The F.B.I. and Microsoft detected a mysterious computer code appearing in telecommunications systems in Guam and elsewhere in the United States, which Microsoft said was installed by a Chinese government hacking group. The code is called a “web shell,” a malicious script that enables remote access to a server. Microsoft published details of the code that would make it possible for corporate users, manufacturers and others to detect and remove it. The National Security Agency published a 24-page advisory that referred to Microsoft’s finding and offered broader warnings about a “recently discovered cluster of activity” from China. Microsoft called the hacking group “Volt Typhoon” and said that it was part of a state-sponsored Chinese effort aimed at critical infrastructure such as communications, electric and gas utilities, maritime operations and transportation.
Administration officials said they believed the code was part of a vast Chinese intelligence collection effort that spans cyberspace, outer space and, as Americans discovered with the balloon incident, the lower atmosphere. The Biden administration has declined to discuss what the F.B.I. found as it examined the equipment recovered from the balloon. It is unclear if the government’s silence is motivated by a desire to keep the Chinese government from knowing what the United States has learned or to get past the diplomatic breach that followed the incursion. President Biden referred to how the balloon incident had paralyzed the already frosty exchanges between Washington and Beijing, and predicted that relations would “begin to thaw very shortly.” China has never acknowledged hacking into American networks, even in the biggest example of all: the theft of security clearance files of roughly 22 million Americans during the Obama administration. On Wednesday, China sent a warning to its companies to be alert to American hacking, and there has been evidence of American efforts to hack into the systems of Huawei, the Chinese telecommunications giant, and military and leadership targets.
Telecommunications networks are key targets for hackers, and the system in Guam is particularly important to China because military communications often piggyback on commercial networks. Tom Burt, the executive who oversees Microsoft’s threat intelligence unit, said that the company’s analysts had found the code “while investigating intrusion activity impacting a U.S. port.” Microsoft published a blog post with detailed indicators about the code, to allow operators of critical infrastructure to take preventive steps. The N.S.A. published a technical report about Chinese intrusions into American critical infrastructure, which described a broad range of Chinese-origin threats. The Biden administration has been racing to enforce new minimum cybersecurity standards for critical infrastructure, and after a Russian ransomware attack on Colonial Pipeline in 2021, the administration has used the authorities of the Transportation Security Administration to force private-sector utilities to follow a series of cybersecurity mandates. The N.S.A.’s report is part of a new U.S. government move to publish such data quickly in hopes of exposing, or “burning,” the Chinese operations so that the exposed tools and access can no longer be used.
In this case, it was the focus on Guam that particularly seized the attention of officials who are assessing China’s capabilities and willingness to attack or choke off Taiwan. Mr. Xi has ordered the People’s Liberation Army to be capable of taking the island by 2027, but the C.I.A. director has noted that the order “does not mean he has decided to conduct an invasion.” In the dozens of U.S. tabletop exercises conducted in recent years to map out what such an attack might look like, one of China’s first anticipated moves would be to cut off American communications and slow the United States’ ability to respond. Andersen Air Force Base would be the launching point for many of the Air Force missions to help defend the island, and a Navy port is crucial for American submarines.