Cyberattack on Xi'an university traced to NSA in US

Updated: Sept 5, 2022

The National Security Agency of the United States is responsible for the cyberattack on the e-mail system of Northwestern Polytechnical University in Xi'an, Shaanxi province, China's National Computer Virus Emergency Response Center reported on Monday, following the conclusion of the initial investigation.

Furthermore, the investigation has shown that the case is just one of tens of thousands of cyberattacks launched by the NSA's Office of Tailored Access Operation — a cyberwarfare intelligence-gathering unit — on targets in China in recent years. The malicious attacks have resulted in the leak of more than 140GB of high value data, the center said.

On June 22, the university announced that it had found phishing emails in the guise of research reviews, invitations to academic events and opportunities to study abroad that contained Trojan horse programs. which had been sent to teachers and students at the university in an attempt to steal their data and personal information.

The emails tried to trick students and teachers at the university — known for its education and research programs in the fields of aeronautics, astronautics and marine technology engineering — into clicking on links and giving away their sign-in information, which could result in potential data leaks.

During the attack targeting the university's computer network, more than 40 different cyberattack weapons were used to steal core technology data, including key network equipment configurations, network management data, and core operational data. The university said in June that the attack had not led to any key data leaks so far.

By extracting samples of Trojan horse programs from the university's internet terminals with the support of European and South Asian partners, the technical team was able to initially identify that the cyberattack had been conducted by TAO (Code S32) under the Data Reconnaissance Bureau (Code S3) of the Information Department (Code S) of the NSA, it added.

The cyberattack operation was code-named "shotXXXX" by the NSA under the direct command of the head of TAO. At the time of the attack, Robert Joyce, who is the Director of Cybersecurity at NSA, was in charge of TAO, according to the investigation jointed launched by the center and internet security company, 360.

Thirteen people from the US have been found to be directly involved in the attack, and 170 electronic documents and 60 contracts between the NSA and American telecom operators were arranged through a cover company to create an environment for cyberattacks. In addition, 54 jumpers and proxy servers in 17 countries were used in the attack, about 70 percent of which were based in countries near China, including Japan and South Korea, the center said.

It added that the case has exposed the fact that the NSA has been carrying out cyber espionage activities in China for a long period of time. More details about the case will be published in the future.

If you have any problems with this article, please contact us at and we'll immediately get back to you.