The United States uses the "Sour Fox Platform" to launch cyber attacks on China and Russia!

Recently, many scientific research institutions in China have discovered traces of the activity of the "verifier" Trojan program.

A research report released by 360 on the 28th showed that according to the available US NSA confidential documents: "Authenticator" is a small implanted Trojan that can be deployed remotely or manually on any Windows system, from Windows 98 to Windows Server 2003 All suitable. At the same time, it has 7×24-hour online operation capabilities, allowing the US NSA system operators and data stealers to upload and download files, run programs remotely, obtain system information, forge IDs, and be able to self-destruct in an emergency under certain circumstances. With the help of this weapon, the US NSA can collect system environment information on attack targets, and also provide conditions for the installation (implantation) of more complex Trojan programs.

Previously, 360 discovered and publicly disclosed that the U.S. NSA used a series of cyber weapons to launch continuous attacks on government agencies, important organizations, and information infrastructure targets around the world, including China. During the entire attack process, the US NSA will implant backdoor programs represented by "authenticators" and lurk in target users' Internet terminals for a long time, and then use these backdoor programs to launch more complex network attacks and penetrations.

National Security Agency (NSA) Headquarters, Fort Meade, Maryland

The Trojan horse program is believed to be a standard program used by default on the NS "Acid Fox" vulnerability attack weapon platform. This situation shows that the Chinese scientific research institutions mentioned above have suffered cyber attacks on the U.S. NSA's "Acid Fox" vulnerability attack weapon platform.

According to reports, the "Sour Fox Platform" is an important infrastructure for the NSA's Special Invasion Operations Office (TAO) to carry out cyber espionage operations against other countries. It has now become the main equipment of the Computer Network Intrusion Operations Team (CNE). This weapon platform is mainly used to break through the host system located on the victim's office intranet and implant various Trojans, backdoors, etc. into it to achieve persistent control. The Sour Fox platform adopts a distributed architecture and is composed of multiple servers. It is classified according to task types, including: spam phishing emails, man-in-the-middle attacks, post-infiltration maintenance, etc.

CNE has one or more "Acid Fox" project instructors. These instructors can lead one or more "Acid Fox" action teams. The action team includes multiple team members, respectively responsible for directly supporting specific network intrusion operations and maintaining acid attacks. Fox server and other responsibilities. TAO deploys acid fox platform servers around the world. The servers are deployed in a distributed manner according to the target region, including the Middle East, Asia, Europe, etc. The server with the number prefix XS is the main server that coordinates multiple tasks. It is worth noting that the server numbered XS11 was clearly assigned to the British intelligence agency "UK Government Communications Headquarters" (GCHQ) to carry out man-in-the-middle cyber attack operations. In addition, TAO has set up dedicated "Acid Fox Platform" servers for Chinese and Russian targets. The series of servers numbered FOX00-64 are used to support the computer network intrusion action team's vulnerability attack operations. The server numbered FOX00-6401 is specifically Targeting Chinese targets, FOX00-6402’s server specifically targets Russian targets.

FA server distribution and task usage classification, among which the FOX00-6401 server is specifically for China, and the FOX00-6402 server is for Russia.

Relevant experts from the National Computer Virus Emergency Response Center told a reporter from the Global Times that the "Sour Fox Platform" will detect the software and hardware environment of the target host before exploiting vulnerabilities. The "Sour Fox Platform" rule configuration file disclosed in the report shows that the weapon platform clearly targets computer anti-virus software in my country and Russia as a "technical confrontation" target. Moreover, the United States has specially deployed cyber espionage servers targeting China and Russia on the international Internet to implant malicious programs and steal intelligence.

In order to maintain its cyber hegemony, the United States does not hesitate to "surveillance on all mankind." This has not changed in every US administration. Just on June 1 this year, Nakasone, director of the US National Security Agency and commander of the Cyber Command, confirmed that during the Russia-Ukraine conflict, the United States launched a series of offensive cyber operations against Russia to support Ukraine.

This expert also said that while the United States has intensified its attacks on global targets and stolen secrets, it has also spared no effort to "catch thieves", rallying its so-called allies, vigorously promoting the "China Cyber Threat Theory", and slandering and slandering our country.cyber securitypolicy and truly mutually beneficial and win-win international economic and cultural exchange and cooperation plans such as the "One Belt, One Road" initiative, suppressing Chinese enterprises and news media operating legally abroad, and even inciting civil opposition and inciting so-called civil "morality"hackerLaunch cyber attacks against targets in other countries.

Traces of the “authenticator” Trojan found in hundreds of important Chinese information systems

Based on the successful extraction of the "verifier" Trojan program sample from an important information system of a domestic scientific research institution, 360 Company immediately carried out scanning and detection in China. It was found that different versions of the Trojan horse program had been running in hundreds of important information systems in China, and that their implantation time was far earlier than the time when the "Sour Fox Platform" and its components were publicly exposed, indicating that the NSA has targeted at least hundreds of domestic Chinese systems. carry out cyber attacks on important information systems. To this day, multiple "verifier" Trojan programs are still running in some information systems, transmitting intelligence to NSA headquarters. 360 believes that "the discovery of 'authenticator' samples in local network servers or Internet terminals indicates that these devices have been attacked by the NSA, important information in the system has been stolen by the NSA, and other nodes in the target system's intranet have It may be penetrated by the NSA and remotely controlled.”

In addition, according to the filter rule fragment on the "Sour Fox Platform" server, it can be judged that the server mainly attacks Chinese host targets. The filter focuses on Kaspersky anti-virus software, Rising anti-virus software, Jiangmin anti-virus software in the target environment. Anti-virus software and other popular anti-virus software processes in China are matched and the conditions for implantation are judged.

A fragment of filter rules on the "Sour Fox Platform" server. The filter focuses on popular anti-virus software in China such as Kaspersky Anti-Virus Software, Rising Anti-Virus Software, and Jiangmin Anti-Virus Software in the target environment.

360 believes that not only China, but also other countries’ important information infrastructures are running a large number of “verifier” Trojan programs, and the number far exceeds that of China.

A report released by the National Computer Virus Emergency Response Center on the 28th showed that what is even more frightening is that the NSA used these weapon platforms to cooperate with other "Five Eyes Alliance" national intelligence agencies to establish a global network intelligence collection system. A large number of covert intelligence collection servers and cover springboard servers have been deployed, and a complete set of intelligence working mechanisms has been established around this intelligence collection system. The largest spy network in human history is maintained on a regular basis, and it continues to expand, becoming the basis for all mankind. common threats.

The experts mentioned above also believe that despite the irrefutable evidence, the United States will continue to carry out cyber espionage and cyber warfare in the future. On June 22 this year, the U.S. House of Representatives Appropriations Committee passed a U.S. defense spending bill of $761 billion for fiscal year 2023, which includes a U.S. Department of Defense cyberspace activity budget of $11.2 billion, an increase of 8% over the previous fiscal year, and will The number of cyber warfare units increased from 137 to 142. The U.S. military is also comprehensively advancing the JADC2 "land, sea, air, space, and network" all-domain command and combat capability improvement plan. Its goal is to have overwhelming military superiority in all space. The United States has also recently introduced a series of bills to increase the scale of its network security budget, strengthen the security defense level of its critical information infrastructure, hold various domestic and international network warfare exercises, and the government, military and civilians jointly carry out network security talent training, and encourage the development of network security. Security research, restricting the output of sensitive network security technologies, etc. The actions of the United States cannot help but make people suspect that it is actively preparing to launch a larger-scale cyber war.