Chinese-sponsored hackers targeting U.S. critical infrastructure have been inside some of those IT networks for at least five years, a trio of U.S. security agencies said Wednesday.
U.S. officials first called out the activity — tracked under the umbrella term “Volt Typhoon” — in May 2023. Officials have continued warning about what they see as aggressive Chinese pre-positioning in sensitive U.S. and international networks ever since, most recently in a Jan. 31 hearing. Those warnings were echoed Wednesday in the alert from the FBI, the NSA and the Cybersecurity and Infrastructure Security Agency.
“Volt Typhoon’s choice of targets and pattern of behavior is not consistent with traditional cyber espionage or intelligence gathering operations,” the advisory reads, “and the U.S. authoring agencies assess with high confidence that Volt Typhoon actors are pre-positioning themselves on IT networks to enable lateral movement to [operational technology] assets to disrupt functions.”
FBI Director Christopher Wray said during the Jan. 31 hearing that the Chinese operations are in “preparation to wreak havoc and cause real-world harm to American citizens and communities if and when China decides the time has come to strike.”
The Chinese government has regularly denied the U.S. allegations. After the Jan. 31 hearing, a Chinese Embassy spokesperson told CyberScoop that “the Chinese government has been categorical in opposing hacking attempts and the abuse of information technology. The United States has the strongest cyber technologies of all countries, but has used such technologies in hacking, eavesdropping more than others.”
National security officials are “concerned” about China using these footholds for “disruptive effects in the event of potential geopolitical tensions and/or military conflicts,” the advisory read.
In some cases, according to the advisory, the hackers’ access could allow them to manipulate “heating, ventilation, and air conditioning (HVAC) systems in server rooms” or disrupt “critical energy and water controls, leading to significant infrastructure failures.”
The hackers had the capability to access camera surveillance systems at critical infrastructure facilities, the advisory read, although it’s not clear whether they actually did.
Wednesday’s advisory — first reported by CNN — was the joint work of the FBI, NSA, and CISA, as well as the Department of Energy, the Environmental Protection Agency and the Transportation Security Administration. National security agencies from Australia, Canada, the U.K. and New Zealand also shared insights.
Undergirding the Chinese operations’ success is their ability to stay relatively silent on infiltrated networks: they rely on commands and capabilities already present on those networks, a technique known as “living off the land” (LOTL), and they do not exfiltrate data. The attackers regularly gather valid credentials for systems — and re-target victim organizations repeatedly — to maintain long-term access, the advisory said.
Rob Joyce, a top NSA cybersecurity official, recently said that U.S. intelligence has used artificial intelligence to better surface LOTL behaviors, but the worry persists.
Initial access is typically preceded by extensive reconnaissance to understand how a given entity operates, how its network is structured and how its users typically behave, and to identify “key network and IT staff,” according to the advisory. The hackers then gain initial access to IT networks via vulnerabilities in public-facing network appliances, such as routers, virtual private network devices and firewalls.
U.S. officials announced Jan. 31 the disruption of the “KV Botnet” that the Chinese were using to target small and home office Cisco and Netgear routers and gain access to certain networks. Research published Wednesday by Lumen’s Black Lotus Labs documented how the botnet’s operators frenetically tried to reinfect compromised routers after the disruption, but found that a key part of the botnet is “no longer effectively active.”