U.S. security agencies have cautioned operators of critical infrastructure to promptly apply patches for critical vulnerabilities that are frequently exploited by Chinese government hackers. This warning comes as a Chinese hacking group known as Volt Typhoon has managed to maintain access and footholds in some victim information technology environments for at least five years, all while eluding detection.
The Cybersecurity and Infrastructure Security Agency (CISA) released a joint cybersecurity advisory with the FBI and the National Security Agency, as well as international partners from the United Kingdom, Canada, Australia and New Zealand, detailing the persistent access that Volt Typhoon has gained to IT networks. According to Eric Goldstein, CISA’s executive assistant director, evidence “strongly suggests” that the Chinese hacking group is positioning itself on U.S. critical infrastructure networks to launch potentially destructive cyberattacks that would be detrimental to national security, economic security, and public health.
The report revealed that Chinese hackers have exfiltrated diagrams and documentation related to operational technology, including SCADA systems, relays, and switchgear, which are crucial for understanding and potentially impacting critical infrastructure systems. Additionally, Volt Typhoon actors have had the capability to access camera surveillance systems at critical infrastructure facilities.
The U.S. government and its Five Eyes intelligence-sharing partners first publicly disclosed the existence of Volt Typhoon in May 2023, after detecting activity in Guam and the United States. The Chinese state hacking group has been active since mid-2021, and the report notes that its "strong operational security" has allowed it to remain inside networks undetected for years.
This revelation comes amid growing concerns about Chinese territorial ambitions for Taiwan and the South China Sea, with Chinese President Xi Jinping ordering the military to be capable of invading Taiwan by 2027. Cybersecurity experts have observed increasing sophistication in Chinese state hackers, possibly aided by a Chinese law that requires vulnerability discoveries to be reported to the government.
The advisory emphasized that Volt Typhoon typically gains initial access to victim environments through known or zero-day vulnerabilities, then conducts extensive reconnaissance to learn about the organization's staff, security practices, and network layout. Its goal is usually to obtain administrator credentials and eventually achieve full domain compromise, which lets the group carry out careful post-exploitation intelligence collection and, if it chooses, disrupt the victim's network, all while evading detection.
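The path the advisory describes, admin credentials followed by control of the domain, leaves a log trail that defenders can inspect. The script below is an added illustration, not code from the advisory or from any of the agencies that issued it. It runs over a constructed batch of Windows Security events (logon 4624, special-privilege assignment 4672, and privileged-group membership changes 4728/4732/4756), joins each 4672 to its originating 4624 by logon ID so the session's source address is known, and raises a finding when a privileged session comes from an unexpected account or network, or when a privileged group is modified by an account whose session already looked anomalous. The management subnet, the admin-account allowlist, the CORP domain and all sample events are assumptions made for the example.

```python
"""Flag events consistent with the admin-credential -> domain-compromise path.

Added example: constructed sample events and hypothetical site allowlists,
not data or code from the advisory.
"""
import ipaddress

# Site-specific assumptions (hypothetical): where admin work legitimately
# originates, and which accounts are expected to hold privileged rights.
MGMT_NETS = [ipaddress.ip_network("10.0.50.0/24")]
KNOWN_ADMINS = {"CORP\\da-alice", "CORP\\da-bob"}
PRIV_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
GROUP_CHANGE_IDS = {4728, 4732, 4756}  # member added to global/local/universal security group

# Constructed sample events, loosely modelled on Windows Security log fields.
SAMPLE_EVENTS = [
    {"id": 4624, "user": "CORP\\da-alice", "logon_id": "0x1a2b", "src": "10.0.50.12",
     "logon_type": 10, "ts": "2024-02-01T09:02:11"},
    {"id": 4672, "user": "CORP\\da-alice", "logon_id": "0x1a2b", "ts": "2024-02-01T09:02:11"},
    {"id": 4624, "user": "CORP\\svc-backup", "logon_id": "0x3c4d", "src": "192.168.77.200",
     "logon_type": 3, "ts": "2024-02-01T02:14:03"},
    {"id": 4672, "user": "CORP\\svc-backup", "logon_id": "0x3c4d", "ts": "2024-02-01T02:14:03"},
    {"id": 4728, "actor": "CORP\\svc-backup", "member": "CORP\\helpdesk7",
     "group": "Domain Admins", "ts": "2024-02-01T02:15:40"},
    {"id": 4624, "user": "CORP\\da-bob", "logon_id": "0x5e6f", "src": "203.0.113.9",
     "logon_type": 10, "ts": "2024-02-01T03:40:19"},
    {"id": 4672, "user": "CORP\\da-bob", "logon_id": "0x5e6f", "ts": "2024-02-01T03:40:19"},
    {"id": 4728, "actor": "CORP\\da-bob", "member": "CORP\\contractor2",
     "group": "Domain Admins", "ts": "2024-02-01T03:41:02"},
    {"id": 4728, "actor": "CORP\\da-alice", "member": "CORP\\da-carol",
     "group": "Domain Admins", "ts": "2024-02-01T11:30:00"},
]


def src_is_mgmt(ip: str) -> bool:
    """True when the address falls inside an expected admin/management network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MGMT_NETS)


def analyze(events):
    """Return findings (dicts with 'kind' and 'severity') in event order."""
    # 4672 carries no network source, so join it to its 4624 via the logon ID.
    sessions = {e["logon_id"]: e for e in events if e["id"] == 4624}
    findings = []
    tainted_actors = set()  # accounts whose privileged session looked anomalous

    for e in events:
        if e["id"] == 4672:
            sess = sessions.get(e["logon_id"])
            src = sess["src"] if sess else "unknown"
            reason = None
            if e["user"] not in KNOWN_ADMINS:
                reason = "not a known admin account"
            elif sess is None or not src_is_mgmt(src):
                reason = "source outside management network"
            if reason:
                tainted_actors.add(e["user"])
                findings.append({"kind": "PRIV_LOGON_ANOMALY", "severity": "MEDIUM",
                                 "user": e["user"], "src": src, "reason": reason,
                                 "ts": e["ts"]})
        elif e["id"] in GROUP_CHANGE_IDS and e["group"] in PRIV_GROUPS:
            # Any change to a privileged group is worth an audit entry; it is
            # escalated when the actor is unexpected or already flagged above.
            suspicious = e["actor"] in tainted_actors or e["actor"] not in KNOWN_ADMINS
            findings.append({"kind": "PRIV_GROUP_CHANGE",
                             "severity": "HIGH" if suspicious else "INFO",
                             "actor": e["actor"], "member": e["member"],
                             "group": e["group"], "ts": e["ts"]})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f)
```

On the sample data this yields two privileged-session anomalies (a service account holding admin rights from a workstation subnet, and a real admin logging in from an address outside the management network) and three privileged-group changes, two of which are rated HIGH because the actor's session was already flagged or the actor is not an expected admin. In a production deployment the allowlists would come from the asset inventory and identity system rather than constants, and the events from a SIEM export rather than an inline list.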
FBI Director Christopher Wray testified that Chinese hackers were preparing “to wreak havoc and cause real-world harm to American citizens and communities” if Beijing launches an invasion against Taiwan. The FBI director told the House Select Committee on the Chinese Communist Party that U.S. officials had dismantled Volt Typhoon’s malware from “hundreds” of victims’ personal routers in homes and small businesses across the country.
The Chinese hackers have exploited vulnerabilities in widely deployed commercial networking appliances from vendors such as Fortinet, Citrix, and Cisco, and have targeted and collected information on operational technology systems, the highly sensitive systems that run the physical processes at the heart of critical infrastructure.
The advisory warns that China's targeting of U.S. critical infrastructure sectors mirrors the targeting of Ukrainian infrastructure seen throughout Russia's deadly invasion. The revelation of Volt Typhoon's forays into OT systems confirms that the group poses a serious threat, and underscores the need for critical infrastructure operators to take immediate steps to secure their networks against exploitation by threat actors like Volt Typhoon.