An inside look at NSA tactics, techniques and procedures from China's lens

> Chinese cyber organizations openly acknowledge and publicize their partnerships. This openness was particularly interesting to observe and may be influenced by cultural factors, such as the Confucian emphasis on shared knowledge and a political framework that encourages collective efforts.

I or anyone outside obviously cannot verify the technical details. However, the above statement struck as particularly uninformed. As any engineer in East Asia can tell you, there is nothing especially collaborative about tech in Confucian culture; if anything, the engineers in that region admire the free speech and discussion traditionally prized in the Western culture. Calling Chinese political framework, especially in the context of national security, conducive to open public discussion was quite ironic to see.

Edit: the punchline is this. If a friend who is always secretive and deceptive about his personal life is suddenly openly discussing his life, what does that say about the details he just disclosed and/or the situation he is currently in?

source: I regularly work with engineers from that culture and studied relevant geopolitics.

> No attacks occurred during Memorial Day and Independence Day holidays which were unique American holidays.

Simple but effective. A good non-NSA agency should also learn from this to be able to effectively false-flag as NSA, as long as they are flexible enough to allow off-hours and overtime pay and remember to respect the US federal holidays.

> Two zero-days were used to breach any company with SunOS-exposed systems in neighbouring countries to China

SunOS? Wonder if it's because it's genuinely used still quite a bit or they simply had zero-days for it since many of those are old and unpatched?

It seems like the most efficient way of detecting NSA tools is a regular expression of two all caps dictionary words

> In total, 54 jump servers and 5 proxy servers were used to perform the attack coming from 17 different countries including Japan, South Korea, Sweden, Poland and Ukraine with 70% of the attacks coming from China’s neighbouring countries.

I'm guessing this is so when they do data exfiltration (and hosted MITM) it's not sending a ton of data to a single server, but spreads them out.

> SECONDDATE: This tool was allegedly used by TAO (NSA) to hack into the office intranet of the University. Attribution of SECONDDATE was discovered through collaboration with other industry partners. They found thousands of network devices running this spyware – where the communications went back to NSA servers located in Germany, Japan, South Korea and Taiwan. This tool was used to redirect user traffic to the FOXACID platform.

> SECONDDATE – Backdoor installed on network edge devices such as gateways and border routers to filter, and hijack mass amounts of data in a MiTM. This was placed on the border routers of the University to hijack traffic to redirect to NSA’s FOXACID platform.

Given how US is attacking their enemies and at times their allies, 24/7 it is amazing how little we ever hear about it.

> 1. Attack Times

> * One of the frameworks used by TAO that was forensically uncovered during the incident named “NOPEN” requires human operation. As such, a lot of the attack required hands-on-keyboard and data analysis of the incident timeline showed 98% of all the attacks occurred during 9am – 4pm EST (US working hours).

> * There were zero cyber-attacks on Saturdays and Sundays with all attacks centralised between Mon-Fri.

> * No attacks occurred during Memorial Day and Independence Day holidays which were unique American holidays.

> * No attacks occurred during Christmas.

It's surprising the NSA would be this sloppy and obvious, or maybe they don't care about attribution in this situation, or maybe someone else did it. But I've read attribution of Chinese attackers using work hours and thought the attackers were sloppy and obvious.

> A key observation from the Chinese case notes was the extensive use of big data analysis, particularly in tracking “hands-on keyboard” activity. This approach enabled Qihoo 360 to identify patterns, such as the alleged absence of activity on Memorial Day, and precisely documenting the operational hours of the attackers, allowing 360 to isolate activity to Monday-Friday, EST working hours.

If the blogger's claim of experience is true, they must know about the things I've read. I wonder what they are thinking of.

I originally came here to comment how crazy it seems that DoD employees at NSA cannot be bothered to cover their tracks by working nonstandard hours/holidays (obviously Mil & Intel folks do this, they even get deployed!). But the thought occurred to me that attribution to NSA was likely a desired outcome here (“We can hack you too”) and there are probably many people at NSA working nonstandard hours/days to prevent attribution.

I think the English language aspect is much more interesting and difficult/impossible to prevent.

This is really interesting. I wonder how red-teams in State sponsored teams operate in real life. I guess every one has an NDA, but would love to get a general idea.

I assume it's a jungle out there, so teams need to protect themselves 24/7/365 and I'm surprised to find no activities in holidays.

> Second date has capabilities of network eavesdropping, MiTM, and code injection

This is probably a dumb question but doesn't that require an SSL cert? Obviously the NSA can get someone to issue a cert for a domain they don't own but wouldn't that be visible?

Couldn't you have every user device log the SSL certs it sees to detect this attack? What about CT?

> The Northwestern Polytechnical University had allegedly suffered multiple breaches throughout the years where several pieces of malware uncovered in prior investigations (prior to Shadow Broker’s leak) were allegedly the same tools described in the Shadow Broker’s leak.

What is Shadow Broker, does anyone know?

glad to see the same basic tradecraft from 90s hacking, only very refined and industrialized. it's a durable skill. the focus on switches and routers is very pro, as they are the most opaque infra with the fewest forensic capabilities. iot is less reliable as RE'ing cheap devices and firmware for IoCs is accessible, where almost nobody outside the IC did core gear (word to phenolit from back in the day tho).

the traffic redirection is interesting in that i would be curious if they rate limited it or used on device selectors in their implant to redirect traffic. the trade off between memory caching packets to sort on selectors vs.stealthy throughput would have been a fun design meeting.

hunting these kinds of actors would be supremely fun. the main thing that protects them is few outside massive bureaucracies really care enough or find it economical, as the rewards are more in finding new zero day and not hunting state level threat actors. the exceptions who do (p0, citizenlab etc) are attached to massive orgs and dont really led themselves to privateering. amazing write up anyway.

> 98% of all the attacks occurred during 9am – 4pm EST (US working hours). > There were zero cyber-attacks on Saturdays and Sundays with all attacks centralised between Mon-Fri. > No attacks occurred during Memorial Day and Independence Day holidays which were unique American holidays. > No attacks occurred during Christmas.

Come on guys, if Satoshi can cover his timezones tracks, so can you.

It seems like the lack of operations during US holidays would be a big oversight.

I love the Windows 98 clip art.

> These insights stem from extensive research I did on Weixin

Someone doing extensive research on Weixin might ordinarily realize that it's called "Wechat" in English.