Around the time the FBI was investigating equipment recovered from the Chinese spy balloon shot down off the coast of South Carolina in February, U.S. intelligence agencies and Microsoft uncovered what they believe was a more concerning intruder: mysterious computer code appearing in telecommunications systems in Guam and elsewhere in the United States.
The code, which Microsoft says was installed by a Chinese government hacking group, raised alarm because Guam, with its Pacific ports and sprawling U.S. airbase, would be an important part of any U.S. military response to an invasion or blockade of Taiwan. The operation was conducted with great stealth, sometimes through home routers and other common consumer devices connected to the Internet to make the intrusion more difficult to track.
The code is called a “web shell,” in this case a malicious script that allows remote access to a server. Home routers are particularly vulnerable, especially older models that lack updated software and protections.
Unlike the balloon that captivated Americans as it pirouetted over sensitive nuclear sites, the computer code could not be shot down on live television. So instead, on Wednesday, Microsoft released details of the code that would allow business users, manufacturers and others to detect and remove it. In a coordinated release, the National Security Agency — along with other domestic agencies and counterparts in Australia, Britain, New Zealand and Canada — published a 24-page advisory that referenced Microsoft’s finding and offered broader warnings about a “recently discovered cluster of activity” from China.
Microsoft dubbed the hacking group “Volt Typhoon” and said it was part of a state-sponsored Chinese effort targeting not only critical infrastructure such as communications, electricity and gas supplies, but also maritime operations and transportation. The break-ins appeared to be an espionage campaign for the time being. But the Chinese could use the code designed to breach firewalls to enable destructive attacks if they wanted to.
So far, Microsoft says, there is no evidence that the Chinese group has used the access for offensive attacks. Unlike Russian groups, China’s intelligence services and military hackers usually prioritize espionage.
In interviews, government officials said they believed the code was part of an extensive Chinese intelligence-gathering effort that spanned cyberspace, outer space, and, as Americans discovered with the balloon incident, the lower atmosphere.
The Biden administration has declined to comment on what the FBI found when examining the equipment recovered from the balloon. But the craft — better described as a massive aircraft — apparently contained specialized radars and communications intercept equipment that the FBI has been investigating since the balloon was shot down.
It is unclear whether the government’s silence about what it found in the balloon was motivated by a desire to keep the Chinese government from learning what the United States had discovered, or by a desire to move past the diplomatic rift that followed the shootdown.
On Sunday, at a news conference in Hiroshima, Japan, President Biden referred to how the balloon incident had paralyzed the already frosty exchanges between Washington and Beijing.
“And then this silly balloon with spy equipment flew across the United States in two boxcars,” he told reporters, “and it got shot down and everything changed in terms of talking to each other.”
He predicted that relations would “start to thaw very soon”.
China has never admitted to hacking American networks, not even in the most prominent example of all: the theft of security clearance files of about 22 million Americans — including six million sets of fingerprints — from the Office of Personnel Management during the Obama administration. That data exfiltration took the better part of a year and led to an agreement between President Barack Obama and President Xi Jinping that produced a brief decline in malicious Chinese cyber activity.
China sent a warning to its companies on Wednesday to be alert to US hacking. And there’s plenty of that: In documents released by Edward Snowden, the former NSA contractor, there was evidence of US attempts to hack into the systems of Huawei, the Chinese telecommunications giant, and military and leadership targets.
Telecommunications networks are prime targets for hackers, and the system in Guam is especially important to China because military communications often piggyback on commercial networks.
Tom Burt, the executive overseeing Microsoft’s threat intelligence unit, said in an interview that the company’s analysts — many of them veterans of the National Security Agency and other intelligence agencies — found the code “while investigating burglary activity that hit a US port.” When they traced the intrusion, they found other networks affected, “including some in the telecommunications sector in Guam.”
Anne Neuberger, deputy national security adviser for cyber and emerging technology, said covert efforts “such as the activity that came to light today are part of our focus on telecom network security and the urgency to use trusted vendors” whose equipment has met established cybersecurity standards.
Ms. Neuberger has played a leading role with the federal government to enforce new cybersecurity standards for critical infrastructure. Officials were surprised by the magnitude of vulnerabilities in such infrastructure when a Russian ransomware attack on Colonial Pipeline in 2021 interrupted the flow of gasoline, diesel and jet fuel on the East Coast. In the aftermath of the attack, the Biden administration used little-known powers from the Transportation Security Administration — which regulates pipelines — to force private sector utilities to follow a series of cybersecurity mandates.
Now Ms. Neuberger is directing what she called a “relentless focus on improving the cybersecurity of our pipelines, rail systems, water systems and other critical services”, including cybersecurity practice mandates for these sectors and closer collaboration with companies that have “unique visibility” into threats to such infrastructure.
Those companies include Microsoft, Google, Amazon, and many telecommunications companies that can see activity on domestic networks. Intelligence agencies, including the NSA, are prohibited by law from operating in the United States. But the NSA, as it did on Wednesday, is allowed to publish alerts along with the FBI and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency.
The agency’s report is part of a relatively new move by the US government to quickly publish such data in hopes of burning operations like the Chinese government’s. In recent years, the United States commonly withheld such information — sometimes by classifying it — and shared it with only a select few companies or organizations. But that almost always ensured that the hackers could stay well ahead of the government.
In this case, it was the focus on Guam that particularly caught the attention of officials assessing China’s capabilities — and its readiness — to attack or choke off Taiwan. Mr. Xi has ordered the People’s Liberation Army to be able to take the island by 2027. But CIA Director William J. Burns has remarked to Congress that the order “does not mean he has decided to launch an invasion.”
In the dozens of US tabletop exercises conducted over the past few years to map out what such an attack might look like, one of China’s first expected moves would be to cut off US communications and slow the United States’ ability to respond. The exercises therefore anticipate attacks on satellite and ground communications, especially around US installations where military assets would be mobilized.
None are bigger than Guam, where Andersen Air Force Base would be the launching point for many of the Air Force’s missions to help defend the island, and a naval port is crucial for U.S. submarines.