Three NSA agents wanted by Harbin Police over cyberattacks

Police in Harbin, Heilongjiang province, said on Tuesday that they are pursuing three operatives affiliated with the United States National Security Agency over their alleged involvement in advanced cyberattacks, most likely assisted by artificial intelligence, targeting China's critical infrastructure as well as the Asian Winter Games held in the city in February.

Investigations by Chinese technical teams found that the attacks were carried out by the NSA's Office of Tailored Access Operations. Police added three alleged NSA agents — Katheryn A. Wilson, Robert J. Snelling and Stephen W. Johnson — to a wanted list in connection with the attacks.

There are strong indications that AI played a role in the attacks, which was unprecedented and posed significant challenges to national security defense systems, said Zhou Hongyi, founder of cybersecurity company 360 Security Technology, which took part in the investigations.

"This time, the scope of the attack was extremely wide, involving not only multiple registration information systems for the games but also extensive attacks on various infrastructure in Heilongjiang," Zhou said. "Based on analysis of the attack code, it's evident that AI technology was used in planning tool solutions, exploring vulnerabilities and monitoring traffic in the attacks."

Zhou said some code was clearly generated by AI and was capable of automatically and rapidly creating dynamic code during the attack process. By leveraging large AI models along with intelligent agents, the attackers were able to replicate large numbers of digital hackers to probe multiple targets, automatically design operational plans, generate tools and launch indiscriminate attacks — all with speeds far beyond human capabilities.

To obscure the origins of the attacks and protect its cyberweapons, the NSA allegedly used affiliated front organizations to buy IP addresses from various countries and anonymously rented servers in regions including Europe and Asia, according to police.

Investigators said the pre-games attacks focused on critical systems including registration, arrival and departure management, and competition entry platforms — all essential for the games' operations and containing large volumes of sensitive personal data.

The NSA's cyberattacks peaked on Feb 3, the day the first ice hockey match took place, with targets shifting to the event's key operational systems and official information platforms. The goal, authorities said, was to disrupt the smooth running of the games.

Technical teams also found that during the games, the NSA transmitted encrypted data packets to specific devices running Microsoft Windows operating systems within the province. These packets are believed to have been attempts to activate or trigger pre-installed backdoors.

Meanwhile, police said the NSA also launched cyberattacks targeting critical infrastructure sectors in Heilongjiang, including energy, transportation, water resources, telecommunications and defense research institutions.

Further investigations found that the three NSA operatives had previously carried out cyberattacks against China's critical information infrastructure and had been involved in operations targeting companies such as Huawei.

Police also alleged that the University of California and Virginia Tech were implicated in the coordinated cyber campaign.

After the attacks, technical experts from the National Computer Virus Emergency Response Center and 360 Security Technology launched a swift investigation, the company said in a statement on Tuesday.

The company said the games were subjected to a staggering 270,000 cyberattacks. NSA operations typically involve network penetration of application systems, critical infrastructure and key departments, utilizing hundreds of known and unknown techniques, the statement said.

"The targets and intentions of the attacks are clear," the company said.