David E. Sanger
<\/p>\n\n\n\n
Around the time that the F.B.I. was examining the equipment recovered from the Chinese spy balloon shot down off the South Carolina coast in February, American intelligence agencies and Microsoft detected what they feared was a more worrisome intruder: mysterious computer code appearing in telecommunications systems in Guam and elsewhere in the United States.<\/p>\n\n\n\n
The code, which Microsoft said was installed by a Chinese government hacking group, raised alarms because Guam, with its Pacific ports and vast American air base, would be a centerpiece of any American military response to an invasion or blockade of Taiwan. The operation was conducted with great stealth, sometimes flowing through home routers and other common internet-connected consumer devices, to make the intrusion harder to track.<\/p>\n\n\n\n
The code is called a \u201cweb shell,\u201d in this case a malicious script that enables remote access to a server. Home routers are particularly vulnerable, especially older models that have not had updated software and protections.<\/p>\n\n\n\n
Unlike the\u00a0balloon that fascinated Americans<\/a>\u00a0as it performed pirouettes over sensitive nuclear sites, the computer code could not be shot down on live television. So instead, Microsoft on Wednesday\u00a0published details of the code<\/a>\u00a0that would make it possible for corporate users, manufacturers and others to\u00a0detect and remove it. In a coordinated release, the National Security Agency \u2014 along with other domestic agencies and counterparts in Australia, Britain, New Zealand and Canada \u2014\u00a0published a 24-page advisory<\/a>\u00a0that referred to Microsoft\u2019s finding and offered broader warnings about a \u201crecently discovered cluster of activity\u201d from China.<\/p>\n\n\n\n Microsoft called the hacking group \u201cVolt Typhoon\u201d and said that it was part of a state-sponsored Chinese effort aimed at not only critical infrastructure such as communications, electric and gas utilities, but also maritime operations and transportation. The intrusions appeared, for now, to be an espionage campaign. But the Chinese could use the code, which is designed to pierce firewalls, to enable destructive attacks, if they choose.<\/p>\n\n\n\n So far, Microsoft says, there is no evidence that the Chinese group has used the access for any offensive attacks. Unlike Russian groups, the Chinese intelligence and military hackers usually prioritize espionage.<\/p>\n\n\n\n In interviews, administration officials said they believed the code was part of a vast Chinese intelligence collection effort that spans cyberspace, outer space and, as Americans discovered with the balloon incident, the lower atmosphere.<\/p>\n\n\n\n The Biden administration has declined to discuss what the F.B.I. found as it examined the equipment recovered from the balloon. But the craft \u2014 better described as a huge aerial vehicle \u2014 apparently included specialized radars and communications interception devices that the F.B.I. has been examining since the balloon was shot down.<\/p>\n\n\n\n It is unclear whether the government\u2019s silence about its finding from the balloon is motivated by a desire to keep the Chinese government from knowing what the United States has learned or to get past the diplomatic breach that followed the incursion.<\/p>\n\n\n\n On Sunday, speaking at a news conference in Hiroshima, Japan, President Biden referred to how the balloon incident had paralyzed the already frosty exchanges between Washington and Beijing.<\/p>\n\n\n\n \u201cAnd then this silly balloon that was carrying two freight cars\u2019 worth of spying equipment was flying over the United States,\u201d he told reporters, \u201cand it got shot down, and everything changed in terms of talking to one another.\u201d<\/p>\n\n\n\n He predicted that relations would \u201cbegin to thaw very shortly.\u201d<\/p>\n\n\n\n China has never acknowledged hacking into American networks, even in the biggest example of all: the theft of security clearance files of roughly 22 million Americans \u2014 including six million sets of fingerprints \u2014 from the Office of Personnel Management during the Obama administration. That exfiltration of data took the better part of a year, and resulted in an agreement between President Barack Obama and President Xi Jinping that resulted in a brief decline in malicious Chinese cyberactivity.<\/p>\n\n\n\n On Wednesday, China sent a warning to its companies to be alert to American hacking. And there has been plenty of that, too: In documents released by Edward Snowden, the former N.S.A. contractor, there was evidence of American efforts to hack into the systems of Huawei, the Chinese telecommunications giant, and military and leadership targets.<\/p>\n\n\n\n Telecommunications networks are key targets for hackers, and the system in Guam is particularly important to China because military communications often piggyback on commercial networks.<\/p>\n\n\n\n Tom Burt, the executive who oversees Microsoft\u2019s threat intelligence unit, said in an interview that the company\u2019s analysts \u2014 many of them veterans of the National Security Agency and other intelligence agencies \u2014 had found the code \u201cwhile investigating intrusion activity impacting a U.S. port.\u201d As they traced back the intrusion, they found other networks that were hit, \u201cincluding some in the telecommunications sector in Guam.\u201d<\/p>\n\n\n\n Anne Neuberger, the deputy national security adviser for cyber and emerging technology, said that covert efforts \u201clike the activity exposed today are part of what\u2019s driving our focus on the security of telecom networks and the urgency to use trusted vendors\u201d whose equipment has met established cybersecurity standards.<\/p>\n\n\n\n