The message from President Biden’s national security adviser was startling.
拜登總統的國家安全顧問發出的信息令人震驚。
Chinese hackers had gained the ability to shut down dozens of U.S. ports, power grids and other infrastructure targets at will, Jake Sullivan told telecommunications and technology executives at a secret meeting at the White House in the fall of 2023, according to people familiar with it. The attack could threaten lives, and the government needed the companies’ help to root out the intruders.
據知情人士透露,傑克·沙利文 (Jake Sullivan) 在 2023 年秋季在白宮舉行的一次秘密會議上對電信和技術高管表示,中國黑客已獲得隨意關閉數十個美國港口、電網和其他基礎設施目標的能力。這次襲擊可能會威脅生命,政府需要這些公司的幫助來根除入侵者。
What no one at the briefing knew, including Sullivan: China’s hackers were already working their way deep inside U.S. telecom networks, too.
包括沙利文在內的出席簡報會的人都不知道的是:中國駭客也已經深入美國電信網路。
The two massive hacking operations have upended the West’s understanding of what Beijing wants, while revealing the astonishing skill level and stealth of its keyboard warriors—once seen as the cyber equivalent of noisy, drunken burglars.
這兩起大規模駭客行動顛覆了西方對北京想要什麼的理解,同時也揭露了其鍵盤俠的驚人技術水平和隱密性——這些鍵盤俠一度被視為網路上吵鬧、醉酒的竊賊。
China’s hackers were once thought to be interested chiefly in business secrets and huge sets of private consumer data. But the latest hacks make clear they are now soldiers on the front lines of potential geopolitical conflict between the U.S. and China, in which cyberwarfare tools are expected to be powerful weapons.
中國的駭客曾經被認為主要對商業機密和大量私人消費者資料感興趣。但最新的駭客攻擊表明,他們現在是中美之間潛在地緣政治衝突前線的士兵,網路戰工具預計將成為強大的武器。
U.S. computer networks are a “key battlefield in any future conflict” with China, said Brandon Wales, a former top U.S. cybersecurity official at the Department of Homeland Security, who closely tracked China’s hacking operations against American infrastructure. He said prepositioning and intelligence collection by the hackers “are designed to ensure they prevail by keeping the U.S. from projecting power, and inducing chaos at home.”
美國國土安全部前高級網路安全官員布蘭登威爾斯(Brandon Wales)密切追蹤中國針對美國基礎設施的駭客行動,他表示,美國電腦網路是「未來與中國發生任何衝突的關鍵戰場」。他表示,駭客的預先部署和情報收集“旨在確保他們獲勝,阻止美國投射力量並在國內製造混亂。”
As China increasingly threatens Taiwan, working toward what Western intelligence officials see as a target of being ready to invade by 2027, the U.S. could be pulled into the fray as the island’s most important backer. Other friction between Washington and Beijing has intensified in recent years, with President-elect Donald Trump threatening a sharp trade war and China building a tighter alliance with Russia. Top U.S. officials in both parties have warned that China is the greatest danger to American security.
隨著中國日益威脅台灣,並努力實現西方情報官員認為的2027 年入侵的目標,美國可能會作為台灣最重要的支持者被捲入這場戰爭。近年來,華盛頓和北京之間的其他摩擦也有所加劇,當選總統唐納德·川普威脅要發動激烈的貿易戰,而中國與俄羅斯建立了更緊密的聯盟。美國兩黨高級官員均警告稱,中國是美國安全的最大威脅。
十月,國家安全顧問傑克·沙利文在白宮(上)。俄羅斯總統普丁和中國領導人習近平五月在北京。Kent Nishimura/Getty Images, Sergei BOBYLYOV/AFP/Getty Images
Kent Nishimura/Getty Images,Sergei BOBYLYOV/AFP/Getty Images
In the infrastructure attacks, which began at least as early as 2019 and are still taking place, hackers connected to China’s military embedded themselves in arenas that spies usually ignored, including a water utility in Hawaii, a port in Houston and an oil-and-gas processing facility.
在至少早在2019 年就開始且仍在發生的基礎設施攻擊中,與中國軍方有聯繫的駭客將自己嵌入間諜通常忽視的場所,包括夏威夷的自來水公司、休士頓的一個港口以及一家石油和石油公司。
Investigators, both at the Federal Bureau of Investigation and in the private sector, found the hackers lurked, sometimes for years, periodically testing access. At a regional airport, investigators found the hackers had secured access, and then returned every six months to make sure they could still get in. Hackers spent at least nine months in the network of a water-treatment system, moving into an adjacent server to study the operations of the plant. At a utility in Los Angeles, the hackers searched for material about how the utility would respond in the event of an emergency or crisis. The precise location and other details of the infrastructure victims are closely guarded secrets, and couldn’t be fully determined.
