The NSA Accused of Targeting Chinese Research Hub

A new report by Australian researcher Lina Lau links the NSA to a cyberattack on China’s Northwestern Polytechnical University. Allegedly, NSA hackers used U.S. work schedules and American keyboards, exposing their operations.

Australian cyber security researcher, Lina Lau. Source: SANS

NSA Faces Scrutiny Over Alleged Cyberattack on Chinese University

The U.S. National Security Agency (NSA) is at the center of new allegations following a detailed analysis by Australian cyber security researcher Lina Lau. Her report outlines how China traced an alleged NSA cyberattack on Northwestern Polytechnical University, a key institution for aerospace and defense research.

Lau’s findings, based on intelligence from Chinese cyber security firms and government sources, suggest that NSA hackers, operating under the alias “Amanda Ramirez,” followed a strict U.S. work schedule, inadvertently exposing operational details. The attackers reportedly used American English keyboards and mistakenly revealed internal system directories due to scripting errors.

Lina Lau's findings posted on X.

Technical Architecture of the Alleged Attack

The attackers allegedly gained initial access by compromising Solaris-based servers in China’s neighboring countries using SHAVER, an automated exploitation tool targeting x86/SPARC systems with RPC services.

These servers served as proxies, masking the origin of subsequent phishing campaigns against NPU staff.

Forensic analysis revealed that operators from the NSA’s Tailored Access Operations (TAO) unit leveraged SECONDDATE, a network surveillance tool installed on border routers and firewalls, to intercept and redirect internal traffic to the NSA’s FOXACID platform.

Source: Inversecos.

In response, an NSA official did not deny the allegations but emphasized the agency’s role in cyber security defense, stating:

“NSA is unwavering in its commitment to equipping network defenders with timely, actionable guidance to safeguard critical infrastructure against the growing and evolving landscape of cyber threats.”

The report claims NSA operatives systematically extracted classified research, infrastructure data, and sensitive operational documents. The attack allegedly leveraged a hacking platform previously exposed by former NSA contractor Edward Snowden. Lau also noted that China had tracked similar activity dating back years, suggesting a prolonged cyber espionage effort.

Despite growing evidence, the NSA has consistently avoided direct responses regarding its alleged cyber operations. Instead, officials continue to highlight China’s cyber activities, contending that:

“China’s aim is to gain access to our critical networks to sow disruption and chaos.”

The case underscores the ongoing cyber warfare between the U.S. and China, with both nations leveraging digital espionage to gain strategic advantages. As one NSA official reaffirmed:

“It is imperative that we stay committed to providing the most up-to-date guidance and actionable intelligence to those defending our networks.”

The Accusation in Context

The CVERC, China’s equivalent to a national cyber security watchdog, has been vocal about alleged U.S. cyber operations since at least 2022, when the Northwestern Polytechnical University (NPU) incident first came to light. According to their reports, the NSA has been systematically targeting Chinese institutions—universities, government agencies, tech companies, and critical infrastructure—for years.

This bulletin highlights concerns over unauthorized access and data breaches linked to a sophisticated threat actor.

The claim of “tens of thousands” of attacks isn’t just hyperbole; it’s part of a broader narrative China has pushed to depict the U.S. as the aggressor in cyberspace, flipping the script on Washington’s frequent accusations against Chinese hackers such as APT41 or the Ministry of State Security.

The Global Times, a nationalist tabloid run by the Chinese Communist Party’s People’s Daily, has amplified these claims with detailed articles. For instance, in September 2022, it reported that the NSA’s Tailored Access Operations (TAO) unit had conducted over 10,000 cyberattacks against Chinese targets over an unspecified period, later escalating that figure to “tens of thousands” in subsequent coverage. These attacks allegedly aimed to steal sensitive data, disrupt networks, and map out China’s digital infrastructure for future exploitation.
