
Chinese Malware Hits Systems on Guam. Is Taiwan the Real Target?

As the Federal Bureau of Investigation examined equipment recovered from the wreckage of the Chinese spy balloon shot down off the coast of South Carolina in February, US intelligence agencies and Microsoft found what they regarded as a more worrying intruder: mysterious computer code that has been showing up in telecommunications systems on Guam and elsewhere in the United States.

Microsoft said the code was installed by a Chinese government hacking group, raising alarm because Guam, with its Pacific port and sprawling U.S. air force base, would be central to any U.S. military response to an invasion or blockade of Taiwan. The code was installed very stealthily, sometimes routed through home routers and other common internet-connected consumer devices to make the intrusion harder to trace.

But unlike the balloon, which mesmerized Americans as it pirouetted over nuclear sites, computer code cannot be shot down on live television. Instead, Microsoft and the National Security Agency planned to release details of the code on Wednesday so that enterprise users, manufacturers and others could detect and remove it.

The code is a “web shell,” in this case a malicious script that gives an attacker remote access to a server. Home routers are particularly vulnerable, especially older models whose software and protections have not been updated.

Microsoft calls the hacking group “Volt Typhoon” and said it is part of a state-backed Chinese effort targeting not only critical infrastructure such as telecommunications, electricity and gas, but also maritime and transportation networks. At this point, the intrusion appears to be an espionage operation. However, if the Chinese chose to, they could use the code, which is designed to penetrate firewalls, to enable destructive attacks.

According to Microsoft, there is so far no evidence that the Chinese group has used its access to carry out an attack. Unlike Russian groups, Chinese intelligence and military hackers usually prioritize espionage.

Government officials said in interviews that they believe the code is part of a larger Chinese intelligence-gathering operation that extends into cyberspace, outer space and, as the Americans discovered in the balloon incident, the lower atmosphere.

The Biden administration has declined to comment on what the FBI found when it examined the equipment recovered from the balloon. However, it appears that the craft (which would more accurately be called a giant aircraft) carried specialized radar and communications-interception devices that the FBI has been investigating since the balloon was shot down.

It is unclear whether the government’s silence about the balloon findings is motivated by a desire not to let Beijing know what the United States has learned, or by a desire to move past the diplomatic missteps that followed the incursion.

At a press conference in Hiroshima, Japan, on Sunday, President Biden noted how the balloon incident had paralyzed the already frosty exchanges between the United States and China.

“And then this ridiculous balloon with two freight cars’ worth of spy equipment was flying over the United States, and it was shot down, and that changed everything in terms of talking to each other,” he told reporters.

He predicted that the relationship would “start to unravel soon.”

China has never admitted to hacking into U.S. networks, even in the biggest example: the theft of sensitive files on about 22 million Americans (including six million sets of fingerprints) from the Office of Personnel Administration during the Obama administration. That data exfiltration took the better part of a year and led to an agreement between President Barack Obama and President Xi Jinping that temporarily reduced malicious Chinese cyber activity.

China on Wednesday issued new warnings to its companies to be wary of U.S. hacking. And there has been plenty of that, too: documents released by former NSA contractor Edward Snowden contained evidence of US efforts to hack the Chinese telecoms giant Huawei as well as military and leadership targets.

Guam’s systems are particularly important to China because communications networks are a prime target for hackers, and military communications often piggyback on commercial networks.

In an interview, Tom Burt, executive director of Microsoft’s threat intelligence division, said the company’s analysts, many of whom are veterans of the National Security Agency and other intelligence agencies, discovered the code while investigating “intrusion activity that has impacted U.S. ports.” Tracing the intrusion revealed that other networks, “including those of Guam’s telecommunications sector,” had also been attacked.

Microsoft planned to publish a blog post on Wednesday with detailed indicators of the code to help critical infrastructure operators take precautionary measures.

In a coordinated announcement, the NSA was expected to release a technical report on China’s intrusions into a wide range of US critical infrastructure. The US report is unlikely to refer directly to the Guam incident reported by Microsoft, but will describe a broader threat originating in China.

The Biden administration is rushing to enforce new minimum cybersecurity standards for critical infrastructure. After the Russian ransomware attack on the Colonial Pipeline in 2021 cut off the flow of gasoline, diesel and jet fuel on the East Coast, the government used the TSA’s authority to regulate pipelines to force private utilities to comply with a set of cybersecurity obligations.

Similar processes are now underway for water supplies and airports, and soon for hospitals, all of which have recently been targeted by hackers.

The National Security Agency report is part of a relatively new US government practice of releasing such data swiftly in the hope of burning China’s operations. In past years, the United States typically kept such information private, sometimes classified, and shared it only with a select few companies and organizations. That almost always ensured that the hackers stayed well ahead of the government.

In this case, it was the focus on Guam that particularly caught the attention of officials assessing China’s ability and willingness to attack or blockade Taiwan. Xi has ordered the People’s Liberation Army to be capable of taking the island by 2027. But CIA Director William J. Burns told Congress that the order “does not mean that he has decided to invade.”

In the dozens of tabletop exercises the United States has conducted in recent years to plan for what such an attack might look like, one of the first moves China is expected to make is to cut off U.S. communications and slow the U.S. ability to respond. For this reason, the exercises anticipate attacks on satellite and terrestrial communications, particularly around US facilities where military assets are mobilized.

No island looms larger than Guam. There, Andersen Air Force Base would serve as the launching point for many of the Air Force’s missions in support of Taiwan’s defense, and the naval port is essential for American submarines.
