Malware Discovered in Guam Raises a Question: Is China Prepping the Battlefield?



Around the time that the Federal Bureau of Investigation was examining the equipment recovered from the wreckage of the Chinese spy balloon shot down off the South Carolina coast in February, American intelligence agencies and Microsoft detected what they feared was a more worrisome intruder: mysterious computer code that has been popping up in telecommunications systems in Guam and elsewhere in the United States.

The code, which Microsoft said was installed by a Chinese government hacking group, raised alarms because Guam, with its Pacific ports and vast American air base, would be a centerpiece of any American military response to an invasion or blockade of Taiwan. It was installed with great stealth, sometimes flowing through routers and other common internet-connected consumer devices, to make the intrusion harder to track.

But unlike the balloon that fascinated Americans as it performed pirouettes over sensitive nuclear sites, the computer code could not be shot down on live television. So instead, Microsoft and the National Security Agency were set on Wednesday to publish details of the code that would make it possible for corporate users, manufacturers and others to detect and remove it.

The code is called a “web shell,” in this case a malicious script that enables remote access to a server. Home routers are particularly vulnerable, especially older models that have not had updated software and protections.

Microsoft called the hacking group “Volt Typhoon” and said that it was part of a state-sponsored Chinese effort aimed at not only critical infrastructure such as communications, electric and gas utilities, but also maritime operations and transportation. The intrusions appeared, for now, to be an espionage campaign. But the Chinese could use the code, which is designed to pierce firewalls, to enable destructive attacks, if they choose.

So far, Microsoft says, there is no evidence that the Chinese group has used the access for any offensive attacks. Unlike Russian groups, the Chinese intelligence and military hackers usually prioritize espionage.

In interviews, administration officials said they believed the code was part of a vast Chinese intelligence collection effort that spans cyberspace, outer space and, as Americans discovered with the balloon incident, the lower atmosphere.

The Biden administration has declined to discuss what the F.B.I. found as it examined the equipment recovered from the balloon. But the craft — better described as a huge aerial vehicle — apparently included specialized radars and communications interception devices that the F.B.I. has been examining since the balloon was shot down.

It is unclear whether the government’s silence about its finding from the balloon is motivated by a desire to keep the Chinese government from knowing what the United States has learned or to get past the diplomatic breach that followed the incursion.

On Sunday, speaking at a news conference in Hiroshima, Japan, President Biden referred to how the balloon incident had paralyzed the already frosty exchanges between Washington and Beijing.

“And then this silly balloon that was carrying two freight cars’ worth of spying equipment was flying over the United States,” he told reporters, “and it got shot down, and everything changed in terms of talking to one another.”

He predicted that relations would “begin to thaw very shortly.”

>

Telecommunications networks are key targets for hackers, and the system in Guam is particularly important to China because military communications often piggyback on commercial networks.

Tom Burt, the executive who oversees Microsoft’s threat intelligence unit, said in an interview that the company’s analysts — many of them veterans of the National Security Agency and other intelligence agencies — had found the code “while investigating intrusion activity impacting a U.S. port.” As they traced back the intrusion, they found other networks that were hit, “including some in the telecommunications sector in Guam.”

Microsoft planned to publish a blog post on Wednesday with detailed indicators about the code, to allow the operators of critical infrastructure to take preventive steps.

In a coordinated announcement, the N.S.A. is expected to publish a technical report about Chinese intrusions into a wide swath of American critical infrastructure. The U.S. report is not expected to refer directly to the Guam incident reported by Microsoft, but it will describe a broader range of Chinese-origin threats.

The Biden administration has been racing to enforce newly created minimum cybersecurity standards for critical infrastructure. After a Russian ransomware attack on Colonial Pipeline in 2021 that resulted in an interruption of gasoline, diesel and airplane fuel flow on the East Coast, the administration has used the authorities of the Transportation Security Administration — which regulates pipelines — to force private-sector utilities to follow a series of cybersecurity mandates.

A similar process is now underway for water supplies, airports and soon hospitals, all of which hackers have targeted in recent times.

The National Security Agency’s report is part of a relatively new U.S. government move to publish such data quickly in hopes of burning the Chinese operations. In years past, the United States usually withheld such information — sometimes classifying it — and shared it with only a select few companies or organizations. But that almost always assured that the hackers could stay well ahead of the government.

In this case, it was the focus on Guam that particularly seized the attention of officials who are assessing China’s capabilities — and its willingness — to attack or choke off Taiwan. President Xi Jinping has ordered the People’s Liberation Army to be capable of taking the island by 2027. But the C.I.A. director, William J. Burns, has noted to Congress that the order “does not mean he has decided to conduct an invasion.”

In the dozens of U.S. tabletop exercises conducted in recent years to map out what such an attack might look like, one of China’s first anticipated moves would be to cut off American communications and slow the United States’ ability to respond. So the exercises envision attacks on satellite and ground communications, especially around American installations where military assets would be mobilized.

None is bigger than Guam, where Andersen Air Force Base would be the launching point for many of the Air Force missions to help defend the island, and a Navy port is crucial for American submarines.

David E. Sanger is a White House and national security correspondent. In a 38-year reporting career for The Times, he has been on three teams that have won Pulitzer Prizes, most recently in 2017 for international reporting. His newest book is “The Perfect Weapon: War, Sabotage and Fear in the Cyber Age.”  @SangerNYT Facebook