China-backed hackers have maintained access to American critical infrastructure for “at least five years” with the long-term goal of launching “devastating” cyberattacks, a coalition of US intelligence agencies warned Wednesday.
Volt Typhoon, a group of state-sponsored hackers based in China, penetrated the networks of aviation, rail, mass transit, highway, marine, pipeline, water and sewer companies — none of which were named — in a preemptive effort to position themselves for devastating cyberattacks, the NSA, CISA and the FBI said in a joint advisory published Wednesday.
The agencies said this represents a “strategic shift” from China-backed hackers' traditional cyber espionage and intelligence-gathering operations toward pre-positioning to disrupt operational technology in the event of a major conflict or crisis.
The advisory, co-signed by cybersecurity agencies in the United Kingdom, Australia, Canada and New Zealand, comes a week after a similar warning from FBI Director Christopher Wray. Speaking during a US House of Representatives committee hearing on cyber threats from China, Wray described Volt Typhoon as the “defining threat of our generation” and said the group's goal was to “disrupt our military mobilization capability” in the early stages of an anticipated conflict over Taiwan, which China claims as its territory.
According to Wednesday's technical advisory, Volt Typhoon exploits vulnerabilities in routers, firewalls and VPNs to gain initial access to critical infrastructure across the country. The China-backed hackers typically used stolen administrator credentials to maintain access to these systems, according to the advisory, and in some cases they maintained that access for “at least five years.”
“This access enabled state-backed hackers to conduct potential disruptions, such as altering heating, ventilation and air-conditioning (HVAC) systems in server rooms or disrupting critical power and water controls, leading to critical infrastructure failures,” the advisory warned. In some cases, the Volt Typhoon hackers had the ability to access camera surveillance systems at critical infrastructure facilities — but it is not clear whether they did.
Volt Typhoon also used living-off-the-land techniques, in which attackers rely on legitimate tools and features already present on the target system, to maintain long-term, undetected persistence. The hackers also conducted “extensive pre-compromise reconnaissance” to avoid detection. “For example, in some cases, Volt Typhoon actors may have avoided using compromised credentials outside of normal business hours to avoid triggering security alerts on unusual account activity,” the advisory said.
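The advisory's point about business-hours discipline has a direct consequence for defenders: a detection that only asks "was this logon outside normal hours?" will stay silent against an actor who deliberately works inside them. The following is an added illustration, not code from the advisory or the agencies: it builds a per-account baseline of active hours and source hosts from a known-good window of constructed authentication events, then reviews later events for two independent signals, off-hours use and a previously unseen source host. The log format, account and host names are invented for the example.

```python
"""Baseline privileged-account activity and flag deviations on more than one axis.

Added example with constructed data; the CSV-like log layout
(timestamp,account,source_host,action) is an assumption, not a real product format.
"""
from collections import defaultdict
from datetime import datetime

# Constructed known-good window used to learn the account's normal pattern.
BASELINE_LOG = """\
2024-01-08T09:02:11,admin_ops,ws-117,logon_success
2024-01-08T13:45:09,admin_ops,ws-117,logon_success
2024-01-09T08:58:40,admin_ops,ws-117,logon_success
2024-01-09T17:10:02,admin_ops,ws-118,logon_success
2024-01-10T10:21:33,admin_ops,ws-117,logon_success
"""

# Constructed review window: one normal logon, one inside business hours but
# from a host the account has never used, one in the middle of the night.
REVIEW_LOG = """\
2024-01-15T10:05:12,admin_ops,ws-117,logon_success
2024-01-15T11:30:00,admin_ops,vpn-gw-3,logon_success
2024-01-16T02:14:55,admin_ops,ws-117,logon_success
"""


def parse_events(text):
    """Turn the constructed log text into a list of event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, account, host, action = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "account": account,
                       "host": host, "action": action})
    return events


def build_baseline(events):
    """Per account: the set of hours and the set of source hosts seen in successful logons."""
    baseline = defaultdict(lambda: {"hours": set(), "hosts": set()})
    for e in events:
        if e["action"] != "logon_success":
            continue
        baseline[e["account"]]["hours"].add(e["ts"].hour)
        baseline[e["account"]]["hosts"].add(e["host"])
    return dict(baseline)


def find_anomalies(events, baseline, hour_slack=1):
    """Return (event, reasons) pairs. Each reason is an independent signal, so an
    actor who stays inside business hours can still surface via a new source host."""
    findings = []
    for e in events:
        profile = baseline.get(e["account"])
        reasons = []
        if profile is None:
            reasons.append("unknown_account")
        else:
            lo = min(profile["hours"]) - hour_slack
            hi = max(profile["hours"]) + hour_slack
            if not lo <= e["ts"].hour <= hi:
                reasons.append("off_hours")
            if e["host"] not in profile["hosts"]:
                reasons.append("new_source_host")
        if reasons:
            findings.append((e, reasons))
    return findings


if __name__ == "__main__":
    base = build_baseline(parse_events(BASELINE_LOG))
    for event, reasons in find_anomalies(parse_events(REVIEW_LOG), base):
        print(event["ts"].isoformat(), event["account"], event["host"], reasons)
```

Run against the constructed data, the 02:14 logon is caught by the hours check, while the 11:30 logon from `vpn-gw-3` is caught only by the source-host check; a rule that looked at time of day alone would have passed it. In practice the baseline would come from weeks of real authentication telemetry and the host signal would be joined with the network-device and VPN logs the advisory identifies as the initial-access path.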
In a call Wednesday, senior officials from US intelligence agencies warned that Volt Typhoon was “not the only Chinese state-backed cyber actors conducting these types of operations,” but did not name the other groups they were tracking.
Last week, the FBI and the US Department of Justice announced that they had disrupted the “KV botnet” run by Volt Typhoon, which had compromised hundreds of US-based small-office and home-office routers. The FBI said it was able to remove the malware from the hijacked routers and sever their connection to the Chinese government-sponsored hackers.
According to a May 2023 report published by Microsoft, Volt Typhoon has been targeting and breaching US critical infrastructure since at least mid-2021.