聯邦調查局和私營部門的調查人員發現,駭客有時潛伏多年,定期測試訪問權限。在一個地區機場,調查人員發現駭客已經獲得了訪問權限,然後每六個月返回一次,以確保他們仍然可以進入。的伺服器以進行攻擊。在洛杉磯的一家公用事業公司,駭客搜尋了有關該公用事業公司在緊急情況或危機時如何應對的資料。基礎設施受害者的準確位置和其他詳細資料受到嚴格保密,無法完全確定。
American security officials said they believe the infrastructure intrusions—carried out by a group dubbed Volt Typhoon—are at least in part aimed at disrupting Pacific military supply lines and otherwise impeding America’s ability to respond to a future conflict with China, including over a potential invasion of Taiwan.
美國安全官員表示,他們認為由一個名為「伏特颱風」的組織實施的基礎設施入侵至少部分是為了擾亂太平洋軍事補給線,並以其他方式阻礙美國應對未來與中國的衝突的能力,包括潛在的入侵台灣的。
In the separate telecom attacks, which started in mid-2023 or earlier and were first reported by The Wall Street Journal in September, a hacking group—this one known as Salt Typhoon—linked to Chinese intelligence burrowed into U.S. wireless networks as well as systems used for court-appointed surveillance.
在 2023 年中期或更早開始並由《華爾街日報》9 月首次報道的單獨電信攻擊中,一個與中國情報部門有聯繫的黑客組織(名為 Salt Typhoon)潛入了美國無線網路和系統用於法庭指定的監視。
They were able to access data from over a million users, and snapped up audio from senior government officials, including some calls with Trump by accessing the phone lines of people whose phones he used. They also targeted people involved in Vice President Kamala Harris’s presidential campaign.
他們能夠訪問超過一百萬用戶的數據,並搶佔政府高級官員的音頻,包括透過訪問川普使用手機的人的電話線路來獲取與川普的一些通話。他們也針對參與副總統卡馬拉·哈里斯總統競選活動的人員。
They were also able to swipe from Verizon and AT&T a list of individuals the U.S. government was surveilling in recent months under court order, which included suspected Chinese agents.
他們還能夠從Verizon和AT&T取得美國政府近幾個月根據法院命令監視的個人名單,其中包括可疑的中國特工。
十月在台北中正紀念堂舉行的儀式。照片:tyrone siu/Reuters
The intruders used known software flaws that had been publicly warned about but hadn’t been patched. Investigators said they were still probing the full scope of the attack.
入侵者使用了已知的軟體缺陷,這些缺陷已被公開警告但尚未修補。調查人員表示,他們仍在調查攻擊的全部範圍。
Lawmakers and officials given classified briefings in recent weeks told the Journal they were shocked at the depth of the intrusions and at how hard the hacks may be to resolve, and some telecom company leaders said they were blindsided by the attack’s scope and severity.
最近幾週接受機密簡報的立法者和官員告訴《華爾街日報》,他們對入侵的深度以及解決駭客攻擊的難度感到震驚,一些電信公司領導人表示,他們對攻擊的範圍和嚴重性感到措手不及。
“They were very careful about their techniques,” said Anne Neuberger, President Biden’s deputy national security adviser for cybersecurity. In some cases hackers erased cybersecurity logs, and in others the victim companies didn’t keep adequate logs, meaning there were details “we will never know regarding the scope and scale of this,” she said.
「他們對自己的技術非常謹慎,」拜登總統負責網路安全的副國家安全顧問安妮紐伯格 (Anne Neuberger) 說。她說,在某些情況下,駭客刪除了網路安全日誌,而在其他情況下,受害公司沒有保留足夠的日誌,這意味著「我們永遠不會知道其範圍和規模」。
Liu Pengyu, the spokesman for the Chinese embassy in Washington, accused the U.S. of peddling disinformation about threats from Chinese hackers to advance its geopolitical ambitions. Chinese leader Xi Jinping told President Biden during their meeting in Peru in November that there was no evidence to support the allegations, he said.
中國駐華盛頓大使館發言人劉鵬宇指責美國散佈有關中國駭客威脅的虛假訊息,以推進其地緣政治野心。他說,中國領導人習近平去年 11 月在秘魯與拜登總統會面時告訴拜登,沒有證據支持這些指控。
“Some in the U.S. seem to be enthusiastic about creating various types of ‘typhoons,’” the spokesman said, referring to the names assigned to the hacking groups. “The U.S. needs to stop its own cyberattacks against other countries and refrain from using cybersecurity to smear and slander China.”
“美國的一些人似乎熱衷於製造各種類型的‘颱風’,”發言人說,他指的是黑客組織的名稱。 “美國需要停止針對其他國家的網路攻擊,不要利用網路安全抹黑和污衊中國。”
Verizon said a small number of high-profile customers in government and politics were specifically targeted by the threat actor and that those people had been notified. “After considerable work addressing this incident, we can report that Verizon has contained the activities associated with this particular incident,” said Vandana Venkatesh, chief legal officer at Verizon.
