China-linked hackers have been operating inside certain U.S. systems for at least five years and are preparing to carry out destabilizing cyberattacks on critical infrastructure, a new advisory warns. The Cybersecurity and Infrastructure Security Agency issued the advisory, in conjunction with other Western intelligence partners, including Australia and Canada, following a recent FBI operation that disrupted the China-linked Volt Typhoon hacking campaign. The campaign was using a botnet of compromised routers and other hardware as its infrastructure.
During a briefing on the advisory, CISA Executive Assistant Director Eric Goldstein stated that the evidence strongly suggests that the hackers are pre-positioning to launch future disruptive or destructive cyberattacks that could impact national security, economic security, and public health and safety. The hackers have been using “living off the land” techniques, relying on legitimate built-in tools rather than custom malware, to hide inside systems and evade detection. The report notes that they have breached American facilities in Guam, as well as other key infrastructure in facilities both inside and outside the U.S. The FBI operation targeted home internet routers in southern Texas and other locations, as detailed in official court documents.
Chinese embassy spokesperson Liu Pengyu has previously denied the hacking attempts and turned the accusations against the U.S., urging the American intelligence community to stop “irresponsible criticism” against Beijing.
U.S. operatives were able to detect the hacking attempts through the use of Section 702 of the Foreign Intelligence Surveillance Act, a contested surveillance tool. Cynthia Kaiser, the deputy assistant director for the FBI’s cybersecurity division, explained that Section 702 allows the FBI and NSA to gather electronic data without a traditional warrant when the target is a foreigner overseas and the collection is for foreign intelligence purposes. However, those intercepted exchanges sometimes include conversations with Americans, raising privacy concerns about warrantless collection of American communications.
Kaiser did not confirm whether the spying power was used in the recently announced Volt Typhoon operation but emphasized that the authority has been critical to cyberspace operations. She explained that Section 702 collection has swept in U.S. persons, and that querying it for individuals impacted by hacking attempts allows the FBI to notify victims.
FBI Director Christopher Wray expressed concern over China’s hacking attempts, stating that the Volt Typhoon malware enabled China to hide as they targeted American communications, energy, transportation, and water sectors. He highlighted the potential real-world threat to physical safety and stated that the FBI will not tolerate such actions.
The advisory comes as a stark reminder of the persistent and evolving cyber threats facing the United States and its allies. With the cooperation of Western intelligence partners, efforts to identify, disrupt, and prevent future cyberattacks will be crucial in safeguarding critical infrastructure and national security. After the recent revelations, it is clear that addressing cyber threats of this nature will require ongoing vigilance, collaboration, and the innovative application of cyber defense strategies to protect against foreign adversaries seeking to exploit vulnerabilities in U.S. systems.