Backdoor Found in Federal Network Tool
The National Security Agency and the Cybersecurity and Infrastructure Security Agency have concluded that a Chinese state-sponsored group planted a remote-access backdoor inside a network monitoring tool used by at least 14 federal civilian agencies, according to three U.S. officials familiar with the finding. The discovery, codenamed Silk Tide by analysts at Fort Meade, is expected to trigger an emergency directive as early as January 21 requiring agencies to disconnect the affected software from federal networks, the officials said.
The compromised product is a network performance and diagnostics suite sold to civilian agencies under a General Services Administration schedule contract worth roughly $287 million in active federal spending, two of the officials said. A third official, a senior cybersecurity official speaking on condition of anonymity, said the backdoor allows attackers to exfiltrate network topology data and, in some configurations, issue commands to adjacent systems. The official said the flaw is not a routine vulnerability but rather a deliberately embedded access mechanism added during a software update pushed to customers between March and August 2025.
NSA analysts first identified anomalous beacon traffic leaving a civilian agency network in mid-December 2025, according to a former Senate Intelligence Committee staffer briefed on the matter. The traffic, which appeared to route through infrastructure tied to a Chinese internet service provider, matched signatures associated with a group tracked internally as Silk Tide, the staffer said. Investigators traced the outbound connections to an encrypted update channel in the network tool, which had been certified for use on federal systems under the Federal Risk and Authorization Management Program in 2023.
Emergency Directive Expected January 21
CISA is preparing to issue Emergency Directive 26-01 ordering agencies to remove the affected software from production networks by 11:59 p.m. Eastern on January 23, two officials familiar with the draft said. The directive, which carries binding force under Homeland Security Presidential Directive 7, will also require agencies to rotate credentials for any administrator accounts that had access to the tool and to submit attestation forms to CISA by January 24, the officials said.
The directive has been under review at the White House since January 16, according to a Justice Department official with knowledge of the interagency process. A Principals Committee meeting is scheduled for 10 a.m. on January 20 in the White House Situation Room to finalize the public rollout, the official said. The attorney general, homeland security secretary, and director of national intelligence are expected to attend, along with the deputy national security advisor for cyber and emerging technology, the official said.
A separate joint cybersecurity advisory from the NSA, FBI, and CISA is being drafted for release on January 22, according to a senior official involved in the coordination. The advisory will include indicators of compromise, hashes for the malicious update files, and recommended mitigations for private-sector customers, the official said. The affected vendor, which is headquartered in Northern California and reported $2.3 billion in annual revenue for fiscal year 2025, has not yet issued a public statement, the official added.
Agencies Begin Disconnecting Affected Systems
Several agencies began disconnecting the software from their networks on January 17 after receiving classified briefings from CISA, according to two congressional aides briefed on the response. The Departments of Agriculture, Labor, and Housing and Urban Development are among the civilian agencies that installed the compromised version, the aides said. The Pentagon and the intelligence community use separate, classified network monitoring systems and are not affected by the civilian directive, a defense official said.
The Office of Management and Budget is working with the affected agencies to identify replacement tools and to accelerate procurement under emergency acquisition authorities, according to a senior administration official. The official said OMB expects the transition to cost between $45 million and $60 million in unplanned fiscal 2026 spending, though the final figure will depend on how many smaller agencies used the product under enterprise licensing agreements.
CISA has scheduled a classified briefing for members of the House and Senate homeland security committees on the evening of January 20, according to a congressional aide familiar with the schedule. The chairs and ranking members of the Senate Intelligence Committee are expected to participate, the aide said. The briefing will cover the scope of the compromise, the timeline for the emergency directive, and preliminary findings about whether any agency data was stolen before the backdoor was discovered.
Stakes and What to Watch
The disclosure would mark the second major Chinese cyber compromise of U.S. government infrastructure to surface in less than 18 months, following the Salt Typhoon telecom intrusions disclosed in 2024. It also raises new questions about the Federal Risk and Authorization Management Program, which certified the affected software for use across civilian networks despite the embedded update mechanism.
Officials are watching for three developments in the next 72 hours: whether the vendor publicly acknowledges the compromise before the government announcement, whether CISA expands the directive to cover state and local governments that use the same product, and whether any agency reports data theft after completing forensic reviews. A senior official said the FBI has opened a counterintelligence investigation focused on the vendor's overseas engineering operations, including a development center in Shenzhen that contributed code to the compromised update branch.
Intelligence analysts are also tracking whether Silk Tide operators attempt to activate additional persistence mechanisms once they realize the backdoor has been detected, according to a former intelligence officer. The group has historically used dormant access for months before moving to data theft, the former officer said, which means the full scope of the compromise may not be known until CISA completes its review of agency logs in early February.