The U.S. government has warned for years that products from China's Huawei Technologies Co., the world's biggest maker of telecommunications equipment, pose a national security risk for any countries that use them.

As Washington has waged a global campaign to block the company from supplying state-of-the-art 5G wireless networks, Huawei and its supporters have dismissed the claims as lacking evidence.

Now a Bloomberg News investigation has found a key piece of evidence underpinning the U.S. efforts — a previously unreported breach that occurred halfway around the world nearly a decade ago.

In 2012, Australian intelligence officials informed their U.S. counterparts that they had detected a sophisticated intrusion into the country's telecommunications systems. It began, they said, with a software update from Huawei that was loaded with malicious code.

The breach and subsequent intelligence sharing was confirmed by nearly two dozen former national security officials who received briefings about the matter from Australian and U.S. agencies from 2012 to 2019. The incident substantiated suspicions in both countries that China used Huawei equipment as a conduit for espionage, and it has remained a core part of a case they've built against the Chinese company, even as the breach's existence has never been made public, the former officials said.

The episode helps clarify previously opaque security concerns driving a battle over who will build 5G networks, which promise to bring faster internet connectivity to billions of people around the globe. Shenzhen-based Huawei dominates the more than $90 billion global telecommunications equipment market, where it competes against Sweden's Ericsson AB and Finland's Nokia Oyj. But the U.S., Australia, Sweden and the U.K. have all banned Huawei from their 5G networks, and about 60 countries signed on to a U.S. Department of State program where they've committed to avoiding Chinese equipment for their telecommunications systems. Such efforts, which have also included U.S. sanctions against the Chinese company, have slowed Huawei's growth and heightened tensions with China.

The briefings described to Bloomberg contained varying degrees of detail, and the former officials who received them had different levels of knowledge of — and willingness to discuss — specifics. Seven of them agreed to provide detailed accounts of the evidence uncovered by Australian authorities and included in their briefings.

At the core of the case, those officials said, was a software update from Huawei that was installed on the network of a major Australian telecommunications company. The update appeared legitimate, but it contained malicious code that worked much like a digital wiretap, reprogramming the infected equipment to record all the communications passing through it before sending the data to China, they said.

After a few days, that code deleted itself, the result of a clever self-destruct mechanism embedded in the update, they said. Ultimately, Australia's intelligence agencies determined that China's spy services were behind the breach, having infiltrated the ranks of Huawei technicians who helped maintain the equipment and pushed the update to the telecom's systems.

Guided by Australia's tip, American intelligence agencies that year confirmed a similar attack from China using Huawei equipment located in the U.S., six of the former officials said, declining to provide further detail.

Mike Rogers, a former Republican congressman from Michigan who was chair of the U.S. House of Representatives intelligence committee from 2011 to 2015, declined to discuss the incidents. But he confirmed that national bans against Huawei have been driven in part by evidence, presented in private to world leaders, that China has manipulated the company's products through tampered software updates, also known as patches.

"All their intelligence services have pored over the same material," said Rogers, a former FBI agent who is now a national security commentator on CNN. "This whole body of work has come to the same conclusion: It's all about administrative access, and the administrative patches that come out of Beijing are not to be trusted."

Many people familiar with Australia's intelligence told Bloomberg that they were bound by confidentiality agreements and couldn't discuss it on the record. But Michèle Flournoy, former under secretary of defense for policy at the Department of Defense under President Barack Obama, said she wasn't constrained from doing so.

Flournoy, who is co-founder and managing partner of WestExec Advisors LLC, a national security consulting firm closely aligned with the Obama and Biden administrations, confirmed the intrusion and the tampered software update from Huawei.

She said she learned about the episode after leaving government in early 2012, emphasizing that the information was shared in unclassified forums. "The Australians from the get-go have been courageous in sharing the information they had, not only with the intelligence channels but more broadly in government channels," Flournoy said. "Australia experienced it, but it was also a vicarious wake-up call for Australia's allies."