Verizon 表示,少數政府和政界知名客戶是威脅行為者的具體目標,而這些人已收到通知。 Verizon 首席法律官 Vandana Venkatesh 表示:“經過大量工作解決這一事件後,我們可以報告 Verizon 已遏制與這一特定事件相關的活動。”
An AT&T spokeswoman said the company detected “no activity by nation-state actors in our networks at this time,” adding that the Chinese government targeted a “small number of individuals of foreign intelligence interest” and that affected customers were notified in cooperation with law enforcement.
AT&T 發言人表示,該公司“目前在我們的網絡中沒有發現任何民族國家行為者的活動”,並補充說,中國政府針對的是“少數涉及外國情報利益的個人”,並已依法通知受影響的客戶執法。
‘Shocking how exposed we are’
“我們的暴露程度令人震驚”
Some national security officials involved in the investigation said they believe the telecom hack is so severe, and the networks so compromised, that the U.S. may never be able to say with certainty that the Chinese hackers have been fully rooted out.
一些參與調查的國家安全官員表示,他們認為電信駭客攻擊如此嚴重,網路受到如此嚴重的破壞,美國可能永遠無法肯定地說中國駭客已被徹底剷除。
Several senior lawmakers and U.S. officials have switched from making traditional cellphone calls and texts to using encrypted apps such as Signal, for fear that China may be listening in. Federal law-enforcement officials have told state and local law enforcement to do the same. (Federal agents already use their own encrypted systems for classified work.)
由於擔心中國可能竊聽,一些高級立法者和美國官員已從傳統的手機通話和簡訊轉為使用 Signal 等加密應用程式。 (聯邦特工已經使用自己的加密系統進行機密工作。)
紐約的一家 AT&T 商店。駭客攻擊了該公司的網路。照片:Gabby Jones/彭博新聞
In late December, in response to the Salt Typhoon campaign, federal cybersecurity officials published new guidance recommending the public use end-to-end encryption for communications, and said text-based multifactor authentication for account logins should be avoided in favor of app-based methods.
12 月下旬,為應對「鹽颱風」活動,聯邦網路安全官員發布了新指南,建議公眾使用端到端加密進行通信,並表示應避免基於文字的帳戶登錄多因素身份驗證,而應使用基於應用程序的身份驗證。
U.S. officials have warned for more than a decade about fast-evolving threats in cyberspace, from ransomware hackers locking computers and demanding payments to state-directed thefts of valuable corporate secrets. They also raised concerns about the use of Chinese equipment, including from telecom giants Huawei and ZTE, arguing they could open a back door to unfettered spying. In December, the Journal reported that U.S. authorities are investigating whether the popular home-internet routers made by China’s TP-Link, which have been linked to cyberattacks, pose a national-security risk.
十多年來,美國官員一直對網路空間中快速演變的威脅發出警告,從勒索軟體駭客鎖定電腦並要求付款到國家指導的盜竊寶貴企業機密的行為。他們也對使用中國設備(包括來自電信巨頭華為和中興通訊)的設備表示擔憂,認為這些設備可能會為不受限制的間諜活動打開後門。去年 12 月, 《華爾街日報》報道稱,美國當局正在調查中國 TP-Link 生產的流行家庭網路路由器是否構成國家安全風險,這些路由器與網路攻擊有關。
But Beijing didn’t need to leverage Chinese equipment to accomplish most of its goals in the massive infrastructure and telecom attacks, according to U.S. officials and others familiar with the investigation. In both hacks, China exploited a range of aging telecom equipment that U.S. companies have trusted for decades.
但據美國官員和其他熟悉調查情況的人士稱,北京不需要利用中國設備來實現其大規模基礎設施和電信攻擊的大部分目標。在這兩次駭客攻擊中,中國利用了美國公司數十年來信任的一系列老化電信設備。
In the telecom attacks, the hackers exploited unpatched network devices from security vendor Fortinet and compromised large network routers from Cisco Systems. In at least one case, they took control of a high-level network management account that wasn’t protected by multifactor authentication, a basic safeguard.
在電信攻擊中,駭客利用了安全供應商Fortinet未打補丁的網路設備,並破壞了Cisco Systems的大型網路路由器。至少在一個案例中,他們控制了一個不受多因素身份驗證(一種基本保護措施)保護的高級網路管理帳戶。
That granted them access to more than 100,000 routers from which they could further their attack—a serious lapse that may have allowed the hackers to copy traffic back to China and delete their own digital tracks.
這使他們能夠訪問超過 100,000 個路由器,從而可以進一步實施攻擊——這是一個嚴重的失誤,可能使駭客能夠將流量複製回中國並刪除他們自己的數位軌跡。
The router hijacking took place within AT&T’s networks, a person familiar with the matter said.
一位知情人士稱,路由器劫持發生在 AT&T 網路內。
AT&T declined to comment on the router attack. Cisco and Fortinet declined to comment.
