Exclusive: US plants Trojan horse programs in hundreds of important Chinese information systems; new cyber weapon targets China, Russia
Published: Jun 29, 2022 11:59 AM
hacker Photo: VCG
On Wednesday, China's National Computer Virus Emergency Response Center and a leading cybersecurity company disclosed a vulnerability-exploitation weapon platform deployed by the US National Security Agency (NSA). Experts believe it is the main equipment of the NSA's computer network exploitation teams and that it targets the whole world, with a focus on China and Russia.

The disclosure raised widespread suspicion that the US might be preparing for a larger cyberwar, experts noted.

Recently, a number of Chinese research institutions have found traces of activity by the "validator" Trojan. A report the Global Times obtained from Internet Security Company 360 on Wednesday describes "validator" as a small embedded Trojan that can be deployed remotely or manually on any Windows operating system.

It can operate online around the clock, allowing NSA operators to upload and download files, run programs remotely, collect system information, forge identities and self-destruct in an emergency. The implant lets the NSA survey the environment of a targeted system and then install more sophisticated Trojans on it, the report shows.

Earlier, the company had found that the NSA used a series of cyber weapons to launch continuous attacks against government agencies, important organizations and information infrastructure targets in countries around the world, including China. During these attacks the NSA would implant backdoor programs, of which "validator" is representative, which could remain hidden on target users' internet-connected terminals for long periods and then serve as the foothold for more complex network attacks.

The Trojan is believed to be the default implant delivered by the NSA's "Acid Fox" weapon platform. Its presence indicates that the Chinese research institutions mentioned above were attacked through the Acid Fox vulnerability-exploitation platform.

According to the report, the Acid Fox platform is key infrastructure for Tailored Access Operations (TAO), the NSA's cyber warfare and intelligence unit, in its cyber espionage operations against other countries.

Notably, the report says the server numbered XS11 was explicitly assigned to GCHQ, the British intelligence agency, to conduct man-in-the-middle cyberattacks. TAO also operates dedicated servers for targets in China and Russia.

An expert from China's National Computer Virus Emergency Response Center told the Global Times, on condition of anonymity, that the "Acid Fox" platform detects the software and hardware environment of a target host before exploiting its vulnerabilities. Details disclosed in the report show that the weapon explicitly targets computer anti-virus software in China and Russia for "technical confrontation."

In addition, the US has deployed cyber espionage servers targeting China and Russia on the internet to implant malicious programs and steal intelligence, the expert said. 

In order to maintain its cyber hegemony, the US has been monitoring the world. As recently as June 1, NSA Director and Cyber Command head Gen Paul Nakasone confirmed that the US had conducted a series of offensive cyber operations against Russia in support of Ukraine amid the conflict between the two countries.

While conducting espionage against global targets, the US also spares no effort to play "the thief who cries 'stop thief,'" calling on its so-called allies to trumpet the "China threat" theory and to slander China's network security policy and its international economic and cultural exchange plans, the expert said. The expert went on to criticize the US for cracking down on Chinese companies and news media operating legally abroad, for inciting discord, and for encouraging so-called hackers to launch cyberattacks on foreign targets.

After extracting samples of the "validator" Trojan from the important information system of a domestic scientific research institution, 360 scanned for the program and found that different versions of it had been running in hundreds of important information systems in China. The implantation dates were much earlier than the public exposure of the "Acid Fox" platform and its components, indicating that the NSA had attacked at least hundreds of important information systems in China over the internet.

Multiple "validator" Trojans are still running in some information systems and relaying information to NSA headquarters. According to 360's report, finding "validator" samples on local network servers or internet access terminals indicates that those devices have been attacked by the NSA and that important information in the system has been stolen by the agency.

A large number of "validator" Trojans are running in the critical information infrastructure of other countries, far more than in China, the company said.

According to a report published by the National Computer Virus Emergency Response Center, the NSA has used these weapons in cooperation with the intelligence agencies of the other "Five Eyes" countries to build a global network intelligence-gathering system. The system deploys covert intelligence-gathering servers and springboard servers on a global scale and constitutes the largest espionage network in human history. It is still expanding and is becoming a common threat to all of humanity.

The expert from the center said that, despite the overwhelming evidence, the US will continue to conduct cyber espionage and cyber warfare in the future.

On June 22, the US Congress passed a $761 billion defense spending bill for fiscal year 2023, which includes an $11.2 billion cyberspace activities budget for the US Department of Defense, an increase of 8 percent over the previous fiscal year. The country also increased its cyber warfare units from 137 to 142.

The US has also introduced a series of bills, increased its cybersecurity budget, strengthened the defenses of its own critical information infrastructure, held domestic and international cyber warfare exercises, and limited the export of sensitive cybersecurity technology.

"Based on the US' moves, we cannot help suspecting that the country is actively preparing for a larger cyberwar," the expert said.