The Biden administration is hunting for malicious computer code it believes China has hidden deep inside the networks controlling power grids, communications systems and water supplies that feed military bases in the United States and around the world, according to American military, intelligence and national security officials.
The discovery of the malware has raised fears that Chinese hackers, probably working for the People’s Liberation Army, have inserted code designed to disrupt U.S. military operations in the event of a conflict, including if Beijing moves against Taiwan in coming years.
The malware, one congressional official said, was essentially “a ticking time bomb” that could give China the power to interrupt or slow American military deployments or resupply operations by cutting off power, water and communications to U.S. military bases. But its impact could be far broader, because that same infrastructure often supplies the houses and businesses of ordinary Americans, according to U.S. officials.
The first public hints of the malware campaign began to emerge in late May, when Microsoft said it had detected mysterious computer code in telecommunications systems in Guam, the Pacific island with a vast American air base, and elsewhere in the United States. But that turned out to be only the narrow slice of the problem that Microsoft could see through its networks.
More than a dozen U.S. officials and industry experts said in interviews over the past two months that the Chinese effort goes far beyond telecommunications systems and predated the May report by at least a year. They said the U.S. government’s effort to hunt down the code, and eradicate it, has been underway for some time. Most spoke on the condition of anonymity to discuss confidential and in some cases classified assessments.
They say the investigations so far show the Chinese effort appears more widespread — in the United States and at American facilities abroad — than they had initially realized. But officials acknowledge that they do not know the full extent of the code’s presence in networks around the world, partly because it is so well hidden.
The discovery of the malware has touched off a series of Situation Room meetings in the White House in recent months, as senior officials from the National Security Council, the Pentagon, the Homeland Security Department and the nation’s spy agencies attempt to understand the scope of the problem and plot a response.
Biden administration officials have begun to brief members of Congress, some state governors and utility companies about the findings, and confirmed some conclusions about the operation in interviews with The New York Times.
There is a debate inside the administration over whether the goal of the operation is primarily aimed at disrupting the military, or at civilian life more broadly in the event of a conflict. But officials say that the initial searches for the code have focused first on areas with a high concentration of American military bases.
In response to questions from The Times, the White House issued a statement Friday night that made no reference to China or the military bases.
“The Biden administration is working relentlessly to defend the United States from any disruptions to our critical infrastructure, including by coordinating interagency efforts to protect water systems, pipelines, rail and aviation systems, among others,” said Adam R. Hodge, the acting spokesman for the National Security Council.
He added: “The president has also mandated rigorous cybersecurity practices for the first time.” Mr. Hodge was referring to a series of executive orders, some motivated by concerns over SolarWinds, commercial software used widely by the U.S. government that was breached by a Russian surveillance operation, and the Colonial Pipeline ransomware attack by a Russian criminal group. That attack resulted in the temporary cutoff of half the gasoline, jet fuel and diesel supplies that run up the East Coast.
The U.S. government and Microsoft have attributed the recent malware attack to Chinese state-sponsored actors, but the government has not disclosed why it reached that conclusion. There is debate among different arms of the U.S. government about the intent of the intrusions, but not about their source.
The public revelation of the malware operation comes at an especially fraught moment in relations between Washington and Beijing, with clashes that include Chinese threats against Taiwan and American efforts to ban the sale of highly sophisticated semiconductors to the Chinese government. Many of the tensions in the relationship have been driven not only by technological competition but by mutual accusations of malicious activity in cyberspace.
The United States has blamed China for a variety of major hacks against U.S. agencies and infrastructure, and accused the foreign power of spying from a bus-size balloon that traversed the United States in February, until it was shot down off South Carolina. For its part, China has accused the United States of hacking into Huawei, its telecommunications giant. Secret documents released a decade ago by Edward Snowden, a former National Security Agency contractor now in exile in Russia, confirmed that American intelligence agencies did just that.
But almost all of those cases involved intelligence gathering. The discovery of the malicious code in American infrastructure, one of Mr. Biden’s most senior advisers said, “raises the question of what, exactly, they are preparing for.”
If gaining advantage in a Taiwan confrontation is at the heart of China’s intent, slowing down American military deployments by a few days or weeks might give China a window in which it would have an easier time taking control of the island by force.
Chinese concern about American intervention was most likely fueled by President Biden’s several statements over the past 18 months that he would defend Taiwan with American troops if necessary.
