
China Accuses US NSA of Cyberattacks Targeting National Time Service Center (2022-2024)

  • Rescana

Executive Summary

Between 2022 and 2024, the Chinese Ministry of State Security publicly accused the US National Security Agency (NSA) of conducting a series of cyberattacks against China’s National Time Service Center. According to official statements released on October 19-20, 2025, the attacks allegedly began with the exploitation of vulnerabilities in the messaging service of a foreign mobile phone brand used by staff at the center, resulting in the theft of sensitive information. The Ministry further claimed that, over the following two years, the attackers deployed 42 types of “special cyberattack weapons” to compromise multiple internal network systems and attempted to infiltrate a key timing system. The National Time Service Center is responsible for generating and distributing China’s standard time, providing critical timing services to sectors including communications, finance, power, transport, mapping, and defense. The Ministry warned that successful disruption could have impacted network communications, financial systems, and power supply, with severe consequences for the orderly functioning of society. No technical evidence or specific indicators of compromise were provided in the public disclosures, and the US Embassy did not directly address the allegations. All information in this report is based solely on the verified content from AP News, South China Morning Post, and Hindustan Times as of October 19-20, 2025.

Technical Information

The incident, as described by the Chinese Ministry of State Security, involved a multi-stage, long-term cyber operation targeting the National Time Service Center. The attack reportedly began in 2022 with the exploitation of vulnerabilities in the messaging service of a foreign mobile phone brand used by staff at the center. This initial access vector enabled the theft of sensitive information from staff devices. The specific brand and technical details of the exploited vulnerabilities were not disclosed in any of the public statements.

From 2023 to 2024, the attackers allegedly escalated their efforts by deploying 42 types of “special cyberattack weapons” to target multiple internal network systems and attempting to infiltrate a key timing system. The term “special cyberattack weapons” was not defined, and no technical indicators, malware samples, or tool names were provided. The Ministry described the attacks as “long-term, highly covert, and employed state-level cyberespionage tools,” but did not elaborate on the specific tactics, techniques, or procedures (TTPs) used.

Based on the descriptions provided, the following technical analysis can be inferred and mapped to the MITRE ATT&CK framework:

Initial access was likely achieved through exploitation of vulnerabilities in a mobile messaging service, which could correspond to techniques such as T1409 (Exploit Messaging Service Vulnerability), T1406 (Exploit OS Vulnerability), or T1476 (Deliver Malicious App via Authorized App Store) if a malicious application was involved. Credential theft (T1078: Valid Accounts, T1003: OS Credential Dumping) may have been used to facilitate further access.

Lateral movement within the internal network could have involved exploitation of remote services (T1210: Exploitation of Remote Services), network service scanning (T1046: Network Service Scanning), and targeting of system services (T1569: System Services) for persistence or privilege escalation. The attackers’ attempt to compromise a key timing system suggests a potential impact phase, possibly involving T1485 (Data Destruction) or T1499 (Endpoint Denial of Service), although no actual disruption was reported.

No specific malware families, tool names, hashes, command-and-control infrastructure, or exploited CVEs were disclosed in any of the primary sources. The attribution to the NSA is based solely on official statements from the Chinese Ministry of State Security, with no supporting technical evidence. The US Embassy did not address the specific allegations, instead reiterating concerns about Chinese cyber activity.

The National Time Service Center is a critical component of China’s national infrastructure, providing precise timing services to communications, finance, power, transport, mapping, and defense sectors. Disruption of its operations could have cascading effects across these sectors, potentially impacting network synchronization, financial transactions, power grid stability, and national defense readiness.

The lack of technical artifacts, such as malware samples or forensic indicators, limits the ability to perform a high-confidence technical analysis or attribution. The description of “42 special cyberattack weapons” is vague and not corroborated by independent technical evidence. The attack methods described are consistent with state-level cyberespionage but are not unique to any one actor.

Affected Versions & Timeline

The incident timeline, as corroborated across all three primary sources, is as follows: In 2022, attackers allegedly exploited vulnerabilities in the messaging service of a foreign mobile phone brand used by staff at the National Time Service Center, resulting in the theft of sensitive information from staff devices. Between 2023 and 2024, the attackers reportedly deployed 42 types of “special cyberattack weapons” to target multiple internal network systems and attempted to infiltrate a key timing system. The public disclosure of these events was made by the Chinese Ministry of State Security via a WeChat post on October 19-20, 2025.

No specific software versions, device models, or network systems were identified as affected in the public disclosures. The only confirmed affected entity is the National Time Service Center, which is affiliated with the Chinese Academy of Sciences and based in Xi'an, Shaanxi province.

Threat Activity

The threat activity described in the public statements is characterized as long-term, highly covert, and employing state-level cyberespionage tools. The initial access vector involved exploitation of vulnerabilities in a mobile messaging service, leading to the compromise of staff devices and theft of sensitive information. The attackers then allegedly used a diverse set of cyberattack tools to target internal network systems and attempted to compromise a key timing system.

The Ministry of State Security attributed the activity to the US National Security Agency (NSA), citing the use of “state-level cyberespionage tools” and “special cyberattack weapons.” However, no technical evidence was provided to support this attribution. The attacks were described as having the potential to disrupt network communications, financial systems, and power supply, with severe implications for the orderly functioning of society.

The targeting of the National Time Service Center indicates a focus on critical national infrastructure, with the potential for cascading impacts across multiple sectors. The use of advanced, covert methods is consistent with the tactics of advanced persistent threat (APT) actors, but the lack of technical details precludes definitive attribution or assessment of the specific tools and techniques used.

The US Embassy did not address the specific allegations, instead focusing on counter-accusations regarding Chinese cyber activity. No independent technical verification of the alleged attacks has been made available in the public domain as of the date of this report.

Mitigation & Workarounds

Given the absence of technical indicators, malware samples, or specific exploited vulnerabilities in the public disclosures, mitigation recommendations must be based on general best practices for defending against advanced, state-level cyber threats targeting critical infrastructure. The following measures are prioritized by severity:

Critical: Organizations operating critical infrastructure, especially those providing timing, synchronization, or other foundational services, should conduct comprehensive security assessments of all externally facing and internal systems. This includes reviewing access controls, patching known vulnerabilities in mobile devices and messaging services, and monitoring for signs of unauthorized access or lateral movement.

High: Staff should be trained to recognize and report suspicious activity on mobile devices, including unusual messaging service behavior or unauthorized application installations. Multi-factor authentication should be enforced for all remote and privileged access to internal systems.

Medium: Network segmentation should be implemented to limit the potential impact of lateral movement within internal networks. Regular vulnerability scanning and penetration testing should be conducted to identify and remediate weaknesses in both mobile and internal network environments.

Low: Organizations should maintain up-to-date incident response plans and conduct regular tabletop exercises to ensure readiness for potential cyber incidents affecting critical infrastructure.
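The Critical recommendation above asks operators of timing and synchronization services to monitor for tampering, and the report notes that disruption of a national time source would propagate into every sector that consumes it. One concrete, vendor-neutral control is to never trust a single time reference: compare several independent references (GNSS receivers, stratum-1 NTP servers) against each other and alarm when one diverges or when the whole set says the local clock has drifted. The script below is an added illustration written for this report, not code from Rescana or from any of the cited sources; the reference names and offset values are constructed sample data, and the tolerance and quorum thresholds are assumptions an operator would tune to their own environment.

```python
"""Cross-check several independent time references and flag disagreement.

Added illustration (not from the report). Each offset is the number of
seconds by which a reference's time differs from the local system clock
(positive = reference is ahead). All values below are constructed samples.
"""
from statistics import median
from typing import Dict, List, Tuple

# Constructed sample readings, in seconds, relative to the local clock.
# A spoofed, compromised or simply broken reference shows up as an outlier.
SAMPLE_OFFSETS: Dict[str, float] = {
    "gnss-receiver-a": 0.0004,
    "gnss-receiver-b": -0.0002,
    "ntp-stratum1-a": 0.0011,
    "ntp-stratum1-b": 0.0007,
    "ntp-external-x": 2.350,   # constructed outlier: 2.35 s ahead of the rest
}


def find_outliers(offsets: Dict[str, float],
                  tolerance_s: float) -> Tuple[float, List[str]]:
    """Return (consensus offset, sorted names of references outside tolerance).

    The median is the consensus because a single manipulated reference cannot
    pull it far, whereas a mean would be dragged toward the outlier.
    """
    if not offsets:
        raise ValueError("no time references supplied")
    consensus = median(offsets.values())
    outliers = sorted(name for name, off in offsets.items()
                      if abs(off - consensus) > tolerance_s)
    return consensus, outliers


def assess(offsets: Dict[str, float],
           tolerance_s: float = 0.010,   # assumed: 10 ms agreement window
           min_agreeing: int = 3) -> dict:  # assumed: quorum of 3 references
    """Summarise the health of the reference set.

    'alert' is raised when fewer than min_agreeing references agree with the
    consensus (the set itself is untrustworthy), or when the consensus says
    the local clock, which downstream systems consume, has drifted beyond
    tolerance. Both conditions deserve a human look before time is served.
    """
    consensus, outliers = find_outliers(offsets, tolerance_s)
    agreeing = len(offsets) - len(outliers)
    local_drift = abs(consensus) > tolerance_s
    return {
        "consensus_offset_s": consensus,
        "outliers": outliers,
        "agreeing": agreeing,
        "local_clock_drifted": local_drift,
        "alert": agreeing < min_agreeing or local_drift,
    }


if __name__ == "__main__":
    # With the constructed sample, only ntp-external-x is flagged and the
    # local clock is within tolerance, so no alert is raised.
    print(assess(SAMPLE_OFFSETS))
```

In practice the offsets would come from the NTP daemon's peer statistics or the GNSS receiver's PPS comparison rather than a dictionary, but the decision logic is the same: a reference that disagrees with the majority is quarantined and reported, and a shared shift of the whole set is treated as a local-clock event rather than ignored because the references "agree".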

The Chinese Ministry of State Security stated that it had provided guidance to the National Time Service Center to eliminate the risks, but did not specify the measures taken. In the absence of technical details, organizations are advised to follow established frameworks such as the NIST Cybersecurity Framework and MITRE ATT&CK for threat modeling and defense.

References

AP News, Oct 20, 2025: https://apnews.com/article/china-us-cyberattacks-allegations-time-b3408ed2352c113904350f80e505ab9f

South China Morning Post, Oct 19, 2025: https://www.scmp.com/news/china/politics/article/3329558/china-accuses-us-carrying-out-cyberattacks-national-time-centre

Hindustan Times, Oct 20, 2025: https://www.hindustantimes.com/world-news/china-claims-us-hacked-national-time-center-using-42-cyber-weapons-101760956285260.html

About Rescana

Rescana provides a third-party risk management (TPRM) platform designed to help organizations identify, assess, and monitor cyber risks across their supply chain and critical infrastructure partners. Our platform enables continuous risk assessment, supports incident response planning, and facilitates compliance with industry-standard cybersecurity frameworks. For questions regarding this report or to discuss how Rescana can support your organization’s risk management needs, please contact us at ops@rescana.com.
