China has condemned recent malicious cyber activities by the US government and expressed its concern to the US side through multiple channels, Foreign Ministry spokesperson Lin Jian said on Tuesday, after public security authorities in Heilongjiang Province issued a wanted notice for three US National Security Agency (NSA) agents for their involvement in cyberattacks during the 9th Asian Winter Games.
These cyberattacks have caused serious harm to China's critical information infrastructure, national defense, finance, society, production and the security of citizens' personal information, and the conduct is highly egregious, Lin said.
"We urge the US to adopt a responsible attitude on cybersecurity, to cease its cyberattacks against China, and to stop its unwarranted smear campaigns and attacks against China." China will continue to take all necessary measures to protect its own cybersecurity, he said.
The public security bureau in Harbin, Northeast China's Heilongjiang Province on Tuesday issued a wanted notice with a bounty for three agents from the US National Security Agency (NSA) for their involvement in cyberattacks targeting the 9th Asian Winter Games held in Harbin in February.
Katheryn A Wilson, Robert J. Snelling and Stephen W. Johnson - all from the NSA's Office of Tailored Access Operations - were involved in cyberattacks against information systems during the Asian Winter Games, according to a police statement. Investigations revealed that the three also participated in cyberattacks targeting China's critical network infrastructure and enterprises, including Huawei.
To combat cyber intrusion and espionage crimes committed by foreign entities against China in accordance with the law, and to safeguard national cybersecurity and the safety of people's lives and property, wanted notices with rewards have been issued for the three criminal suspects, according to the statement.
In early April, China's National Computer Virus Emergency Response Center and National Engineering Laboratory for Computer Virus Prevention Technology released a report disclosing that some external forces had attempted to disrupt and interfere with the 9th Asian Winter Games through cyberattacks. These attacks targeted critical network infrastructure to create chaos and steal sensitive information. According to monitoring data, 63.24 percent of the traced attacks originated from the US.
The Harbin public security bureau attached great importance to the cyberattacks and invited experts from China's National Computer Virus Emergency Response Center and National Engineering Laboratory for Computer Virus Prevention Technology to carry out a cyberattack traceability investigation. The technical team found that three agents from the NSA and two US universities had been involved in the cyberattacks.
Experts from China's National Computer Virus Emergency Response Center told the Global Times that the technical team conducted a layered trace based on the data obtained and ultimately identified the mastermind behind the attacks as originating from the US. The organization responsible for carrying out the cyberattacks is the NSA's Office of Tailored Access Operations (codenamed S32) of the NSA's Signals Intelligence Directorate (codenamed S).
Aside from the above three agents, the technical team also found that the University of California and Virginia Tech, both with ties to the NSA, participated in the attacks. The team traced and analyzed the IP addresses that took part in the cyberattacks during the Asian Winter Games in Harbin and found that addresses in the ranges 169.228.*.* and 45.3.*.* were attributed to these two universities.
According to publicly available information, the University of California has been designated a Center of Academic Excellence in Cyber Defense Education by the NSA and the Department of Homeland Security since 2015.
Virginia Tech, one of the six senior military colleges in the US, received funding from the NSA in 2021 to strengthen its cyber offense and defense capabilities. The university is certified by the NSA as both a cybersecurity defense research center and a cybersecurity operations research center, and has long participated in NSA-funded federal scholarship programs. Additionally, the university has undertaken the construction of a cyber operations training range for the Virginia state government.
Du Zhenhua, a senior engineer from China's National Computer Virus Emergency Response Center, told the Global Times that this was a meticulously organized cyberattack operation. Investigations reveal that their attack campaign consisted of two phases.
During the pre-event phase, they primarily targeted critical information systems such as registration systems, arrival/departure management systems and competition enrollment systems. These systems, used for pre-event operations, stored vast amounts of sensitive identity information related to event personnel, with the attackers aiming to steal personal privacy data of participating athletes through cyber intrusions, said Du.
During the event phase, the focus shifted to critical systems like the event information distribution system (including API interfaces) and arrival/departure management systems. As these systems were vital for ensuring smooth event operations, the attackers sought to sabotage them and disrupt the normal functioning of the competition, said the expert.
The NSA also organized cyberattacks targeting critical industries such as energy, transportation, water resources, communications, as well as national defense research institutes and universities. These attacks aimed to disrupt crucial information infrastructure, cause social disorder and steal confidential intelligence in key fields.
The NSA conducts cyber infiltration attacks focused on specific application systems, critical information infrastructure and key government entities. These operations utilize hundreds of advanced attack techniques, including both known and novel methods. Tactics range from exploiting zero-day vulnerabilities, blind attacks leveraging undisclosed flaws, and file read vulnerabilities to short-duration, high-frequency targeted reconnaissance, probing of backup files and sensitive directory paths, and password brute-force attacks. The sophistication and preemptive nature of these strategies highlight their technical complexity.
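Several of the behaviours listed above (probing for backup files and sensitive directory paths, short bursts of high-frequency reconnaissance, password brute-forcing) leave a recognisable trace in ordinary web-server access logs. The script below is an added example, not code from the report or from any of the teams quoted in this article: it runs three simple detections over a handful of constructed combined-format log lines (the IP addresses are documentation ranges, the paths and timings are invented) and reports the source that trips each one. The path patterns, the 10-second window and the thresholds are assumptions to be tuned for the system being monitored.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in combined log format (not real Games traffic, assumption).
# 203.0.113.7 probes for backup files and sensitive paths, enumerates an API in a
# burst, then hammers the login form; 198.51.100.4 is an ordinary visitor.
BASE = "10/Feb/2025:10:00:%02d +0800"
PROBES = [
    ("/registration/backup.zip", 404), ("/registration/db.sql.bak", 404),
    ("/.git/config", 403), ("/.env", 404), ("/admin/", 403),
] + [(f"/api/v1/athletes?id={n}", 200) for n in range(1, 9)]
SAMPLE_ACCESS_LOG = [
    f'198.51.100.4 - - [{BASE % 0}] "GET /schedule HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    f'198.51.100.4 - - [{BASE % 7}] "GET /results/curling HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
] + [
    f'203.0.113.7 - - [{BASE % i}] "GET {path} HTTP/1.1" {status} 0 "-" "python-requests/2.31"'
    for i, (path, status) in enumerate(PROBES)
] + [
    f'203.0.113.7 - - [{BASE % (20 + i)}] "POST /login HTTP/1.1" 401 0 "-" "python-requests/2.31"'
    for i in range(6)
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# Assumed indicator lists: backup/archive extensions and directories that should never be public.
BACKUP_EXT = re.compile(r"\.(bak|old|orig|zip|tar|tgz|gz|sql|7z|rar|swp)$", re.I)
SENSITIVE_PATHS = re.compile(r"^/(\.git|\.svn|\.env|\.htaccess|admin|backup|phpmyadmin|wp-admin)(/|$)", re.I)


def parse_access_log(lines):
    """Parse combined-format lines into dicts; unparseable lines are skipped, not fatal."""
    entries = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        entries.append({
            "ip": m["ip"],
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "method": m["method"],
            "path": m["path"].split("?", 1)[0],  # match on the path only, not the query string
            "status": int(m["status"]),
        })
    return entries


def flag_sensitive_requests(entries):
    """Return (ip, path, reason) for requests that look like backup or sensitive-path probes."""
    hits = []
    for e in entries:
        if BACKUP_EXT.search(e["path"]):
            hits.append((e["ip"], e["path"], "backup-file probe"))
        elif SENSITIVE_PATHS.match(e["path"]):
            hits.append((e["ip"], e["path"], "sensitive-path probe"))
    return hits


def detect_bursts(entries, window_seconds=10, threshold=10):
    """Sliding window per source IP: peak request count within any window_seconds span."""
    peaks, windows = defaultdict(int), defaultdict(deque)
    for e in sorted(entries, key=lambda e: e["ts"]):
        q = windows[e["ip"]]
        q.append(e["ts"])
        while (e["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        peaks[e["ip"]] = max(peaks[e["ip"]], len(q))
    return {ip: n for ip, n in peaks.items() if n >= threshold}


def detect_bruteforce(entries, login_path="/login", threshold=5):
    """Count failed (401/403) POSTs to the login endpoint per source IP."""
    failures = defaultdict(int)
    for e in entries:
        if e["method"] == "POST" and e["path"] == login_path and e["status"] in (401, 403):
            failures[e["ip"]] += 1
    return {ip: n for ip, n in failures.items() if n >= threshold}


def analyse(lines):
    entries = parse_access_log(lines)
    return {
        "probes": flag_sensitive_requests(entries),
        "bursts": detect_bursts(entries),
        "bruteforce": detect_bruteforce(entries),
    }


if __name__ == "__main__":
    report = analyse(SAMPLE_ACCESS_LOG)
    for ip, path, why in report["probes"]:
        print(f"{ip} {why}: {path}")
    for ip, n in report["bursts"].items():
        print(f"{ip} burst: {n} requests within 10 s")
    for ip, n in report["bruteforce"].items():
        print(f"{ip} brute force: {n} failed logins")
```

Run against real logs, each detector on its own produces false positives (a monitoring tool can legitimately poll an API every second, an administrator can mistype a password several times), so in practice the three signals are correlated per source address, as the sample does by reporting all three for the same IP, before anything is blocked or escalated.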
The targets and objectives of these cyberattack operations are explicitly deliberate, aimed at infiltrating high-value systems for intelligence collection and operational disruption. Such systematic efforts underscore the NSA's strategic intent to compromise critical networks, posing significant risks to national security and global cybersecurity frameworks.
The technical team also found that during the 9th Asian Winter Games, the NSA transmitted unknown encrypted bytes to multiple devices within Heilongjiang Province running Microsoft Windows, suspected of activating pre-embedded backdoors in the operating system. These actions are believed to exploit dormant vulnerabilities intentionally left in Windows, potentially enabling remote control or data extraction from targeted systems.
To mask the attacks' origin and safeguard its cyber weapons, the NSA's Office of Tailored Access Operations has procured IP addresses from various countries through affiliated front organizations. Additionally, it has secretly leased servers across Europe, Asia and other regions. This infrastructure allows the NSA to obscure its involvement while conducting sophisticated cyber operations, ensuring plausible deniability and prolonging the lifecycle of its offensive tools.
Li Bosong, a vice director of the Antiy security committee, one of the security guarantee teams for the 9th Asian Winter Games, told the Global Times that the US has long conducted cyberattacks against critical information systems and infrastructure of China, a practice rooted in its hegemonic nature to enforce dominance and stifle the development of other countries.
"For instance, during the competition phase alone, our team monitored and intercepted multiple overseas cyberattacks, most of which were orchestrated by US-backed entities," Li said.
These cyber operations exhibited extreme covertness and strong targeting. Beyond disrupting the event, they sought to persistently embed themselves within China's critical information infrastructure to continuously harvest sensitive information, intelligence, data, and technological achievements, said Li.
If the cyberattack operation had succeeded, it would have severely disrupted the event's organization and posed significant threats to sovereignty, security and developmental interests, said Li.
"However, this incident demonstrates our capability to establish an effective defense system capable of withstanding large-scale, high-frequency cyberattacks. Moreover, through analyzing massive incidents, we have uncovered highly covert threat indicators, reflecting strengthened national and public security capabilities. By adopting systematic thinking, worst-case scenario planning, and a 'holistic warfare' organizational model, we have proactively countered adversarial threats," said Li.