How the NSA (Equation Group) allegedly hacked into China's Polytechnical University 👀

I analysed intelligence reports from Chinese cyber firms (360, Pangu, CVERC) to aggregate TTPs attributed to Equation Group.

🔗inversecos.com/2025/02/an-ins…

2\ In a joint report, Qihoo 360 and CVERC accused the NSA’s TAO unit of breaching China's Northwestern Polytechnical University in 2022 (a key institution in aerospace and defense research).

Chinese firms track NSA TAO unit as APT-C-40. Their reports allege APT-C-40 deployed over 40 malware strains to conduct cyber espionage and steal sensitive information.

3\ How did China attribute this attack to the NSA (APT-C-40) ?

- Over 40 unique tools were forensically uncovered with several sharing similarities to tools mentioned in Shadow Brokers leak

- Attack timestamps aligned with US working hours (9 AM–4 PM EST)

- No activity on US holidays OR weekends (Memorial Day, Independence Day, Christmas)

- English OS used with American keyboard settings

- A human error exposed NSA’s attack directory when the operator made a mistake running a tool

1\ My thoughts on the Chinese APT contractor leak 🇨🇳

Specifically, I want to talk about the leaked
- iOS Spyware
- Physical implantable devices
- Email surveillance system

Let's consider detection and how these would be installed.

https://twitter.com/AzakaSekai_/status/1759326049262019025

2\ The iOS spyware requires no jailbreak.

This should not "scare" you at all.

The capabilities of the leaked Chinese APT contractor "iOS Spyware" are accessing:

- basic mobile phone data
- GPS location
- Contacts
- Photos / multimedia files
- Recording sounds

If this sounds familiar, it should. These are settings accessible...Accessible ANY application requesting these permissions on a phone :)

This means, the delivery for the "spyware" would likely (my guess) be in the form of an application that the user installs on their device and must approve these permissions. If you've ever done mobile forensics, this is almost one of the first things you would check.

3\ The implantable devices are very similar in concept to the Hak5 devices.

This is not a new attack vector and NOT novel.

However, this should serve as a push for businesses to consider their threat models and playbooks for this kind of event.

Specifically the vendor's devices are disguised as:
- A power strip
- A power adapter

The way they work (as per the document) is:
1. Cracks WiFi password, sets up socks proxy
3. Cracks routing device
4. Self destruction to clear all system data

From an ops standpoint this targets a weak point of most businesses as most orgs do not have the best logging set up for their peripheral devices. It's why a lot nation states target edge devices for initial access (EDR blindspot / logging blindspot and difficulty of analysis for blue teamers).

However, once they pivot onto a vulnerable device or onto the network... the work of the detection team stays the same, it may just be difficult (in the absence of logs) to piece together what occurred.

1\ #DFIR: Chrome Forensics - How to Recover CLEARED History

If a user just cleared their browser history, you can still recover everything they were just looking at from the session files:

%appdata%\Local\Google\Chrome\User Data\Default\Sessions

inversecos.com/2022/10/recove…

2\ In some instances (more on this) the session and tab files inside that folder show the webkit/chrome date for when the session was exited.

This allowed me to put together a full timeline of what this naughty boy was doing *BONK*

3\ Historically, evidence of cleared history was in the Favicons file, but this is INCONSISTENT. Specifically under the table named "icon_mapping".

%appdata%\Local\Google\Chrome\User Data\Default\Favicons

1\ #DFIR: How to investigate insider threats

Sharing the forensic methodology I follow when I'm investigating insiders 😍

This is where an employee sells creds/changes configs/runs malware leading to full DA compromise and then say they didn't do it O_o

inversecos.com/2022/10/how-to…

2\ The questions that I use to guide the analysis and prioritisation of analysis are:

1. How was the device accessed around the suspected behaviour?

2. Where was the user/device when this occurred?

3. Was the insider active on their system?

4. What did the user do?

3\ To answer the first question, I look at SRUM, specifically the App Timeline Provider details.

I pull:
> Execution time of the malicious thingz
> Duration of execution
> User SID

Then, I cross correlate that user info with their corresponding ActivitiesCache.db. #DFIRISS3XY

1\ #ThreatHunting: Detecting OAuth Token Theft in Azure / M365

This technique is STILL being abused by Chinese APT groups. This blog covers several methods of detecting this technique😈.

It's also a good reminder to always perform browser forensics ;)

inversecos.com/2022/08/how-to…

2\ METHOD 1: Look for the OAuth redirect consent link in browser history and/or proxy logs.

Take note of the following fields:
- client_id (malicious app id)
- redirect_uri (malicious domain)
- scope (API permissions requested)

3\ Review permissions requested in the scope field (I'll show you where else to find these permissions in the logs).

Take note of these:
- User.Read
- User.ReadWrite
- User.ReadWrite.All
- Mail.ReadWrite
- Calendars.ReadWrite
- Files.ReadWrite
- User.Export.All

1\ #DFIR: How to detect Linux Timestomping

Analyse the entries in these two files:
> filesystem.db
> filesystem.db-wal

Most writeups focus on detecting the use of "touch". But you can timestomp without using "touch". 😈

Check out my blog below 👇
inversecos.com/2022/08/detect…

2\ The file "filesystem.db" (enabled by default) tracks:
> fileCreated time
> fileLastAccessed time

Look for discrepancies in the fileCreated time in this DB file vs the times that "stat" show on a file.

There's also a correlating WAL that contains uncommitted data :3

3\ As you can see, this has caught an instance of timestomping where you can observe the creation time is after the access time.

You can query the db using this command:
sqlite3 *filesystem.db .dump | grep <filename>