China Claims That NSA Allegedly Hacked Northwestern Polytechnical University


Chinese cybersecurity authorities have alleged that the U.S. National Security Agency (NSA) breached Northwestern Polytechnical University (NPU), a leading institution in aerospace and defense research, in a multi-year cyber espionage campaign.

According to joint reports published on February 18, 2025, by China’s National Computer Virus Emergency Response Center (CVERC) and cybersecurity firm Qihoo 360, the NSA’s Tailored Access Operations (TAO) unit—labeled “APT-C-40” by Chinese analysts—deployed over 40 bespoke malware strains to infiltrate NPU’s networks between 2020 and 2022.

The operation reportedly exfiltrated sensitive research data, network infrastructure blueprints, and operational credentials.

Cybersecurity analysts at Inversecos, who reviewed the reports, assessed that this was achieved through a blend of zero-day exploits, compromised edge devices, and browser-hijacking frameworks.

Technical Architecture of the Alleged Attack

The attackers allegedly gained initial access by compromising Solaris-based servers in China’s neighboring countries using SHAVER, an automated exploitation tool targeting x86/SPARC systems with RPC services.

These servers served as proxies, masking the origin of subsequent phishing campaigns against NPU staff.

Forensic analysis revealed that TAO operators leveraged SECONDDATE, a network surveillance tool installed on border routers and firewalls, to intercept and redirect internal traffic to the NSA’s FOXACID platform.

Exploitation Chain (Source – Inversecos)

FOXACID, a browser exploitation framework linked to Snowden-era disclosures, fingerprinted victims’ devices and delivered zero-day payloads when users accessed platforms like Bilibili.

This Man-in-the-Middle (MiTM) technique enabled silent deployment of backdoors such as NOPEN (Linux/Solaris) and FLAME SPRAY (Windows), both equipped with anti-analysis features.

A critical slip occurred when an NSA operator mishandled a Perl script: the interpreter rejected the pattern m/*.log/ because the * quantifier had nothing to repeat, and the resulting error message exposed a Linux directory path:

Quantifier follows nothing in regex; marked by <-- HERE in m/* <-- HERE .log/ at /etc/autoutils line 4569

Qihoo 360 – Diagram (Source – Inversecos)

This error confirmed the use of TAO’s proprietary tool directory structure. Persistent access was maintained through STOIC SURGEON, a stealthy Linux/FreeBSD backdoor, and CUNNING HERETICS, which reestablished communication channels post-cleanup.

Data exfiltration relied on OPERATION BEHIND ENEMY LINES, a toolkit that encrypted stolen files (var/tmp/.2e434fd8aeae73e1/erf/out/f/) before routing them through 54 proxy servers across 17 countries, including Sweden, Japan, and Mexico.

CVERC attributed the attack to TAO through temporal patterns—98% of activity occurred during U.S. workdays (9 AM–4 PM EST) with pauses on federal holidays—and linguistic artifacts like U.S. English keyboard inputs.
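The working-hours reasoning CVERC relied on can be reproduced as a simple analyst check. The script below is an added example, not code from CVERC, Qihoo 360 or Inversecos: it buckets event timestamps into working hours, off hours, weekends and holidays in U.S. Eastern time and reports the working-hours share. The timestamps and the two-entry holiday list are constructed sample data, and the fixed EST offset (UTC-5) is an assumption taken from the report's wording; a production version would use zoneinfo's America/New_York so daylight saving time is handled.

```python
"""Working-hours attribution profile (added example, constructed data)."""
from collections import Counter
from datetime import datetime, date, time, timedelta, timezone

# Fixed EST offset, matching the "EST" wording in the report. Assumption for
# this example only; use zoneinfo.ZoneInfo("America/New_York") in practice.
EST = timezone(timedelta(hours=-5), "EST")
WORK_START = time(9, 0)
WORK_END = time(16, 0)

# Constructed subset of U.S. federal holidays (observed dates) covering the
# sample period. A real analysis loads the full OPM calendar.
SAMPLE_HOLIDAYS = {
    date(2022, 1, 17),   # Martin Luther King Jr. Day
    date(2022, 2, 21),   # Washington's Birthday
}

# Constructed sample: UTC timestamps of hypothetical C2 check-ins. Not real
# telemetry from the reports.
SAMPLE_EVENTS_UTC = [
    "2022-01-10T15:05:00Z",  # Mon 10:05 EST
    "2022-01-10T19:30:00Z",  # Mon 14:30 EST
    "2022-01-11T14:10:00Z",  # Tue 09:10 EST
    "2022-01-12T20:45:00Z",  # Wed 15:45 EST
    "2022-01-13T16:00:00Z",  # Thu 11:00 EST
    "2022-01-14T21:30:00Z",  # Fri 16:30 EST, after the window
    "2022-01-15T16:00:00Z",  # Sat 11:00 EST, weekend
    "2022-01-17T16:00:00Z",  # Mon 11:00 EST, but a holiday
    "2022-01-17T04:00:00Z",  # Sun 23:00 EST (Mon 04:00 UTC), weekend
    "2022-01-18T17:00:00Z",  # Tue 12:00 EST
]


def parse_utc(ts: str) -> datetime:
    """Parse an ISO-8601 'Z' timestamp into an aware UTC datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def classify(ts: str, holidays=SAMPLE_HOLIDAYS) -> str:
    """Return 'workhours', 'offhours', 'weekend' or 'holiday' for one event,
    judged in Eastern local time. Holidays take precedence over weekdays."""
    local = parse_utc(ts).astimezone(EST)
    if local.date() in holidays:
        return "holiday"
    if local.weekday() >= 5:          # 5 = Saturday, 6 = Sunday
        return "weekend"
    if WORK_START <= local.time() < WORK_END:
        return "workhours"
    return "offhours"


def activity_profile(events, holidays=SAMPLE_HOLIDAYS) -> dict:
    """Count events per bucket and compute the fraction inside working hours.
    A high fraction is one supporting signal, never proof, of the operator's
    time zone and work rhythm."""
    counts = Counter(classify(e, holidays) for e in events)
    total = sum(counts.values())
    return {
        "counts": dict(counts),
        "workhours_fraction": counts["workhours"] / total if total else 0.0,
    }


if __name__ == "__main__":
    print(activity_profile(SAMPLE_EVENTS_UTC))
```

On the constructed sample six of ten events fall inside the window, so the profile is far weaker than the 98% CVERC reported; the value of the check is in running it over the full event set and in looking for the holiday gaps, not in any single threshold.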

While independent verification remains pending, the disclosure highlights the escalating tensions in cross-border cyber operations and underscores how exposed network edge systems are to state-sponsored exploitation.

IoCs

Key infrastructure IoCs included the SECONDDATE payload:

  • MD5: 485a83b9175b50df214519d875b2ec93
  • SHA-256: d799ab9b616be179f24dbe8af6ff76ff9e56874f298dab9096854ea228fc0aeb
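One way to act on the hashes above is a file-system sweep. The script below is an added example, not a tool from the reports: it walks a directory tree, computes MD5 and SHA-256 for each regular file in one read pass, and reports files whose digest appears in the indicator set, which defaults to the SECONDDATE hashes published above. The tree it scans in demo_run() is constructed in a temporary folder; since no SECONDDATE sample is on hand, the demo adds the digests of one constructed file to a copy of the indicator set so the matching path is exercised. Against the real indicators the constructed files produce no hits.

```python
"""Hash-based IoC sweep for the SECONDDATE indicators (added example)."""
import hashlib
import os
import tempfile
from pathlib import Path

# Indicators for the SECONDDATE payload, as published in the article above.
SECONDDATE_IOCS = {
    "md5": {"485a83b9175b50df214519d875b2ec93"},
    "sha256": {"d799ab9b616be179f24dbe8af6ff76ff9e56874f298dab9096854ea228fc0aeb"},
}

CHUNK = 1 << 20  # 1 MiB reads, so large binaries are not loaded whole


def digests(path: Path) -> dict:
    """Compute MD5 and SHA-256 of one file in a single pass over its bytes."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def scan_tree(root, indicators=SECONDDATE_IOCS) -> list:
    """Walk `root` and return (path, algorithm, digest) for every regular file
    whose digest is in `indicators`. Symlinks are skipped and not followed so
    a planted link cannot steer the sweep outside the tree."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            path = Path(dirpath) / name
            if path.is_symlink() or not path.is_file():
                continue
            try:
                d = digests(path)
            except OSError:
                continue  # unreadable file: skip it rather than abort the sweep
            for algo in ("md5", "sha256"):
                if d[algo] in indicators.get(algo, ()):
                    hits.append((str(path), algo, d[algo]))
    return hits


def build_demo_tree() -> str:
    """Create a constructed sample tree (plain text, not malware) in a temp
    directory and return its path."""
    root = tempfile.mkdtemp(prefix="ioc_demo_")
    (Path(root) / "var").mkdir()
    (Path(root) / "var" / "notes.txt").write_bytes(b"constructed benign file\n")
    (Path(root) / "var" / "suspect.bin").write_bytes(b"constructed sample payload\n")
    return root


def demo_run() -> list:
    """Sweep the constructed tree with the published indicators plus the
    digests of one constructed file, so the match path is demonstrated."""
    root = build_demo_tree()
    planted = digests(Path(root) / "var" / "suspect.bin")
    indicators = {
        "md5": SECONDDATE_IOCS["md5"] | {planted["md5"]},
        "sha256": SECONDDATE_IOCS["sha256"] | {planted["sha256"]},
    }
    return scan_tree(root, indicators)


if __name__ == "__main__":
    for path, algo, digest in demo_run():
        print(f"HIT {algo}: {digest}  {path}")
```

Hashing both algorithms in one pass matters on hosts with large archives or VM images; a second walk per algorithm doubles the I/O. A match on either digest is reported because published indicator lists are often incomplete, and MD5 alone is weak enough that an attacker can produce colliding benign files, so the SHA-256 hit is the one to treat as confirmation.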



