Full Report
The NSA has neither confirmed nor denied the allegations made by China’s Ministry of State Security. China said the origins of the attack date back to March 2022. Source: "China’s spy agency accuses NSA of yearslong attack on the country’s timekeeping service", CyberScoop.
Analysis Summary
# Threat Actor: National Security Agency (NSA) - As Accused by China's MSS
## Attribution & Identity
**Accuser:** China’s Ministry of State Security (MSS).
**Accused Actor:** U.S. National Security Agency (NSA).
**Context:** This analysis summarizes the allegations made by the Chinese government against the NSA concerning a cyber campaign targeting China's critical infrastructure. The account below is the MSS's, and none of it has been independently verified; the NSA has neither confirmed nor denied the allegations.
## Activity Summary
The MSS alleges a years-long cyberattack campaign conducted by the NSA against China’s national timekeeping infrastructure.
* **Initial Compromise:** Mobile devices belonging to National Time Service Center employees were compromised starting in **March 2022** via an exploited vulnerability in the text-messaging service of a non-China-based mobile phone vendor.
* **Gaining Access:** Credentials lifted from these compromised mobile devices were used to gain initial access to the National Time Service Center systems in **April 2023**.
* **Active Attack Phase:** The NSA allegedly used 42 tools to conduct a “high-intensity cyberattack against multiple internal National Time Service Center network systems” from **August 2023 to June 2024**.
* **Objective:** According to the MSS, to steal sensitive data and to position inside the service for sabotage or disruption of time distribution.
* **Counter-Activity:** China claims it "shattered" the U.S. plot by disrupting the attack chain and implementing additional security measures.
## Tactics, Techniques & Procedures
- Exploitation of a vulnerability in the text-messaging service of a non-China-based mobile phone vendor to compromise employee handsets (Initial Access). The closest Enterprise ATT&CK fit is T1203, Exploitation for Client Execution; T1190 (Exploit Public-Facing Application) does not apply, since the target was the handset rather than an internet-facing server.
- Credential harvesting from the compromised mobile devices (Credential Access, likely T1003 OS Credential Dumping or T1555 Credentials from Password Stores), followed by use of those credentials against the Center's systems (Initial Access, T1078 Valid Accounts).
- Use of Virtual Private Networks (VPNs) to conceal the true origin of attack traffic (Defense Evasion / Command and Control, likely T1090 Proxy).
- Forging digital certificates to bypass antivirus software (Defense Evasion, likely T1553.002 Subvert Trust Controls: Code Signing, with T1588.003 Obtain Capabilities: Code Signing Certificates for their acquisition).
- Deployment of 42 distinct tools during the active attack phase.
- Attempted infiltration of the Center's high-precision ground-based timing system (Lateral Movement; no closer mapping is possible from the source).
- *No MITRE ATT&CK IDs were provided in the source material; the IDs above are this analysis's mapping of the described behaviour.*
## Targeting
**Sectors:**
* National Timekeeping Infrastructure (National Time Service Center).
* Critical infrastructure sectors reliant on accurate time calculations, including communications, finance, power, transportation, and defense.
**Geography:**
* China (specifically the Xi’an-based National Time Service Center facilities).
**Victims:**
* China’s National Time Service Center (NTSC).
## Tools & Infrastructure
- **Malware Families Used:** Not specified, but 42 distinct "tools" were mentioned.
- **Infrastructure:**
- Use of Virtual Private Networks (VPNs) for command and control/evasion.
- Use of forged digital certificates for defense evasion.
- Exploited vulnerability in a "non-China based mobile phone vendor's" text-messaging service.
## Implications
The alleged campaign, whether or not the attribution is accurate, illustrates why national time synchronization services are an attractive target: communications, finance, power, transportation and defense systems all depend on them, and the MSS statement warns that attacks on such infrastructure could cause "incalculable damage and losses," including widespread network failure, power outages and financial disruption. Two details deserve attention from defenders regardless of who the actor was: the initial foothold was an employee's personal-class mobile device rather than the Center's own network, and the credentials taken from it were sufficient to reach core systems a year later. The incident also reinforces the narrative of a persistent, high-stakes cyber conflict between the US and China, in which each side now publicly attributes intrusions to the other.
## Mitigations (Based on Alleged Attack Vectors)
- **Mobile Device Security:** Treat employee mobile devices as part of the attack surface of the networks they can reach. Enforce patching of the OS and vendor messaging components, restrict which devices may hold work credentials, and watch for the year-long gap between compromise (March 2022) and credential use (April 2023): a dormant foothold of that age survives only where devices are never re-imaged or re-enrolled.
- **Strong Authentication:** Ensure that a credential harvested from a mobile endpoint is not by itself sufficient to reach core network systems: require phishing-resistant MFA bound to the device, short-lived session tokens rather than stored long-term passwords, and access policies that reject logins to sensitive systems from unmanaged or unexpected devices.
- **Network Segmentation and Monitoring:** Isolate the timing systems themselves (the ground-based timing system in this account) from general office networks, and alert on logins to them from anonymizing or commercial VPN exit infrastructure, on accounts authenticating from new locations, and on internal lateral movement between segments that should not talk to each other.
- **Certificate Management:** Do not treat the presence of a signature or a plausible-looking certificate as trust. Security tooling that allow-lists binaries by signer name, rather than by a chain verified to a pinned root, is exactly what a forged certificate defeats; validate the full chain, pin the expected roots, and monitor for signed binaries whose certificates do not chain to them.
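The certificate point above is worth making concrete. The report says only that forged certificates were used to bypass antivirus and gives no detail of how they were produced, so the program below is an added illustration, not code from the report, from the MSS, or from any product. It builds a trust store containing one hypothetical CA, one leaf that CA genuinely issued, and one forged leaf whose subject, issuer name, validity period and code-signing usage are identical to the genuine one but which an attacker signed with a key of their own. A name-and-expiry check (`NaiveCheck`) accepts both; chain verification against the trust store (`VerifyCodeSigning`) rejects the forgery. All names, keys and certificates are invented and generated in memory.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Hypothetical names for the illustration; nothing here comes from the report.
const (
	caName   = "Example Vendor Root CA"
	leafName = "Example Vendor Code Signing"
)

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// sign encodes tmpl, names parent.Subject as the issuer and signs with signer.
// Nothing stops a caller passing a parent that merely *claims* the CA's name;
// that is precisely what a forgery does.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func leafTemplate(serial int64, now time.Time) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: leafName},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
}

// BuildScenario returns a trust store with one genuine CA, a leaf that CA
// issued, and a forged leaf that looks the same but was signed by the attacker.
func BuildScenario() (roots *x509.CertPool, genuine, forged *x509.Certificate, err error) {
	now := time.Now()
	caKey := newKey()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: caName},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(48 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	ca, err := sign(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, nil, err
	}
	roots = x509.NewCertPool()
	roots.AddCert(ca)

	leafKey := newKey()
	if genuine, err = sign(leafTemplate(2, now), ca, &leafKey.PublicKey, caKey); err != nil {
		return nil, nil, nil, err
	}

	// Attacker has no access to caKey: fabricate an "issuer" that shares only
	// the CA's name and sign the leaf with a key the attacker controls.
	attackerKey := newKey()
	fakeIssuer := &x509.Certificate{Subject: pkix.Name{CommonName: caName}}
	if forged, err = sign(leafTemplate(3, now), fakeIssuer, &attackerKey.PublicKey, attackerKey); err != nil {
		return nil, nil, nil, err
	}
	return roots, genuine, forged, nil
}

// NaiveCheck is the allow-list many scripts and products apply: right subject,
// right issuer name, unexpired, marked for code signing. It never checks who
// actually produced the signature, so a forgery passes.
func NaiveCheck(c *x509.Certificate) bool {
	now := time.Now()
	if c.Subject.CommonName != leafName || c.Issuer.CommonName != caName {
		return false
	}
	if now.Before(c.NotBefore) || now.After(c.NotAfter) {
		return false
	}
	for _, eku := range c.ExtKeyUsage {
		if eku == x509.ExtKeyUsageCodeSigning {
			return true
		}
	}
	return false
}

// VerifyCodeSigning builds and cryptographically verifies a chain from c to a
// root in our own trust store and requires that the chain permits code signing.
func VerifyCodeSigning(c *x509.Certificate, roots *x509.CertPool) bool {
	_, err := c.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	})
	return err == nil
}

func main() {
	roots, genuine, forged, err := BuildScenario()
	if err != nil {
		panic(err)
	}
	for _, c := range []struct {
		name string
		cert *x509.Certificate
	}{{"genuine", genuine}, {"forged", forged}} {
		fmt.Printf("%-8s naive=%v chain=%v\n", c.name, NaiveCheck(c.cert), VerifyCodeSigning(c.cert, roots))
	}
}
```

The design point is that `x509.Certificate.Verify` is given an explicit `Roots` pool rather than the system store, so trust is pinned to the roots the organisation expects for its own signers; a certificate that chains to some other publicly trusted CA under a look-alike name is rejected just as the self-signed forgery is.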