As the FBI was examining equipment recovered from the downed Chinese spy balloon off the coast of South Carolina in February, American intelligence agencies and Microsoft detected what they feared to be a more worrisome intruder: mysterious computer code appearing in the computer systems of telecommunications companies in Guam and other parts of the United States.
The code, which Microsoft said was installed by a group of Chinese government hackers, raised alarms because Guam, with its Pacific ports and vast US air base, would be a centerpiece of any US military response to an invasion or blockade of Taiwan. The operation was conducted with great stealth, sometimes flowing through home routers and other common Internet-connected consumer devices, to make the hack more difficult to track.
The code is called a “web shell”, in this case a malicious script that allows remote access to a server. Home routers are particularly vulnerable, especially older models that haven’t had updated software and protections.
Unlike the balloon that fascinated Americans as it pirouetted over sensitive nuclear sites, the computer code could not be dropped on live television. So instead, Microsoft on Wednesday published details of the code that would make it possible for business users, manufacturers and others to detect and remove it. In a coordinated statement, the National Security Agency – along with other domestic agencies and their cyber counterparts in Australia, Britain, New Zealand and Canada – released a 24-page statement that referred to Microsoft’s discovery and offered broader warnings about a “newly discovered cluster of activity” from China.
Microsoft called the hacking group “Volt Typhoon” and said it was part of a state-sponsored Chinese effort that targets not only critical infrastructure such as communications, electricity and gas utilities, but also maritime operations and transportation. The intrusions appeared, for the time being, to be an espionage campaign. But the Chinese can use the code, designed to penetrate firewalls, to enable destructive attacks if they so choose.
So far, says Microsoft, there is no evidence that the Chinese group has used its access for offensive attacks. Unlike Russian groups, Chinese intelligence and military hackers often prioritize espionage.
In interviews, government officials said they believed the code was part of a vast Chinese intelligence-gathering effort that spans cyberspace, outer space and, as the Americans discovered with the balloon incident, the lower atmosphere.
The Biden administration declined to discuss what the FBI found when examining equipment recovered from the balloon. But the craft – best described as a massive aerial vehicle – apparently included specialized radar and communications interception devices that the FBI has been scrutinizing since the balloon was shot down.
It is unclear whether the government’s silence on the balloon discovery is motivated by a desire to keep the Chinese government from knowing what the United States discovered or to bridge the diplomatic rift that followed the incursion.
On Sunday, speaking at a news conference in Hiroshima, Japan, President Biden referred to how the balloon incident has stalled already frosty exchanges between Washington and Beijing.
“And then this idiotic balloon that was carrying two boxcars worth of spy equipment was flying over the United States,” he told reporters, “and it was shot down and everything changed conversationally.”
He predicted that relations “would start to thaw very soon”.
China has never acknowledged breaking into American networks, even in the biggest example of all: the theft of the security clearance files of some 22 million Americans – including six million sets of fingerprints – from the Office of Personnel Management during the Obama administration. That data exfiltration took nearly a year and led to a deal between President Barack Obama and President Xi Jinping that resulted in a brief decline in Chinese malicious cyberactivity.
On Wednesday, China sent a warning to its companies to be on the lookout for American hackers. And there has been plenty of that too: in documents released by Edward Snowden, the former NSA contractor, there was evidence of American efforts to hack into the systems of Huawei, the Chinese telecoms giant, and military and leadership targets.
Telecommunications networks are prime targets for hackers, and the system in Guam is particularly important to China because military communications often piggyback on commercial networks.
Tom Burt, the executive who oversees Microsoft’s threat intelligence unit, said in an interview that the company’s analysts — many of them veterans of the National Security Agency and other intelligence agencies — found the code “while investigating hacking activity that affected a US port”. When tracking the breach, they found other networks that were hit, “including some in the telecommunications industry in Guam.”
Microsoft published a blog post on Wednesday with detailed pointers on the code to enable critical infrastructure operators to take preventative measures.
In a coordinated announcement, the NSA published a technical report on Chinese intrusions into critical American infrastructure. The US report described a wide range of threats of Chinese origin.
The Biden administration is racing to enforce newly created minimum cybersecurity standards for critical infrastructure. Following the Russian ransomware attack on the Colonial Pipeline in 2021, which interrupted the flow of gasoline, diesel and jet fuel on the East Coast, the government used the authorities of the Transportation Security Administration – which regulates pipelines – to force private-sector utilities to follow a number of cybersecurity mandates.
A similar process is underway for water supplies, airports and, soon, hospitals, all of which have been targeted by hackers in recent times.
The National Security Agency report is part of a relatively new move by the US government to quickly publish this data in hopes of shutting down Chinese operations. In recent years, the United States generally withheld this information – sometimes classifying it – and shared it with only a few select companies or organizations. But this almost always ensured that hackers could stay well ahead of the government.
In this case, it was the focus on Guam that particularly caught the attention of officials who are assessing China’s capabilities — and willingness — to attack or suffocate Taiwan. Xi ordered the People’s Liberation Army to be able to take the island by 2027. But CIA Director William J. Burns told Congress that the order “does not mean he has decided to conduct an invasion.”
In the dozens of simulated US exercises conducted over the past few years to map out what such an attack would look like, one of China’s first anticipated moves would be to cut US communications and weaken US responsiveness. Thus, the exercises foresee attacks on satellites and terrestrial communications, especially around US installations where military assets would be deployed.
None is bigger than Guam, where Andersen Air Force Base would be the launching point for many of the Air Force’s missions to help defend the island, and a Navy port is crucial for American submarines.