It has been nearly ten years since the "Snowden Incident". With the exposure of the "Prism Gate", national cyber attacks have gradually surfaced. As early as before, there have been many sources of information showing that relevant US institutions use their technology and first-Mover advantage to launch cyber attacks against other countries. In order to systematically present the global cyber attacks carried out by US intelligence agencies, China Cyber Security Industry Alliance (CCIA) has carefully compiled and released "Historical Review of Cyber Attacks by US Intelligence Agencies — — Based on the analysis of information disclosed by the global network security community (hereinafter referred to as the "Report").
Based on the professional perspective of cyber security, the Report adheres to the principles of science, objectivity and neutrality. Based on nearly 1,000 research documents of dozens of cyber security enterprises, research institutions and experts and scholars around the world, it fully integrates the analysis processes and research results of all parties, and strives to present the cyber attacks of relevant US institutions on other countries through the analysis and demonstration of the industry and academic circles, and reveals the great damage and serious threat posed by cyber hegemony to the global cyberspace order.
According to time and events, the Report is divided into 13 articles, mainly including US intelligence agencies’ cyber attacks on other countries’ key infrastructure, indiscriminate cyber theft and monitoring, implantation of back door pollution standards and supply chain sources, development and leakage of cyber attack weapons, the commercial attack platforms sold out of control and become hackers’ sharp tools, interfering with and suppressing normal international technical exchanges and cooperation, creating standards and order in line with US interests, hindering the development of global information technology, and creating division and confrontation in cyberspace.
Each article is summarized as follows:
The opening of the first cyber war — — Analysis of "Seismic Network" Event
In 2010, American intelligence agencies used Stuxnet to attack Iran’s nuclear facilities, which opened the Pandora’s Box of cyber warfare. In the history of information technology development, there have been a large number of network viruses and attacks, but the "earthquake net" incident is the first network attack that has been fully proved by technology and caused damage to key industrial infrastructure in the real world equivalent to traditional physical damage. The relay analysis of global network security vendors and experts gave a very full portrait of this attack, and gradually locked the black hand behind the scenes into American intelligence agencies.
In June, 2010, technicians of VirusBlokAda, a Belarusian network security company, discovered a new worm virus in Iranian client computers, and named it "stuxnet" according to the characteristic word "Stux" appearing in the code.
In September 2010, Symantec, an American network security vendor, disclosed the basic situation, transmission method, attack target and virus evolution process of "Shenzhen" virus.
Kaspersky, a Russian network security vendor, has published dozens of reports on the "Shenzhen" virus, making a comprehensive analysis from many aspects, such as functional behavior, attack targets, vulnerability utilization, evasion of confrontation, command and control of servers, etc., especially discussing the LNK vulnerabilities and signed drivers used by the "Shenzhen" virus, and pointing out that such a complex attack can only be carried out with "state support";
Antian, a network security manufacturer in China, released three reports one after another, analyzing the attack process, propagation mode, attack intention, file derivation, multiple zero-day vulnerabilities, update mode and technical mechanism of USB ferry propagation conditions, summarizing its attack characteristics and the influence process on field equipment of industrial control system, speculating possible attack scenarios, and building an environment to simulate its attack process on industrial control system;
In November 2013, Ralph Langner, a German IT security expert, published two articles, calling the "Shenzhen" incident "a textbook example of cyber warfare". Based on the follow-up study of the two versions of the "Shenzhen" virus and the attack events, the specific implementation method and operational flow of "cyber warfare produces physical results" were outlined.
The chain reaction after the second "Shenzhen" — — Follow-up Analysis of "Poisonous Qu", "Flame" and "Gauss"
Global network security vendors have gradually confirmed that more complex viruses, such as Duqu, Flame and Gauss, are of the same origin as Shenzhen Net, and have started to spread at the same time or even earlier.
In October 2011, CrySyS, a Hungarian security team, discovered a virus sample very similar to "Shenzhen", which was called Duqu ("Poisonous Qu"). After comparing with "Shenzhen", the researchers determined that they were very similar.
