China-backed hackers have maintained access to critical US infrastructure for “at least five years” with the long-term goal of launching “catastrophic” cyber attacks, a coalition of US intelligence agencies warned on Wednesday.
Volt Typhoon, a state-backed hacker group based in China, has infiltrated the networks of aviation, railway, mass transit, highway, shipping, pipeline, water and sanitation agencies – none of which have been named – in an attempt to pre-position for catastrophic cyberattacks, the NSA, CISA and FBI said in a joint advisory published on Wednesday.
This marks a “strategic shift” in the Chinese-backed hackers’ traditional espionage or intelligence-gathering operations, the agencies said, as they prepare to disrupt operational technology in the event of a major conflict or crisis.
The publication of the advisory, which was co-signed by cyber security agencies in the UK, Australia, Canada and New Zealand, comes a week after a similar warning was issued by FBI Director Christopher Wray. Speaking during a US House of Representatives committee hearing on cyber threats from China, Wray described Volt Typhoon as “the defining threat of our generation” and said the team’s goal is “to disrupt the ability of our military to be mobilized” in the early stages of an expected conflict over Taiwan, which China claims as its territory.
According to Wednesday’s technical advisory, Volt Typhoon exploits vulnerabilities in routers, firewalls and VPNs to gain initial access to critical infrastructure across the country. China-backed hackers typically leveraged stolen administrator credentials to maintain access to these systems, according to the advisory, and in some cases, maintained access for “at least five years.”
That access enabled state-backed hackers to carry out potential disruptions, such as “manipulating heating, ventilation and air conditioning (HVAC) systems in server rooms or disrupting critical power and water controls, leading to significant infrastructure damage,” it warned. In some cases, the Volt Typhoon hackers were able to access camera surveillance systems at critical infrastructure facilities — though it’s unclear if they did.
Volt Typhoon also used living-off-the-land techniques, whereby attackers use legitimate tools and features already present on the target system, to maintain long-term, undiscovered persistence. The hackers also conducted “extensive pre-compromise reconnaissance” in an attempt to avoid detection. “For example, in some cases, Volt Typhoon actors may refrain from using compromised credentials outside of normal business hours to avoid triggering security alerts for abnormal account activity,” the advisory said.
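The advisory's point about business-hours logons means a detection that only keys on time of day will miss an intruder using stolen administrator credentials at 10 a.m. The following Python example is added here as an illustration and is not code from the advisory or the agencies; it builds a per-account baseline of the source addresses each account normally logs on from and flags any later successful logon from a source outside that baseline, regardless of the hour, while still reporting off-hours use as a secondary signal. The log format, account name and addresses are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample authentication records (not from the advisory).
# Format assumed for this example: "<ISO timestamp> user=<name> src=<ip> result=<success|failure>"
SAMPLE_LOGS = [
    "2024-02-05T09:12:44 user=svc_admin src=10.0.5.21 result=success",
    "2024-02-05T10:03:10 user=svc_admin src=10.0.5.21 result=success",
    "2024-02-06T11:47:02 user=svc_admin src=10.0.5.22 result=success",
    "2024-02-07T14:20:31 user=svc_admin src=10.0.5.21 result=success",
    # Business hours, but from a source this account has never used before.
    "2024-02-08T10:15:09 user=svc_admin src=192.0.2.77 result=success",
    # Known source, but at 02:40 in the morning.
    "2024-02-08T02:40:55 user=svc_admin src=10.0.5.21 result=success",
]


def parse_line(line):
    """Parse one constructed log line into a dict; return None for malformed lines."""
    parts = line.split()
    if len(parts) < 4:
        return None
    try:
        record = {"ts": datetime.fromisoformat(parts[0])}
    except ValueError:
        return None
    for field in parts[1:]:
        if "=" not in field:
            return None
        key, value = field.split("=", 1)
        record[key] = value
    if not {"user", "src", "result"} <= record.keys():
        return None
    return record


def is_business_hours(ts):
    """Weekday between 08:00 and 18:00, the window an intruder may deliberately stay inside."""
    return ts.weekday() < 5 and 8 <= ts.hour < 18


def detect(lines, baseline_cutoff):
    """Return alerts for successful logons after the cutoff that deviate from each account's baseline.

    baseline_cutoff is an ISO 8601 string; logons before it define the per-account
    set of expected source addresses, logons at or after it are evaluated.
    """
    cutoff = datetime.fromisoformat(baseline_cutoff)
    records = [r for r in map(parse_line, lines) if r is not None]

    baseline = defaultdict(set)
    for r in records:
        if r["ts"] < cutoff and r["result"] == "success":
            baseline[r["user"]].add(r["src"])

    alerts = []
    for r in records:
        if r["ts"] < cutoff or r["result"] != "success":
            continue
        reasons = []
        # Primary signal: a source address this account has not been seen from before.
        if r["src"] not in baseline[r["user"]]:
            reasons.append("new-source")
        # Secondary signal: activity outside the normal working window.
        if not is_business_hours(r["ts"]):
            reasons.append("off-hours")
        if reasons:
            alerts.append((r["ts"].isoformat(), r["user"], r["src"], reasons))
    return alerts


def run_demo():
    """Evaluate the constructed sample with 2024-02-08 as the start of the evaluation window."""
    return detect(SAMPLE_LOGS, "2024-02-08T00:00:00")


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Run against the sample, the 10:15 logon from 192.0.2.77 is reported as a new source even though it falls inside business hours, and the 02:40 logon from a known address is reported only as off-hours. In practice the baseline would be built from a longer history and keyed on more than source address (workstation name, VPN session attributes), but the structure stays the same: compare privileged activity to what the account normally does, not just to the clock.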
In a phone call Wednesday, senior US intelligence officials warned that Volt Typhoon “is not the only state-sponsored Chinese cyber group conducting this type of activity,” but did not name the other groups they were monitoring.
Last week, the FBI and the US Department of Justice announced that they had disrupted the “KV Botnet” operated by Volt Typhoon, which had compromised hundreds of US-based routers for small businesses and home offices. The FBI said it was able to remove the malware from the compromised routers and sever their connection to the state-sponsored Chinese hackers.
According to a May 2023 report published by Microsoft, Volt Typhoon has been targeting and breaching critical US infrastructure since at least mid-2021.