MSS Accuses NSA of Multi-Stage Cyberattack Using 42 Tools Against China’s National Time Service Center (NTSC)
- Rescana

Executive Summary
On October 19 and 20, 2025, the Chinese Ministry of State Security (MSS) publicly accused the U.S. National Security Agency (NSA) of conducting a sophisticated, multi-stage cyberattack against the National Time Service Center (NTSC) in Xi’an, China. The NTSC is responsible for generating, maintaining, and distributing the national standard of time, known as Beijing Time, which underpins critical sectors including communications, finance, power, transportation, and defense.

According to official MSS statements and corroborating media reports, the attack campaign began on March 25, 2022, and continued through June 2024. The MSS alleges that the NSA exploited vulnerabilities in a foreign-branded mobile phone’s SMS service to compromise NTSC staff devices, stole sensitive credentials, and subsequently deployed a new cyber operations platform utilizing 42 specialized cyber tools. The campaign included attempts at lateral movement into high-precision timing systems, use of virtual private servers (VPS) to obfuscate origins, and advanced anti-forensics techniques. Chinese authorities claim the attack was detected, contained, and remediated, with no reported disruption to Beijing Time or dependent critical infrastructure.

Attribution to the NSA is based on official Chinese government statements and analysis of tactics, techniques, and procedures (TTPs), but no technical artifacts (such as malware samples or network indicators) have been made public. The evidence is strongest at the pattern analysis level, with circumstantial support from sectoral targeting and historical context. The incident highlights the ongoing risk to national critical infrastructure from state-level cyber operations and the importance of robust detection, response, and supply chain security.
Technical Information
The incident, as described by the MSS and reported by The Hacker News, Global Times, and ABC News (The Hacker News, 2025-10-20; Global Times, 2025-10-19; ABC News, 2025-10-19), involved a multi-stage attack chain targeting the NTSC. The NTSC is a critical facility under the Chinese Academy of Sciences, responsible for the secure and stable operation of Beijing Time. Disruption to this system could have cascading effects on national and global communications, financial transactions, power grids, transportation, and even space launches.
Initial Access
The attack reportedly began on March 25, 2022, when the NSA exploited a vulnerability in the SMS service of an unnamed foreign-branded mobile phone used by NTSC staff. This allowed the attackers to compromise staff mobile devices and exfiltrate sensitive data. The specific vulnerability and phone brand were not disclosed in public reports. The attack vector aligns with MITRE ATT&CK techniques such as Exploit Public-Facing Application (T1190) and Spearphishing via Service (T1194). The evidence for this stage is based on official statements, with no technical artifacts provided, resulting in a medium confidence level for this claim (The Hacker News, Global Times, ABC News).
Credential Theft and Network Penetration
Following the initial compromise, the attackers allegedly used stolen login credentials to access NTSC computers and probe the internal network infrastructure, beginning April 18, 2023. This phase involved techniques such as Valid Accounts (T1078) and Network Service Scanning (T1046). The use of credential theft and reuse is consistent with known NSA tactics, but again, no technical indicators (such as credential dump files or logs) have been made public. The confidence level for this stage remains medium, based on circumstantial evidence (The Hacker News, Global Times).
Deployment of Cyber Operations Platform and Specialized Tools
Between August 2023 and June 2024, the NSA is alleged to have deployed a new cyber operations platform, activating 42 specialized cyber tools or "cyber weapons." These tools were used to conduct high-intensity attacks against multiple internal NTSC network systems and to attempt lateral movement into the High-Accurate Ground-based Time Service System. The tools reportedly included modules for maintaining long-term access, establishing covert communication channels, and extracting sensitive data. The attackers also attempted to pre-position capabilities for potential sabotage of the timing system. The technical details of these tools, such as names, hashes, or YARA rules, were not disclosed. The tactics align with MITRE ATT&CK techniques for Lateral Movement (T1021), Persistence (T1053), and Data Staged (T1074). The confidence level for this stage is medium, as the description matches known NSA operations but lacks direct technical evidence (The Hacker News, Global Times).
Command and Control, Obfuscation, and Anti-Forensics
The attackers used virtual private servers (VPS) located in the U.S., Europe, and Asia to route malicious traffic and conceal the true origin of the attacks. They employed forged digital certificates to bypass antivirus software and used high-strength encryption algorithms to erase digital traces, making detection and attribution more difficult. These techniques are consistent with MITRE ATT&CK techniques for Command and Control via Proxy (T1090), Encrypted Channel (T1573), and Defense Evasion (T1070, T1027). The use of anti-forensics and obfuscation is a hallmark of NSA/Equation Group operations, as documented in previous leaks and technical analyses (InverseCos, Shadow Brokers). The confidence level for this stage is high for TTP similarity, but low for direct attribution due to the absence of technical artifacts.
Sectoral Impact and Risk
The NTSC provides time synchronization services that are foundational to the operation of national communications, financial systems, power grids, transportation networks, and defense infrastructure. Disruption to these services could result in widespread network communication failures, financial system disruptions, power outages, transportation paralysis, and even space launch failures. The attack’s focus on time synchronization systems is consistent with the NSA’s historical targeting of critical infrastructure globally (Global Times, NSA Cybersecurity Report).
Attribution and Evidence Quality
Attribution to the NSA is based on official Chinese government statements, sectoral targeting, and analysis of TTPs that closely match known NSA/Equation Group operations. No technical artifacts (malware samples, network indicators, or forensic images) have been made public. The evidence is strongest at the pattern analysis level, with circumstantial support from sectoral targeting and historical context. The confidence level for direct attribution is medium; it would be high if technical artifacts were released.
Affected Versions & Timeline
The attack targeted the National Time Service Center in Xi’an, China, which operates under the Chinese Academy of Sciences. The affected NTSC systems include staff mobile devices (via SMS service vulnerabilities), internal network systems, and the High-Accurate Ground-based Time Service System. The specific versions of hardware, software, or mobile devices exploited were not disclosed in public reporting.
The timeline of the attack is as follows:
March 25, 2022: Initial compromise via SMS service vulnerability on foreign-branded mobile phones used by NTSC staff.
April 18, 2023: Use of stolen credentials to access NTSC computers and probe network infrastructure.
August 2023 – June 2024: Deployment of a new cyber operations platform and activation of 42 specialized cyber tools, with high-intensity attacks on internal NTSC systems and attempts at lateral movement into the High-Accurate Ground-based Time Service System.
June 2024: Chinese authorities report that the attack was detected, contained, and remediated, with no reported disruption to Beijing Time or dependent infrastructure.
Threat Activity
The threat activity attributed to the NSA in this incident is characterized by advanced, multi-stage operations targeting critical infrastructure. The attack chain included initial access via exploitation of a mobile SMS service vulnerability, credential theft and reuse, deployment of a cyber operations platform with 42 specialized tools, lateral movement, and advanced anti-forensics. The attackers used VPS infrastructure to obfuscate their origins, forged digital certificates to bypass security controls, and strong encryption to erase traces of their activity.
The MSS and the National Computer Network Emergency Response Technical Team (CNCERT) conducted a comprehensive investigation, including analysis, assessment, and source tracing. They concluded that the attackers demonstrated advanced capabilities in tactical concepts, operational techniques, encrypted communications, and stealth, but also noted signs of stagnation and technical bottlenecks in system upgrades following repeated public exposure of NSA tools (Global Times).
The attack was reportedly conducted during late night to early morning hours Beijing Time, a common tactic to reduce the likelihood of detection. The campaign was ultimately detected and neutralized by Chinese authorities, who implemented additional security measures and provided guidance to the NTSC for remediation.
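Two of the behaviours described above, valid-account use outside normal hours and one account probing many internal hosts in quick succession, are detectable from ordinary authentication logs. The following Python script is an added example written for this report, not code from the MSS, CNCERT or any source cited here. The log format, usernames, hostnames and addresses are constructed; only the date follows the report's timeline. It builds a per-account baseline of source addresses seen during business hours (Beijing Time), then flags off-hours logins from sources with no such history and accounts that touch five or more distinct hosts within ten minutes.

```python
"""Added example: detect valid-account misuse patterns in constructed auth logs.

Rule 1: successful login outside business hours (08:00-20:00 Beijing Time)
        from a source address never seen for that account in business hours.
Rule 2: one account reaching many distinct hosts, successes or failures,
        inside a short window (internal probing / lateral movement).
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Constructed sample log: "<ISO timestamp> auth <ok|fail> user=<u> src=<ip> dst=<host>".
# Users, hosts and addresses are hypothetical; timestamps carry a +08:00 offset.
SAMPLE_LOGS = """
2023-04-17T09:12:03+08:00 auth ok user=ops_lee src=10.20.1.15 dst=ws-lee
2023-04-17T14:30:11+08:00 auth ok user=ops_lee src=10.20.1.15 dst=fileserver
2023-04-18T02:41:09+08:00 auth ok user=ops_lee src=10.20.7.88 dst=ws-lee
2023-04-18T02:43:20+08:00 auth ok user=ops_lee src=10.20.7.88 dst=fileserver
2023-04-18T02:44:05+08:00 auth ok user=ops_lee src=10.20.7.88 dst=ntp-mgmt-01
2023-04-18T02:44:31+08:00 auth fail user=ops_lee src=10.20.7.88 dst=ntp-mgmt-02
2023-04-18T02:45:02+08:00 auth ok user=ops_lee src=10.20.7.88 dst=build-02
2023-04-18T02:46:10+08:00 auth fail user=ops_lee src=10.20.7.88 dst=hr-db
2023-04-18T10:05:00+08:00 auth ok user=admin_wu src=10.20.1.40 dst=ws-wu
""".strip().splitlines()

LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>ok|fail) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+)$"
)
BEIJING = timezone(timedelta(hours=8))  # "off-hours" is judged in the victim's local time


@dataclass(frozen=True)
class Event:
    ts: datetime
    ok: bool
    user: str
    src: str
    dst: str


@dataclass(frozen=True)
class Alert:
    kind: str
    user: str
    detail: str


def parse_line(line: str) -> Optional[Event]:
    """Parse one log line into an Event; unknown lines are ignored."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return Event(
        ts=datetime.fromisoformat(m["ts"]).astimezone(BEIJING),
        ok=m["result"] == "ok",
        user=m["user"], src=m["src"], dst=m["dst"],
    )


def is_business_hours(ts: datetime, start: int = 8, end: int = 20) -> bool:
    return start <= ts.hour < end


def detect(lines, fanout_threshold: int = 5,
           window: timedelta = timedelta(minutes=10)) -> List[Alert]:
    events = [e for e in map(parse_line, lines) if e is not None]
    events.sort(key=lambda e: e.ts)

    # Baseline: source addresses each account normally logs in from in business hours.
    baseline = defaultdict(set)
    for e in events:
        if e.ok and is_business_hours(e.ts):
            baseline[e.user].add(e.src)

    alerts: List[Alert] = []
    seen = set()  # one off-hours alert per (user, src)

    # Rule 1: off-hours success from a source with no business-hours history.
    for e in events:
        if e.ok and not is_business_hours(e.ts) and e.src not in baseline[e.user]:
            key = ("off_hours_new_source", e.user, e.src)
            if key not in seen:
                seen.add(key)
                alerts.append(Alert(key[0], e.user,
                                    f"login at {e.ts.isoformat()} from {e.src}"))

    # Rule 2: many distinct destination hosts for one account inside the window.
    per_user = defaultdict(list)
    for e in events:
        per_user[e.user].append(e)
    for user, evs in per_user.items():
        for i, end in enumerate(evs):
            hosts = {x.dst for x in evs[:i + 1] if end.ts - x.ts <= window}
            if len(hosts) >= fanout_threshold:
                minutes = int(window.total_seconds() // 60)
                alerts.append(Alert("host_fanout", user,
                                    f"{len(hosts)} distinct hosts within {minutes} min: {sorted(hosts)}"))
                break  # one alert per account is enough
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOGS):
        print(f"[{a.kind}] {a.user}: {a.detail}")
```

On the constructed sample the script raises two alerts for `ops_lee` (an 02:41 login from an address with no daytime history, and five distinct hosts reached within ten minutes) and none for `admin_wu`. The thresholds and the business-hours window are deliberately parameters: a timing facility with legitimate overnight shifts would tune them against its own baseline rather than use these defaults.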
Mitigation & Workarounds
Based on the tactics, techniques, and procedures described in the incident, the following mitigation and workaround recommendations are prioritized by severity:
Critical: Organizations operating critical infrastructure should immediately review and harden access controls for all systems, especially those supporting time synchronization, communications, and other foundational services. Multi-factor authentication should be enforced for all privileged accounts, and credential hygiene should be regularly audited.
High: All mobile devices used by staff with access to critical systems should be updated to the latest firmware and security patches. Vulnerabilities in SMS and messaging services should be identified and remediated. Endpoint detection and response (EDR) solutions should be deployed to monitor for signs of compromise, including unusual SMS activity and credential theft.
High: Network segmentation should be implemented to limit lateral movement between internal systems, especially between user devices and high-value assets such as timing systems. Strict firewall rules and network monitoring should be enforced to detect and block unauthorized access attempts.
Medium: Digital certificate management should be reviewed to detect and prevent the use of forged or unauthorized certificates. Security teams should monitor for anomalous certificate usage and implement certificate pinning where feasible.
Medium: Anti-forensics and obfuscation techniques should be countered by enabling comprehensive logging, centralized log aggregation, and regular log review. Strong encryption should be used for sensitive data at rest and in transit, but organizations should also monitor for suspicious encryption activity that could indicate attacker anti-forensics.
Medium: Regular security awareness training should be provided to staff, with a focus on phishing, credential theft, and mobile device security.
Low: Organizations should maintain up-to-date threat intelligence on state-level actors and incorporate indicators of compromise (IOCs) from similar incidents into their detection and response processes, even when technical artifacts are not publicly available.
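The segmentation recommendation above (limit lateral movement between user devices and high-value assets such as timing systems) is only as good as the rule set that implements it, so it pays to test the policy against the flows that must be blocked and the flows that must still work. The Python script below is an added example written for this report, not Rescana's, the NTSC's or any vendor's code. The zones, addresses, ports and both policies are hypothetical. It models a first-match firewall policy, places a permissive rule set beside a hardened one, and audits each against a list of forbidden flows (staff devices straight to timing-system management) and required flows (staff to a jump host, jump host to timing management).

```python
"""Added example: audit a segmentation policy against forbidden and required flows.

Policies are ordered rules evaluated first-match-wins; anything unmatched
falls through to a default deny.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # source CIDR
    dst: str               # destination CIDR
    port: Optional[int]    # None matches any destination port


# Hypothetical zones (constructed addresses).
STAFF_DEVICES = "10.20.0.0/16"   # workstations and staff mobile devices
JUMP_HOSTS = "10.30.0.0/24"      # hardened administrative jump hosts
TIMING_MGMT = "10.40.0.0/24"     # management network of the timing systems
ANY = "0.0.0.0/0"

# Weak policy: a permissive catch-all lets staff devices reach timing management directly.
WEAK_POLICY = [
    Rule("allow", STAFF_DEVICES, ANY, None),
    Rule("allow", JUMP_HOSTS, TIMING_MGMT, 22),
]

# Hardened policy: staff reach only the jump hosts, jump hosts alone reach timing
# management, and both the timing zone and everything else are denied explicitly.
HARDENED_POLICY = [
    Rule("allow", STAFF_DEVICES, JUMP_HOSTS, 22),
    Rule("allow", JUMP_HOSTS, TIMING_MGMT, 22),
    Rule("deny", ANY, TIMING_MGMT, None),
    Rule("deny", ANY, ANY, None),
]

Flow = Tuple[str, str, int]  # (src ip, dst ip, dst port)

# Constructed test flows. Forbidden: a staff device talking straight to a timing
# management host. Required: the sanctioned two-hop path through a jump host.
FORBIDDEN_FLOWS: List[Flow] = [
    ("10.20.5.17", "10.40.0.10", 22),
    ("10.20.5.17", "10.40.0.10", 443),
]
REQUIRED_FLOWS: List[Flow] = [
    ("10.20.5.17", "10.30.0.5", 22),
    ("10.30.0.5", "10.40.0.10", 22),
]


def evaluate(policy: List[Rule], src: str, dst: str, port: int,
             default: str = "deny") -> str:
    """Return the action of the first rule matching the flow, else the default."""
    s, d = ip_address(src), ip_address(dst)
    for r in policy:
        if (s in ip_network(r.src) and d in ip_network(r.dst)
                and (r.port is None or r.port == port)):
            return r.action
    return default


def audit(policy: List[Rule]) -> List[str]:
    """List every forbidden flow the policy allows and every required flow it blocks."""
    findings = []
    for src, dst, port in FORBIDDEN_FLOWS:
        if evaluate(policy, src, dst, port) == "allow":
            findings.append(f"forbidden flow allowed: {src} -> {dst}:{port}")
    for src, dst, port in REQUIRED_FLOWS:
        if evaluate(policy, src, dst, port) != "allow":
            findings.append(f"required flow blocked: {src} -> {dst}:{port}")
    return findings


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        findings = audit(policy)
        print(f"{name}: {'OK' if not findings else ''}")
        for f in findings:
            print(f"  {f}")
```

The weak policy produces two findings (both direct staff-to-timing flows are allowed); the hardened policy produces none while the jump-host path still works. The same audit pattern applies to exported rule sets from real firewalls once they are parsed into `Rule` objects, which is how the list of forbidden flows becomes a regression test that runs every time the policy changes.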
References
The Hacker News, 2025-10-20: https://thehackernews.com/2025/10/mss-claims-nsa-used-42-cyber-tools-in.html
Global Times, 2025-10-19: https://www.globaltimes.cn/page/202510/1345993.shtml
ABC News, 2025-10-19: https://abcnews.go.com/International/wireStory/china-accuses-us-cyberattack-national-time-center-126656791
InverseCos, 2025-02: https://www.inversecos.com/2025/02/an-inside-look-at-nsa-equation-group.html
GBHackers: https://gbhackers.com/nsa-allegedly-hacked-northwestern-polytechnical-university/
NSA Cybersecurity Report: https://www.nsa.gov/portals/75/documents/what-we-do/cybersecurity/professional-resources/ctr-nsa-css-technical-cyber-threat-framework.pdf
Lumifi Cyber: https://www.lumificyber.com/blog/critical-nsa-tools-leaked-now-being-weaponized-and-used/
Shadow Brokers (Wikipedia): https://en.wikipedia.org/wiki/The_Shadow_Brokers
About Rescana
Rescana provides a third-party risk management (TPRM) platform designed to help organizations identify, assess, and monitor cyber risks in their supply chain and vendor ecosystem. Our platform enables continuous risk assessment, automated evidence collection, and actionable reporting to support incident response and compliance efforts. For questions about this report or to discuss how Rescana can support your organization’s risk management needs, please contact us at ops@rescana.com.