In October 2011, Symantec released a report, which analyzed the global infection, installation process and loading logic of "Poisonous Qu" virus in detail.
Since October 2011, Kaspersky has released ten analysis reports on the virus "Poisonous Qu" one after another, believing that "Poisonous Qu" is a multifunctional framework with high customization and universality. In June 2015, Kaspersky captured the attack of "Poisonous Music" virus, and analyzed that the attacker intended to monitor and steal its source code, and only the team supported by the state could do it.
In May 2012, Antian released a report to analyze the module structure, compiler architecture and key functions of "Poisonous Qu" virus, pointing out that "Poisonous Qu" and "Shenzhen Net" have certain similarities in structure and function, and judging that they have homology according to coding psychology;
In April 2012, the Iranian Ministry of Oil and the Iranian National Oil Company were attacked by the "Flame" virus. Kaspersky analyzed that "Flame" was one of the computer viruses with the most complicated attack mechanism and the highest threat at that time, and its structural complexity was 20 times that of "Shenzhen" virus, and the behind-the-scenes team was likely to be manipulated by government agencies.
In May, 2012, Antian released a report, analyzing the running logic, propagation mechanism and main module functions of the "Flame" virus. It is believed that "Flame" is a complex component Trojan with more modules than "Shenzhen", and its vulnerability attack module includes a USB attack module used by the "Shenzhen" virus, which proves the homologous relationship between the two.
In August 2012, Kaspersky discovered the Gaussian virus, claiming that there was sufficient evidence to show that Gaussian was closely related to the flame and the earthquake net, and was created by organizations related to the earthquake net, the poisonous song and the flame.
In September, 2019, Antian released the report "Nine-year Reexamination and Thinking of the Stuxnet Incident" after continuous follow-up research, and analyzed the characteristics, causes, mechanism of action, related advanced malicious code engineering framework of each version of Stuxnet, and the correlation between malicious codes used in Stuxnet, Poisonous Music, Flame, Gaussian Equation Organization.
The third panorama of supercomputers — — Follow-up analysis of Snowden incident
On June 5th, 2013, The Guardian was the first to report the secret project of NSA code-named PRISM, which was revealed by Snowden, an intelligence officer of the US Central Intelligence Agency (CIA), and exposed nine international internet giants including Microsoft, Yahoo, Google and Apple, and cooperated with the US government to secretly monitor information such as phone records, emails, videos and photos, and even invaded network equipment in many countries including Germany and South Korea. With the gradual disclosure of Snowden’s leaked documents, global cyber security vendors have more documents to analyze about the relevant engineering systems and equipment systems of American intelligence agencies’ cyberspace operations, and the overall picture of American cyberspace supercomputers has gradually emerged.
In July 2013, Antian published an analysis article, pointing out that the key contents exposed by Snowden incident mainly include: First, the "Prism" project, as an integral part of the NSA network intelligence system, mainly uses the interfaces provided by American Internet companies for data retrieval, query and collection; Second, Google, Microsoft, Apple, Facebook and other large American Internet companies are mostly related to this plan; Third, the Specific Invasion Action Office (TAO) under the NSA has attacked China for 15 years, and related actions have been helped by Cisco;
In December 2017, Antian released a series of articles to deeply analyze the "Star Wind" plan in Snowden’s leaked documents, pointing out that the United States has carried out a large number of network intelligence eavesdropping projects and plans represented by "Prism", forming a global network intelligence acquisition capability, and on this basis, established an offensive capability support system represented by "TURBULENCE". The complete cyberspace intelligence cycle is realized through the relevant modules such as passive signal intelligence acquisition, active signal intelligence acquisition, task logic control, information diffusion and aggregation, and directional positioning, and then the intelligence-driven cyberspace active defense and offensive actions are further realized by combining the cyberspace attack and defense capability modules such as "TUTELAGE" and "QUANTUM".
