China has released a report that reveals the US National Security Agency (NSA) used multiple cybersecurity tools in its recent attacks against a Chinese university. Amongst these are sniffing and Trojan programs, which Chinese researchers say led to the theft of a “large amount of sensitive data”. 

China’s National Computer Virus Emergency Response Center (CVERC) on Tuesday said “41 types of cyber weapons” were tapped by NSA’s hacking unit, Tailored Access Operations (TAO), in the cyber attacks targeting China’s Northwestern Polytechnical University. 

Located in the Chinese city of Xi’an, the university describes itself as a research-focused institution with disciplines in aeronautics, astronautics, and marine technology engineering. It is affiliated with China’s Ministry of Industry and Information Technology.

The university is on the US government’s Entity List alongside several other Chinese educational institutions, including Sichuan University and Beijing University of Aeronautics and Astronautics. US companies are prohibited from exporting or transferring specific items to companies on the list unless they have procured a licence from their government to do so.

According to a report by state-owned news agency Xinhua, CVERC revealed that amongst the security tools TAO used was a sniffing program CVERC dubbed “Suctionchar”. 

One of the key components that resulted in the data theft, Suctionchar was capable of stealing accounts and passwords used in remote management and file transfer services on targeted servers, CVERC said in its report, which was released in collaboration with Chinese cybersecurity vendor, Beijing Qi’an Pangu Laboratory Technology.

“Suctionchar can run stealthily on target servers, monitor in real-time users’ input on the terminal program of the operating system console, and intercept all kinds of user names and passwords,” the report noted, adding that these credentials then could be used to breach other servers and network devices.

In its attacks against Northwestern Polytechnical University, TAO had used Suctionchar with other components of a Trojan program, Bvp47, which Pagu Lab referred to as a backdoor tool developed by the Equation Group, which reportedly was linked to TAO.

According to the Chinese security vendor, Bvp47 had been deployed in attacks targeting 45 global markets for more than a decade and had breached 64 systems in China. 

Attack tools not new

A cybersecurity vendor, though, noted that the technical research detailed in the report appeared to focus on “years-old implants” that had been widely known for several years now. 

Speaking to ZDNET on the condition of anonymity, a spokesperson from the security vendor said there was consensus amongst cybersecurity experts from the West that the attacks targeting Northwestern Polytechnical University appeared to be an espionage operation. 

He noted that the Chinese university seemed to be involved in the development of modern weapons, which might make it an attractive target. 

Pointing to the report released by CVERC and Pangu Labs, he said the details appeared to focus on hacking tools used in previous leaks that were uncovered in 2016, collectively known as Shadow Brokers. He added that it remained unclear what new technical evidence was disclosed in Tuesday’s announcement, but noted that he drew his reference from information that was available in English. 

He said cyber espionage was “nothing new” and the US had not denied their involvement in such operations

China first unveiled the breach against Northwestern Polytechnical University early last week, with the national State Council Information Office publicly condemning the cyberattacks. 

The Chinese foreign ministry’s spokesperson Mao Ning said NSA’s cyber attacks and data theft had involved 13 personnel from the US government agency. She revealed that more than 1,000 attacks were launched against the university, during which “core technical data” was stolen. 

Mao said: “Security of the cyberspace is a common issue facing all countries in the world. As the country that possesses the most powerful cyber technologies and capabilities, the US should immediately stop using its prowess as an advantage to conduct theft and attacks against other countries, [and] responsibly participate in global cyberspace governance and play a constructive role in defending cybersecurity.” 

She added that the US had “long carried out indiscriminate audio surveillance” against Chinese users, stealing text messages and conducting geolocation positioning. She said the US posed a “serious danger” to China’s national security and citizens’ personal data security.