The Australian Signals Directorate, that country's leading cybersecurity agency, declined to answer specific questions about the incident. "Whenever ASD discovers a cyber incident affecting an entity, it engages the relevant entity to provide advice and assistance," the agency said in a statement. "ASD's assistance is confidential — it is a matter for relevant entities to comment publicly on any cybersecurity incident."
"Australia is not alone in the threats we face from state-based actors in cyberspace," the agency said, noting that the government has "joined with others in the world to express serious concerns about malicious cyber activities by China's Ministry of State Security."

In the U.S., the Federal Bureau of Investigation, the National Security Agency, the Cybersecurity and Infrastructure Security Agency and the National Counterintelligence and Security Center declined to comment.

Bloomberg didn't find evidence that Huawei's senior leadership was involved with or aware of the attack. Huawei declined to address specific questions. "It is hard to comment on speculation and unquoted 'senior sources,'" John Suffolk, Huawei's global cybersecurity officer, said in a statement.

"It is also hard to comment on generalizations such as 'Australian telecommunications,' 'software update,' 'equipment,' etc."
But, he added, "no tangible evidence has ever been produced of any intentional wrongdoing of any kind."

Suffolk said that Huawei's technicians can access networks only when customers authorize it, and that customers control when updates are installed on their systems. He said Huawei considers the possibility of its workers being compromised a "valid threat" and takes steps to protect against it, including restricting access to source code and using "tamper-proofing mechanisms" to guard against abuse.

"We closely monitor all of our engineers. Where the law allows we undertake additional vetting," he said. "We control the software and equipment they use, and mandatory compliance training is required every year."

Suffolk said that Huawei urges governments, customers and the "security ecosystem" to review its products and look for vulnerabilities, and "it is this openness and transparency that acts as a great protector."

China's Ministry of Foreign Affairs said in a statement that the country "opposes and would crack down on any forms of cyberattack and internet espionage activities in accordance with the law, not to mention refraining from encouraging, supporting or conspiring with hacking attacks."

"Australia's slander on China carrying out cyberattacks and espionage penetration are purely a move like a thief crying to catch a thief. This kind of arbitrary smear on another country is an extremely irresponsible action that China firmly opposes," the ministry said. "We urge Australia not to abuse the name of 'national security' and put groundless accusations and unreasonable pressures on Huawei and other Chinese companies."

Huawei was founded in 1987 by a former officer of China's People's Liberation Army, Ren Zhengfei, as a sales agent for business telephone systems, and over the last three decades it has grown to become the world's biggest maker of telecommunications equipment, which includes the routers, switches and cell-tower antennas used to shuttle voice and data traffic over mobile networks. Huawei entered the Australian market in 2004 and built relationships with two of the country's three main wireless network operators.

Australia's dominant telecom — Melbourne-based Telstra Corp. Ltd. — has long avoided Huawei products, owing to concerns about potential Chinese tampering and the company's partnership with Ericsson, according to three former Telstra executives. "Telstra does not have any equipment from Huawei in its network now, nor have we in the past," the company said in a statement.

But Telstra's two smaller rivals embraced the technology.
An early and symbolically important partner was Optus, a division of Singapore Telecommunications Ltd., which is Singapore's biggest telecom.

Optus picked Huawei for several large-scale infrastructure upgrades, starting in 2005 with a deal for digital subscriber line equipment. Optus later picked Huawei in 2007 to supply part of its nationwide 3G wireless network and in 2012 for part of its 4G network. In addition to being Australia's second-biggest mobile carrier, Optus also operates the country's largest fleet of satellites, and it works closely with the Australian military.
Huawei's other key partner in Australia was Vodafone Hutchison Australia, the country's third-biggest mobile carrier. It selected Huawei to overhaul its entire 2G and 3G infrastructure in 2011 and later for parts of its 4G networks as well.