In March, 2022, 360, a network security vendor in China, released a report, revealing the indiscriminate attacks launched by NSA on the world for more than ten years, especially analyzing the "quantum" attack system, the zero-day attack platform of "FOXACID", the "VALIDATOR" and the back door of "UNITEDRAKE". The analysis shows that the number of infected units in the world may reach millions.
The fourth rumor of the back door — Exposing American Pollution Encrypted Communication Standards
Through unremitting efforts, the global network security industry and academic circles have confirmed that the United States manipulated international information security standards by implanting back doors. Its practice has shaken the technical trust foundation of the whole Internet and caused extremely bad influence on the ecological environment of global international relations.
In 2007, Microsoft cryptographer made an analysis from the technical point of view, which showed that the algorithm of deterministic random bit generator (DRBG) with double elliptic curve (Dual EC) recommended by NIST in 2006 was possible to be implanted in the back door.
Snowden’s leaked documents in 2013 not only confirmed the previous backdoor speculation, but also exposed the NSA’s long-term and systematic manipulation of the password system, and used the loopholes in encryption standards to monitor the world;
In 2015, Wired magazine in the United States disclosed Logjam;, an encryption vulnerability of NSA to VPN communication attacks;
In 2020, the media in the United States, Germany and Switzerland jointly disclosed that the CIA had long stolen the encrypted communication content of government and enterprise users in many countries around the world by manipulating Crypto AG, a crypto machine manufacturer.
The fifth chapter is the demonstration of firmware Trojan horse — — "Equation Organization" officially surfaced.
Firmware is software written into hardware, which is lower than the operating system and even loaded before the operating system. If the virus is written into the firmware, it will be more hidden and difficult to find. The global network security industry and academic circles have gradually confirmed that the United States uses hard disk firmware to complete the "persistent" attack.
In January 2014, Darmawan Salihun, a network security expert who specializes in BIOS security, wrote an article to analyze the BIOS backdoors of NSA, such as DEITYBOUNCE and GODSURGE, and called these malware "god mode";
From February to March, 2015, Kaspersky released a series of reports, exposing the APT organization named Equation Group, saying that it has been active for nearly 20 years, is the behind-the-scenes manipulator of the "Shenzhen" and "Flame" viruses, and has surpassed all cyber attack organizations in history in terms of attack complexity and attack skills.
In 2016, according to the constant value of RC algorithm, Kaspersky verified that the NSA data leaked by the hacker organization "shadow broker" belonged to "equation organization", pointing out that "equation organization" achieved persistent attack implantation against hard disk firmware in high-value targets;
In March and April, 2015, Antian released two reports, analyzing the composition structure, correlation, return information, instruction branch, C2 address and plug-in function of the main attack platform of Equation Organization, and analyzing the attack technology principle of the key plug-in "hard disk reprogramming" module, as well as the local configuration of multiple components and the encryption algorithm and key of network communication;
In February, 2022, Chianxin, a network security vendor in China, released a report saying that the data leaked by the "shadow broker" and Snowden verified that Bvp47 belonged to the top-level back door of the NSA "Equation Organization", and restored the scene that Dewrop S, Suctionchar_Agent sniffer Trojan cooperated with other components such as Bvp47 back door program to carry out joint attacks.
The sixth network attack covering all platforms — — The exposure of Solaris and Linux samples of Equation Organization
Network security researchers have found that super attack organizations try to expand their load capacity to all scenarios that can achieve invasion and persistence. In these scenarios, various server operating systems, such as Linux, Solaris, FreeBSD, etc., are highly concerned. Based on this judgment, network security vendors have carried out detailed and in-depth tracking research on the super APT attack organization "Equation Organization".
In February, 2015, Kaspersky suggested that Equation Organization might have multi-platform attack capability, and there are examples to prove that the malicious software DOUBLEFANTASY of Equation Organization has a Mac OS X version.
In November 2016, Antian released a report, which analyzed the attack samples of Equation Organization against various architectures and systems. It was the first in the world to expose the organization’s attack capability against Solaris(SPARC architecture) and Linux systems through real samples.
