CarderPlanet
Cyber espionage at any cost: 5 hacking tools were used at once.
According to a recent report by China's National Computer Virus Emergency Response Center, supported by data from Qihoo 360, a state-backed American hacking group used five different remote access tools at once to break into the computer systems of Northwestern Polytechnical University in China.
The experts described each piece of malware separately. Apart from the already well-known NOPEN, the tracking names for the other malware families are given only in Chinese, so we list them below in translation:
- NOPEN is a Trojan for Unix/Linux systems, including firewalls. It consists of a client and a server component, and the connection between them runs over an encrypted channel. NOPEN was used to infect firewalls by exploiting vulnerabilities in them.
- "Rage Explosion" is a remote access Trojan for Windows with a long list of "useful" features: keylogging, screenshots, a file browser and so on. It supports several transports for its command channel, including HTTP. This RAT was deployed on workstations for long-term monitoring.
- "Second Date" is a proxy Trojan for intercepting traffic on firewalls and routers. It filters traffic according to configured rules and can inject malicious content into it. It was used together with the FoxAcid platform.
- "Insidious Heretic" is a covert backdoor for long-term control of systems. It removes traces of its own presence and can be used to load other tools, for example NOPEN.
- "Persistent Surgeon" is a multifunctional rootkit for Linux, Solaris and FreeBSD. It hides files, processes and network connections, and it was used to conceal NOPEN on infected systems.
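The rootkit behaviour described in the last item is what a defender checks for first: a process that exists in the kernel but is missing from the /proc listing that `ps` and `ls` rely on. The script below is an added example written for this page, not code from the report or from any of the tools it names. It assumes a Linux host with /proc mounted and a rootkit that hides entries from the directory listing but not from a direct path lookup (the common hooking style); a rootkit that also hooks path lookups will not be caught this way. All function names and the sample PID sets in the comments are hypothetical.

```python
import os
from collections.abc import Callable, Iterable

# Hypothetical defender-side check (added example). Two independent views of
# PID space are compared:
#   1. readdir(/proc)          - what ls/ps see; a rootkit hooks this to hide
#   2. open(/proc/<pid>/status) - a direct path lookup, often left unhooked
# A PID present in view 2 but absent from view 1 is a hiding candidate.


def listed_pids(proc_entries: Iterable[str]) -> set[int]:
    """PIDs present in a /proc directory listing (numeric entries only)."""
    return {int(name) for name in proc_entries if name.isdigit()}


def probed_pids(max_pid: int, is_process: Callable[[int], bool]) -> set[int]:
    """PIDs in 1..max_pid for which the direct probe reports a live process."""
    return {pid for pid in range(1, max_pid + 1) if is_process(pid)}


def hidden_pids(listed: set[int], probed: set[int]) -> set[int]:
    """Processes that answer a direct probe but are absent from the listing."""
    return probed - listed


def proc_status_is_process(pid: int) -> bool:
    """Live probe: read /proc/<pid>/status and keep only thread-group leaders.

    Threads also have /proc/<tid>/status but are never listed by readdir(/proc),
    so without the Tgid check every multithreaded program would look 'hidden'.
    """
    try:
        with open(f"/proc/{pid}/status") as fh:
            for line in fh:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) == pid
    except (FileNotFoundError, ProcessLookupError, PermissionError):
        return False
    return False


def scan_live_system() -> set[int]:
    """Compare readdir(/proc) with brute-force probing on a running Linux host."""
    with open("/proc/sys/kernel/pid_max") as fh:
        max_pid = int(fh.read())
    listed = listed_pids(os.listdir("/proc"))
    probed = probed_pids(max_pid, proc_status_is_process)
    candidates = hidden_pids(listed, probed)
    # A process that started between the two enumerations also lands in
    # `candidates`; a fresh listing removes those race-induced hits.
    return candidates - listed_pids(os.listdir("/proc"))


if __name__ == "__main__":
    for pid in sorted(scan_live_system()):
        print(f"possible hidden process: pid {pid}")
```

Probing every PID up to `pid_max` (often 4194304) takes some seconds in Python; the pure functions are split out so the comparison logic can be exercised on constructed PID sets without touching the live system. On a clean host the result should be empty; any hit should be confirmed with a second, independent view such as `/proc/<pid>/exe` or a network-side check, since a rootkit that hooks path lookups as well will simply not appear here.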
Combining these tools allowed the American APT group to penetrate the university's internal network effectively and establish covert control over its systems.
NOPEN was used in the first stage, to compromise the firewalls. "Second Date" then attacked internal systems by way of browser vulnerabilities. Next, the "Rage Explosion" RAT was placed on workstations to maintain persistent control. "Insidious Heretic" provided a hidden foothold, and "Persistent Surgeon" covered the traces of the attack.
Such a layered use of different tools points to a high level of training and technical capability on the attacking side. The American hackers showed a deep understanding of the architecture of the targeted network and the ability to pick the right set of malicious programs for each stage of the attack.
It appears that some of the tools were built specifically for operations of this kind. In particular, "Second Date" and "Insidious Heretic" had not previously been seen in the wild (ITW) and remain poorly studied.
The Chinese experts consider it quite likely that these are developments of the US National Security Agency (NSA), created within its Tailored Access Operations (TAO) unit, which carries out cyber espionage and intrusions into foreign information systems.
In recent decades, the already complex relations between the world's major powers have increasingly shifted online. The cyberattack on China's Northwestern Polytechnic University is just the tip of the iceberg in the ongoing cold cyber war.
Such incidents only underline that information security and data protection are becoming a key component of national security for every country.
Each event of this kind not only demonstrates the technical capabilities of the attackers but also deepens the distrust between states, making a diplomatic settlement even harder to reach.