The identity of the telecom impacted by the breach in Australia wasn't shared widely in the briefings by Australian and U.S. intelligence officials, according to the people who received them. But a former senior U.S. intelligence official and a former Australian telecommunications executive who worked in a national security role said they were told it was Optus.

Optus disputed the information. "Optus has a strong track record of providing trusted and secure services, including to major government agencies. These are delivered in close collaboration with government and with strict adherence to its advice on security matters," the company said in a statement. "Optus takes security very seriously. Any incidents of breaches or inappropriate vendor behavior would be taken into account in our network investment decisions, but we have no knowledge of the alleged incidents."

After a 2020 merger, Vodafone Hutchison Australia became TPG Telecom Ltd. The company said it wasn't aware of an attack. "We can confirm that there was no such malware in our network, and we have never heard of this alleged incident in respect of any Australian networks," the company said in a statement. "We comply with all directions and advice from the Australian government in relation to national security."

Starting around 2010, officials in Australia and the U.S. had grown alarmed by two trends: the rising number of hacking attacks from China and Huawei's expanding role in their countries' telecommunications systems, according to Michael Wessel, who for more than 20 years has been a commissioner on the congressionally created U.S.-China Economic and Security Review Commission.

The commission examines national security implications of the trade and economic relationships between the two countries and reports its recommendations.

The countries began investigating whether any of those hacks traced back to Huawei equipment, he said. "If there's a locksmith who's installing more and more locks on the doors in a community and suddenly there's a rash of silent robberies, at some point the locksmith becomes a person of interest," Wessel said. "Huawei around that time became a significant entity of interest."

By that point, the NSA had already penetrated Huawei's corporate networks in China, looking for evidence of any links between the company and China's military, according to documents leaked by former NSA contractor Edward Snowden and published in news articles in 2014. Under a program called Shotgiant, the U.S. monitored e-mail accounts belonging to Huawei employees including Ren, the company's founder.

NSA also looked for ways to exploit Huawei products in Chinese-built networks in countries considered high-priority intelligence targets, including Afghanistan, Cuba, Iran, Kenya and Pakistan, according to the documents and articles.

Huawei's Suffolk said in his statement that "no such evidence was ever presented that demonstrated Huawei was anything other than highly professional and that our founder Mr. Ren has many, many boring e-mails."

Concerned about potential intrusion into its communications systems, Australia began taking a harder line on Huawei and China. In particular, Australia blocked Huawei from participating in a massive project to build a nationwide broadband network, a surprise decision that triggered a diplomatic uproar when the news leaked in early 2012. Then-Prime Minister Julia Gillard said the decision involved "national security matters" that she couldn't discuss. Gillard declined to comment for this story.

Around that time, Australia discovered the breach — an extraordinary find given the hackers' efforts to cover their tracks.

The seven former officials who provided detailed accounts of their briefings said that Australia's intelligence agencies had detected suspicious traffic flowing from the country's telecommunications systems to China, a trail that led to Huawei equipment. Investigators gained access to some of the infected systems, but they arrived too late. Digital forensics on those systems revealed only fragments of the malicious code's existence, and investigators reconstructed the attack using a variety of sensitive sources, including human informants and secretly intercepted conversations, the former officials said.

The attackers had siphoned all the data flowing through the equipment during the malware's short window of operation, the former officials said. The data gave them access to the contents of private communications and information that could be used to target specific people or devices in future attacks, the former officials said. Bloomberg was unable to learn what, if anything, the attackers did with it.

Also in 2012, around the time Australian officials were briefing U.S. agencies about the breach, the intelligence committee of the House of Representatives published findings that China's spy services had a "wealth of opportunities" to tamper with products from Huawei and a similar company, ZTE Corp., from their design to their maintenance on customer networks. One of those involves so-called managed services, a common offering where companies provide ongoing support, including remote software updates, for their equipment after it's installed at customer sites, the report found. "Unfortunately, such contracts may also allow the managed-service contractor to use its authorized access for malicious activity under the guise of legitimate assistance," the report found.

