Chinese malware infects systems on Guam. Is Taiwan the real destination?

Around the time the FBI was investigating equipment recovered from the Chinese spy balloon shot down off the coast of South Carolina in February, American intelligence agencies and Microsoft discovered what they believe to be an even more worrying intruder: mysterious computer code embedded in telecommunications systems in Guam and elsewhere in the United States.

The code, which Microsoft says was installed by a Chinese government hacker group, raised alarm because Guam, with its Pacific ports and massive American air force base, would be at the heart of any American military response to an invasion or blockade of Taiwan. The operation was carried out with utmost secrecy, sometimes through home routers and other common internet-connected consumer devices, to make tracking the intrusion more difficult.

The code is called a “web shell,” in this case a malicious script that allows remote access to a server. Home routers are particularly vulnerable, especially older models that don’t have updated software and protections.

Unlike the balloon that fascinated Americans as it pirouetted over sensitive nuclear facilities, the computer code couldn’t be shot down on live television. Instead, on Wednesday Microsoft released details of the code that would allow enterprise users, manufacturers and others to detect and remove it. In a coordinated release, the National Security Agency — along with other domestic agencies and their cyber counterparts in Australia, the UK, New Zealand and Canada — issued a 24-page advisory that referenced Microsoft’s findings and gave broader warnings of a “recently discovered cluster containing activity from China.”

Microsoft dubbed the hacking group “Volt Typhoon” and said it was part of a state-sponsored Chinese initiative targeting not only critical infrastructure such as communications, electricity and gas utilities, but also marine operations and transportation. The break-ins initially appeared to be a spy campaign. But the Chinese could use the code, which is designed to penetrate firewalls, to enable destructive attacks if they wanted to.

So far, according to Microsoft, there is no evidence that the Chinese group has used the access for offensive attacks. Unlike Russian groups, Chinese intelligence and military hackers usually prioritize espionage.

In interviews, government officials said they believed the code was part of a vast Chinese intelligence collection effort spanning cyberspace, outer space and, as Americans discovered in the balloon incident, the lower atmosphere.

The Biden administration has declined to talk about what the FBI found when examining equipment recovered from the balloon. But the balloon – better described as a giant aircraft – apparently carried special radar and communications listening devices, which the FBI has been investigating since it was brought down.

It’s unclear whether the government’s silence on the balloon findings is motivated by a desire to prevent the Chinese government from learning what the United States learned, or by uncertainty over whether the diplomatic rift that followed the incursion has been overcome.

On Sunday, at a news conference in Hiroshima, Japan, President Biden referenced how the balloon incident had crippled the already chilly exchanges between Washington and Beijing.

“And then this silly balloon, which had two boxcars worth of spy equipment on board, flew over the United States,” he told reporters, “and it got shot down, and everything changed in terms of how we talked to each other.”

He predicted that relationships “would start to thaw very soon.”

China has never admitted to hacking into American networks, not even in the biggest example of all: the theft of some 22 million Americans’ security clearance files – including six million sets of fingerprints – from the Office of Personnel Management during the Obama administration. That data exfiltration lasted nearly a year and led to an agreement between President Barack Obama and President Xi Jinping that produced a brief dip in malicious Chinese cyber activity.

On Wednesday, China sent a warning to its companies to beware of American hacks. And there has been plenty of that, too: documents released by Edward Snowden, the former NSA contractor, indicated American efforts to hack into the systems of Huawei, the Chinese telecoms giant, as well as military and government targets.

Telecom networks are important targets for hackers, and the Guam system is particularly important for China because military communications are often based on commercial networks.

Tom Burt, the executive who heads Microsoft’s threat intelligence department, said in an interview that the company’s analysts — many of them veterans of the National Security Agency and other intelligence agencies — had found the code “when investigating intrusion activity in a US port.” When they traced the intrusion, they found other networks affected, “including some in the telecommunications sector in Guam.”

Microsoft published a blog post on Wednesday with detailed notes on the code to enable critical infrastructure operators to take preventive measures.

In a coordinated announcement, the NSA released a technical report on Chinese intrusions into US critical infrastructure. The US report described a wide range of Chinese threats.

The Biden administration is struggling to enforce newly created minimum cybersecurity standards for critical infrastructure. After a 2021 Russian ransomware attack on the Colonial Pipeline that disrupted the flow of gasoline, diesel and jet fuel on the East Coast, the government used the authorities of the Transportation Security Administration – which regulates pipelines – to force private utilities to follow a set of cybersecurity mandates.

A similar process is currently underway for water utilities, airports, and soon hospitals, all of which have recently been targeted by hackers.

The National Security Agency report is part of a relatively recent push by the US government to release such data quickly in hopes of derailing Chinese operations. In recent years, the United States has typically withheld — and sometimes kept secret — such information, sharing it only with a few companies or organizations. But that almost always ensured that the hackers stayed well ahead of the government.

In this case, it was the focus on Guam that drew the most attention from officials assessing China’s ability — and willingness — to attack or blockade Taiwan. Mr. Xi has ordered that the People’s Liberation Army should be able to take the island by 2027. But CIA Director William J. Burns has advised Congress that the order “does not mean that he has decided to conduct an invasion.”

In the dozens of U.S. tabletop exercises conducted in recent years to plan what such an attack might look like, one of the first expected moves by China would be to cut American communications and slow the United States’ ability to respond. The exercises therefore envisage attacks on satellite and ground communications, especially near American facilities where military assets are mobilized.

None is larger than Guam, where Andersen Air Force Base would be the launching point for many air force missions in defense of the island, and where the naval port for American submarines is vital.