According to the WeChat official account "China Internet Security Association", on April 28 China's National Computer Emergency Response Team (CNCERT) reported that it had discovered and handled a network attack by US intelligence agencies against a large Chinese provider of commercial cryptographic products. The report discloses the details of this attack so that countries and organizations worldwide can more effectively detect and prevent US cyber attacks.

I. Network Attack Process

(1) Exploiting a Vulnerability in the Customer Relationship Management System for Initial Access

The company used a customer relationship management (CRM) system mainly to store customer relationship and contract information. The attackers exploited an undisclosed vulnerability in this system to gain access and achieve arbitrary file upload. After the intrusion succeeded, the attackers deleted some log records to cover their tracks.

(2) Attacking Two Systems and Planting Special Trojans

On March 5, 2024, the attackers planted a special Trojan program in the CRM system at the path /crm/WxxxxApp/xxxxxx/xxx.php. Through this Trojan the attackers could execute arbitrary attack commands. To evade detection, the Trojan's communication data was fully encrypted, with additional processing such as encoding of characteristic strings, encryption and compression. On May 20, 2024, the attackers moved laterally and began attacking the company's product and project code management system.

II. Theft of a Large Amount of Commercial Secrets

(1) Theft of Customer and Contract Information

From March to September 2024, the attackers used 14 overseas jump server IPs to connect to the special Trojan and steal data from the CRM system, taking a total of 950 MB. The CRM system had over 600 users and stored more than 8,000 customer profiles and over 10,000 contract orders. Contract customers included several important units such as relevant Chinese government departments. The attackers could view details such as contract names, procurement content and amounts.

(2) Theft of Project Information

From May to July 2024, the attackers used 3 overseas jump server IPs to attack the company's code management system, stealing a total of 6.2 GB of data. The code management system had 44 users and stored important information such as the code of 3 cryptographic development projects.

III. Characteristics of the Attack Behavior

(1) Attack Weapons

Reverse analysis of the xxx.php special Trojan found that it clearly shares a common origin with attack weapons previously used by US intelligence agencies.

(2) Attack Timing

Analysis shows that the attack activity was concentrated between 22:00 Beijing time and 08:00 the next day, corresponding to 10:00 to 20:00 US Eastern time. Activity fell mainly on US weekdays, Monday to Friday, with no attack activity during major US holidays.

(3) Attack Resources

The 17 attack IPs used by the attackers were never reused, and the attackers could switch attack IPs within seconds. These IPs were located in the Netherlands, Germany, South Korea and elsewhere, reflecting strong anti-tracing awareness and ample attack resources.

(4) Attack Methods

First, the attackers were adept at using open-source or general-purpose tools as cover to avoid tracing; for example, two common web Trojans (web shells) that the attackers had temporarily implanted were found in the CRM system. Second, the attackers were skilled at concealing their activity by deleting logs and Trojan programs.

IV. Partial List of Jump Server IPs

Original article: https://www.toutiao.com/article/7498231174792348187/
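The timing and source-IP characteristics described in section III (activity in the 10:00 to 20:00 US Eastern window, on US weekdays, with no attack IP reused) can be turned into a simple check over web-server access logs for the web shell path. The following is an added example, not code from the CNCERT report; it assumes Apache-style log lines with Beijing-time timestamps, a fixed UTC-4 offset for US Eastern during the attack period, and a 0.8 ratio as the threshold for "mainly concentrated".

```python
"""Timing profile of hits on a suspected web shell path (added example, not from the report)."""
import re
from datetime import datetime, timedelta, timezone

# Assumption: US Eastern was on daylight time (UTC-4) from March 10 to November 3,
# 2024, i.e. 12 hours behind Beijing (UTC+8), matching the report's 22:00-08:00 vs 10:00-20:00.
US_EASTERN = timezone(timedelta(hours=-4))
WEBSHELL_PATH = "/crm/WxxxxApp/xxxxxx/xxx.php"  # path exactly as printed in the report

# Common/combined access-log prefix: ip ident user [timestamp] "METHOD path ..."
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)')

# Constructed sample (not real data): Beijing-time timestamps plus one benign request.
SAMPLE_LOG = [
    '203.0.113.10 - - [03/Jun/2024:23:15:02 +0800] "POST /crm/WxxxxApp/xxxxxx/xxx.php HTTP/1.1" 200 512',
    '198.51.100.7 - - [04/Jun/2024:02:40:11 +0800] "POST /crm/WxxxxApp/xxxxxx/xxx.php HTTP/1.1" 200 734',
    '192.0.2.55 - - [05/Jun/2024:07:58:45 +0800] "POST /crm/WxxxxApp/xxxxxx/xxx.php HTTP/1.1" 200 640',
    '203.0.113.99 - - [06/Jun/2024:14:00:00 +0800] "POST /crm/WxxxxApp/xxxxxx/xxx.php HTTP/1.1" 200 128',
    '198.51.100.200 - - [08/Jun/2024:23:30:00 +0800] "POST /crm/WxxxxApp/xxxxxx/xxx.php HTTP/1.1" 200 256',
    '10.20.30.40 - - [04/Jun/2024:10:05:00 +0800] "GET /crm/index.php HTTP/1.1" 200 4096',
]

def parse_line(line):
    """Return (ip, aware datetime, path), or None if the line is not in the expected format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("path")

def profile_hits(lines, path=WEBSHELL_PATH, start_hour=10, end_hour=20):
    """Count hits on `path`, those inside the US Eastern working window, those on Mon-Fri, and distinct IPs."""
    hits = [p for p in map(parse_line, lines) if p and p[2] == path]
    eastern = [ts.astimezone(US_EASTERN) for _, ts, _ in hits]
    return {
        "hits": len(hits),
        "unique_ips": len({ip for ip, _, _ in hits}),
        "in_window": sum(start_hour <= t.hour < end_hour for t in eastern),
        "on_weekdays": sum(t.weekday() < 5 for t in eastern),
    }

def matches_report_pattern(profile, ratio=0.8):
    """Heuristic (ratio is an assumption): most hits in-window and on weekdays, no IP reused."""
    n = profile["hits"]
    if n == 0:
        return False
    return (profile["in_window"] / n >= ratio and profile["on_weekdays"] / n >= ratio
            and profile["unique_ips"] == n)
```

On the constructed sample, four of the five web shell hits fall in the window and four fall on weekdays, each from a different IP, so the pattern check passes; a holiday calendar can be added to the weekday test if one is available.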