NSA TAO Cyber Attack on Northwestern Polytechnical University: Investigation and Technical Analysis
An in‑depth investigation by China’s national computer emergency response center and 360 Company uncovered a sophisticated cyber‑attack on Northwestern Polytechnical University orchestrated by the U.S. NSA’s Tailored Access Operations unit, detailing the attack infrastructure, weaponised tools, data theft and broader implications for Chinese critical sectors.
In April 2023, Northwestern Polytechnical University’s information systems detected a network intrusion, later identified by the China National Computer Virus Emergency Response Center and 360 Company as a foreign cyber‑attack orchestrated by the U.S. National Security Agency’s Tailored Access Operations (TAO) unit.
The investigation revealed that TAO had conducted thousands of malicious attacks on Chinese networks, compromising devices such as servers, routers and firewalls, and stealing over 140 GB of high‑value data.
Technical analysis showed TAO used a layered infrastructure of 49 jump‑boxes and 5 proxy servers, primarily located in non‑Five‑Eyes countries (e.g., Japan, South Korea), to mask the true source IPs and route commands to target systems.
Four categories of weaponised tools were identified: (1) vulnerability‑exploitation weapons used to breach boundary devices and internal hosts; (2) persistent‑control tools enabling covert, long‑term access; (3) sniffing‑exfiltration utilities that captured credentials and operational data; and (4) stealth‑covering mechanisms that erased traces of the intrusion.
Among the tools were two SunOS zero‑day exploits named EXTREMEPARR and EBBISLAND, a backdoor called NOPEN, and multiple variants of a tool dubbed “狡诈异端犯” (“Cunning Heretics”).
The NSA also employed anonymising services from a U.S. domain registration company, using domains and certificates without clear attribution, and leveraged cooperation from major U.S. internet providers to gain control over Chinese communication equipment, facilitating sustained espionage.
While Northwestern Polytechnical University’s strong ties to aerospace, defense and shipbuilding made it a high‑value target, the report stresses that many Chinese enterprises, government agencies, universities and research institutes face similar state‑sponsored cyber‑threats.
Overall, the disclosure breaks the long‑standing one‑way transparency advantage the United States held over China in cyber‑espionage, and the report urges heightened vigilance for national defense, critical infrastructure, financial, societal and personal data security.