AT&T 拒絕就路由器攻擊發表評論。思科和 Fortinet 拒絕置評。
In December, Neuberger said the number of U.S. telecom victims had grown to nine, and that there could be more.
去年 12 月,紐伯格表示,美國電信受害者人數已增至九人,而且可能還會更多。
In addition to deep intrusions into AT&T and Verizon, hackers pierced other networks belonging to Lumen Technologies and T-Mobile. The Chinese hackers also reached into Charter Communications, Consolidated Communications and Windstream, according to people familiar with the matter.
除了深度入侵 AT&T 和 Verizon 之外,駭客還侵入了Lumen Technologies和T-Mobile的其他網路。知情人士透露,中國駭客還侵入了Charter Communications 、Consolidated Communications 和 Windstream。
Lumen said it no longer sees evidence of the attackers in its network and that no customer data was accessed. T-Mobile said it stopped recent attempts to infiltrate its systems from advancing and protected sensitive customer information from being accessed.
Lumen 表示,它不再在其網路中看到攻擊者的證據,也沒有客戶資料被存取。 T-Mobile 表示,它阻止了最近滲透其係統的嘗試,並保護敏感的客戶資訊免遭存取。
Some U.S. officials, including Neuberger, have said the hack underscores the need for baseline cybersecurity requirements for the telecom industry. The Biden administration created such mandates through executive actions for pipelines, railways and the aviation industry.
包括紐伯格在內的一些美國官員表示,這次駭客攻擊凸顯了電信業對基本網路安全要求的必要性。拜登政府透過針對管道、鐵路和航空業的行政行動制定了此類任務。
“Cyberspace is a fiercely contested battlefield,” said Sullivan, the national security adviser. “We…have made considerable progress, but serious vulnerabilities remain in sectors where we don’t have mandatory cybersecurity requirements.”
「網路空間是一個競爭激烈的戰場,」國家安全顧問沙利文說。 “我們……已經取得了相當大的進展,但在我們沒有強制性網路安全要求的領域仍然存在嚴重漏洞。”
Sen. Dan Sullivan (R., Alaska), during a congressional hearing in December, said “It’s shocking how exposed we are, and still are.” He described a recent classified briefing on the telecom hacks as “breathtaking.”
參議員丹·沙利文(阿拉斯加州共和黨)在 12 月的一次國會聽證會上表示,“我們現在和現在都暴露得如此嚴重,令人震驚。”他將最近關於電信駭客攻擊的機密簡報描述為「令人驚嘆」。
The infrastructure hacks also alarmed officials. In April, during a five-hour session with his Chinese counterpart in Beijing, U.S. Secretary of State Antony Blinken said China’s attacks on physical infrastructure were concerning, dangerous and escalatory, people familiar with the encounter said.
基礎設施駭客攻擊也引起了官員們的警惕。知情人士稱,今年四月,美國國務卿安東尼·布林肯在北京與中國外長舉行了長達五個小時的會議,他表示中國對有形基礎設施的攻擊令人擔憂、危險且不斷升級。
Flanked by aides at a long table with pots of tea and water, China’s Foreign Minister Wang Yi shrugged and called the allegations a phantom concocted by the U.S. to increase support for military spending.
中國外交部長王毅在長桌旁的助手們面前擺放著茶壺和水,他聳聳肩,稱這些指控是美國為增加對軍費開支的支持而炮製的幻影。
國務卿安東尼·布林肯(上)和中國外交部長王毅四月在北京舉行會議。 MARK SCHIEFELBEIN/AFP/Getty Images
馬克希費爾貝因/法新社/蓋蒂圖片社
In another meeting later that week, other U.S. officials presented evidence linking the intrusions to China-based IP addresses. The Chinese officials said they would look at it and get back to the Americans, but never substantively did, U.S. officials familiar with the interactions said.
在本週稍後的另一次會議上,其他美國官員提供了證據,證明這些入侵與中國的 IP 位址有關。熟悉相關互動的美國官員表示,中國官員表示,他們會研究此事,然後回饋給美國人,但從未採取實質行動。
This account of the two devastating cyberattacks is based on interviews with around 50 national security, law enforcement and private-sector officials. Many of the details have never been reported.
對這兩次毀滅性網路攻擊的描述是基於對約 50 名國家安全、執法和私營部門官員的採訪。許多細節從未被報道。
Port attack 連接埠攻擊
The first shot that revealed the new cyberwar came midmorning on Aug. 19, 2021, when Chinese hackers gained a foothold in the digital underpinnings of one of America’s largest ports in just 31 seconds.
揭示新網路戰爭的第一槍發生在 2021 年 8 月 19 日上午,當時中國駭客僅用了 31 秒就在美國最大港口之一的數字基礎上站穩了腳跟。
At the Port of Houston, an intruder acting like an engineer from one of the port’s software vendors entered a server designed to let employees reset their passwords from home. The hackers managed to download an encrypted set of passwords from all the port’s staff before the port recognized the threat and cut off the password server from its network.
