Chinese Malware Hits Systems on Guam. Is Taiwan the Real Target?

As the Federal Bureau of Investigation was examining equipment recovered from the wreckage of a Chinese spy balloon that was downed off the coast of South Carolina in February, US intelligence agencies and Microsoft detected what they feared was a more worrisome intruder: mysterious computer code that had been showing up in telecommunications systems in Guam and in other parts of the United States.

The code, which Microsoft says was installed by a group of Chinese government hackers, set off alarm bells because Guam, with its Pacific ports and vast US airbase, would be a centerpiece of any US military response to an invasion or blockade of Taiwan. It installed itself with great secrecy, sometimes routing its traffic through home routers and other common consumer devices connected to the Internet, making the intrusion more difficult to trace.

But unlike the balloon that fascinated Americans as it pirouetted over sensitive nuclear sites, computer code couldn’t be shot down on live television. So instead, Microsoft and the National Security Agency on Wednesday released details of the code that would allow corporate users, manufacturers and others to detect and remove it.

The code is called a “web shell”, in this case a malicious script that allows remote access to a server. Home routers are particularly vulnerable, especially older models that have not been kept up to date with security protections and software.

Microsoft called the hacking group “Volt Typhoon” and said it was part of a state-sponsored Chinese effort aimed not only at critical infrastructure like communications, electric and gas utilities, but also at maritime operations and transportation. The intrusions appeared, for now, to be a spying campaign. But the Chinese could use the code, which is designed to pierce firewalls, to enable destructive attacks if they wish.

So far, Microsoft says, there is no evidence that the Chinese group has used the access for offensive attacks. Unlike Russian groups, Chinese intelligence and military hackers often prioritize espionage.

In interviews, administration officials said they believed the code was part of a vast Chinese intelligence-gathering effort spanning cyberspace, outer space and, as the Americans discovered with the balloon incident, the lower atmosphere.

The Biden administration has refused to discuss what the FBI found while examining equipment recovered from the balloon. But the craft, best described as a huge air vehicle, apparently included specialized radar and communications interception devices that the FBI has been examining since the balloon was shot down.

It is not clear whether the government’s silence on what it found in the balloon is motivated by a desire to prevent the Chinese government from learning what the United States has discovered, or by a desire to bridge the diplomatic rift that followed the incident.

On Sunday, speaking at a press conference in Hiroshima, Japan, President Biden addressed how the balloon incident brought already icy exchanges between Washington and Beijing to a standstill.

“And then this dumb balloon carrying two freight car equivalents of spy equipment was flying over the United States,” he told reporters, “and it got shot down, and everything changed in terms of communication between them.”

He predicted that relations “would start to thaw very soon.”

China has never acknowledged hacking into American networks, even in the biggest example of all: the theft of the security clearance files of an estimated 22 million Americans, including six million sets of fingerprints, from the Office of Personnel Management during the Obama administration. That data breach took the better part of a year to uncover and led to an agreement between President Barack Obama and President Xi Jinping that resulted in a brief decline in malicious Chinese cyberactivity.

On Wednesday, China sent another warning to its companies to be on the lookout for US hacking. And there has been a lot of that, too: In documents released by Edward Snowden, the former NSA contractor, there was evidence of US efforts to hack Huawei, the Chinese telecommunications giant, and leadership and military targets.

Telecommunications networks are key targets for hackers, and the system in Guam is particularly important to China because military communications often take advantage of commercial networks.

Tom Burt, the executive who oversees Microsoft’s threat intelligence unit, said in an interview that company analysts, many of them veterans of the National Security Agency and other intelligence agencies, had found the code “while investigating intrusion activity affecting a US port.” While tracking the intrusion, they found other networks that were attacked, “including some in the telecommunications sector on Guam.”

Microsoft planned to publish a blog post on Wednesday with detailed pointers on the code, to allow operators of critical infrastructure to take preventative measures.

In a coordinated announcement, the NSA is expected to release a technical report on Chinese intrusions into a wide swath of critical US infrastructure. The US report is not expected to refer directly to the Guam incident reported by Microsoft, but will describe a broader range of threats from China.

The Biden administration has been racing to enforce newly created minimum cybersecurity standards for critical infrastructure. After a Russian ransomware attack on the Colonial Pipeline in 2021 disrupted the flow of gasoline, diesel, and jet fuel on the East Coast, the administration used the authorities of the Transportation Security Administration, which regulates pipelines, to force private sector utility companies to follow a series of cybersecurity mandates.

A similar process is now taking place for water supplies, airports and soon hospitals, all of which have been attacked by hackers of late.

The National Security Agency report is part of a relatively new move by the US government to release such data quickly in hopes of exposing Chinese operations. In previous years, the United States generally withheld such information, sometimes classified it, and shared it with only a few select companies or organizations. But that almost always ensured that hackers could stay well ahead of the government.

In this case, it was the focus on Guam that particularly caught the attention of officials who are assessing China’s capabilities, and willingness, to attack or strangle Taiwan. Mr. Xi has ordered that the People’s Liberation Army be able to take the island by 2027. But CIA director William J. Burns has told Congress that the order “does not mean that he has decided to carry out an invasion”.

In the dozens of American simulation exercises conducted in recent years to map out what such an attack might look like, one of China’s first anticipated moves would be to cut off American communications and slow down America’s ability to respond. So the exercises anticipate attacks on terrestrial and satellite communications, especially around US installations where military assets would be mobilized.

None is bigger than Guam, where Andersen Air Force Base would be the starting point for many of the Air Force’s missions to help defend the island, and a Navy port is crucial for US submarines.