U.S. authorities said on January 31 that they had dismantled a network of hackers known as Volt Typhoon, which was targeting key American public sector infrastructure like water treatment plants and transportation systems at the behest of China.
FBI Director Christopher Wray explained the operation in testimony before a congressional committee on U.S.-China competition, and the Justice Department offered more details in a statement.
In May 2023, the United States and its allies had accused Volt Typhoon, described as a “state-sponsored hacking group” backed by China, of infiltrating critical U.S. infrastructure networks — claims rejected by Beijing.
“Just this morning, we announced an operation where we and our partners identified hundreds of routers that had been taken over by the PRC state-sponsored hacking group known as Volt Typhoon,” Mr. Wray told lawmakers.
“The Volt Typhoon malware enabled China to hide, among other things, pre-operational reconnaissance and network exploitation against critical infrastructure like our communications, energy, transportation and water sectors.”
Mr. Wray accused the hackers of readying to “wreak havoc and cause real-world harm to American citizens and communities.”
“If and when China decides the time has come to strike, they’re not focused just on political or military targets,” he added. “Low blows against civilians are part of China’s plan.”
Assistant Attorney General Matthew Olsen, who works in the Justice Department’s national security division, said access to U.S. infrastructure sought by Volt Typhoon was something China “would be able to leverage during a future crisis.”
The U.S. operation to disrupt the hackers was authorized by a federal court in Texas, the Justice Department said in its statement.
By taking control of hundreds of routers, which were vulnerable as they were no longer supported by their maker’s security patches or software updates, the hackers sought to disguise the origin of future China-based hacking activities, it said.
The operation succeeded in wiping the malware from the routers, without impacting their legitimate functions or collecting any information, it added, while saying there was no guarantee the routers could not be reinfected.