在休士頓港,一名入侵者像港口軟體供應商的工程師一樣進入了一台伺服器,該伺服器旨在讓員工在家中重置密碼。在港口意識到威脅並切斷密碼伺服器與網路的連接之前,駭客設法從港口所有工作人員下載了一組加密密碼。
A mysterious file launches a global hunt
一個神秘文件引發全球追捕
How Chinese hackers broke into the Port of Houston in just 31 seconds.
中國駭客如何在短短31秒內闖入休士頓港。
An attacker, acting like an engineer from one of the port’s software
攻擊者,表現得像端口軟體的工程師
vendors, enters a server that lets employees reset their passwords.
供應商,輸入允許員工重設密碼的伺服器。
The user uploads a file that looks like a normal IT file that would track server usage and generate reports. The file, named reportwriter.js, even had
用戶上傳一個看起來像普通 IT 文件的文件,該文件將追蹤伺服器使用情況並產生報告。該檔案名稱為reportwriter.js,甚至有
comments explaining each piece of the code to anyone looking at it.
向任何查看程式碼的人解釋每段程式碼的註解。
reportwriter.js 報告作者.js
The attacker leaves with a back door in place, to get back in even more easily.
攻擊者離開時會留有後門,以便更容易返回。
At approximately this time, a cybersecurity vendor notices the activity and flags it to the port's cybersecurity chief, who
大約在這個時候,網路安全供應商注意到了這項活動,並將其標記給港口的網路安全主管,後者
examines it and decides it's a false alarm. He heads to lunch at Whataburger.
檢查後發現這是一場誤報。他前往 Whataburger 吃午餐。
log in credentials 登入憑證
Two additional suspicious IP
另外兩個可疑IP
addresses access the server, then use its connection to the server holding all employee username and password data to download a complete list of log in credentials.
地址存取伺服器,然後使用其與保存所有員工使用者名稱和密碼資料的伺服器的連接來下載登入憑證的完整清單。
The attackers start using their access to explore the network further, while the cybersecurity vendor issues another warning that attackers are back.
攻擊者開始利用他們的存取權限進一步探索網絡,而網路安全供應商又發出了攻擊者捲土重來的警告。
The port's cybersecurity staff removes the compromised server from its network, ending the attack.
該港口的網路安全人員將受感染的伺服器從其網路中刪除,從而結束了攻擊。
Afterward, the port’s cybersecurity chief, Chris Wolski, called the Coast Guard, which has authority over U.S. ports, to notify it of the attack: “It looks like we have a problem.”
隨後,該港口的網路安全負責人克里斯·沃爾斯基(Chris Wolski)致電負責管理美國港口的海岸警衛隊,通報此次襲擊事件:“看來我們遇到了問題。”
The Houston port neutralized the threat, but unfettered access to the port’s passwords could have given hackers the ability to move around in internal networks and find places to hide until they wanted to act. They could have eventually been in position to disrupt or halt operations, according to investigators.
休士頓港口消除了威脅,但不受限制地訪問該港口的密碼可能使駭客能夠在內部網路中移動並找到隱藏的地方,直到他們想要採取行動。調查人員稱,他們最終可能會擾亂或停止運作。
The attack on the port—which at that time had only recently upgraded from basic antivirus software and from just one IT employee working part time on cybersecurity—was a crucial early tip to U.S. officials that China was going after targets that didn’t house corporate or government secrets, and was using novel ways to get in.
對港口的攻擊——當時剛從基本的防毒軟體升級,並且只有一名兼職從事網路安全的 IT 員工——向美國官員提供了一個重要的早期提示,即中國正在攻擊不屬於企業的目標。或政府機密,並正在使用新穎的方式進入。
The FBI found the intrusion relied on a previously unknown flaw in the password software.
聯邦調查局發現這次入侵是由於密碼軟體中存在一個先前未知的缺陷。
A group of Microsoft analysts determined that the same hacking group had used the flaw in the software, which came from another company, to also target consulting services and IT companies. The analysts also spotted the hackers targeting networks in Guam, the U.S. territory in the Pacific that is home to a key American naval base, where the intruders had breached a communications provider.
微軟的一組分析師確定,同一個駭客組織也利用了來自另一家公司的軟體中的缺陷來攻擊諮詢服務和 IT 公司。分析人士還發現,駭客的目標是關島的網路。
The Redmond, Wash., team prowls for security threats, using billions of signals that come from security features built into Microsoft products, including Office 365, the Windows operating system or Azure cloud.
華盛頓州雷德蒙德的團隊利用 Microsoft 產品(包括 Office 365、Windows 作業系統或 Azure 雲端)內建安全功能的數十億訊號來尋找安全威脅。
The intruders started showing up in other surprising places, from the Hawaii water utility and a West Coast port, to sectors including manufacturing, education and construction, according to U.S. officials and researchers at cyber-threat firms.