In January 2017, Antian drew the building block diagram of the "Equation Organization" operation module based on the sample analysis of "Equation Organization" leaked by the "shadow broker", revealing the operation mode of the United States to realize front and back field control and deliver malicious code on demand through refined modules.
The seventh leaked arms — — The out-of-control management of cyber weapons in the United States has become a tool of cyber crime.
On May 12th, 2017, WannaCry ransomware made use of the "Eternalblue" vulnerability in NSA cyber weapons to create a huge cyber disaster all over the world. Superpowers develop cyber armaments without restraint, but they do not keep them strictly, which seriously endangers global cyber security.
Microsoft released the patch of the "Eternal Blue" vulnerability in March 2017, and the cyber weapon used by the "Equation Organization" released by the "Shadow Broker" in April 2017 included the exploitation program of this vulnerability. The hacker used this cyber weapon to carry out this global large-scale attack on all Windows system computers that were not patched in time;
China National Internet Emergency Center (CNCERT) confirmed that WannaCry ransomware was spread based on port 445 and exploited the SMB service vulnerability (MS17-010). Generally speaking, it can be judged that it was a black product attack threat caused by the disclosure of vulnerability attack tools by "shadow brokers".
Kaspersky analysis believes that the hacking tool "eternal blue" used in cyber attacks was previously disclosed on the Internet by "shadow brokers" and came from the network arsenal of NSA;
Antian analyzed the SMB vulnerability MS17-010 exploited by the ransomware, characterized it as "uncontrolled use of arms-level attack equipment", and subsequently issued the "Operation Manual on Systematic Response to NSA Network Arms and Equipment";
360 quickly issued an alarm after detecting the spread of the ransomware, calling on people to install system patches and security software in time, and launched a series of solutions after obtaining samples.
Once leaked, other "arms" in the American network arsenal may be used in a targeted way, and their derived harm may be no less than the "eternal blue". Their existence and leakage are even more worrying.
Article 8: Proliferation of armaments — — American penetration test platform has become a tool widely used by hackers.
The United States did not effectively restrict and control the automated attack platform it sold, which led to the pervasive attack test platform Cobalt Strike and other tools commonly used by hackers, which not only buried security risks in the global cyberspace, but also caused unpredictable potential impacts on the security of other countries.
In May, 2015, Antian discovered that in a quasi-APT attack against a government agency in China, the attacker relied on the Shellcode generated by Cobalt Strike platform and communicated in Beacon mode to realize remote control of the target host. At the 2015 China Internet Security Conference (ISC 2015), Antian systematically combed major commercial cyber weapons such as Regin and Cobalt Strike, and pointed out that the service and research background of Rafael mutch, the founder of Cobalt Strike, in the active and reserve cyber forces of the US military clearly reflected the spillover and destructiveness of the US military network technology and capabilities;
According to the survey conducted by American security company Proofpoint, the use of Cobalt Strike by threat actors increased by 161% in 2020 compared with the previous year. From 2019 to 2021, 15% of the attacks that abused Cobalt Strike were related to known hacker organizations.
Sentinelone, an American network security company, shows that the main distribution method of Egregor ransomware is Cobalt Strike;;
Chianxin monitoring found that the threat organization "Blue Mockingbird" exploited the Telerik UI vulnerability (CVE-2019-18935) to capture the server, and then installed Cobalt Strike beacons and hijacked system resources to mine Monroe coins.
The exposure of the ninth "arch" plan — — Coping with American Monitoring of Network Security Vendors
On June 22, 2015, Snowden disclosed the "CamberDADA" implemented by the relevant intelligence agencies in the United States and Britain. The plan mainly uses the traffic acquisition ability of American invading global operators to monitor the communication between Kaspersky and other anti-virus vendors and users in order to obtain new virus samples and other information. The follow-up targets of the plan include 23 global key network security vendors in 16 countries in Europe and Asia, including China network security vendor Antian.
According to the analysis, the purpose of the "Arch" plan is: firstly, to capture the samples reported by global users to anti-virus vendors; secondly, to provide reusable sample resources for TAO; thirdly, to monitor the processing capacity of anti-virus vendors and whether to release some malicious code samples.
