Last April, Northwestern Polytechnical University experienced a cyber attack. The university issued a statement acknowledging that it had received phishing emails containing Trojan horse malware from overseas hacker organizations and criminal groups, aimed at stealing the email data and personal information of staff and students.
Recently, a technical analysis of spyware called “SecondDate” was conducted by the National Computer Virus Emergency Response Center and 360 Company. Their report revealed that the software is a cyber espionage tool developed by the US National Security Agency (NSA). Further investigation confirmed the identity of the NSA agents behind this cyber assault.
The analysis indicates that “SecondDate” is designed to perform cyber operations such as eavesdropping on network traffic, man-in-the-middle attacks, and injecting malicious code. When combined with other malicious software, it can undertake sophisticated cyber espionage activities.
Du Zhenhua, a senior engineer at the National Computer Virus Emergency Response Center, explained that the spyware is a highly advanced cyber espionage tool. It allows attackers to take control of the target network devices, monitor the network traffic passing through these devices, and carry out long-term espionage on the hosts and users within the target network. Additionally, it serves as a launch pad for further cyber attacks, deploying more cyber weapons when required.
Experts note that “SecondDate” resides persistently on gateway devices, border routers, firewalls, and other perimeter network devices. Its primary functions include sniffing network traffic, tracking network sessions, and redirecting and altering traffic. Moreover, “SecondDate” is capable of running on various operating systems and supports multiple processor architectures, giving it a broad range of application.
Du Zhenhua further stated that this spyware is often used in conjunction with specific attack tools of the Tailored Access Operations (TAO) unit that target vulnerabilities in firewalls and network routers. Once these attacks succeed, the infiltrators gain control of the target network device and can then plant the spyware.
The report also stated that the National Computer Virus Emergency Response Center, 360 Company, and industry partners have been conducting a global technical investigation. Through their research, they found thousands of network devices across various countries still covertly running “SecondDate” and its derivative versions. They also identified jump servers remotely controlled by the US National Security Agency, the majority of them located in Germany, Japan, South Korea, India, and Taiwan.
In conclusion, Du Zhenhua emphasized that, thanks to the joint efforts of international industry partners, significant progress has been made in the investigation. They have now successfully identified the real identities of the US National Security Agency personnel responsible for the cyber attack on Northwestern Polytechnical University.