據美國官員和網路威脅公司的研究人員稱,入侵者開始出現在其他令人驚訝的地方,從夏威夷自來水公司和西海岸港口,到製造、教育和建築等行業。
九月的休士頓港。照片:布蘭登貝爾/蓋蒂圖片社
Microsoft analysts realized they were seeing novel behavior from China, with a host of Chinese hackers inside critical infrastructure, which appeared to have little espionage or commercial value, at the same time.
微軟分析師意識到,他們看到了來自中國的新穎行為,關鍵基礎設施內有大量中國駭客,但同時這些基礎設施似乎沒有什麼間諜活動或商業價值。
Tom Burt, until recently Microsoft’s vice president for customer trust and safety, said in an interview the company’s threat researchers identified commonalities in the tradecraft and victim targeting that helped link the attacks to a common hacking group. “And that all builds up to, oh, OK, we know this is a new actor group in China,” he said.
直到最近,微軟負責客戶信任和安全的副總裁湯姆·伯特(Tom Burt)在接受采訪時表示,該公司的威脅研究人員發現了間諜技術和受害者目標的共性,這有助於將攻擊與一個常見的黑客組織聯繫起來。 「這一切都是為了,哦,好吧,我們知道這是中國的一個新演員團體,」他說。
With the information from Microsoft and other intelligence streams, federal agents fanned out across the U.S. to investigate, and throughout 2022 and ’23 heard a similar story at visits to more than a dozen sites. The victims had mediocre cybersecurity, and some had no idea they had even been breached. The hackers generally weren’t installing malware or stealing data such as trade or government secrets or private information—they were just trying to get in and learn the system.
根據來自 Microsoft 和其他情報流的信息,聯邦特工在美國各地展開調查,並在 2022 年和 23 年訪問了十多個站點時聽到了類似的故事。受害者的網路安全狀況很差,有些人甚至不知道自己已被破壞。駭客通常不會安裝惡意軟體或竊取商業或政府機密或私人資訊等數據,他們只是試圖進入並了解系統。
Using old routers 使用舊路由器
In previous cases, FBI agents could often trace hackers once they found the servers in the U.S. they were renting for their attacks.
在先前的案例中,聯邦調查局特工一旦發現駭客在美國租用用於攻擊的伺服器,通常就能追蹤到他們。
This time, the hackers were getting in via a type of router used by small and home offices, which disguised the intrusions as legitimate U.S. traffic.
這次,駭客透過小型辦公室和家庭辦公室使用的一種路由器進行入侵,該路由器將入侵偽裝成合法的美國流量。
2023 年巴塞隆納電信活動中的思科展示。
The routers, largely built by Cisco and Netgear, were vulnerable to attack because they were so old they were no longer receiving routine security updates from their manufacturers. Once in the hackers’ control, the routers functioned as steppingstones to other victims, without raising alarms because the incursions looked like routine traffic. Netgear declined to comment.
這些路由器主要由思科和Netgear製造,容易受到攻擊,因為它們太舊了,不再從製造商接收例行安全更新。一旦受到駭客的控制,路由器就會充當其他受害者的踏腳石,而不會發出警報,因為入侵看起來像是常規流量。 Netgear 拒絕置評。
Separately, analysts at the National Security Agency had observed that Beijing was starting to lay the cyber groundwork for a potential Taiwan invasion, including in the U.S., according to current and former U.S. officials familiar with the analysis. The information helped bring the new infrastructure hacking activity into focus, showing investigators a bigger picture.
另外,據熟悉分析的現任和前任美國官員稱,國家安全局的分析人士觀察到,北京正在開始為潛在的台灣入侵(包括美國)奠定網路基礎。這些資訊幫助人們專注於新的基礎設施駭客活動,向調查人員展示了更大的圖景。
American officials shared with allies data on the infrastructure intrusions, Western security officials said.
西方安全官員表示,美國官員與盟友分享了有關基礎設施入侵的數據。
The focus on Guam and West Coast targets suggested to many senior national-security officials across several Biden administration agencies that the hackers were focused on Taiwan, and doing everything they could to slow a U.S. response in a potential Chinese invasion, buying Beijing precious days to complete a takeover even before U.S. support could arrive.
對關島和西海岸目標的關注向拜登政府多個機構的許多高級國家安全官員表明,駭客的重點是台灣,並竭盡全力減緩美國對中國潛在入侵的反應,為北京贏得了寶貴的時間。美國的支持到來之前就完成了接管。
Other targets gave analysts pause. One was a small air-traffic control facility on the West Coast, others were water-treatment plants. Those choices suggested the hackers were looking for ways to inflict pain on American civilians, including by scrambling plane routes or shutting off local water-treatment facilities, according to officials familiar with the discussions.
