldNews, 2025-10-19 18:00)
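A hunting check for the persistence location described in section 4(2), added here as an example; it is not part of the CNCERT disclosure or of the tooling it describes. It parses a Windows .reg export of HKLM\SOFTWARE\Classes\CLSID (reg export writes UTF-16, so convert the file to UTF-8 first), extracts every InprocServer32 default value, and reports the CLSIDs whose server DLL lives outside an assumed allowlist of trusted install locations. The allowlist, the sample export, and the second CLSID and DLL path in it are constructed for the example.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// Finding is one CLSID whose InprocServer32 default value names a DLL
// outside the locations an in-process COM server is expected to live in.
type Finding struct {
	CLSID string
	DLL   string
}

// keyRe matches the header of a CLSID\InprocServer32 key in .reg export
// format under either HKLM or HKCU (a per-user key shadows the HKLM one
// for non-elevated processes, so both hives are worth exporting).
var keyRe = regexp.MustCompile(`(?i)^\[HKEY_[A-Z_]+\\SOFTWARE\\Classes\\CLSID\\(\{[0-9A-F-]+\})\\InprocServer32\]$`)

// defaultRe matches the key's default value when exported as REG_SZ.
// REG_EXPAND_SZ defaults are exported as hex(2):... and are skipped here.
var defaultRe = regexp.MustCompile(`^@="(.*)"$`)

// trustedPrefixes is the allowlist assumed for this example; in practice
// build it from a known-good baseline of the same Windows build.
var trustedPrefixes = []string{
	`c:\windows\system32\`,
	`c:\windows\syswow64\`,
	`c:\program files\`,
	`c:\program files (x86)\`,
}

func isTrusted(dll string) bool {
	p := strings.ToLower(dll)
	for _, t := range trustedPrefixes {
		if strings.HasPrefix(p, t) {
			return true
		}
	}
	return false
}

// HuntInprocServer32 parses a .reg export and returns every CLSID whose
// InprocServer32 default value points outside trustedPrefixes. These are
// triage leads, not verdicts: confirm each DLL's signature and hash.
func HuntInprocServer32(regExport string) []Finding {
	var findings []Finding
	clsid := ""
	sc := bufio.NewScanner(strings.NewReader(regExport))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if strings.HasPrefix(line, "[") {
			clsid = ""
			if m := keyRe.FindStringSubmatch(line); m != nil {
				clsid = m[1]
			}
			continue
		}
		if clsid == "" {
			continue
		}
		if m := defaultRe.FindStringSubmatch(line); m != nil {
			// .reg exports escape backslashes and double quotes in values.
			dll := strings.NewReplacer(`\\`, `\`, `\"`, `"`).Replace(m[1])
			if !isTrusted(dll) {
				findings = append(findings, Finding{CLSID: clsid, DLL: dll})
			}
		}
	}
	return findings
}

// sampleExport is constructed input in .reg export format. The first entry
// is the well-known Shell Link CLSID served by shell32.dll; the second
// CLSID and its DLL path are invented for this example.
const sampleExport = `Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00021401-0000-0000-C000-000000000046}\InprocServer32]
@="C:\\Windows\\System32\\shell32.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D3F1E2A0-7B6C-4C5D-9E8F-0A1B2C3D4E5F}\InprocServer32]
@="C:\\ProgramData\\Updates\\svcloader.dll"
"ThreadingModel"="Both"
`

func main() {
	for _, f := range HuntInprocServer32(sampleExport) {
		fmt.Printf("suspicious InprocServer32: %s -> %s\n", f.CLSID, f.DLL)
	}
}
```

Legitimate third-party COM servers also live outside System32, so treat each hit as a lead: check the DLL's Authenticode signature and hash, and compare the CLSID against the same key on a clean host of the same build. Because the disclosure describes the DLL being loaded before the legitimate program starts and then wiping its own PE header in memory, the registry value may be the most durable artifact left on disk.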
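A worked model of the inner encryption layer described in section 4(3), added here as an example written for this page; it is not code from the disclosed weapons. A fresh AES-256 session key is wrapped with RSA-OAEP to the controller's public key and the payload is sealed with AES-GCM, and that envelope is what would travel inside the outer TLS session. The key pair, the OAEP label, the sample payload and the function names are assumptions of the example, and the outer TLS layer is not reproduced.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Envelope is what the inner layer puts on the wire inside the TLS session:
// a session key wrapped to the controller's RSA public key, the AES-GCM
// nonce and the ciphertext. A TLS-terminating interceptor sees exactly
// these three fields and nothing more.
type Envelope struct {
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
}

// oaepLabel is an arbitrary OAEP label chosen for this example.
var oaepLabel = []byte("inner-layer-example")

// NewControllerKey generates the controller's long-term RSA key pair
// (part of the example, not of the disclosed tooling).
func NewControllerKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// ImplantSeal runs the implant side: generate a fresh AES-256 session key,
// wrap it with RSA-OAEP to the controller's public key, and encrypt msg
// with AES-256-GCM. The wrapped key is passed as GCM additional data so the
// ciphertext is bound to the key that opens it.
func ImplantSeal(pub *rsa.PublicKey, msg []byte) (*Envelope, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, oaepLabel)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, msg, wrapped)
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// ControllerOpen runs the controller side: unwrap the session key with the
// RSA private key, then authenticate and decrypt the payload. Any change to
// the wrapped key, nonce or ciphertext makes this fail.
func ControllerOpen(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, oaepLabel)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(env.Nonce) != gcm.NonceSize() {
		return nil, errors.New("bad nonce length")
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, env.WrappedKey)
}

// InterceptorSeesPlaintext models a defender who has terminated the outer
// TLS layer (for example at an inspecting proxy): it reports whether the
// plaintext appears anywhere in the inner-layer bytes that are visible.
func InterceptorSeesPlaintext(env *Envelope, msg []byte) bool {
	var visible []byte
	visible = append(visible, env.WrappedKey...)
	visible = append(visible, env.Nonce...)
	visible = append(visible, env.Ciphertext...)
	return bytes.Contains(visible, msg)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	priv, err := NewControllerKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample payload standing in for an exfiltrated record.
	msg := []byte("constructed sample: stolen authentication record")
	env, err := ImplantSeal(&priv.PublicKey, msg)
	if err != nil {
		panic(err)
	}
	fmt.Printf("plaintext visible after TLS termination: %v\n", InterceptorSeesPlaintext(env, msg))
	out, err := ControllerOpen(priv, env)
	if err != nil {
		panic(err)
	}
	fmt.Printf("controller recovered: %q\n", out)
}
```

The point for a defender is that terminating the outer TLS at an inspecting proxy exposes only the wrapped key, the nonce and the ciphertext; recovering content requires the controller's private key or the session key as it sits in the implant's memory. That is why, for traffic of this kind, host-side memory capture and blocking of the disclosed control infrastructure pay off more than TLS inspection alone.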