Huawei and ZTE don't need to be a participant in — or even be aware of — any attacks for them to occur through their employee ranks. "Chinese intelligence services need only recruit working-level technicians or managers in these companies" to carry out compromises of customer networks, the report found.

At the time, Huawei said the report "employs many rumors and speculations to prove nonexistent accusations," while a ZTE spokesman said that after a year-long investigation, "the committee rests its conclusions on a finding that ZTE may not be 'free of state influence.'" That standard "would apply to any company operating in China," the spokesman said.

In the years since then, various reports have linked Huawei or its employees to spying and surveillance. In 2019, for example, the Wall Street Journal reported that Huawei technicians, in at least two instances, helped African governments spy on political opponents, intercepting their encrypted communications and using cellphone data to track their locations. Last year, Australia's Financial Review found that Huawei built a facility to store the entire data archive for the Papua New Guinea government, but it contained glaring security gaps that exposed sensitive files to being stolen. And on Dec. 14, the Washington Post published documents from Huawei showing that the company has played a broader role in tracking China's populace than it has acknowledged.

Huawei denied each of the reports, and the company has consistently pushed back against allegations that its products pose a security risk.

"Huawei has not had any major cybersecurity incidents while working with more than 500 telecom providers, including most of the top 50 telecom operators, for nearly 20 years in 170 countries to connect more than 3 billion people," the company says on its website. "No other vendor can claim this level of cybersecurity success."

Keith Krach, the former under secretary for economic growth, energy and the environment at the U.S. Department of State under President Donald Trump, declined to discuss specific incidents. But he confirmed that the U.S. and its allies have had evidence for years that China has manipulated Huawei equipment through software updates.

"Huawei has thrown a lot of head fakes by saying it would never put a back door in the hardware — a back door means nothing because there's a front door that's open every day through software," he said. "Huawei's software updates can push whatever code they want into those machines, whenever they want, without anyone knowing."

That characterization is a "fantasy," said Huawei's Suffolk. "There is not a general software update mechanism, patches are not pushed at will and Huawei has no control or say when an operator decides to upgrade or patch their network," he said.

In Australia, after nearly a decade of hostility with the government, Huawei has abandoned many of its operations.

Last year, the company revealed a $100 million financial cut to its Australian investment and more than 1,000 local job losses, according to the Financial Review. A key factor behind that 5G ban, the Sydney Morning Herald reported, was an intelligence assessment that the vulnerabilities associated with Huawei products were so severe that more than 300 separate risks would need to be mitigated in order to use it securely.

In Huawei's statement to Bloomberg, the company said that former Australian Prime Minister Malcolm Turnbull publicly stated that "no evidence had been provided to demonstrate that Huawei had undertaken anything untoward in Australia." In his memoir, which was published in 2020, Turnbull wrote that his administration's 5G ban against Huawei was a "hedge against a future threat, not the identification of a smoking gun, but a loaded one."

Turnbull, in a statement to Bloomberg, rejected Huawei's characterization. "That is not what I have said — I made no comment as to whether evidence of untoward conduct by Huawei had been presented or observed," he said. "So I was, if you like, deliberately making no comment on that point at all." Turnbull declined to comment about the 2012 incident or any other intelligence matters related to Huawei.

Australia continues to deal with the fallout from challenging China on a range of issues, including Huawei.

China has imposed damaging one-sided tariffs on Australian commodities, and Chinese hackers have targeted Australian institutions with relentless attacks since the country called last year for an independent probe into the origins of Covid-19.

Australia also announced a pact in September with the U.S. to build nuclear-powered submarines, a challenge to China's growing military presence that has further heightened tensions in the region.

Flournoy, the former Defense Department official under Obama, said China continues to punish Australia in part because of its longstanding position on Huawei, which was informed in part by the breach the country discovered nearly a decade ago.

"They didn't do the typical thing of trying to hide the vulnerability; they talked about what happened with their closest allies and took a public stand," Flournoy said. "They are still taking a hit for it."