The recent news that the Volt Typhoon hacking group has been disrupted was followed almost immediately by a grave warning from FBI director Christopher Wray: Chinese hackers can be expected to continue to infiltrate critical infrastructure, and similar activity is likely proceeding successfully.
Wray said that US agencies have become more aggressive in recent years to keep pace with both Russian and Chinese hackers making regular attempts on critical infrastructure, government and private industry secrets. Wray said that China is also showing interest in the sort of personal information that ransomware gangs usually steal, putting it to work in its foreign influence campaigns.
State-backed Chinese hackers continue to operate in the US
Wray opened the briefing of House lawmakers with further detail about the recent operation against Volt Typhoon, the group of Chinese hackers believed to have been dwelling in critical infrastructure systems for months (if not years). The FBI director indicated that the network of home and small office routers that the group relies on for masking its malicious traffic was broken up, but this good news was tempered with a warning that both this and other groups likely continue to be highly active.
Wray also shared that the FBI directly accessed compromised routers to remove Volt Typhoon’s footholds and patch them against future attacks, a step that US agencies only rarely take in extreme cases. The Chinese hackers had been aggressively targeting older Netgear and Cisco router models with known vulnerabilities that are no longer supported by the manufacturers, making them very difficult (if not impossible) for owners to otherwise secure.
Jen Easterly, Director of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, supported Wray’s comments and added that the country is making it “too easy” for Chinese hackers to penetrate critical infrastructure via a variety of basic and correctable flaws. Easterly called for software manufacturers to be held responsible for defects, articulating a “security by design” argument without actually using the phrase.
Ever since news of Volt Typhoon surfaced with a Microsoft report on the group in May of 2023, the conventional thinking has been that the Chinese hackers were seeking to quietly lay dormant in critical infrastructure and would only go active should the two countries enter into a military conflict over Taiwan. Wray’s more recent comments made it sound as if the Chinese hackers may make attempts against critical infrastructure with a lower threshold of provocation. China has repeatedly denied US accusations of hacking, and has made counter-accusations of this nature against US intelligence and law enforcement agencies.
Wray also used the briefing to reiterate a point he has made in the past: that the US side of this cyber battle is badly outgunned, by at least “50 to 1” in terms of active Chinese hackers versus available FBI agents, and that the agency opens a new China-related counterintelligence case roughly once every 10 hours. And he warned that China will likely use stolen personal information and AI to wage influence campaigns, particularly during the current election period, and to “silence, coerce and threaten” citizens and residents of the country.
Amit Yoran, CEO and Chairman of Tenable, sees this as a serious warning that an attack on critical infrastructure by Chinese hackers is very possible: “This is a sobering warning about a clear and present danger from the U.S. government’s top cybersecurity leaders. They’re not talking about potential data breaches and PII. We’re being told in the strongest possible terms that strategic adversaries are specifically and deliberately going after the vital services that underpin our daily lives. Action here needs to be a top priority. We didn’t know, we didn’t expect this, we didn’t take action, are all euphemisms for negligence.”
Marty Edwards, Deputy CTO for OT and IoT for Tenable, agrees that this should be read as a direct warning to private critical industry partners to immediately assess and shore up their cybersecurity: “This dire warning should send an immediate signal to operators of both manufacturing and industrial control systems – in both the public and private sectors – that now is the time to actively assess their risk posture and search out vulnerabilities that are waiting to be exposed. It isn’t acceptable that adversaries have a better understanding of a facility’s assets than the defenders. This is completely solvable with current people, process and technology. OT and IoT are everywhere in our modern attack surface, and bad actors understand that compromising a single external-facing asset or a misconfigured identity (as was the case in the recent breach of Microsoft’s internal email systems by Midnight Blizzard) could give them unfettered access so they can lay in wait to launch attacks. Recent attacks against Colonial Pipeline and our water treatment plants are evidence that the ability for malicious actors to cause real-world impacts are just a couple of clicks away.”
US critical infrastructure has been dealing with cyber invaders for years
Microsoft has assessed groups like Volt Typhoon as putting their main emphasis on disrupting Pacific military capability in the midst of an armed clash over Taiwan. But Wray alluded to China also targeting civilian critical infrastructure, calling it “part of (the) plan” for Chinese hackers. Attacks against more distant US civilian targets would likely be meant to drain off public support for the defense of Taiwan, should that scenario emerge.
David Ratner, CEO at HYAS, notes that attacks against critical infrastructure are a potential “loss of life” scenario and need to be treated as such: “Critical infrastructure is unfortunately too vulnerable to a variety of attacks, and we need to focus on cyber resiliency across the board or risk not just the interruption of basic services but potentially loss of human life. Bad actors will continue to find new vectors to try and wreak havoc; the only path forward is proactive intelligence and overall operational resiliency to ensure that each new attack is handled quickly and efficiently, before damage ensues. The time to act is now.”
Mark B. Cooper, President & Founder at PKI Solutions, adds: “The warning from FBI Director Christopher Wray about Chinese hackers targeting US infrastructure emphasizes the sense of urgency needed to improve the security of core systems to critical infrastructure. It’s no longer safe to assume these core systems like Identity and Encryption are resilient; organizations need to manage the security posture of each of their critical systems. These measures are essential in ensuring vulnerabilities are identified and mitigated properly, reducing the risk of exploitation by malicious actors.”
The US has not denied that it runs its own cyber operations against targets in China, but sets itself apart in drawing a line at attempts to cripple critical infrastructure. Gen. Paul Nakasone, commander of the U.S. Cyber Command, called it “irresponsible” for the Chinese hackers to target civilian infrastructure. Wray characterized attacks of this nature as “low blows.”
Committee chairman Mike Gallagher, a Republican representative from Wisconsin, also used the testimony as an opportunity to once again raise the possibility of banning or forcing the sale of TikTok over national security concerns. This had appeared to be a bipartisan position, with the Biden administration proposing just such a sale-or-ban scheme in March of 2023, but the campaign appeared to fall by the wayside after legal analysis concluded it would be too difficult to pull off.