According to information released by the Harbin Municipal Public Security Bureau in Heilongjiang Province, to crack down on cyber espionage and theft crimes committed by foreign entities against China and safeguard national cybersecurity as well as public safety, the bureau has issued warrants for three suspects affiliated with the U.S. National Security Agency (NSA): Katheryn A. Wilson, Robert J. Snelling, and Stephen W. Johnson.
The case gained widespread attention after media reports revealed that the "2025 Harbin 9th Asian Winter Games" had suffered cyberattacks from overseas. The National Computer Virus Emergency Response Center and the cybersecurity team for the Asian Winter Games promptly submitted all relevant data to the Harbin police. The bureau immediately formed a technical task force to trace the origins of the attacks. With support from relevant countries, the team successfully identified three NSA operatives and two U.S. universities involved in the cyberattacks targeting the event.
Technical investigations revealed that the attacks were orchestrated by the NSA’s Office of Tailored Access Operations (TAO, codenamed S32), a division under its Data Reconnaissance Bureau (S3) within the Information Intelligence Directorate (S). To conceal their origins and protect cyber weapons, TAO utilized front organizations to purchase IP addresses from multiple countries and anonymously leased servers across Europe and Asia.
The NSA’s pre-event attacks focused on critical systems such as the Games’ registration, entry-exit management, and competition sign-up platforms—systems storing sensitive participant data. The agency aimed to steal athletes’ private information. From February 3rd, when the first ice hockey match began, the NSA escalated attacks on key operational systems, including the event information release system (with API interfaces) and entry-exit management systems, attempting to disrupt the Games’ operations. Simultaneously, the NSA targeted critical infrastructure in Heilongjiang, including energy, transportation, water resources, communications, and defense research institutes, aiming to destabilize social order and steal classified data.
The NSA employed hundreds of advanced attack methods, including exploiting unknown vulnerabilities, file-read exploits, high-frequency directional detection, sensitive file path probing, and password brute-force attacks. Technical experts also detected suspicious encrypted data sent by the NSA to Windows-based devices in Heilongjiang, suspected of activating pre-embedded backdoors in Microsoft systems.
Further investigations confirmed that the three NSA operatives had repeatedly attacked China’s critical infrastructure and participated in cyberattacks against companies like Huawei. Additionally, the University of California and Virginia Tech—both linked to the NSA—were implicated. Public records show the University of California has been an NSA-designated "Center of Academic Excellence in Cyber Defense" since 2015. Virginia Tech, a senior U.S. military academy, received NSA funding in 2021 to bolster its cyber operations and operates as an NSA-certified "Cybersecurity Defense Research Center." The university also manages Virginia’s government cyber training facilities.
The Harbin Public Security Bureau has urged the public to provide tips, promising monetary rewards for actionable leads or assistance in apprehending suspects.