Morning Intelligence Report


MG Paul Vallely, US Army (Ret)

U.S. Hunts Chinese Malware That Could Disrupt American Military Operations

By David E. Sanger and Julian E. Barnes

July 29, 2023, updated 11:47 a.m. ET

David Sanger has reported on the evolution of cyber conflict for more than 15 years. Julian Barnes covers the U.S. intelligence agencies. They reported from Washington and Aspen, Colo.

The Biden administration is hunting for malicious computer code it believes China has hidden deep inside the networks controlling power grids, communications systems, and water supplies that feed military bases in the United States and around the world, according to American military, intelligence, and national security officials.

The discovery of the malware has raised fears that Chinese hackers, probably working for the People’s Liberation Army, have inserted code designed to disrupt U.S. military operations in the event of a conflict, including if Beijing moves against Taiwan in the coming years.

One congressional official said the malware was essentially “a ticking time bomb” that could give China the power to interrupt or slow American military deployments or resupply operations by cutting off power, water, and communications to U.S. military bases. But its impact could be far broader because that same infrastructure often supplies the houses and businesses of ordinary Americans, according to U.S. officials.

The first public hints of the malware campaign began to emerge in late May when Microsoft said it had detected mysterious computer code in telecommunications systems in Guam, the Pacific island with a vast American air base, and elsewhere in the United States.

In interviews over the past two months, more than a dozen U.S. officials and industry experts said the Chinese effort predated the May report by at least a year. The U.S. government’s effort to hunt down the code and eradicate it has been underway for some time. Most spoke on the condition of anonymity to discuss confidential and, in some cases, classified assessments.

They say the Chinese effort appears more widespread — in the United States and at American facilities abroad — than they had initially realized. But officials acknowledge that they do not know the full extent of the code’s presence in networks worldwide.

The discovery of the malware has touched off a series of Situation Room meetings in the White House in recent months, as senior officials from the National Security Council, the Pentagon, the Homeland Security Department, and the nation’s spy agencies attempt to understand the scope of the problem and plot a response.

Biden administration officials have begun to brief members of Congress, some state governors, and utility companies about the findings and confirmed some conclusions about the operation in interviews with The New York Times.

There is a debate inside the administration over whether the operation’s goal is primarily aimed at disrupting the military or civilian life more broadly in the event of a conflict. But officials say the initial searches for the code have focused on areas with a high concentration of American military bases.

“The Biden administration is working relentlessly to defend the United States from any disruptions to our critical infrastructure, including by coordinating interagency efforts to protect water systems, pipelines, rail and aviation systems, among others,” said Adam Hodge, the acting spokesman for the National Security Council.

He added: “The president has also mandated rigorous cybersecurity practices for the first time.” Mr. Hodge referred to a series of executive orders, some motivated by concerns over SolarWinds, commercial software used widely by the U.S. government that was breached by a Russian surveillance operation, and the Colonial Pipeline ransomware attack by a Russian criminal group. That attack resulted in the temporary cutoff of half the gasoline, jet fuel, and diesel supplies that ran up the East Coast.

The U.S. government and Microsoft have attributed the recent malware attack to Chinese state-sponsored actors, but the government has not disclosed why it reached that conclusion. There is debate among different arms of the U.S. government about the intent of the intrusions, but not their source.

The public revelation of the malware operation comes at an especially fraught moment in relations between Washington and Beijing, with clashes that include Chinese threats against Taiwan and American efforts to ban the sale of highly sophisticated semiconductors to the Chinese government.

One of Mr. Biden’s most senior advisers said that discovering the code in American infrastructure “raises the question of exactly what they are preparing for — or whether this is signaling.”

If gaining an advantage in a Taiwan confrontation is at the heart of China’s intent, tabletop exercises conducted by the government, think tanks, and other outside experts suggest time is of the essence. Slowing down American military deployments by a few days or weeks might give China a window in which it would have an easier time taking control of the island by force.

Chinese concern about American intervention was most likely fueled by President Biden’s several statements over the past 18 months that he would defend Taiwan with American troops if necessary.

Another theory is that the code is intended to distract. Chinese officials, U.S. intelligence agencies have assessed, may believe that during an attack on Taiwan or other Chinese action, any interruptions in U.S. infrastructure could so fixate the attention of American citizens that they would think little about an overseas conflict.

Chinese officials did not respond to requests for comment concerning the American discovery of the code. But they have repeatedly denied conducting surveillance or other cyber operations against the United States.

They have never conceded that China was behind the theft of security clearance files of roughly 22 million Americans — including six million sets of fingerprints — from the Office of Personnel Management during the Obama administration. That exfiltration resulted in an agreement between President Obama and President Xi Jinping that culminated in a brief decline in malicious Chinese cyber activity. The agreement has since collapsed.

Now, Chinese cyber operations have taken a turn. The latest intrusions differ from those in the past because disruption, not surveillance, appears to be the objective, U.S. officials say. At the Aspen Security Forum last week, Rob Joyce, the director of cybersecurity at the National Security Agency, said China’s recent hack targeting the American ambassador to Beijing, Nicholas Burns, and the commerce secretary, Gina Raimondo, was traditional espionage. But he said the intrusions in Guam were “really disturbing” because of their disruptive potential.

The Chinese code, the officials say, appears directed at ordinary utilities that serve both civilian populations and nearby military bases. Only America’s nuclear sites have self-contained communication systems, electricity, and water pipelines. (The code has not been found in classified systems. Officials declined to describe the unclassified military networks in which the code has been found.)

While the most sensitive planning is carried out on classified networks, the military routinely uses unclassified but secure networks for basic communications, personnel matters, logistics, and supply issues.

Officials say that if the malware is activated, it is unclear how effective it would be at slowing an American response — and that the Chinese government may not know, either. In interviews, officials said they believe that, in many cases, the communications, computer networks, and power grids could be quickly restored in a matter of days. But intelligence analysts have concluded that China may believe there is utility in any disruptive attack that could slow down the U.S. response.