Volt Typhoon, a group of Chinese hackers, has resided in critical industry networks for 5+ years.

There are Chinese hackers in the wainscoting of US critical infrastructure.US President Joe Biden (R) and China’s President Xi Jinping (L) meet on the sidelines of the G20 Summit in Nusa Dua on the Indonesian resort island of Bali on November 14, 2022. (Photo by SAUL LOEB / AFP)

Unveiling Volt Typhoon: the Chinese hackers within US critical infrastructure for five years

  • Per US-led advisory, Volt Typhoon, a group of Chinese hackers, has been operating within critical industry networks for 5+ years.
  • The advisory shows compromised environments span the continental US and Guam, involving allied agencies from Australia, Canada, the UK, and New Zealand.
  • FBI Director Wray warns Congress that Chinese hackers are poised to strike US infrastructure and cause harm to citizens.

In the shadowy field of cyber-espionage, one name has emerged as a persistent thorn in the side of US critical infrastructure: Volt Typhoon. For at least five years, this enigmatic group of Chinese hackers has covertly infiltrated critical IT networks across America, sending shockwaves through the nation’s security apparatus. Believed to be backed by the Chinese government, it operates with stealth and precision, targeting a wide array of sectors vital to the nation’s infrastructure. 

No sector is immune from its prying eyes, from communications and energy to transportation systems and water facilities. Who exactly are the members of Volt Typhoon, and what have they been doing in the heart of US critical infrastructure for half a decade? Let’s delve into the clandestine world of cyber-warfare and geopolitical maneuvering.

What has the Volt Typhoon been doing?

In a joint advisory published on Wednesday, the National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), and FBI revealed that the state-sponsored group of hackers from China had infiltrated networks spanning aviation, rail, mass transit, highway, maritime, pipeline, water, and sewage sectors. 

This alarming development signals a strategic shift from their usual cyber-espionage tactics to a focus on pre-positioning for potential destructive cyberattacks in times of conflict or crisis. The advisory, jointly signed by cybersecurity agencies from the UK, Australia, Canada, and New Zealand, follows a similar caution issued by FBI Director Christopher Wray just a week earlier.

Wednesday’s technical advisory revealed that Volt Typhoon has exploited vulnerabilities in routers, firewalls, and VPNs to infiltrate critical infrastructure nationwide. The Chinese hackers have adeptly utilized stolen administrator credentials to persist in these systems, some for “at least five years.” The advisory cautioned that this persistent access has empowered them to potentially disrupt vital systems, including HVAC systems and energy controls, leading to catastrophic infrastructure failures. Additionally, Volt Typhoon may have accessed surveillance systems at critical facilities, although this remains unconfirmed.

Employing living-off-the-land techniques, the hackers discreetly operated using legitimate tools already in the target system, ensuring long-term persistence while evading detection. The hackers also conducted “extensive pre-compromise reconnaissance” to avoid detection. “For example, in some instances, Volt Typhoon actors may have abstained from using compromised credentials outside of normal working hours to avoid triggering security alerts on abnormal account activities,” the advisory said.

What is the US doing about these Chinese hackers?

FBI Director Christopher Wray testifies before the House (Select) Strategic Competition Between the United States and the Chinese Communist Party Committee on Capitol Hill on January 31, 2024 in Washington, DC.

FBI Director Christopher Wray testifies before the House (Select) Strategic Competition Between the United States and the Chinese Communist Party Committee on Capitol Hill on January 31, 2024 in Washington, DC. Kevin Dietsch/Getty Images/AFP (Photo by Kevin Dietsch/GETTY IMAGES NORTH AMERICA/Getty Images via AFP).

The revelation of the Volt Typhoon’s infiltration has sent shockwaves through Washington, prompting urgent calls to bolster cybersecurity defenses and reevaluating diplomatic relations with Beijing. Yet, despite heightened awareness and countermeasures, the group’s persistence underscores the formidable challenge posed by state-sponsored cyberthreats.

Wray had emphasized to the House Select Committee the urgent need to address a pervasive cyberthreat from the Chinese Communist Party affecting every American. But that isn’t something new for Washington. In recent years, the US has escalated efforts to thwart criminal and state-sponsored cyber-activities. 

This time, Wray cautioned that Beijing-backed hackers are targeting business secrets to bolster the Chinese economy and obtain personal data for foreign influence endeavors. “China’s hackers are positioning on American infrastructure in preparation to wreak havoc and cause real-world harm to American citizens and communities, if or when China decides the time has come to strike,” Wray added.

Wray described to the US House of Representatives committee the ways in which Volt Typhoon was “the defining threat of our generation” and said the group aims to “disrupt our military’s ability to mobilize” in the early stages of an anticipated conflict over Taiwan, which China claims as its territory.

Jen Easterly, Director of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, echoed that viewpoint. “This is a world where a major crisis halfway across the planet could well endanger the lives of Americans here at home through the disruption of our pipelines, the severing of our telecommunications, the pollution of our water facilities, the crippling of our transportation modes – all to ensure that they can incite societal panic and chaos and deter our ability [to marshal a sufficient response],” she said, according to The Guardian.

As the US grapples with the implications of Volt Typhoon’s activities, questions linger about the broader impact on international cybersecurity and the delicate balance of power in the digital age. Will the revelation of Volt Typhoon’s exploits serve as a wake-up call for greater collaboration and vigilance in the fight against cyberthreats, or will it escalate tensions in an already fraught geopolitical landscape?

One thing is clear: the saga of Volt Typhoon offers a sobering reminder of the ever-evolving nature of cyberwarfare and the need for constant vigilance in safeguarding critical infrastructure against emerging threats. As the battle for control of cyberspace intensifies, the stakes have never been higher, and the need for decisive action has never been more urgent.