Cyber Incident Victim: Northwestern Polytechnical University

Date:

Sep 2022

Location:

China

Summary

Chinese authorities accused the U.S. National Security Agency of conducting a cyberattack against Northwestern Polytechnical University, a military-affiliated research institution, alleging theft of sensitive information and endangering critical infrastructure security. The accusation stemmed from a joint report by China's National Computer Virus Emergency Response Center and cybersecurity firm 360, which referenced historical NSA-linked malware and named specific personnel allegedly involved. China's Foreign Affairs Ministry formally protested to the U.S. Embassy, framing the incident within broader diplomatic tensions over cyber espionage allegations between the two nations. While some security researchers questioned the technical credibility of China's report, the incident reflected ongoing reciprocal accusations regarding state-sponsored hacking activities targeting institutions with military and technological significance.

Motives: 1 motive
Tactics, Techniques & Procedures: 1 technique
Threat Actors: 2 actors

Description

In September 2022, Chinese authorities accused the U.S. National Security Agency (NSA) of conducting a cyberattack against Northwestern Polytechnical University, a Chinese military-affiliated institution heavily involved in defense research. The allegations were detailed in a joint report published by China’s National Computer Virus Emergency Response Center (CVERC) and cybersecurity firm 360, which claimed the NSA stole sensitive technical secrets and personal information. The report specifically attributed the intrusion to tools linked to the NSA’s Tailored Access Operations unit, referencing malware associated with the 2016 Shadow Brokers leaks. It identified Rob Joyce, the NSA’s cybersecurity director, and alleged the use of front companies and fictional identities to register malicious domains and SSL certificates. China’s Ministry of Foreign Affairs (MFA) publicly condemned the operation on September 11, 2022, with Director-General Yang Tao stating the attack "seriously violated" Chinese institutional secrets and endangered critical infrastructure security. Yang lodged formal diplomatic protests ("solemn representations") with the U.S. Embassy in Beijing, demanding immediate cessation of the activities.

The incident escalated ongoing tensions between China and Western nations regarding state-sponsored cyber operations. Chinese officials framed the attack as part of a broader pattern of U.S. cyber aggression, with MFA cyber affairs coordinator Wang Lei criticizing American "cybersecurity cooperation" initiatives near China’s borders as threats to national security. Independent cybersecurity researchers, including Juan Andres Guerrero-Saade of SentinelOne, questioned the technical depth of CVERC/360’s analysis, noting it recycled publicly known malware artifacts rather than revealing novel threats. The allegations emerged against a backdrop of reciprocal accusations: Western governments had repeatedly criticized China for cyber espionage targeting commercial entities, including the 2021 Microsoft Exchange attacks that drew coordinated international condemnation. China’s public attribution mirrored its private diplomatic counterarguments at international summits, where it deflected criticism by positioning the U.S. as the primary global cyber threat. No technical evidence of data exfiltration or specific operational disruptions at the university was disclosed in public reporting. The U.S. State Department did not issue an immediate response to the allegations.
