
Detailed Analysis of the State-Sponsored APT Attack on China's National Time Service Center (NTSC)


On October 19, China's national security agencies disclosed a major cyberattack case, stating that they had obtained irrefutable evidence that the United States' National Security Agency (NSA) launched a cyberattack against and infiltrated China's National Time Service Center (NTSC). The cyberattack was long-planned, progressive, and systematic. Starting in 2022, the U.S. exploited a vulnerability in the SMS service of a foreign-branded mobile phone to secretly attack and control the cell phones of several NTSC staff members, stealing sensitive data. From August 2023 to June 2024, the U.S. deployed 42 specialized cyberattack weapons, launching a high-intensity, large-scale attack against the NTSC. It further sought opportunities to infiltrate the high-precision ground-based timing system, with the ultimate goals of theft, infiltration, and sabotage. Chinese agencies thwarted this U.S. cyberattack plan, making every effort to protect the security of "Beijing Time."



1. The Strategic Target and Geoeconomic Risk

The National Time Service Center (NTSC), located in Xi'an, Shaanxi Province, is responsible for generating, maintaining, and disseminating "Beijing Time". It provides high-precision timing services to communications, finance, power, transportation, mapping, defense, and other national sectors, and offers fundamental data support for calculating International Standard Time.


  • The Criticality of Timing: The NTSC manages a world-leading autonomous time measurement system and a high-precision ground-based timing system, an important piece of national scientific and technological infrastructure. Cyberattacks against these facilities would compromise the safe and stable operation of "Beijing Time":


    • A difference of 1 millisecond could cause time sequence chaos in substations, leading to large-scale power outages.


    • A difference of 1 microsecond could lead to changes amounting to hundreds of billions in international stock market transactions.


    • A difference of 1 nanosecond would result in a 30-centimeter positioning error for the Beidou navigation system. Additionally, radio carriers would be unable to synchronize, making cell phone calls and internet access impossible.


    • A difference of 1 picosecond could cause several kilometers of deviation in the positioning of lunar soil sampling vehicles and the Chang'e spacecraft.


  • Incalculable Damage: Attacks could even cause chaos in international time, leading to incalculable damages and losses.


2. Technical Details of the State-Sponsored Attack (APT)

The NSA attack was meticulously planned and carried out in a tiered, systematic manner.


  • Phase 1 — Credential Acquisition (March 2022 - April 2023):

    • Beginning March 25, 2022, the NSA utilized a vulnerability in the SMS service of a foreign-branded mobile phone to secretly control and attack the mobile terminals of multiple NTSC staff, stealing sensitive stored information.

    • Starting April 18, 2023, the NSA repeatedly used the stolen login credentials to infiltrate NTSC computers, probing the network system's setup.


  • Phase 2 — High-Intensity Attack and Sabotage (August 2023 - June 2024):

    • The NSA deployed a new cyber combat platform and activated 42 specialized cyberattack weapons.


    • They implemented high-intensity attacks on multiple internal network systems, attempting to laterally penetrate the high-precision ground-based timing system to pre-position capabilities for paralysis and destruction.


    • The 42 cyber weapons were mainly categorized as:

      • Outpost Control (e.g., "eHome_0cx"): For long-term covert persistence.


      • Tunnel Construction (e.g., "Back_eleven"): Used for remote control and encrypted data transfer.


      • Data Theft (e.g., "New_Dsz_Implant"): A modular framework with high code homogeneity to the NSA's "DanderSpritz" tool, enabling various data theft functions.


  • Evasion and Advanced Encryption Tactics:

    • NSA activities often occurred late at night to early morning, Beijing time.


    • They used virtual private servers in the US, Europe, and Asia as "jump pads" to conceal the attack source.


    • Methods included forging digital certificates to bypass antivirus software and using high-strength encryption algorithms to thoroughly erase attack traces.


    • The NSA employed a multi-layered, nested encryption scheme, with cooperation between weapons achieving up to 4 nested encryption layers.
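Two of the behaviours described above, repeated use of stolen credentials and activity concentrated late at night Beijing time from rotating "jump pad" servers, can be caught with simple logon-log analytics. The following is an added illustration, not code from the report or from the NTSC; account names and the log format are hypothetical, and the addresses are RFC 5737 documentation ranges.

```python
from dataclasses import dataclass
from datetime import datetime, timezone, timedelta

# Beijing time is UTC+8 with no daylight saving, so a fixed offset is exact.
BEIJING = timezone(timedelta(hours=8), "CST")
OFF_HOURS_START, OFF_HOURS_END = 23, 6   # 23:00-06:00 local: "late night to early morning"

# Constructed sample records (hypothetical accounts and documentation IPs, not from the report).
SAMPLE_LOG = """\
2023-04-18T17:42:10+00:00 user=ntsc_ops src=198.51.100.7 result=success
2023-04-18T18:05:33+00:00 user=ntsc_ops src=203.0.113.21 result=success
2023-04-19T01:15:02+00:00 user=ntsc_ops src=192.0.2.88 result=success
2023-04-19T17:50:00+00:00 user=lab_user src=10.1.2.3 result=success
"""

@dataclass
class Event:
    ts_local: datetime   # timestamp converted to Beijing time
    user: str
    src: str

def parse(line: str) -> Event:
    """Parse one 'timestamp key=value ...' line; timestamps may carry any UTC offset."""
    ts_str, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    ts = datetime.fromisoformat(ts_str).astimezone(BEIJING)
    return Event(ts, fields["user"], fields["src"])

def is_off_hours(ts: datetime) -> bool:
    return ts.hour >= OFF_HOURS_START or ts.hour < OFF_HOURS_END

def analyze(log: str) -> dict:
    """Per account: number of off-hours logons and the set of distinct source addresses."""
    report: dict = {}
    for line in log.splitlines():
        ev = parse(line)
        entry = report.setdefault(ev.user, {"off_hours": 0, "sources": set()})
        if is_off_hours(ev.ts_local):
            entry["off_hours"] += 1
        entry["sources"].add(ev.src)
    return report

def suspicious(report: dict, min_sources: int = 2) -> list:
    """Flag accounts that log on off-hours AND from several distinct sources (jump-pad rotation)."""
    return sorted(u for u, e in report.items()
                  if e["off_hours"] and len(e["sources"]) >= min_sources)
```

An account that is only active off-hours from one internal address (lab_user above) is not flagged; the combination of off-hours use and source rotation is what mirrors the described tradecraft.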


3. Liminal Warfare Scenario and China's Response

This attack falls within the scope of Liminal Warfare—a conflict style focused on "threshold manipulation". It is a conflict fought subliminally, beneath the threshold of detectability, consistent with the Unrestricted Warfare doctrine.

  • The "Hacker Empire" Accusation: China's security agencies state that the U.S. has forcefully promoted cyber hegemony, continually violating international cyberspace rules. U.S. intelligence agencies, particularly the NSA, have arbitrarily conducted cyberattacks against China, Southeast Asia, Europe, and South America, invading critical infrastructure, stealing intelligence, and infringing on cyber sovereignty. The U.S. is accused of launching attacks from technical positions in the Philippines, Japan, and Taiwan to conceal itself and frame others. China asserts that the U.S. is the true "Hacker Empire" and the greatest source of instability in cyberspace.


  • Countermeasures and Resilience: Chinese national security agencies preserved the evidence of the U.S. cyberattack and guided the NTSC to investigate and remediate, sever the attack links, and upgrade preventive measures to eliminate hidden dangers. This successful counter-espionage operation demonstrates Beijing's increasing capability in defensive electronic warfare and national security protection.


  • Security Warning: Critical infrastructure operators must fulfill their primary responsibility for counter-espionage security, regularly educate personnel, and implement technical measures to prevent external cyberattacks, intrusions, and espionage.


©2020 by extrema ratio. Created with Wix.com