China alleges US cyber espionage during the Asian Winter Games, names 3 NSA agents

by CybrGPT

Chinese authorities claim US intelligence targeted Microsoft Windows systems and critical infrastructure in a coordinated campaign.


China has accused the US of conducting more than 170,000 cyberattacks against the Asian Winter Games held in Harbin this February. Officials have named three alleged NSA operatives they claim spearheaded the digital assault.

The Harbin Public Security Bureau identified Katheryn A. Wilson, Robert J. Snelling, and Stephen W. Johnson as NSA personnel responsible for the attacks, according to a report from China’s state news agency Xinhua.

“Investigations by Chinese technical teams revealed that the cyberattacks were carried out by the Office of Tailored Access Operations of the NSA,” the report added. “To conceal the origins of its attacks and secure its cyber weapons, the office used multiple affiliated front organizations to purchase IP addresses from various countries and anonymously rented servers located in regions including Europe and Asia.”

The accusations follow a report from China’s National Computer Virus Emergency Response Center (NCVERC) documenting what it called systematic US cyber operations against Chinese targets.

According to NCVERC, “the United States frequently used cloud hosts located in the Netherlands, Germany and other European countries as a hop or puppet host” to stage attacks, establishing what investigators claim is a pattern of behavior.

Attacks on critical infrastructure

Chinese authorities claimed the initial wave of attacks focused on registration systems, arrival and departure management, and competition entry platforms containing sensitive personal data of game participants.

The cyber assault reportedly intensified on February 3rd with the first ice hockey match, with attackers shifting focus to information platforms essential to event operations.

“These systems were vital for ensuring the smooth running of the Games, and the NSA attempted to disrupt them to undermine their normal operations,” the Xinhua report stated.

The accusations extend beyond sports systems to include alleged attacks on regional critical infrastructure, including energy, transportation, water systems, telecommunications, and defense research facilities throughout Heilongjiang Province.

Chinese technical teams reported detecting “unknown encrypted data packets” transmitted to specific devices running Microsoft Windows operating systems within the province. These packets were allegedly attempts to “activate or trigger pre-implanted backdoors in the Windows systems,” according to Xinhua.

A deliberate and coordinated campaign

The NCVERC report revealed that between January 26 and February 14, 2025, the Games’ information systems were struck by 270,167 attacks from abroad, with activity peaking on February 8, the day after the event’s formal opening. Of these, 170,864 attacks (63.24%) originated from US-based IP addresses.

The cyber onslaught primarily targeted the event’s Information Service System, Arrival and Departure Management System, and Charging Card System. Attack techniques included exploitation of arbitrary file read vulnerabilities, SQL injection, and spoofed HTTP headers, as well as mass port scans and vulnerability exploitation, the report stated.

Chinese authorities alleged in the NCVERC report that the perpetrators used cloud-based hosts from providers like Digital Ocean to obscure their origins, and the report claims that servers in Europe and Asia were leveraged to launch the attacks under the cloak of anonymity.

Academic connection

The Xinhua report specifically mentioned Chinese telecommunications giant Huawei as a target, stating that investigations revealed “the three NSA operatives had repeatedly launched cyberattacks against China’s critical information infrastructure and participated in cyber operations targeting companies such as Huawei.”

In an unusual twist, Chinese authorities also implicated US universities in the alleged campaign.

“Technical teams also uncovered evidence implicating the University of California and Virginia Tech in the coordinated cyber campaign against the Asian Winter Games,” according to Xinhua.

NCVERC’s report claimed its attribution analysis linked the attacks to the US government based on TTPs (tactics, techniques, and procedures), timeline, timezone, language patterns, and other behavioral characteristics.

“During the hosting of large-scale international sports events in China, foreign hostile forces spare no effort to destroy and interfere with the normal operation of the sports events through cyberattacks, and even try to create chaos and steal sensitive information,” the report added.

Officials added they would submit “details and artifacts of these attacks” to public security authorities for further investigation.

Ongoing cyber tensions

The accusations represent the latest development in the long-running digital conflict between China and the United States, where both nations routinely accuse each other of cyber espionage.

US intelligence agencies consistently attribute major breaches to Chinese state-backed hacking groups such as APT40 and Volt Typhoon, which are responsible for campaigns against Western government, telecom, and tech sectors. The NSA, the University of California and Virginia Tech have not responded to queries on these accusations.


© 2025 cybrgpt.com – All rights reserved.