其他目標讓分析師猶豫不決。其中一個是西海岸的一個小型空中交通管制設施,其他是水處理廠。據知情官員透露,這些選擇表明駭客正在尋找給美國平民造成痛苦的方法,包括擾亂飛機航線或關閉當地的水處理設施。
At the NSA, deputy director George Barnes wondered in late 2022 and early 2023 if Beijing’s plan was for the hackers to be found out, intimidating the U.S. into staying out of a potential conflict in Taiwan, he said in an interview.
美國國家安全局副局長喬治·巴恩斯(George Barnes) 在接受採訪時表示,他在2022 年底和2023 年初曾想知道,北京的計劃是否是為了讓黑客被發現,從而恐嚇美國不要介入台灣的潛在衝突。
After Taiwan itself, the U.S. “would be target zero” for disruptive cyberattacks in the event of a conflict over the island, said Barnes, who left the NSA in late 2023 after decades at the spy agency.
巴恩斯表示,繼台灣之後,如果台灣發生衝突,美國將成為破壞性網路攻擊的「零目標」。
時任美國國家安全局副局長喬治‧巴恩斯 (George Barnes) 於 2023 年在參議院作證。
By the end of 2023, the FBI had amassed enough information to identify hundreds of the small office routers commandeered by the hackers. Prosecutors asked a judge for authorization to go into the routers remotely and issue a command to neutralize the malware—essentially going into the homes of unsuspecting American victims, who had bought the routers years ago and had no idea their Wi-Fi network was secretly being used as a launchpad for an attack.
到 2023 年底,FBI 已收集到足夠的資訊來識別數百個駭客侵占的小型辦公室路由器。檢察官請求法官授權遠端進入路由器並發出命令來消除惡意軟體——實際上是進入毫無戒心的美國受害者的家中,他們幾年前購買了路由器,並不知道他們的Wi-Fi 網路正在被秘密攻擊。
In January 2024, a judge approved the request, and the FBI carried out the operation, defanging one of the hackers’ important tools.
2024 年 1 月,法官批准了這項請求,聯邦調查局 (FBI) 執行了這項行動,摧毀了駭客的一個重要工具。
Telecom attack 電信攻擊
At least several months earlier, a separate group of hackers linked to China had begun a different domestic attack—this time, an all-out assault on U.S. communications systems.
至少幾個月前,一個與中國有聯繫的駭客組織已經開始了另一次國內攻擊——這次是對美國通訊系統的全面攻擊。
In the summer of 2024, some of the same companies whose executives had visited the White House in the fall of 2023 were told by U.S. officials that a group linked to China’s intelligence operations in the Ministry of State Security had crept into their networks.
2024 年夏天,美國官員告訴一些高層曾在 2023 年秋天訪問白宮的公司,一個與中國國家安全部情報部門有聯繫的組織已潛入他們的網路。
The intruders exploited pathways that telecom companies use to hand data off to each other through links that often lack multifactor authentication. Such extra layers of protection, akin to what many consumers use to log in to bank accounts, don’t always exist between telecom providers in part because the barriers can slow down phone call and web traffic.
入侵者利用電信公司透過通常缺乏多因素身份驗證的連結相互傳遞資料的途徑。這種額外的保護層(類似於許多消費者用來登入銀行帳戶的保護層)並不總是存在於電信供應商之間,部分原因是這些障礙會減慢電話呼叫和網路流量的速度。
The hackers were also able to compromise cellphone lines used by scores of senior U.S. national security and policy officials, and at least some phone audio from Trump, incoming Vice President JD Vance and people affiliated with both the Trump and Harris presidential campaigns.
駭客還能夠破壞數十名美國高級國家安全和政策官員使用的手機線路,以及至少一些來自川普、即將上任的副總統萬斯以及與川普和哈里斯總統競選活動有關的人員的一些電話音訊。
Separately, the hackers sought to access wiretap surveillance systems at Verizon and AT&T in an apparent effort to learn how much the FBI and others understood about Beijing’s spies operating in the U.S. and internationally, investigators said.
調查人員表示,駭客還試圖存取 Verizon 和 AT&T 的竊聽監控系統,顯然是為了了解聯邦調查局和其他機構對北京在美國和國際上活動的間諜活動的了解程度。
They remain unsure whether Salt Typhoon actors were able to funnel real-time content, such as calls or texts from people under law-enforcement surveillance, from the wiretap breaches back to China.
他們仍然不確定「鹽颱風」的參與者是否能夠將即時內容(例如受到執法監視的人的電話或簡訊)從竊聽漏洞傳回中國。
十二月的白宮。照片:湯姆布倫納/蓋蒂圖片社
The hackers maintained access to the surveillance systems for a long time without detection. At one company, they were inside for about six months, in the other, for about 18 months, according to investigators. Hackers were still inside the wiretap systems of both companies as of October, weeks after the Journal first publicly exposed the intrusions. U.S. officials believe the hackers are now out of the wiretap systems.
