China-backed hackers have maintained access to American critical infrastructure for “at least five years” with the long-term goal of launching “destructive” cyberattacks, a coalition of U.S. intelligence agencies warned on Wednesday.
Volt Typhoon, a state-sponsored group of hackers based in China, has been burrowing into the networks of aviation, rail, mass transit, highway, maritime, pipeline, water and sewage organizations — none of which were named — in a bid to pre-position themselves for destructive cyberattacks, the NSA, CISA and FBI said in a joint advisory published on Wednesday.
This marks a “strategic shift” in the China-backed hackers’ traditional cyber espionage or intelligence gathering operations, the agencies said, as they instead prepare to disrupt operational technology in the event of a major conflict or crisis.
The release of the advisory, which was co-signed by cybersecurity agencies in the United Kingdom, Australia, Canada and New Zealand, comes a week after a similar warning from FBI Director Christopher Wray. Speaking during a U.S. House of Representatives committee hearing on cyber threats posed by China, Wray described Volt Typhoon as “the defining threat of our generation” and said the group’s aim is to “disrupt our military’s ability to mobilize” in the early stages of an anticipated conflict over Taiwan, which China claims as its territory.
According to Wednesday’s technical advisory, Volt Typhoon has been exploiting vulnerabilities in routers, firewalls and VPNs to gain initial access to critical infrastructure across the country. The China-backed hackers typically leveraged stolen administrator credentials to maintain access to these systems, according to the advisory, and in some cases, they have maintained access for “at least five years.”
This access enabled the state-backed hackers to carry out potential disruptions such as “manipulating heating, ventilation, and air conditioning (HVAC) systems in server rooms or disrupting critical energy and water controls, leading to significant infrastructure failures,” the advisory warned. In some cases, Volt Typhoon hackers had the capability to access camera surveillance systems at critical infrastructure facilities — though it’s not clear if they did.
Volt Typhoon also used living-off-the-land techniques, whereby attackers use legitimate tools and features already present in the target system, to maintain long-term, undiscovered persistence. The hackers also conducted “extensive pre-compromise reconnaissance” in a bid to avoid detection. “For example, in some instances, Volt Typhoon actors may have abstained from using compromised credentials outside of normal working hours to avoid triggering security alerts on abnormal account activities,” the advisory said.
On a call on Wednesday, senior officials from the U.S. intelligence agencies warned that Volt Typhoon is “not the only Chinese state-backed cyber actors carrying out this type of activity” but did not name the other groups that they had been tracking.
Last week, the FBI and U.S. Department of Justice announced that they had disrupted the “KV Botnet” run by Volt Typhoon that had compromised hundreds of U.S.-based routers for small businesses and home offices. The FBI said it was able to remove the malware from the hijacked routers and sever their connection to the Chinese state-sponsored hackers.
According to a May 2023 report published by Microsoft, Volt Typhoon has been targeting and breaching U.S. critical infrastructure since at least mid-2021.