Around the time the Federal Bureau of Investigation was examining material recovered from the wreckage of the Chinese spy balloon shot down off South Carolina in February, US intelligence agencies and Microsoft detected what they feared was a more disturbing intruder: mysterious computer code that had appeared in telecommunications systems in Guam and elsewhere in the United States.
The code, which Microsoft says was installed by a Chinese government hacking group, raised alarm bells as Guam, with its Pacific ports and sprawling US airbase, would be the centerpiece of any US military response to an invasion or blockade of Taiwan. It was installed with great stealth, sometimes sneaking through routers and other Internet-connected consumer devices, to make the intrusion harder to track.
But unlike the balloon that captivated Americans as it performed pirouettes over sensitive nuclear sites, the computer code could not be shot down on live television. Instead, Microsoft and the National Security Agency planned to release details of the code on Wednesday that would allow enterprise users, manufacturers and others to detect and remove it.
The code is called a “web shell”, in this case a malicious script that allows remote access to a server. Home routers are particularly vulnerable, especially older models that have not received updated software and protections.
Microsoft called the hacking group “Volt Typhoon” and said it was part of a Chinese state-sponsored effort targeting not only critical infrastructure such as communications, electric and gas utilities, but also maritime operations and transport. The intrusions seemed, for now, to be an espionage campaign. But the Chinese could use the code, which is designed to break through firewalls, to enable destructive attacks, if they so choose.
So far, according to Microsoft, there is no evidence that the Chinese group has used the access for offensive attacks. Unlike Russian groups, Chinese hackers and military generally prioritize espionage.
In interviews, administration officials said they believe the code is part of a broad Chinese intelligence-gathering effort that spans cyberspace, outer space, and, as the Americans discovered with the balloon incident, the lower atmosphere.
The Biden administration declined to discuss what the FBI discovered while examining equipment recovered from the balloon. But the craft – best described as a huge aerial vehicle – apparently included specialized radars and communications intercept devices that the FBI has been examining since the balloon was shot down.
It is unclear whether the government’s silence about its findings from the balloon is motivated by a desire to prevent the Chinese government from learning what the United States has discovered, or by a desire to get past the diplomatic breach that followed the incursion.
At a press conference in Hiroshima, Japan on Sunday, President Biden spoke about how the balloon incident had crippled the already frosty exchanges between Washington and Beijing.
“And then this stupid balloon that was carrying two freight cars’ worth of spy equipment was flying over the United States,” he told reporters, “and it was shot down, and everything changed in terms of communication”.
He predicted that relations would “start to unfreeze very soon”.
China has never admitted to hacking into American networks, even in the biggest example of all: stealing the security clearance files of an estimated 22 million Americans — including six million fingerprints — from the Office of Personnel Management under the Obama administration. That data exfiltration lasted nearly a year and led to an agreement between President Barack Obama and President Xi Jinping that produced a brief drop in Chinese malicious cyber activity.
On Wednesday, China issued a new warning to its companies to be vigilant against American hacking. And there has been plenty of that, too: documents released by former NSA contractor Edward Snowden contained evidence of US efforts to hack Huawei, the Chinese telecommunications giant, as well as military and leadership targets.
Telecommunications networks are key targets for hackers, and Guam’s system is particularly important to China because military communications often overlap commercial networks.
Tom Burt, the executive who oversees Microsoft’s threat intelligence unit, said in an interview that the company’s analysts – many of whom were veterans of the National Security Agency and other intelligence agencies – had found the code “while investigating intrusion activity affecting a US port”. In tracing the intrusion, they found other affected networks, “including some in the telecommunications sector in Guam”.
Microsoft planned to release a blog post on Wednesday with detailed pointers to the code, to help critical infrastructure operators take preventative action.
In a coordinated announcement, the NSA is expected to release a technical report on Chinese intrusions into a wide swath of US critical infrastructure. The NSA report is not expected to directly reference the Guam incident reported by Microsoft, but it will describe a broader range of Chinese-originated threats.
The Biden administration has moved quickly to enforce newly created minimum cybersecurity standards for critical infrastructure. After a Russian ransomware attack on Colonial Pipeline in 2021 disrupted the flow of gasoline, diesel and jet fuel to the East Coast, the administration used the authorities of the Transportation Security Administration — which regulates pipelines — to force private-sector utilities to follow a series of cybersecurity mandates.
A similar process is now underway for water supplies, airports and soon hospitals, all of which have been targeted by hackers lately.
The National Security Agency report is part of a relatively new move by the US government to release such data quickly in hopes of exposing Chinese operations. In years past, the United States generally withheld this information — sometimes classifying it — and shared it with only a few select companies or organizations. But that almost always ensured that the hackers could stay well ahead of the government.
In this case, it is the focus on Guam that has particularly captured the attention of officials assessing China’s capabilities — and willingness — to attack or choke off Taiwan. Mr. Xi has ordered the People’s Liberation Army to be capable of taking the island by 2027. But CIA Director William J. Burns told Congress that the order “does not mean that he has decided to lead an invasion”.
In the dozens of tabletop exercises conducted by the United States in recent years to determine what such an attack might look like, one of the first measures China would be expected to take is to cut off American communications and slow the United States’ ability to respond. The exercises therefore envisage attacks on satellite and ground communications, particularly around American installations where military assets would be mobilized.
None are bigger than Guam, where Andersen Air Force Base is said to be the launching point for many Air Force missions to help defend the island, and a Navy port is crucial for American submarines.