Chinese-sponsored hackers targeting U.S. critical infrastructure have been inside some of those IT networks for at least five years, a trio of U.S. security agencies said Wednesday.
U.S. officials first called out the activity — tracked under the umbrella term “Volt Typhoon” — in May 2023. Officials have continued warning about what they see as aggressive Chinese pre-positioning in sensitive U.S. and international networks ever since, most recently in a Jan. 31 hearing. Those warnings were echoed Wednesday in the alert from the FBI, NSA and Cybersecurity and Infrastructure Security Agency.
“Volt Typhoon’s choice of targets and pattern of behavior is not consistent with traditional cyber espionage or intelligence gathering operations,” the advisory reads, “and the U.S. authoring agencies assess with high confidence that Volt Typhoon actors are pre-positioning themselves on IT networks to enable lateral movement to [operational technology] assets to disrupt functions.”
FBI Director Christopher Wray said during the Jan. 31 hearing that the Chinese operations are in “preparation to wreak havoc and cause real-world harm to American citizens and communities if and when China decides the time has come to strike.”
Speaking at an event in Washington on Wednesday, National Cyber Director Harry Coker described China’s efforts to penetrate American critical infrastructure as an attempt to gain a strategic advantage in the event of a war between the United States and China. “In the early stages of armed conflict, they want to disrupt our military’s ability to mobilize,” Coker said at a conference organized by the Information Technology Industry Council.
The Chinese government has regularly denied the U.S. allegations. After the Jan. 31 hearing, a Chinese Embassy spokesperson told CyberScoop that “the Chinese government has been categorical in opposing hacking attempts and the abuse of information technology. The United States has the strongest cyber technologies of all countries, but has used such technologies in hacking, eavesdropping more than others.”
National security officials are “concerned” about China using these footholds for “disruptive effects in the event of potential geopolitical tensions and/or military conflicts,” the advisory read.
In some cases, according to the advisory, the hackers’ access would enable them to manipulate “heating, ventilation, and air conditioning (HVAC) systems in server rooms or disrupting critical energy and water controls, leading to significant infrastructure failures.”
The hackers had the capability to access camera surveillance systems at critical infrastructure facilities, the advisory read, although it’s not clear whether they actually did. Eric Goldstein, CISA’s executive assistant director for cybersecurity, told reporters after the advisory’s release that the U.S. has “not yet seen these actors take steps to disrupt the functionality of critical infrastructure.”
Wednesday’s advisory — first reported by CNN — was the joint work of the FBI, NSA, and CISA, as well as the Department of Energy, the Environmental Protection Agency and the Transportation Security Administration. National security agencies from Australia, Canada, the U.K. and New Zealand also shared insights.
Undergirding the Chinese operations’ success is their ability to stay relatively silent on infiltrated networks by using commands and capabilities already present on those networks, a technique known as “living off the land” (LOTL), and by not exfiltrating data. The attackers regularly gather valid credentials for systems — and re-target victim organizations repeatedly — to maintain long-term access, the advisory said.
Rob Joyce, a top NSA cybersecurity official, recently said that U.S. intelligence has used artificial intelligence to better surface LOTL behaviors, but the worry persists.
The hackers typically begin with extensive reconnaissance to understand how a given entity operates, how its network is structured and what typical user behaviors look like, and to identify “key network and IT staff,” according to the advisory. They then gain initial access to IT networks via vulnerabilities in public-facing network appliances, such as routers, virtual private networks and firewalls.
U.S. officials announced Jan. 31 the disruption of the “KV Botnet” that the Chinese were using to target small and home office Cisco and NetGear routers and gain access to certain networks. Research published Wednesday by Lumen’s Black Lotus Labs documented how the operators of the botnet frenetically tried to reinfect compromised routers after the disruption, and found that a key part of the botnet is “no longer effectively active.”
Elias Groll contributed to this article.
Updated, Feb. 2, 2024: This story has been updated to include comments from CISA’s Eric Goldstein and NCD Harry Coker.