When the FBI was examining equipment recovered from the Chinese spy balloon shot down off the coast of South Carolina in February, US intelligence agencies and Microsoft detected what they feared was a more worrisome intruder: mysterious computer code appearing on systems Guam Telecommunications. and in other parts of the United States.
The code, which Microsoft says was installed by a group of Chinese government hackers, set off alarm bells because Guam, with its Pacific ports and vast US airbase, would be a centerpiece of any US military response to an invasion or Taiwan blockade. The operation was carried out in great secrecy, sometimes flowing through home routers and other common consumer devices connected to the Internet, to make the intrusion more difficult to trace.
The code is called a “web shell”, in this case a malicious script that allows remote access to a server. Home routers are particularly vulnerable, especially older models that have not had up-to-date protections and software.
Unlike the balloon that fascinated the Americans as it pirouetted over sensitive nuclear sites, the computer code couldn’t be shot down on live television. So instead, Microsoft on Wednesday published code details that would make it possible for corporate users, manufacturers, and others to detect and remove it. In a coordinated statement, the National Security Agency, together with other national agencies and counterparts in Australia, Great Britain, New Zealand and Canada, published a 24-page ad which referred to the Microsoft finding and offered broader warnings about a “recently discovered cluster of activity” in China.
Microsoft called the hacking group “Volt Typhoon” and said it was part of a state-sponsored Chinese effort aimed not only at critical infrastructure like communications, electric and gas utilities, but also at maritime operations and the transport. The intrusions appeared, for now, to be a spying campaign. But the Chinese could use the code, which is designed to pierce firewalls, to allow destructive attacks, if they wish.
So far, Microsoft says, there is no evidence that the Chinese group has used the access for offensive attacks. Unlike Russian groups, Chinese intelligence and military hackers often prioritize espionage.
In interviews, administration officials said they believed the code was part of a vast Chinese intelligence-gathering effort spanning cyberspace, outer space and, as the Americans discovered with the balloon incident, the lower atmosphere.
The Biden administration has refused to discuss what the FBI found while examining equipment recovered from the balloon. But the craft, best described as a huge air vehicle, apparently included specialized radar and communications interception devices that the FBI has been examining since the balloon was shot down.
It is not clear if the government’s silence on its discovery of the balloon is motivated by a desire to prevent the Chinese government from learning what the United States has discovered or to bridge the diplomatic rift that followed the raid.
On Sunday, speaking at a press conference in Hiroshima, Japan, President Biden addressed how the balloon incident brought already icy exchanges between Washington and Beijing to a standstill.
“And then this dumb balloon carrying two freight car equivalents of spy equipment was flying over the United States,” he told reporters, “and it got shot down, and everything changed in terms of communication between them.”
He predicted that relations “would start to thaw very soon.”
China has never acknowledged hacking into American networks, even in the biggest example of all: the theft of the security clearance files of an estimated 22 million Americans, including six million sets of fingerprints, from the Office of Personnel Management. during the Obama administration. That data breach took the better part of a year and resulted in an agreement between President Barack Obama and President Xi Jinping that resulted in a brief decline in malicious Chinese cyberactivity.
On Wednesday, China sent a warning to its companies to be vigilant against US hacking. And there has been a lot of that, too: In the documents released by Edward Snowden, the former NSA contractor, there was evidence of US efforts to hack into the systems of Huawei, the Chinese telecommunications giant, and military and leadership targets.
Telecommunications networks are key targets for hackers, and the system in Guam is particularly important to China because military communications often take advantage of commercial networks.
Tom Burt, the executive who oversees Microsoft’s threat intelligence unit, said in an interview that company analysts, many of them veterans of the National Security Agency and other intelligence agencies, had found the code “while investigating intrusion activity affecting a US port.” While tracking the intrusion, they found other affected networks, “including some in the telecommunications sector on Guam.”
Anne Neuberger, deputy national security adviser for cyber and emerging technology, said covert efforts “like the activity exposed today are part of what drives our focus on telecommunication network security and the urgency to use trusted vendors” whose equipment has complied with cybersecurity standards.
Ms. Neuberger has been spearheading a federal government-wide effort to enforce new cybersecurity standards for critical infrastructure. Officials were shocked by the extent of the vulnerabilities in such infrastructure when a Russian ransomware attack on the Colonial Pipeline in 2021 disrupted the flow of gasoline, diesel and jet fuel on the East Coast. In the aftermath of the attack, the Biden administration used little-known powers of the Transportation Security Administration, which regulates pipelines, to force private-sector utilities to follow a series of cybersecurity mandates.
Now, Ms. Neuberger is pushing for what she called a “relentless focus on improving the cybersecurity of our pipelines, rail systems, water systems and other critical services,” including mandates on cybersecurity practices for these sectors and a collaboration closer with companies with “single visibility”. ” on threats to said infrastructure.
Those companies include Microsoft, Google, Amazon, and many telcos that may see activity on national networks. Intelligence agencies, including the NSA, are prohibited by law from operating within the United States. But the NSA can issue warnings, as it did on Wednesday, along with the FBI and the Department of Homeland Security’s Cyber Security and Infrastructure Administration.
The agency’s report is part of a relatively new move by the US government to release such data quickly in hopes of burning operations like the one mounted by the Chinese government. In previous years, the United States generally withheld such information, sometimes classified it, and shared it with only a few select companies or organizations. But that almost always ensured that hackers could stay well ahead of the government.
In this case, it was the focus on Guam that particularly caught the attention of officials who are assessing China’s capabilities, and willingness, to attack or strangle Taiwan. Mr. Xi has ordered that the People’s Liberation Army be able to take the island by 2027. But CIA director William J. Burns has told Congress that the order “does not mean that he has decided to carry out a invasion”.
In the dozens of American simulation exercises conducted in recent years to map out what such an attack might look like, one of China’s first anticipated moves would be to cut off American communications and slow down America’s ability to respond. So, the exercises provide for attacks on terrestrial and satellite communications, especially around US installations where military assets would be mobilized.
None is bigger than Guam, where Andersen Air Force Base would be the starting point for many of the Air Force’s missions to help defend the island, and a Navy port is crucial for US submarines.