駭客長時間保持對監控系統的存取而不被發現。據調查人員稱,他們在一家公司待了大約 6 個月,在另一家公司待了大約 18 個月。截至 10 月份,即《華爾街日報》首次公開披露入侵事件幾週後,駭客仍在兩家公司的竊聽系統內。美國官員相信駭客現在已脫離竊聽系統。
After the Journal’s first reports, the hackers changed their behavior, further complicating efforts to locate and evict them, according to investigators.
調查人員稱,在《華爾街日報》首次報導後,駭客改變了行為,使定位和驅逐他們的工作變得更加複雜。
This fall, a group of Verizon leaders and cybersecurity experts hunkered down in closed sessions in Texas to spot intruders, study their behavior and determine how to oust them. The carrier has since reviewed each router in its network to check for vulnerabilities.
今年秋天,一群 Verizon 領導人和網路安全專家在德克薩斯州召開閉門會議,以發現入侵者、研究他們的行為並確定如何驅逐他們。此後,該運營商對其網路中的每個路由器進行了檢查,以檢查是否存在漏洞。
Investigators learned that the hackers at times lurked, simply observing network traffic, and in other cases swiped it, exfiltrating their haul through elaborate paths around the globe before funneling it to China. They were expert at creating footholds from which they could observe network traffic. They would, for example, behave the way network engineers might and then cover up their tracks.
調查人員了解到,駭客有時會潛伏,只是觀察網路流量,有時會竊取網路流量,透過精心設計的路徑在全球範圍內洩露,然後再將其輸送到中國。他們擅長創造觀察網路流量的立足點。例如,他們會像網路工程師一樣行事,然後掩蓋他們的蹤跡。
The hackers’ focus was in part regional: Phone records of individuals who work in and around Washington, D.C., were a priority. They accessed call event-date records—including date and time stamps, source and destination IP addresses, phone numbers and unique phone identifiers—from over a million users.
駭客的重點部分是區域性的:在華盛頓特區及其周邊地區工作的個人的電話記錄是重點。他們存取了超過 100 萬用戶的通話事件日期記錄,包括日期和時間戳記、來源和目標 IP 位址、電話號碼和唯一電話識別碼。
“We saw a massive set of data acquired,” an FBI official familiar with the investigation said.
「我們看到了大量的數據被獲取,」一位熟悉調查情況的聯邦調查局官員表示。
The relationship between the private sector and federal officials investigating the hack has at times grown tense, with each side saying the other is falling short in their responsibilities. Some lawmakers have grown impatient with the time it has taken to expel the hackers.
私部門和調查駭客事件的聯邦官員之間的關係有時變得緊張,雙方都說對方沒有履行自己的責任。一些立法者對驅逐駭客所需的時間感到不耐煩。
Shortly before Thanksgiving, Sullivan, the national security adviser, again convened top executives from telecommunications firms—many of the same ones he called together roughly a year earlier to get help on the infrastructure hacks. This time, the telecoms were themselves the victims, and Sullivan pushed for progress.
感恩節前不久,國家安全顧問沙利文再次召集了電信公司的高層——其中許多人是他大約一年前召集的,以尋求有關基礎設施駭客攻擊的幫助。這一次,電信公司本身就是受害者,沙利文推動了進步。
Investigators are still determining the full scope and intent of the data haul. They said the data could help hackers establish who different people in the government talk to and better understand their social and professional circles. That intelligence could help facilitate future intrusions or attacks on those individuals.
調查人員仍在確定資料傳輸的全部範圍和意圖。他們表示,這些數據可以幫助駭客確定政府中不同人員的交談對象,並更了解他們的社交和專業圈。這些情報可能有助於促進未來對這些人的入侵或攻擊。
Robert McMillan and Sadie Gurman contributed to this article.
羅伯特·麥克米倫 (Robert McMillan) 和薩迪·古爾曼 (Sadie Gurman) 對本文做出了貢獻。
Write to Dustin Volz at dustin.volz@wsj.com, Aruna Viswanatha at aruna.viswanatha@wsj.com, Sarah Krouse at sarah.krouse@wsj.com and Drew FitzGerald at andrew.fitzgerald@wsj.com
寫信給達斯汀·沃爾茲 ( dustin.volz@wsj.com) 、阿魯納·維斯瓦納塔 ( aruna.viswanatha@wsj.com) 、莎拉·克魯斯 ( sarah.krouse@ wsj.com)和德魯‧費茲傑拉 ( andrew.fitzgerald@wsj.com )
Copyright ©2025 Dow Jones & Company, Inc. All Rights Reserved. 87990cbe856818d5eddac44c7b1cdeb8
Appeared in the January 6, 2025, print edition as 'China’s New Hacking Prowess Poses Geopolitical Threats'.
出現在 2025 年 1 月 6 日的印刷版中,標題為「中國的新駭客能力構成地緣政治威脅」。
