NSA‑Backed Attack on China’s Time‑keeping Center: Weapons, Tactics, Findings

The Chinese National Time Service Center revealed a sophisticated cyber‑attack attributed to the U.S. NSA, detailing the deployment of multiple custom malware families—including Back_eleven, eHome_0cx, and New_Dsz_Implant—used for data theft, persistent footholds, encrypted tunneling, lateral movement, and command‑and‑control via numerous IP addresses.

Efficient Ops

Attack Overview

On October 19, the Chinese National Time Service Center disclosed a major cyber‑attack attributed to the United States National Security Agency (NSA). The National Computer Network Emergency Response Technical Team/Coordination Center (CNCERT) traced the incident and published technical details.

Attack Process

From August 3, 2023 to March 24, 2024, the attackers implanted an early version of the "Back_eleven" malware on network administrators' computers, stealing data and wiping its traces from memory after each operation. Before each launch the operators had to remotely disable the host's antivirus, which is itself an auditable event on the victim.

From March to April 2024, the attackers upgraded the weapon suite, deploying "eHome_0cx", "Back_eleven", "New_Dsz_Implant" and more than 20 functional modules together with over ten configuration files.

From May to June 2024, the attackers used "Back_eleven" as a pivot for lateral movement, compromising the internet authentication server and the firewall. CNCERT also recorded the activation of "eHome_0cx" and fresh deployments of "Back_eleven" and "New_Dsz_Implant" on June 13 and July 13, 2024.

Weapon Library Analysis

The campaign employed a total of 42 weapons, modules, and malicious files, which can be grouped into three functional categories: sentinel‑control weapons, tunnel‑building weapons, and data‑exfiltration weapons.

Sentinel‑Control Weapons

The primary weapon, named "eHome_0cx", consists of four modules that hijack legitimate system services through DLL injection, persist across reboots, and hinder memory forensics by erasing the PE headers of its modules in memory once they are loaded.
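A malfind-style triage pass for the header-wiping trick described above, added here as an example and not taken from the CNCERT report or the original post. A real collector would walk the target with VirtualQueryEx/ReadProcessMemory or run Volatility's malfind over a memory image; here the region snapshots and the module bytes are constructed inline (the fake image is not a loadable PE), and the classifier is the part worth reading.

```python
"""
Added example (not code from the CNCERT report or the original post):
classify memory regions the way malfind does, and catch the case where an
injected module has zeroed its own DOS/PE header after loading.
Region snapshots and the module bytes below are constructed for the demo.
"""
import struct
from dataclasses import dataclass
from typing import List, Tuple

# Windows protection / region-type constants (winnt.h values).
PAGE_READWRITE = 0x04
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
EXEC_MASK = 0xF0            # any PAGE_EXECUTE* flag
MEM_PRIVATE = 0x20000
MEM_IMAGE = 0x1000000

DOS_MSG = b"This program cannot be run in DOS mode."
# Strings that survive a header wipe because they live past the first page.
CODE_MARKERS = (b"KERNEL32.dll", b"kernel32.dll", b"ntdll.dll",
                b"ADVAPI32.dll", b".text\0", b".rdata\0")


@dataclass
class Region:
    base: int        # allocation base
    protect: int     # PAGE_* protection
    kind: int        # MEM_IMAGE (file-backed module) or MEM_PRIVATE
    data: bytes      # bytes read from the allocation base


def looks_like_pe(data: bytes) -> bool:
    """True if the bytes start with a DOS header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return 0x40 <= e_lfanew <= len(data) - 4 and data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def has_code_indicators(data: bytes) -> bool:
    return any(marker in data for marker in CODE_MARKERS)


def classify(region: Region) -> str:
    """Verdict for one region: ok, unbacked-pe, header-wiped or unbacked-exec."""
    if region.kind == MEM_IMAGE:
        # A mapped module keeps its DOS/PE header at the base; if the first
        # page no longer parses, something overwrote it after loading.
        return "ok" if looks_like_pe(region.data) else "header-wiped"
    if not region.protect & EXEC_MASK:
        return "ok"                    # private heap/stack: not executable
    if looks_like_pe(region.data):
        return "unbacked-pe"           # manually mapped / reflectively loaded DLL
    if has_code_indicators(region.data):
        return "header-wiped"          # executable, no MZ/PE, module strings survive
    return "unbacked-exec"             # shellcode or packed stage: inspect


def scan(regions: List[Region]) -> List[Tuple[int, str]]:
    hits = []
    for r in regions:
        verdict = classify(r)
        if verdict != "ok":
            hits.append((r.base, verdict))
    return hits


def build_fake_image(size: int = 0x2000) -> bytes:
    """Constructed stand-in for a loaded 64-bit module: DOS header, PE signature,
    a section-table name and an import string. Not a loadable PE."""
    buf = bytearray(size)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)          # e_lfanew
    buf[0x40:0x40 + len(DOS_MSG)] = DOS_MSG
    buf[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HH", buf, 0x84, 0x8664, 2)    # Machine=AMD64, NumberOfSections
    buf[0x188:0x190] = b".text\0\0\0"                # section table follows the PE64 optional header
    buf[0x1000:0x100C] = b"KERNEL32.dll"             # import-name string past the first page
    return bytes(buf)


def wipe_header(image: bytes) -> bytes:
    """Zero the first page, as an implant does once it has resolved its own imports."""
    return b"\0" * 0x1000 + image[0x1000:]


def demo() -> List[Tuple[int, str]]:
    image = build_fake_image()
    regions = [
        Region(0x7FF800000000, PAGE_EXECUTE_READ, MEM_IMAGE, image),               # legit module
        Region(0x2A0000, PAGE_READWRITE, MEM_PRIVATE, b"\0" * 0x1000),             # ordinary heap
        Region(0x2B0000, PAGE_EXECUTE_READWRITE, MEM_PRIVATE, image),              # injected, header intact
        Region(0x2C0000, PAGE_EXECUTE_READ, MEM_PRIVATE, wipe_header(image)),      # injected, header wiped
        Region(0x7FF810000000, PAGE_EXECUTE_READ, MEM_IMAGE, wipe_header(image)),  # loaded DLL, header wiped
    ]
    return scan(regions)


if __name__ == "__main__":
    for base, verdict in demo():
        print(f"{base:#018x} {verdict}")
```

The third verdict matters most for this campaign: a DLL that was loaded through a legitimate service (so the region is image-backed) and then wiped its own header will not show up as an unbacked executable region, so the check has to look at image-backed bases as well as private ones. String markers are a heuristic; an implant that also encrypts its import names, as New_Dsz_Implant is reported to do, falls through to the "unbacked-exec" bucket, which still deserves a look.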

Tunnel‑Building Weapons

"Back_eleven" establishes encrypted communication tunnels; during the initial connection it sends the numeric identifier "11" to the command-and-control server.

Data‑Exfiltration Weapons

"New_Dsz_Implant" is a framework that loads plugins to carry out data theft. It shares a high degree of code similarity with the NSA post-exploitation framework "DanderSpritz" and, in this incident, loaded 25 functional modules.

Technical Details

"New_Dsz_Implant" encrypts some function names and strings, disguises its modules under legitimate system file names, sets their PE compilation timestamps back to 2016-2018 (timestomping), and simulates user actions such as clicks and logins to evade antivirus detection.

"eHome_0cx" modifies the InprocServer32 value of a CLSID under HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID, so that its DLL is loaded whenever the hijacked COM object is instantiated (COM hijacking for auto-start). The same persistence technique appears in tools attributed to the NSA's "Equation Group".
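A practical check for this persistence mechanism, added here as an example and not taken from the report: audit every InprocServer32 server in a `reg export` of the CLSID hive and flag the ones that point outside trusted directories. The .reg text below is constructed, its CLSIDs and DLL paths are made up, and the trusted-directory allowlist is an assumption to tune per environment.

```python
"""
Added example (not from the CNCERT report or the original post): flag COM
InprocServer32 entries that point outside trusted directories, working from
the text of `reg export HKLM\SOFTWARE\Classes\CLSID` so it runs offline.
The sample .reg text, its CLSIDs and DLL paths are constructed.
"""
import re
from typing import Dict, List, Tuple

# Assumed allowlist; add vendor directories that legitimately register COM servers.
TRUSTED_PREFIXES = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)
WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
ENV = {"%systemroot%": "C:\\Windows", "%windir%": "C:\\Windows", "%programfiles%": "C:\\Program Files"}
INPROC_RE = re.compile(r"\\CLSID\\(\{[0-9A-F-]{36}\})\\InprocServer32$", re.IGNORECASE)


def _decode_hex2(payload: str) -> str:
    """hex(2): is REG_EXPAND_SZ exported as comma-separated UTF-16LE bytes."""
    raw = bytes(int(tok, 16) for tok in payload.split(",") if tok.strip())
    return raw.decode("utf-16-le").rstrip("\0")


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse .reg text into {key_path: {value_name: string_data}}; non-string values are skipped."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    joined = re.sub(r"\\\r?\n\s*", "", text)   # a trailing backslash continues a hex value
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        name, data = line.split("=", 1)
        name = "(Default)" if name == "@" else name.strip('"')
        if data.startswith('"') and data.endswith('"'):
            keys[current][name] = re.sub(r'\\(["\\])', r"\1", data[1:-1])   # unescape \\ and \"
        elif data.lower().startswith("hex(2):"):
            keys[current][name] = _decode_hex2(data[7:])
    return keys


def expand_env(path: str) -> str:
    for var, val in ENV.items():
        path = re.sub(re.escape(var), lambda m: val, path, flags=re.IGNORECASE)
    return path


def audit_inprocserver32(reg_text: str) -> List[Tuple[str, str, str]]:
    """Return (clsid, dll_path, reason) for every InprocServer32 server outside the allowlist."""
    findings = []
    for key, values in parse_reg_export(reg_text).items():
        m = INPROC_RE.search(key)
        if not m or "(Default)" not in values:
            continue
        dll = expand_env(values["(Default)"]).strip().strip('"')
        low = dll.lower()
        if low.startswith(TRUSTED_PREFIXES):
            continue
        if "\\" not in low:
            reason = "bare filename, resolved through the DLL search order"
        elif low.startswith(WRITABLE_PREFIXES):
            reason = "user-writable location"
        else:
            reason = "outside trusted directories"
        findings.append((m.group(1).upper(), dll, reason))
    return findings


# Constructed export: one clean entry, one REG_EXPAND_SZ entry, two suspicious ones.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000000-1111-2222-3333-444444444444}\InprocServer32]
@="C:\\Windows\\System32\\ole32.dll"
"ThreadingModel"="Both"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{12345678-ABCD-4321-9876-0123456789AB}\InprocServer32]
@="C:\\ProgramData\\Intel\\ehome32.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{87654321-DCBA-1234-6789-BA9876543210}\InprocServer32]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,\
  5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,77,00,69,00,6e,00,\
  69,00,6e,00,65,00,74,00,2e,00,64,00,6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ABCDEF01-2345-6789-ABCD-EF0123456789}\InprocServer32]
@="ehome.dll"
'''

if __name__ == "__main__":
    for clsid, dll, reason in audit_inprocserver32(SAMPLE_REG):
        print(clsid, dll, reason)
```

Export the hive on the host with `reg export HKLM\SOFTWARE\Classes\CLSID clsid.reg` and feed the file in; run the same audit over HKCU\Software\Classes\CLSID, which takes precedence over HKLM for the current user, and over the Wow6432Node copy. A server path inside a trusted directory is not automatically clean, since the report says the modules were disguised under legitimate system names, so pair this with Authenticode and hash checks on the DLLs themselves.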

All three weapons use the same two-layer transport encryption: an outer TLS session and, inside it, an RSA-AES layer in which RSA wraps the session key and AES encrypts the payload. CNCERT describes the result as four-layer nested encryption on the wire, an upgrade over the RSA-RC6 scheme used by the earlier NSA tool "NOPEN". The practical consequence for defenders is that TLS interception alone does not expose the implant traffic.

Command‑and‑Control Server IP Addresses

The command-and-control servers used by the attackers from August 2023 to May 2024 were published as images in the original post and are not reproduced here.

Tags: Information Security, malware analysis, network intrusion, NSA, Cyber Espionage

Written by Efficient Ops

This public account is maintained by Xiaotianguo and friends, regularly publishing widely read original technical articles. We focus on operations transformation and accompany you throughout your operations career, growing together happily.
