Mind Matters Natural and Artificial Intelligence News and Analysis

We’re Slowly Learning About China’s Extensive Hacking Network

China’s state-backed hackers have embedded malware within U.S. programs used to manage clean drinking water, the power grid, and air traffic, among others

The first two months of 2024 featured several revelations on the extent of China’s hacking network. A joint cybersecurity advisory was recently posted by CISA (the Cybersecurity and Infrastructure Security Agency), the NSA, and the FBI on the extent to which Chinese state-backed hackers have had access to key U.S. infrastructure over the past five years and planted malware that could trigger widespread disruptions to society. It was co-authored by the U.S. Department of Energy, the EPA, and the Transportation Security Administration, as well as by Canada’s, Australia’s, New Zealand’s and the United Kingdom’s cybersecurity centers.


I’ve reported in the past on China’s massive intellectual property theft and cyberespionage here and here. These activities included obtaining emails and communications from government officials.

The recent high-level alert escalates tensions

China’s state-backed hackers have embedded malware within critical U.S. infrastructure, such as programs used to manage clean drinking water, the power grid, and air traffic, among others. According to CISA director Jen Easterly at a hearing of the House Select Committee on the Chinese Communist Party,

This is truly an Everything Everywhere, All at Once scenario. And it’s one where the Chinese government believes that it will likely crush American will for the U.S. to defend Taiwan in the event of a major conflict there.

FBI Director Christopher Wray said that Chinese state-backed hackers have been lying dormant in critical U.S. infrastructure for five years, pre-positioning malware. In the event that there is a U.S.–China conflict, China can enact a cyberattack that will weaken U.S. operations. Intelligence analysts link this threat to a potential conflict over Taiwan, which the U.S. has promised to defend in the event China attacks the island. Taiwan operates as a de facto nation but is claimed by Beijing as part of the People’s Republic of China.

Wray has described China’s hacking program as larger than that of every nation combined:

In fact, if you took every single one of the F.B.I.’s cyberagents and intelligence analysts and focused them exclusively on the China threat, China’s hackers would still outnumber F.B.I. cyberpersonnel by at least 50 to one.

How the hackers get in

The hacking network responsible for infiltrating U.S. infrastructure has been labeled “Volt Typhoon,” although the group is known under other names: Vanguard Panda, Bronze Silhouette, Dev-0391, UNC 3236, Voltize, and Insidious Taurus (The Guardian 02/13/24).

Volt Typhoon used sophisticated “living off the land” techniques to surreptitiously infiltrate networks through routers and other internet-connected devices. One of the biggest security weaknesses in U.S. digital networks and infrastructure is out-of-date technology that is no longer supported. Another weakness is human error: workers may fall for phishing techniques that harvest administrator credentials and user passwords.


In December, the U.S. Justice Department and the FBI obtained a court order to dismantle a sweeping botnet that used out-of-date small office and home office (SOHO) Cisco and Netgear routers to infiltrate key infrastructure systems. The agencies obtained the court order to go into the routers’ systems without the owners’ permission because the level of risk warranted immediate action.

Hackers can install malware into existing files within the operating system rather than uploading a new file, since a newly added file is easier to find. Dell SecureWorks’ blog describes several ways that Volt Typhoon/Bronze Silhouette quickly entered a system and then deleted any evidence of the hacker’s presence.
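As an added illustration (not from the article or from the vendor reports it cites) of why a dropped file is easier to spot than a modified existing one, the following Python compares a hashed baseline of a constructed sample filesystem against two constructed scenarios: a name-only check catches the new file but misses the tampered existing binary, while a hash comparison catches both. All paths and contents are made-up sample data.

```python
import hashlib

# Constructed sample "filesystem": path -> file contents. Stands in for a
# baseline taken from a known-good host; nothing here is real system data.
BASELINE_FS = {
    "/usr/bin/ls": b"ELF ls v1",
    "/usr/bin/ssh": b"ELF ssh v1",
    "/etc/cron.d/backup": b"0 2 * * * root /usr/local/bin/backup",
}

# Scenario 1 (constructed): a new file is dropped alongside the originals.
DROPPED_FILE_FS = dict(BASELINE_FS, **{"/tmp/newtool": b"ELF extra tool"})

# Scenario 2 (constructed): an existing binary is altered in place; the
# file list is identical to the baseline, only its content differs.
TAMPERED_FS = dict(BASELINE_FS, **{"/usr/bin/ssh": b"ELF ssh v1 + patch"})


def snapshot(fs):
    """Return {path: sha256 hex digest} for every file in the sample filesystem."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in fs.items()}


def detect_by_name_only(baseline, current):
    """Naive check that only reports paths absent from the baseline.

    This is what 'looking for new files' amounts to: it cannot see a
    modification to a file that already existed.
    """
    return sorted(set(current) - set(baseline))


def diff_snapshot(baseline, current):
    """Hash-based integrity diff: added, modified and removed paths, sorted."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    common = baseline.keys() & current.keys()
    modified = sorted(p for p in common if baseline[p] != current[p])
    return {"added": added, "modified": modified, "removed": removed}


if __name__ == "__main__":
    base = snapshot(BASELINE_FS)
    for label, fs in (("dropped file", DROPPED_FILE_FS), ("tampered binary", TAMPERED_FS)):
        cur = snapshot(fs)
        print(label, "name-only:", detect_by_name_only(base, cur))
        print(label, "hash diff:", diff_snapshot(base, cur))
```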

Dell SecureWorks believes that this new type of infiltration is in response to the U.S. State Department’s identification of several Chinese hackers:

These tradecraft developments have likely been driven by a series of high-profile U.S. Department of Justice indictments of Chinese nationals allegedly involved in cyberespionage activity, public exposures of this type of activity by security vendors, and the consequential likely increased pressure from PRC leadership to avoid public scrutiny of its cyberespionage activity.

The 2018 Justice Department indictment can be found here.

In 2023, Microsoft reported that Chinese state-backed hackers had positioned themselves to disrupt communications between the U.S. and other Asian countries in the event of a conflict in the South China Sea. This is likely in preparation for a conflict over Taiwan.

An old game played in new ways

U.S. intelligence has tracked China’s cyberespionage activities for over twenty years. The typical activity of state-backed hackers has been intelligence gathering or cybertheft. Dell SecureWorks and Microsoft report that targeting infrastructure is new for China’s state-backed hackers. U.S. officials have said that an attack on U.S. infrastructure would be considered an act of war, similar to bombing bridges, water treatment facilities, or power plants.

Attacks on infrastructure were uncommon prior to 2010. The first instance of using a cyberattack as a weapon for international conflict was the Stuxnet worm, likely developed by the U.S. and Israel to disrupt Iran’s uranium enrichment process. Since then, the Russia–Ukraine war has escalated the use of cyberattacks as a weapon for war.

According to CSIS’s timeline of cyberattacks, since February 2022 when the war began, Russian cyberattacks have primarily targeted Ukrainian infrastructure. Previously, Russia was responsible for taking down Ukraine’s power grid in 2015 and 2016 and crippling several businesses, including banks, using a virus called NotPetya.

Taiwan is watching Ukraine’s response to Russia, particularly how it is thwarting cyberattacks, in anticipation of an escalating threat from the Chinese military.

Paralleling the Soviet Union

The Chinese Communist Party has a long history of paralleling the former Soviet Union. In an earlier article, I reported on commentators who see the fall of the Soviet Union and the Arab Spring as Xi Jinping’s “two great insecurities.” China’s government is modeled after the former Soviet Union, although it is often branded as distinctly Chinese. Today, again, we see Russia treading the Soviet Union’s path, while China takes notes.

China’s cyber activities are not impenetrable. In an upcoming article, we’ll look at a recent leak of files from a hackers-for-hire group contracted by Beijing.


Heather Zeiger

Heather Zeiger is a freelance science writer in Dallas, TX. She has advanced degrees in chemistry and bioethics and writes on the intersection of science, technology, and society. She also serves as a research analyst with The Center for Bioethics & Human Dignity. Heather writes for bioethics.com and Salvo Magazine, and her work has appeared in Relevant, MercatorNet, Quartz, and The New Atlantis.
