Recently, a hot topic in the news is the accusation by China's National Security Agency that the United States breached China's National Time Service Center. I have read several news articles that generally introduce this event, but none mention the detailed process. Later, I found a detailed analysis in an official tweet by the National Computer Network Emergency Response Technical Team/Coordination Center (CNCERT), titled "Technical Analysis Report on the Cyber Attack by the U.S. National Security Agency on the National Time Service Center". The content is very professional and provides detailed data, so experts can refer to this article.
I skimmed through it and found that although the introduction is detailed, the initial step of obtaining login credentials for the computer terminals is only briefly mentioned. How did the NSA obtain the login permissions for the computers at the Time Service Center? How was the first breach in the security defense opened?
Triangulation
According to the disclosure by CNCERT, the initial breach occurred between March 24, 2022, and April 11, 2023, when the NSA attacked and stole secrets from more than 10 devices at the Time Service Center through "Triangulation". In September 2022, the attacker obtained the login credentials for an office computer through a foreign-brand mobile phone used by a network administrator at the Time Service Center, and used these credentials to gain remote control of the office computer.
No further information was provided, so I searched for this Triangulation. This is not the triangulation in surveying, but rather a term first disclosed by the renowned Russian security firm Kaspersky. The original article is "Operation Triangulation: The last (hardware) mystery". The core attack chain is shown in the figure below:

Still not clear? That's okay. In simpler terms, this is a security vulnerability on Apple devices (it's unclear why CNCERT's description was vague), which exploits the built-in iMessage service and four 0-day vulnerabilities in the iOS system to achieve a "zero-click" attack on Apple devices.
A "zero-click" attack is one that completes the implantation on the target mobile device without requiring any interaction from the mobile user at any point in the process.
Since official sources have not disclosed more information, we can only speculate roughly about the attack path:
- Employees of the National Time Service Center used Apple-related devices (in 2022).
- The attacker first sent an iMessage containing a hidden malicious attachment to the target iOS device via the iMessage server.
- Upon receiving the message, the device automatically triggered the four vulnerabilities in the iOS system, completing the subsequent implantation of malicious programs.
- The compromised Apple device received the login password for the office computer at the National Time Service Center (this step is currently speculative, as no official information has been disclosed).
- The leaked information was obtained by the pre-implanted malicious program and automatically transmitted to the NSA.
Subsequent Attack Process
The subsequent process has been disclosed in analysis articles by CNCERT and many experts. Here, we quote the plain explanation from "A Carefully Planned Attack: The U.S. National Security Agency's Breach of China's National Time Service Center".
In August 2023, the first "seed" was officially planted—a Trojan named Back_Eleven was implanted into the system.
In 2024, three advanced Trojans were implanted:
- eHome_0cx: responsible for persistent residency and heartbeat communication, acting as an "outpost".
- Back_Eleven: this is an upgraded version, responsible for building encrypted tunnels, serving as the "transport aircraft" of the entire attack chain.
- New_Dsz_Implant: a modular spy framework, truly responsible for data theft and infiltration.
In May 2024, using Back_Eleven, the attacker used the network administrator's computer as a springboard to attack the internet authentication server and firewall. Large-scale attacks began in June and July.
It can be seen that the entire process was highly covert, lasting for several years, and the attack behavior was professional and systematic.
The Peculiar Bounty
One interesting aspect here is that Apple has a security bounty program: if you discover a system vulnerability, ordinary payments are $2 million, and special vulnerabilities can reach $5 million. Based on my search, for the Triangulation described in this article, the four vulnerabilities would be worth over a hundred million dollars. Although Apple issued a hotfix immediately, they did not follow the usual practice of paying the bounty. More ironically, Kaspersky was later banned across the United States...
Summary
The description of how Triangulation obtained the login credentials for the computer in this article is speculative and has not been officially disclosed; it is only based on the attack method of the Triangulation vulnerability. Additionally, the information on how the malicious iMessage attachment activates the hidden 0-day vulnerabilities in iOS is quite professional and beyond my understanding. Those interested can refer to the original official article. One point worth pondering is that when Kaspersky disclosed the Triangulation attack, it implied that the Apple vulnerability was an intentionally left backdoor rather than a bug. The truth remains unknown. However, it was around this time that employees in slightly confidential units in China started switching their mobile phones...