Around the time the FBI was examining the equipment recovered from the Chinese spy balloon shot down off the coast of South Carolina in February, US intelligence agencies and Microsoft discovered what they feared was a more troubling intruder: mysterious computer code appearing in telecommunications systems in Guam and elsewhere in the United States.
The code, which Microsoft said was installed by a Chinese government hacking group, raised alarm because Guam, with its Pacific ports and major US air base, would be central to any US military response to an invasion or blockade of Taiwan. The operation was carried out with great stealth, sometimes through home routers and other common Internet-connected consumer devices, to make the breach more difficult to trace.
The code is called a “webshell”, in this case a malicious script that enables remote access to a server. Home routers are particularly vulnerable, especially older models that haven’t updated software and protection.
Unlike balloon that fascinated Americans as it performed pirouettes over sensitive nuclear facilities, the computer code could not be shot down on live television. So instead Microsoft on Wednesday published information about the code which would allow business users, manufacturers and others to detect and remove it. In a coordinated release, the National Security Agency – along with other domestic agencies and counterparts in Australia, the UK, New Zealand and Canada – published a 24-page advisory which referred to Microsoft’s discovery and offered broader warnings about a “recently discovered cluster of activity” from China.
Microsoft dubbed the hacker group “Volt Typhoon” and said it was part of a state-sponsored Chinese effort that targeted not only critical infrastructure such as communications, electricity and gas, but also shipping and transportation. The breach currently appeared to be an espionage campaign. But the Chinese could use the code, which is designed to penetrate firewalls, to enable destructive attacks if they wanted to.
So far, Microsoft says, there is no evidence that the Chinese group has used the access for any offensive attacks. Unlike Russian groups, Chinese intelligence and military hackers tend to prioritize espionage.
In interviews, administration officials said they believed the code was part of extensive Chinese intelligence gathering that spanned cyberspace, outer space and, as Americans discovered with the balloon incident, the lower atmosphere.
The Biden administration has declined to discuss what the FBI found when it examined the equipment recovered from the balloon. But the craft — better described as a massive aerial vehicle — apparently included specialized radar and communications interception devices that the FBI has been investigating since the balloon was shot down.
It is unclear whether the government’s silence about its find from the balloon is motivated by a desire to keep the Chinese government from knowing what the US has learned or to sidestep the diplomatic fallout that followed the breach.
On Sunday, at a news conference in Hiroshima, Japan, President Biden referred to how the balloon incident had crippled the already frosty exchanges between Washington and Beijing.
“And then this silly balloon carrying spy equipment for two freight cars was flying over the United States,” he told reporters, “and it was shot down, and everything changed when it came to talking to each other.”
He predicted that relations would “start to thaw very soon.”
China has never acknowledged breaching American networks, even in the biggest example of all: the theft of security clearance files for roughly 22 million Americans — including six million sets of fingerprints — from the Office of Personnel Management during the Obama administration. This exfiltration of data took the better part of a year and resulted in an agreement between President Barack Obama and President Xi Jinping that resulted in a brief decline in malicious Chinese cyber activity.
On Wednesday, China sent a warning to its companies to be alert to US hacking. And there’s been plenty of that, too: In documents released by Edward Snowden, the former NSA contractor, there was evidence of American attempts to hack into the systems of Huawei, the Chinese telecommunications giant, and military and leadership targets.
Telecommunications networks are key targets for hackers, and the system in Guam is particularly important to China because military communications are often rolled back on commercial networks.
Tom Burt, the head who oversees Microsoft’s threat intelligence unit, said in an interview that the company’s analysts — many of them veterans of the National Security Agency and other intelligence agencies — had found the code “while investigating intrusion activity affecting a U.S. port.” When they traced back the breach, they found other networks affected, “including some in the telecommunications sector in Guam.”
Anne Neuberger, deputy national security adviser for cyber and emerging technologies, said covert efforts “like the activity disclosed today are part of what drives our focus on the security of telecom networks and the need to use trusted vendors” whose equipment has met established cybersecurity standards .
Neuberger has spearheaded an effort across the federal government to enforce new cybersecurity standards for critical infrastructure. Officials were surprised by the extent of the vulnerabilities in such infrastructure when a Russian ransomware attack on Colonial Pipeline 2021 interrupted the flow of gasoline, diesel and jet fuel on the East Coast. In the wake of the attack, the Biden administration used little-known powers of the Transportation Security Administration — which regulates pipelines — to force private companies to comply with a series of cybersecurity mandates.
Now, Ms. Neuberger is driving what she called a “relentless focus on improving the cybersecurity of our pipelines, rail systems, water systems and other critical services,” including mandating cybersecurity practices for those sectors and working more closely with companies with “unique visibility” into threats to such infrastructure .
These companies include Microsoft, Google, Amazon and many telecommunications companies that can see activity on domestic networks. Intelligence agencies, including the NSA, are prohibited by law from operating in the United States. But the NSA is allowed to publish alerts, as it did Wednesday, along with the FBI and the Department of Homeland Security’s Cyber Infrastructure and Security Administration.
The agency’s report is part of a relatively recent move by the U.S. government to release such data quickly in hopes of sting operations like the one the Chinese government conducted. In the past, the United States has typically withheld such information — sometimes classified it — and shared it with only a select few companies or organizations. But it almost always guaranteed that the hackers could stay far ahead of the government.
In this case, it was the focus on Guam that particularly caught the attention of officials assessing China’s capacity — and its willingness — to attack or strangle Taiwan. Mr. Xi has ordered the People’s Liberation Army to be capable of taking the island by 2027. But the CIA director, William J. Burns, has noted to Congress that the order “does not mean that he has decided to carry out an invasion.”
In the dozens of U.S. tabletop exercises conducted in recent years to map out what such an attack might look like, one of China’s first expected moves would be to shut down U.S. communications and slow the U.S. ability to respond. So the exercises envision attacks on satellite and ground communications, particularly around US installations where military assets would be mobilized.
None is bigger than Guam, where Andersen Air Force Base would be the launch point for many of the Air Force’s missions to help defend the island, and a naval port vital to U.S. submarines.
[pub1]