China’s claim that the US National Security Agency (NSA) was behind a cyber attack against the country’s timekeeping centre could be true, says an expert.
“From a technical perspective, China’s allegation about an NSA hack on its national timekeeping center is plausible and aligns with known US cyber capabilities,” Jeff Bardin, chief intelligence officer at US-based Treadstone 71, told CSO on Monday.
But, he added, “without public evidence it’s hard to confirm conclusively.”
He was commenting on a post last week on WeChat from China’s Ministry of National Security saying, “national security authorities uncovered a major cyber attack case in the United States and obtained irrefutable evidence that the National Security Agency launched a cyber attack and invaded China’s National Time Service Center.”
The public affairs section of China’s Washington, D.C. embassy confirmed to CSO that the post “is from China’s security authorities.” The allegation is also repeated on the Chinese embassy’s X feed.
The timekeeping center “provides high-precision timing services to the nation’s communications, finance, power, transportation, surveying and mapping, defense, and other sectors, and provides crucial data support for the calculation of international standard time,” the post says.
A cyber attack “would impact the secure and stable operation of ‘Beijing Time,’” says the post, referring to the country’s single time zone.
An attack, the post says, would lead “to serious consequences such as network communication failures, financial system disruptions, power outages, transportation disruptions, and space launch failures. It could even cause chaos in international time, resulting in incalculable damage and losses.”
Allegedly took advantage of SMS vulnerability
The WeChat post alleges that, starting on March 25, 2022, “the NSA exploited a vulnerability in the SMS service of an overseas mobile phone brand to covertly attack and gain control of the mobile phones of multiple NSC staff members, stealing sensitive data stored within them.”
Asked for comment, an NSA spokesperson sent this reply by email: “NSA does not confirm nor deny allegations in the media regarding its operations. Our core focus is countering foreign malign activities persistently targeting American interests, and we will continue to defend against adversaries wishing to threaten us.”
The Chinese post says the country “shattered the US cyber attack plot of stealing secrets and infiltration and sabotage, and made every effort to protect the security of ‘Beijing Time.’”
Possible ‘serious escalation’
If the recent Chinese claim against the NSA is true, said Bardin, it suggests a strategic intent by the US not just to spy, but to position the country to potentially disrupt a core piece of Chinese infrastructure — the timing system underpinning communications, finance, energy, and defense.
That, he said, “would mark a serious escalation.”
“It’s also striking,” he added, “that Beijing went public with this claim, since China typically avoids admitting breaches of its own critical systems. China’s public accusation signals a bid to sway international opinion, painting the US as a global ‘hacker empire’ and rallying other nations behind calls to rein in state-sponsored cyber intrusions. Beijing is expected to bolster its cyber defenses and could even hint at tit-for-tat moves against US timekeeping networks to deter further incursions.”
Economically, he added, “the incident continues China’s push for tech self-reliance – tightening supply chains and fast-tracking homegrown alternatives (such as sovereign timing systems) – as it seeks to reduce exposure to US tech influence amid already high trade and technology tensions.”
The Chinese allegation also fits with the pattern of behavior from Beijing “leaning forward with public attribution of what they consider malicious cyber activity … and oftentimes that attribution is not necessarily accurate,” said Matthew Ferren, international affairs fellow in national security at the US Council on Foreign Relations. In fact, he couldn’t say whether there was an attack or an intrusion.
“This tells me nothing about what may or may not have happened in the real world, but it does fit within the pattern of behavior of the Chinese to shape narratives around the United States being an irresponsible actor in the cyber domain,” he said.
Advice for CISOs
Time services are an interesting and often overlooked target, said Johannes Ullrich, dean of research at the SANS Institute, because many authentication protocols rely on accurate time services. To prevent replay of old attestations, these systems require synchronized times. If the times are not synchronized, messages from authentication servers will be discarded.
The simplest result of a compromised time service is a denial of service attack. Or, he added, it can lead to bypassing some authentication or access control checks, or the ability to replay old authentication messages to gain access to systems.
“CISOs should not neglect these time services,” he said in an email. “It is too easy to leave them in a default configuration which often uses undefined open cloud based time server pools. Instead, internal time servers should be defined to serve as an internal standard, and these internal time standards need to be synchronized with carefully selected sources like GPS or time servers run by a trusted entity.”
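The dependency Ullrich describes can be seen in a minimal freshness check. The following is an added example, not code from the article or from any product it mentions; the key, the 300-second tolerance and the token layout are assumptions made for illustration. It shows both failure modes he names when the verifier's clock is wrong: legitimate messages are discarded, and an old message is accepted again.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # constructed sample key
MAX_SKEW = 300                 # seconds; assumed freshness tolerance

def issue(user: str, issued_at: int) -> str:
    """Authentication server: sign the user name with its own clock reading."""
    body = f"{user}|{issued_at}"
    tag = hmac.new(KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{tag}"

def verify(token: str, verifier_clock: int) -> str:
    """Relying service: check the signature, then freshness against its own clock."""
    try:
        user, ts, tag = token.split("|")
        issued_at = int(ts)
    except ValueError:
        return "reject: malformed"
    expected = hmac.new(KEY, f"{user}|{ts}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return "reject: bad signature"
    if abs(verifier_clock - issued_at) > MAX_SKEW:
        return "reject: outside freshness window"
    return "accept"

def demo() -> dict:
    """Constructed timeline: one token from yesterday, one issued just now."""
    now = 1_700_086_400
    yesterday = now - 86_400
    old = issue("alice", yesterday)
    fresh = issue("alice", now)
    return {
        # Verifier clock correct: fresh token works, yesterday's is refused.
        "correct_clock_fresh": verify(fresh, now + 10),
        "correct_clock_old": verify(old, now + 10),
        # Verifier clock wrongly set back one day by a bad time source:
        # legitimate logins fail and yesterday's token is valid again.
        "skewed_clock_fresh": verify(fresh, yesterday + 10),
        "skewed_clock_old": verify(old, yesterday + 10),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The signature check passes in all four cases; only the verifier's idea of the current time decides the outcome, which is why the time source belongs inside the trust boundary.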
Treadstone 71’s Bardin said that CSOs in any country who want to protect themselves from a sophisticated nation-state attacker should treat time infrastructure linked to their servers as a national-level dependency.
Segment and isolate all systems relying on NTP (network time protocol) or GPS sources, verify clock integrity against multiple independent references and deploy cryptographic attestation for time signals, he advised.
He also recommends disabling SMS-based login authentication for privileged access, enforcing out-of-band multi-factor authentication, and continuous monitoring for anomalies in timing drift or certificate use.
He added that red team drills simulating loss of trusted time, which will validate IT operational resilience, are also worthwhile.
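One way to implement the "multiple independent references" check and the drift monitoring recommended above, as an added example rather than anything supplied by the article's sources. The reference names, sample offsets and thresholds are constructed, and the offsets are assumed to come from whatever the local time daemon reports for each source.

```python
from statistics import median

def assess_clock(offsets_ms, outlier_ms=50.0, drift_ms=100.0, quorum=3):
    """Cross-check time references against each other and the local clock.

    offsets_ms maps a reference name to (reference time - local time) in
    milliseconds. Thresholds are assumed values; tune them to the precision
    the workload needs.
    """
    if len(offsets_ms) < quorum:
        return ["insufficient-references"]
    consensus = median(offsets_ms.values())
    # A reference far from the median disagrees with its peers.
    outliers = sorted(name for name, off in offsets_ms.items()
                      if abs(off - consensus) > outlier_ms)
    findings = [f"reference-disagrees:{name}" for name in outliers]
    if len(offsets_ms) - len(outliers) < quorum:
        # Too few references agree to trust any consensus value.
        findings.append("no-quorum")
    elif abs(consensus) > drift_ms:
        # References agree with each other but not with this host.
        findings.append("local-clock-drift")
    return findings or ["ok"]

# Constructed sample measurements (milliseconds).
HEALTHY = {"internal-gps": 2.1, "internal-ntp-a": -1.4,
           "partner-ntp": 3.0, "public-pool": 0.6}
ONE_BAD = {"internal-gps": 2.1, "internal-ntp-a": -1.4,
           "partner-ntp": 3.0, "public-pool": -86_400_000.0}
DRIFTED = {"internal-gps": 4198.0, "internal-ntp-a": 4203.0,
           "partner-ntp": 4201.0}
SPLIT = {"internal-gps": 0.0, "internal-ntp-a": 1.0,
         "partner-ntp": 5000.0, "public-pool": 5001.0}

if __name__ == "__main__":
    for label, sample in [("healthy", HEALTHY), ("one bad source", ONE_BAD),
                          ("local drift", DRIFTED), ("split", SPLIT)]:
        print(f"{label}: {assess_clock(sample)}")
```

A "no-quorum" or "reference-disagrees" finding is a signal to alert and hold the last known-good time rather than step the clock to follow any single source.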
To assist defenders, the US Cybersecurity and Infrastructure Security Agency (CISA) offers this advice to organizations to help protect themselves from nation-state attacks.