China Claims NSA Sabotaged National Time Center with 42 Cyber Weapons
In recent years, cyberspace has become a theater of covert conflict, where the actions of one state can directly affect the scientific and technological institutions of another. A large-scale, long-running cyber operation was recently uncovered targeting one of China’s key scientific establishments — the National Time and Frequency Center. According to a technical analysis conducted by the China National Computer Emergency Response Team (CNCERT), the attack has been attributed to the U.S. National Security Agency (NSA).
Beginning in March 2022, the NSA allegedly initiated targeted surveillance of the center’s employees by exploiting vulnerabilities in smartphones produced by a popular foreign brand. Initially, the attackers exfiltrated personal data — contacts, messages, geolocation records, and photographs. By September of that year, they had obtained the network administrator’s credentials and, using these, infiltrated the corporate infrastructure.
By April 2023, the operation had entered an active reconnaissance phase. Attackers regularly connected to compromised devices, studied the architecture of the internal network, and prepared the groundwork for a deeper incursion.
By August 2023, the campaign escalated further, as custom malware was deployed on the target systems. In total, 42 components were used, grouped into three functional categories: persistence, encrypted communications, and data theft.
Researchers paid particular attention to the modular framework New_Dsz_Implant, which bears a striking resemblance to the NSA’s previously known DanderSpritz platform. The operators, however, had enhanced its stealth capabilities — employing legitimate digital certificates, masquerading as Windows system processes, and implementing multi-layered encryption, including a four-tier nested scheme for network traffic.
The attackers demonstrated exceptional sophistication in maintaining stealth. The malware modules launched via DLL hijacking, erased traces of their activity from memory, and dynamically adapted to environmental changes — from system reboots to software updates.
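Two of the stealth techniques described above, masquerading as Windows system processes and loading modules through DLL search-order hijacking, leave traces in ordinary endpoint telemetry. The following Python is an added example written for this page, not code or detection logic from the CNCERT analysis or from the article. It runs two checks over constructed Sysmon-style records (EventID 1 process creation with `Image` and `OriginalFileName`; EventID 7 image load with `ImageLoaded`, `Signed` and `Signature`): a system binary name running from outside the system directories or whose PE original file name disagrees with its on-disk name, and a commonly hijacked DLL name resolved from outside the system directories, with the Authenticode signer checked because a valid certificate proves only who signed the file, not that it is Microsoft's. The lists of system binary and DLL names and the sample events are illustrative assumptions.

```python
from pathlib import PureWindowsPath

# Where genuine Windows binaries and DLLs live (lower-cased for comparison).
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Process names attackers like to borrow, and DLL names that Windows binaries
# resolve by search order. Both lists are illustrative assumptions; tune them
# to your own baseline.
SYSTEM_EXES = {"svchost.exe", "lsass.exe", "csrss.exe", "services.exe",
               "spoolsv.exe", "explorer.exe"}
HIJACKABLE_DLLS = {"version.dll", "dbghelp.dll", "cryptbase.dll",
                   "uxtheme.dll", "winmm.dll", "wlbsctrl.dll"}


def _dir(path):
    return str(PureWindowsPath(path).parent).lower()


def _name(path):
    return PureWindowsPath(path).name.lower()


def check_process_create(ev):
    """Sysmon EventID 1. A system binary name started from outside the system
    directories, or whose PE OriginalFileName differs from its on-disk name,
    is a process masquerade candidate."""
    out = []
    name = _name(ev["Image"])
    if name not in SYSTEM_EXES:
        return out
    if _dir(ev["Image"]) not in SYSTEM_DIRS:
        out.append(("masquerade_path", f"{name} started from {ev['Image']}"))
    orig = ev.get("OriginalFileName", "").lower()
    if orig and orig != name:
        out.append(("masquerade_renamed", f"{ev['Image']} is really {orig}"))
    return out


def check_image_load(ev):
    """Sysmon EventID 7. A known-hijackable DLL name resolved from outside the
    system directories is a search-order hijack candidate (higher severity when
    the loader itself is a system binary). A signature only helps if the signer
    is actually Microsoft."""
    out = []
    dll = _name(ev["ImageLoaded"])
    if dll not in HIJACKABLE_DLLS:
        return out
    if _dir(ev["ImageLoaded"]) not in SYSTEM_DIRS:
        sev = "high" if _dir(ev["Image"]) in SYSTEM_DIRS else "medium"
        out.append(("dll_hijack", f"[{sev}] {ev['Image']} loaded {ev['ImageLoaded']}"))
    signer = ev.get("Signature", "")
    if ev.get("Signed") == "true" and not signer.startswith("Microsoft"):
        out.append(("dll_wrong_signer", f"{ev['ImageLoaded']} signed by '{signer}'"))
    return out


def hunt(events):
    """Run both checks over a list of event dicts; returns (rule, detail) pairs."""
    findings = []
    for ev in events:
        if ev["EventID"] == 1:
            findings.extend(check_process_create(ev))
        elif ev["EventID"] == 7:
            findings.extend(check_image_load(ev))
    return findings


# Constructed sample telemetry for this example, not data from the incident.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "OriginalFileName": "svchost.exe"},                       # genuine
    {"EventID": 1, "Image": r"C:\ProgramData\svchost.exe",
     "OriginalFileName": "updater.exe"},                       # masquerade
    {"EventID": 7, "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll",
     "Signed": "true", "Signature": "Microsoft Windows"},      # genuine
    {"EventID": 7, "Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\version.dll",
     "Signed": "true", "Signature": "Contoso Ltd"},            # hijack, signed
    {"EventID": 7, "Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\vendor.dll",
     "Signed": "false", "Signature": ""},                      # unrelated DLL
]

if __name__ == "__main__":
    for rule, detail in hunt(SAMPLE_EVENTS):
        print(f"{rule:18} {detail}")
```

Against the sample set the script flags the renamed `svchost.exe` under `ProgramData` twice (path and original name) and the vendor-directory `version.dll` twice (location and non-Microsoft signer), while the genuine system loads pass. On real telemetry the path allow-list needs the actual `%SystemRoot%` and any per-host exceptions, and the DLL list should be driven by what your own baseline shows system binaries loading.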
Command-and-control servers were hosted outside the United States, with communications routed through anonymized nodes. Despite the technical proficiency displayed, analysts noted a decline in innovation within NSA tactics: many of the employed methods appeared to be retooled variants of legacy techniques, suggesting growing challenges in circumventing modern defense mechanisms.
The critical turning point occurred between May and June 2024, when the attackers attempted to transition from reconnaissance to direct interference with high-precision ground infrastructure responsible for timekeeping and navigation systems. Although a full-scale breach was ultimately prevented, the mere targeting of such assets underscores the strategic intent behind the operation.
This incident vividly illustrates that even the most advanced scientific institutions remain vulnerable to sophisticated, meticulously planned cyber operations. Protecting critical infrastructure today demands not only technical resilience but also unceasing vigilance at the national level.