The American "Interceptor" published an article saying that the "Arch" plan shows that since 2008, NSA has launched systematic espionage activities against the software of Kaspersky and other anti-virus vendors;
According to the American Wired article, the "Arched" plan depicts a systematic software "reverse engineering" activity, by monitoring network security vendors to find software vulnerabilities, so as to help intelligence agencies bypass these software;
Forbes published in the United States that the "Arch" plan monitoring list is a "blacklist" of security vendors outside the "Five Eyes Alliance" countries that have the ability to discover and contain their network activities;
China Xinhua News Agency published an article saying that anti-virus companies that were included in the monitoring scope expressed anxiety about this, and at the same time all said that they had confidence in their security products and found that their products were not weakened;
Antian issued a statement saying that the leaked documents mainly disclosed the emails reported by users to vendors by relevant intelligence agencies through public network channels, not the attacks on the network systems and products of security vendors themselves. The introduction of this monitoring "target list" will further split the global security industry that has already appeared cracks and suspicions.
Article 10 Broken Window Effect — — Iterative analysis of data leaked by "shadow broker" and Wikileaks
The data leaked by "shadow broker" and Wikileaks further revealed the true face of the network arsenals of NSA and CIA in the United States. "Shadow Broker" exposed the NSA’s attack equipment for network security equipment, the list of attacks against global servers, the information of SWIFT invading institutions, the FuzzBunch(FB) vulnerability attack platform and the DanderSpritz(DSZ) remote control platform in batches, and said that these attack equipment was related to "Equation Organization". NSA targets 287 targets in more than 45 countries, including Russia, Japan, Spain, Germany, Italy, etc., lasting for more than ten years. Wikileaks exposed 8,761 secret documents that were alleged to be CIA cyber attacks, including 7,818 web pages and 943 attachments. The leaked files contain the document information of a huge attack equipment library, which covers a wide range of platforms, including not only common operating systems such as Windows, Linux, iOS and Android, but also network node units and intelligent devices such as smart TVs, in-vehicle intelligent systems and routers.
In addition to being shocked, the academic and industrial circles of global network security began to sort out and analyze the leaked information. According to the materials exposed by "shadow brokers", the three core modules represented by FB, Operation Center(OC) and DSZ in NSA network operation system are sorted out. The "Vault 7" exposed by Wikileaks contains 15 tools (sets) and 5 frameworks for CIA network operations, which have also been comprehensively sorted out.
From December 2017 to November 2018, Antian released a series of reports on "Analysis of American Cyberspace Attack and Active Defense Capability", which systematically combed the American Cyberspace attack and defense capability from the perspectives of intelligence circulation, offensive capability support, attack equipment and active defense;
In October 2018, Kaspersky conducted an in-depth analysis of the DarkPulsar backdoor in DSZ. The research results of its persistence and latent ability show that the developers behind it are very professional, aiming at targets with long-term monitoring and control value;
In December, 2021, Israeli security vendor Checkpoint analyzed the Double Feature component in DSZ and concluded that DSZ (as well as FB and OC) are huge tool sets of "equation organization".
In March, 2020, 360 disclosed the eleven-year network infiltration attacks by the CIA attack organization (APT-C-39) on China’s aerospace, scientific research institutions, oil industry, large Internet companies and government agencies. In March 2022, 360 released an analysis report on the NSA attack organization APT-C-40, saying that the organization began to attack leading companies in a series of industries in China as early as 2010;
In March 2022, China National Computer Virus Emergency Response Center (CVERC) officially released an analysis report on NSA’s use of "NOPEN" Trojan. In the attack on China’s Northwestern Polytechnical University exposed in September, 2022, the NSA used as many as 41 kinds of cyber weapons, including NOPEN leaked by the "shadow broker".
