As the FBI examined equipment recovered from a Chinese spy balloon shot down off the coast of South Carolina in February, American intelligence agencies and Microsoft detected what they feared would be a more sinister intruder: mysterious computer code found on Guam’s telecommunications systems and elsewhere in the United States.
The code, which Microsoft says was installed by a Chinese government hacking group, has raised alarms because Guam, with its Pacific ports and vast American air bases, could be the centerpiece of any American military response to an invasion or blockade of Taiwan. The operation is carried out with great stealth, sometimes routing traffic through home routers and other common internet-connected consumer devices to make the intrusion more difficult to trace.
The code is called a “web shell,” in this case a malicious script that allows remote access to a server. Home routers are particularly vulnerable, especially older models without updated software and protection.
Unlike the balloon that captivated Americans as it pirouetted over sensitive nuclear sites, computer code cannot be shot down on live television. So instead, Microsoft on Wednesday published details of the code that might make it possible for corporate users, manufacturers and others to find and remove it. In a coordinated release, the National Security Agency – along with other domestic agencies and their cyber counterparts in Australia, Britain, New Zealand and Canada – published a 24-page advisory that referred to Microsoft’s findings and offered broader warnings about a “newly discovered cluster of activity” from China.
Microsoft called the hacking group “Volt Typhoon” and said it was part of a state-sponsored Chinese effort aimed not only at critical infrastructure such as communications, power and gas utilities, but also at maritime operations and transportation. The intrusions appear, for now, to be an espionage campaign. But the Chinese could use the code, which is designed to break through firewalls, to carry out attacks if they chose to.
Currently, Microsoft says, there is no evidence that the Chinese group has used its access for any offensive attack. Unlike Russian groups, Chinese intelligence and military hackers usually prioritize espionage.
In interviews, administration officials have said they believe the code is part of a larger Chinese intelligence-gathering effort that spans cyberspace, outer space and, as the Americans discovered in the balloon incident, the lower atmosphere.
The Biden administration has declined to discuss what the FBI found as it examined equipment recovered from the balloon. But the craft – better described as a large aerial vehicle – apparently includes special radar and communications interception devices that the FBI has been investigating since the balloon was shot down.
It is unclear whether the government’s silence about its findings from the balloon was motivated by a desire to prevent the Chinese government from learning what the United States knew or by a desire to move past the diplomatic rift that followed the incursion.
On Sunday, speaking at a news conference in Hiroshima, Japan, President Biden pointed out how the balloon incident had paralyzed the already frozen exchanges between Washington and Beijing.
“And then this stupid balloon carrying two cargoes worth of spy equipment flew over the United States,” he told reporters, “and it was shot down, and everything changed in terms of communicating with each other.”
He predicted that relations would “start to thaw soon.”
China has never acknowledged hacking American networks, even in the biggest example of all: the theft of the security clearance files of nearly 22 million Americans – including six million sets of fingerprints – from the Office of Personnel Management during the Obama administration. That exfiltration of data took the better part of a year and led to an agreement between President Barack Obama and President Xi Jinping that produced a brief reduction in malicious Chinese cyberactivity.
On Wednesday, China sent a warning to its companies alerting them to American hacking. And there’s a lot of that too: In the documents released by Edward Snowden, the former NSA contractor, there is evidence of American efforts to hack the systems of Huawei, the Chinese telecommunications giant, and military targets and leadership.
Telecommunications networks are prime targets for hackers, and the Guam system is particularly important to China because military communications often piggyback on commercial networks.
Tom Burt, the executive in charge of Microsoft’s threat intelligence unit, said in an interview that the company’s analysts – many of them veterans of the National Security Agency and other intelligence agencies – found the code “while investigating intrusion activity affecting a U.S. port.” As they traced the intrusion back, they found that other networks had been hit, “including some in Guam’s telecommunications sector.”
Microsoft published a blog post on Wednesday with detailed indicators of the code, to allow operators of critical infrastructure to take preventive measures. In a coordinated announcement, the NSA published a technical report on an extensive Chinese penetration of critical American infrastructure.
The Biden administration is racing to implement newly created minimum cybersecurity standards for critical infrastructure. After the Russian ransomware attack on the Colonial Pipeline in 2021 disrupted the flow of gasoline, diesel and jet fuel on the East Coast, the administration used the authorities of the Transportation Security Administration – which regulates pipelines – to force private-sector utilities to comply with a series of cybersecurity mandates.
A similar process is now underway for water supplies, airports and soon hospitals, all of which have been targeted by hackers in recent times.
The National Security Agency’s report is part of a new move by the US government to publish such data quickly in the hope of exposing and disrupting China’s operations. In past years, the United States has often kept such information under wraps – sometimes classifying it – and shared it with only a few companies or organizations. But that almost always ensured that hackers could stay well ahead of the government.
In this case, the focus on Guam has particularly caught the attention of officials assessing China’s capabilities – and its willingness – to attack or strangle Taiwan. Mr. Xi has ordered the People’s Liberation Army to be capable of seizing the island by 2027. But the director of the CIA, William J. Burns, noted in Congress that the order “does not mean that he has decided to carry out an invasion.”
In several US tabletop exercises conducted in recent years to determine what such an attack would look like, one of the first expected moves by China was to cut off American communications, slowing the ability of the United States to respond. So the exercises envision attacks on satellite and ground communications, especially around American installations where military assets can be mobilized.
None is bigger than Guam, where Andersen Air Force Base is the launch pad for many Air Force missions to help defend the island, and where a Navy port is essential for American submarines.