The U.S. government has quietly disabled part of a Chinese hacking operation that has worried national security officials for months, according to media reports.
The Justice Department obtained “legal authorization to remotely disable aspects of the Chinese hacking campaign,” Reuters reported on Monday. The takedown operation involved disabling internet-connected devices, such as routers and webcams, that China had infected with malware and turned into launching pads for further attacks.
China has used this cyber campaign, known as Volt Typhoon, to target critical infrastructure facilities like power plants and communications hubs throughout the U.S., worrying officials who see it as part of a plan to sabotage vital infrastructure in the early days of a war between the two superpowers. When Microsoft first revealed Volt Typhoon last May, the company said it had detected attacks on Guam, where the U.S. maintains a naval base that is vital to its operations in the Pacific.
“The widespread nature of the hacks led to a series of meetings between the White House and private technology industry, including several telecommunications and cloud computing companies, where the U.S. government asked for assistance in tracking the activity,” Reuters reported.
The Justice Department declined to comment on the reported takedown operation.
Cybersecurity officials have warned operators of vital infrastructure that China’s Volt Typhoon campaign represents a serious threat to their businesses and to U.S. national security.
“This is a fight for our U.S. critical infrastructure,” Morgan Adamski, chief of the National Security Agency’s Cybersecurity Collaboration Center, said at a conference in November. “The products, the services that we rely on, everything that matters—that’s why this is important.”
Volt Typhoon has evaded detection and broadened its reach by burrowing into its targets’ computer networks and lurking there, ready to launch additional attacks that cause more damage.
By compromising internet-connected devices that are widespread inside modern networks, such as modems and other networking equipment, Chinese operatives can disguise malicious activity as typical traffic between the hacked devices and other machines on the same network. This strategy makes it harder for IT administrators and cyber defenders to spot and contain the attack. But it also leaves hackers vulnerable to takedown operations in which authorities remotely disable or clean up infected machines, cutting off the intruders’ access to their targets.
The Justice Department’s operation against Volt Typhoon is the latest example of the Biden Administration striking back against sophisticated foreign hacking campaigns. In recent years, the U.S. has used court orders to disable infamous botnets — armies of hacked devices used to power cyberattacks — with names like Qakbot, Emotet, Cyclops Blink and RSOCKS.
The long-term impact of the Volt Typhoon operation remains unclear. Botnet takedowns typically set back hackers’ activities, sometimes for months, but they often reemerge using new infrastructure and sometimes new names.