The eleventh article is the first complete traceability — — The complete process of the attack on technical facilities in the Middle East by Formula Organization
On April 14, 2017, the data related to cyber attacks in the United States exposed by "Shadow Broker" included a folder named SWIFT, which contained an attack against EastNets, the largest SWIFT service provider in the Middle East, from July 2012 to September 2013. The operation successfully stole thousands of employee accounts, host information, login credentials and administrator accounts of EastNets in Belgium, Jordan, Egypt and the United Arab Emirates.
In June, 2019, Antian conducted a correlation analysis based on the data leaked by the "shadow broker" and the historical capture analysis results, and completely recovered the attack of the "Formula Organization" on EastNets, the largest SWIFT financial service provider in the Middle East, restored the US attack springboard, operation path, equipment application, tactical process, scene environment and operation consequences, summarized the attack equipment information used in this operation in the United States, and pointed out that the United States has the attack capability covering the whole platform and the whole system and a large number of zero-day vulnerability reserves.
Chapter XII Struggles in International Forums — — Expose American manipulation of cyberspace security.
The United States uses its right to speak in cyberspace to interfere with and suppress normal international exchanges and obstruct the dissemination and sharing of information, while global network security vendors and academics continue to make efforts in various international conferences and forums to expose American network behaviors, intentions and activities.
In 2015, Der Spiegel in Germany disclosed the "fourth-party intelligence gathering" method and project of NSA by invading (and using) the third-party network infrastructure to obtain intelligence or carry out cyber attacks. Kaspersky researchers analyzed the concealment and high complexity of this attack at the annual conference of Virus Bulletin in 2017.
In 2016, Jason Healey, a senior researcher at the School of International and Public Affairs of Columbia University in the United States, wrote an article, deeply analyzing the development process of the Vulnerability Fair Adjudication Procedure (VEP) in the United States from 2008 to 2016, and carefully estimating the number of zero-day loophole arms that the United States may hoard at present (2016);
Professor Shen Yi from Fudan University, China, made a historical review of American state monitoring behavior at the seminar "The Road to Cyber Threats in the New Era" in 2013;
At the 2015 "China-China Cyberspace Development and Security Forum", Antian analyzed the characteristics, capabilities and attacks on key basic industrial enterprises in.
Article 13 Restriction and Suppression — — The United States generalizes the concept of security and sanctions other countries’ network security vendors.
In recent years, in order to maintain its political hegemony, economic interests and military technology and capability advantages, the United States has generalized the concept of "national security" and sanctioned well-known cyber security enterprises in other countries with technological competitiveness, regardless of undermining international order and market rules, at the expense of harming the interests of global consumers, including the United States. Its main practices include:
Disable Kaspersky’s software products.On September 13, 2017, the US Department of Homeland Security asked all federal agencies to uninstall Kaspersky software products used within 90 days on the grounds that Kaspersky may threaten the security of the US federal information system;
Restricting the development of enterprises in China by using entity list.On May 22, 2020, the network security enterprise — — Qihoo 360 was listed in the "Entity List" by the US Department of Commerce;
Put pressure on other countries’ security companies that expose US cyber attacks.On December 22, 2016, NetScout Company of the United States issued a document saying that Antian, a network security company in China, is the spokesperson of "China’s anti-APT"; On February 17, 2022, the hearing of the US-China Economic and Security Review Commission (USCC) of the US Congress specifically named Antian and Qihoo 360, because they publicly published their analysis of the cyberspace actions of NSA and CIA.
Rank China Netan Enterprises in another volume and suppress them accordingly.Since 2019, the "Top 500 Cyber Security Companies" list of Cybersecurity Ventures has been replaced by the "Top 150 Cyber Security Companies", all of which are European and American manufacturers. In September, 2020, Cybersecurity Ventures released the list of the most popular and innovative "China Cyber Security Companies" in China, including 20 companies, including Antian, Qihoo 360, Chianxin, Shanshi Net Branch, Anheng, Shenxin, ThreatBook, etc. Based on this list, the USCC hearing experts in 2022 suggested that the US Department of Commerce and the Ministry of Finance put them on the entity list and the sanctions list.
