The U.S.-China Cyber Competition Continues to Escalate

Oct 21, 2025

China's Ministry of State Security (MSS) has publicly accused the U.S. National Security Agency (NSA) of conducting a prolonged, multi-year cyberattack campaign against its National Time Service Center (NTSC), the facility responsible for generating and maintaining "Beijing Time."

The explosive allegations, first detailed in a social media post by the MSS and reported by state media, claim the campaign began as early as March 2022 and continued into 2024. The objective, according to Chinese authorities, was to steal sensitive data and pre-position for potential sabotage of China's critical infrastructure.

The NTSC, based in Xi'an, is a vital national institution. It provides precise time synchronization for the country's communications, financial systems, power grid, transportation, and national defense. Chinese officials warned that any disruption could lead to "severe consequences," including network failures and financial system disruptions.

The U.S. Embassy in Beijing did not immediately comment on the accusations.

According to the MSS statement and reports from China's National Computer Network Emergency Response Technical Team (CNCERT), the operation was a sophisticated, multi-stage intrusion that blended mobile device exploitation with network infiltration.

Phase 1: Initial Compromise (2022)

The initial vector for the attack allegedly involved exploiting a vulnerability in the messaging service of an unnamed "foreign mobile phone brand."

  • Attackers used this vulnerability to gain access to the mobile devices of several NTSC staff members.
  • From this foothold, they allegedly stole sensitive data and login credentials stored on the phones, providing a gateway into the center's internal network.

Phase 2: Lateral Movement and Escalation (2023-2024)

Using the stolen credentials, the attackers allegedly escalated their privileges and moved laterally within the NTSC's network.

  • Chinese authorities claim the NSA deployed 42 different types of "specialized cyberattack weapons" or tools to conduct high-intensity attacks against internal systems. The 42 cyber weapons were mainly categorized as:
    • Outpost Control (e.g., "eHome_0cx"): For long-term covert persistence.
    • Tunnel Construction (e.g., "Back_eleven"): Used for remote control and encrypted data transfer.
    • Data Theft (e.g., "New_Dsz_Implant"): A modular framework said to show high code homogeneity with the NSA's "DanderSpritz" tool, enabling various data theft functions.
  • The primary goal during this phase was to infiltrate the "High-Accurate Ground-based Time Service System," a core component of China's timing infrastructure.
  • The MSS claims that this move shows an intent to "disable and sabotage" the system, not just conduct espionage.

Stealth and Evasion Tactics

The CNCERT investigation, as cited in reports, provided a technical breakdown of the attackers' methods to avoid detection:

  • Infrastructure Obfuscation: The attack infrastructure reportedly used a global network of "springboard" virtual servers located in the U.S., Europe, and Asia to conceal its true origin.
  • Masquerading: Malicious code was allegedly disguised as legitimate Windows system modules to evade security software.
  • Bypassing Defenses: The attackers reportedly used forged digital certificates to bypass antivirus detection.
  • Anti-Forensics: Strong encryption was allegedly employed to erase digital traces and hinder investigation.
  • Timing: Most attacks were reportedly launched during late-night or early-morning hours (Beijing Time) to reduce the chance of real-time detection.
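
For defenders, three of the tactics listed above (masquerading as Windows system modules, forged certificates, and off-hours activity in Beijing Time) map onto simple triage checks over process or module-load telemetry. The following is an added example, not code from CNCERT or the MSS report; the event fields, the module-name list and the 22:00-06:00 window are assumptions, and the sample events are constructed.

```python
import ntpath
from datetime import datetime, timedelta, timezone

BEIJING = timezone(timedelta(hours=8))   # Beijing Time is UTC+8 with no DST
QUIET_HOURS = (22, 6)                    # assumption: "late night/early morning" = 22:00-06:00
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "winlogon.exe", "services.exe"}  # illustrative subset

# Constructed sample events (UTC timestamps); not data from the reported incident.
# "sig" is a hypothetical field holding the result of certificate chain validation.
EVENTS = [
    {"ts": "2024-01-10T02:15:00+00:00", "host": "ws01",
     "image": r"C:\Windows\System32\svchost.exe", "sig": "valid"},
    {"ts": "2024-01-10T18:40:00+00:00", "host": "ws02",
     "image": r"C:\ProgramData\Cache\svchost.exe", "sig": "valid"},
    {"ts": "2024-01-10T19:05:00+00:00", "host": "ws02",
     "image": r"C:\Windows\System32\lsass.exe", "sig": "untrusted_root"},
    {"ts": "2024-01-10T05:30:00+00:00", "host": "ws03",
     "image": r"C:\Users\a\AppData\Local\Temp\services.exe", "sig": "unsigned"},
]

def in_quiet_hours(ts_iso):
    """True if the timestamp falls inside the quiet window in Beijing Time."""
    hour = datetime.fromisoformat(ts_iso).astimezone(BEIJING).hour
    start, end = QUIET_HOURS
    return hour >= start or hour < end   # window wraps past midnight

def triage(event):
    """Return the list of reasons an event deserves analyst attention."""
    reasons = []
    name = ntpath.basename(event["image"]).lower()
    folder = ntpath.dirname(event["image"]).lower()
    # Masquerading: a system-module file name loaded from a non-system directory.
    if name in SYSTEM_NAMES and folder not in SYSTEM_DIRS:
        reasons.append("system-module name outside system directory")
    # Forged certificates: trust the validated chain, not the mere presence of a signature.
    if event["sig"] != "valid":
        reasons.append("signature not valid: " + event["sig"])
    # Off-hours timing only raises priority; on its own it is too noisy to alert on.
    if reasons and in_quiet_hours(event["ts"]):
        reasons.append("occurred in quiet hours (Beijing Time)")
    return reasons

def findings(events):
    """Keep only events with at least one reason, as (host, image, reasons)."""
    return [(e["host"], e["image"], r) for e in events if (r := triage(e))]

if __name__ == "__main__":
    for host, image, reasons in findings(EVENTS):
        print(host, image, "; ".join(reasons))
```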

CNCERT's analysis, as reported by Chinese media, described the NSA's capabilities as advanced but also noted "signs of stagnation" and a "lack of genuine innovation" in the tools, suggesting they may have been repurposed from previous operations.

This incident marks a significant escalation in the ongoing "tit-for-tat" cyber espionage accusations between Washington and Beijing. While the U.S. has frequently accused China of targeting its own critical infrastructure, this detailed public accusation by China's top intelligence agency brings the cyber conflict over critical national infrastructure into sharp focus.