Another theory is that the code is intended to distract. Chinese officials, U.S. intelligence agencies have assessed, may believe that during an attack on Taiwan or other Chinese action, any interruptions in U.S. infrastructure could so fixate the attention of American citizens that they would think little about an overseas conflict.
Chinese officials did not respond to requests for comment concerning the American discovery of the code. But they have repeatedly denied conducting surveillance or other cyberoperations against the United States.
They have never conceded that China was behind the theft of security clearance files of roughly 22 million Americans — including six million sets of fingerprints — from the Office of Personnel Management during the Obama administration. That exfiltration resulted in an agreement between President Obama and President Xi Jinping that resulted in a brief decline in malicious Chinese cyberactivity. The agreement has since collapsed.
Now, Chinese cyberoperations seem to have taken a turn. The latest intrusions are different from those in the past because disruption, not surveillance, appears to be the objective, U.S. officials say.
At the Aspen Security Forum earlier this month, Rob Joyce, the director of cybersecurity at the National Security Agency, said China’s recent hack targeting the American ambassador to Beijing, Nicholas Burns, and the commerce secretary, Gina Raimondo, was traditional espionage. The spy balloon shot down earlier this year also captured public attention, but generated less concern inside the intelligence community. Intelligence officials and others in the Biden administration viewed those operations as the kind of spy-versus-spy games that Washington and Beijing have run against each other for decades.
In contrast, Mr. Joyce said the intrusions in Guam were “really disturbing” because of their disruptive potential.
The Chinese code, the officials say, appears directed at ordinary utilities that serve both civilian populations and nearby military bases. Only America’s nuclear sites have self-contained communication systems, electricity and water pipelines. (The code has not been found in classified systems. Officials declined to describe the unclassified military networks in which the code has been found.)
While the most sensitive planning is carried out on classified networks, the military routinely uses unclassified, but secure, networks for basic communications, personnel matters, logistics and supply issues.
Officials say that if the malware is activated, it is not clear how effective it would be at slowing an American response — and that the Chinese government may not know, either. In interviews, officials said they believe that in many cases the communications, computer networks and power grids could be quickly restored in a matter of days.
But intelligence analysts have concluded that China may believe there is utility in any disruptive attack that could slow down the U.S. response.
The initial Microsoft discovery in Guam — home to major U.S. Air Force and Marine bases — was attributed by the company to a Chinese state-sponsored hacking group that the company named Volt Typhoon.
A warning from the Homeland Security Department’s Cybersecurity and Infrastructure Security Agency, the National Security Agency and others issued the same day also said the malware was from the state-sponsored Chinese hacking group and was “living off the land.” The phrase means that it was avoiding detection by blending in with normal computer activity, conducted by authorized users. But the warning did not outline other details of the threat.
Some officials briefly considered whether to leave the malware in place, quietly monitor the code they had found and prepare plans to try to neutralize it if it was even activated. Monitoring the intrusions would allow them to learn more about it, and possibly lull the Chinese hackers into a false sense that their penetration had not been exposed.
But senior White House officials quickly rejected that option and said that given the potential threat, the prudent path was to excise the offending malware as quickly as it could be found.
Still, there are risks.
American cybersecurity experts are able to remove some of the malware, but some officials said there are concerns that the Chinese could use similar techniques to quickly regain access.
Removing the Volt Typhoon malware also runs the risk of tipping off China’s increasingly talented hacking forces about what intrusions the United States is able to find, and what it is missing. If that happens, China could improve its techniques and be able to reinfect military systems with even harder-to-find software.
The recent Chinese penetrations have been enormously difficult to detect. The sophistication of the attacks limits how much the implanted software is communicating with Beijing, making it difficult to discover. Many hacks are discovered when experts track information being extracted out of a network, or unauthorized accesses are made. But this malware can lay dormant for long periods of time.
Speaking earlier this month at an intelligence summit, George Barnes, the deputy director of the National Security Agency, said the Volt Typhoon attacks demonstrated how much more sophisticated China had become at penetrating government and private sector networks.
Mr. Barnes said that rather than exploit flaws in software to gain access, China had found ways to steal or mimic the credentials of system administrators, the people who run computer networks. Once those are in hand, the Chinese hackers essentially have the freedom to go anywhere in a network and implant their own code.
“China is steadfast and determined to penetrate our governments, our companies, our critical infrastructure,” Mr. Barnes said.
“In the earlier days, China’s cyberoperations activities were very noisy and very rudimentary,” he continued. “They have continued to bring resources, sophistication and mass to their game. So the sophistication continues to increase.”