Offensive cyber operations sponsored by the Chinese government, which in years past focused mainly on economic espionage, are now targeting United States critical infrastructure, in a campaign that top U.S. officials call a “low blow against civilians”.
On Wednesday, the Department of Justice announced that it had disrupted a Chinese-sponsored campaign in which a group known as Volt Typhoon compromised hundreds of small office/home office (SOHO) routers in the United States. The group then routed its activity through those routers to reach critical infrastructure networks in sectors such as water and power. The DoJ operation disconnected the infected routers from the attackers’ command-and-control (C2) servers and removed the malicious code from them.
“The Justice Department has disrupted a PRC-backed hacking group that attempted to target America’s critical infrastructure utilizing a botnet,” said Attorney General Merrick Garland. “The United States will continue to dismantle malicious cyber operations – including those sponsored by foreign governments – that undermine the security of the American people.”
U.S. officials said this campaign was designed to give Chinese attackers persistent access to U.S. critical infrastructure, essentially a way to pre-position themselves.
“There is too little focus on the fact that PRC hackers are targeting our critical infrastructure. The risk that poses to every American requires our attention now,” FBI Director Christopher Wray said in testimony before a Congressional committee Wednesday.
“Low blows against civilians are part of China's plan. Today and literally every day they’re actively attacking our economic security.”
Attack teams directly affiliated with or sponsored by the Chinese Communist Party are perhaps the most active and pernicious threat actors on the scene at the moment. These groups have a long history of effective economic espionage campaigns going back to the early 2000s and are well known for their technical capabilities. And China’s teams are not only effective, they are legion. Wray said that Chinese offensive operators outnumber FBI cybersecurity personnel by a factor of 50 to one.
Attacks on U.S. companies for economic espionage purposes have been routine for more than two decades now, and are something that’s understood by corporate defenders and government agencies. But the idea of state-sponsored actors setting themselves up inside CI networks in order to have a foothold for potential future operations against civilian infrastructure is a different thing altogether.
“We have seen a deeply concerning evolution of Chinese targeting of U.S. critical infrastructure. We have seen them burrowing deep into critical infrastructure to enable destructive attacks. This is a world where a crisis across the world could well endanger the lives of Americans here,” Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency, said during Wednesday’s hearing before the House Select Committee on the Chinese Communist Party.
“The threat is not theoretical. CISA teams have found and eradicated Chinese intrusions in multiple sectors. Aviation, water, energy.”
The FBI’s Wray said the threat from the Chinese attackers is existential.
“The Chinese Communist Party’s multi-pronged assault on our national and economic security makes it the defining threat to our American safety,” Wray said.
Gen. Paul Nakasone, the director of the National Security Agency and U.S. Cyber Command, which is the country’s premier offensive cyber organization, described the situation even more plainly.
“Responsible cyber actors in democracies like our own don’t target civilian infrastructure. There’s no reason for them to be in our water, in our power,” Nakasone said.
Asked about the U.S. capability to respond to these intrusions in kind, Nakasone minced no words.
“We do have the capability, and we’re very, very good. The best,” he said.
The threat from advanced attack teams sponsored by the Chinese government is not a new one, but the targeting is changing, and that shift, together with the vulnerabilities in widely deployed software that Chinese actors exploit to gain access to U.S. networks, is what has U.S. cybersecurity leaders worried. CISA’s Easterly pointed to the decades-long problem of insecure coding practices as a root cause of these intrusions.
“The truth is Chinese cyber actors have taken advantage of very basic flaws in our technology. We’ve made it easy for them. Decades of software developers not being held liable for defects, leaving our nation vulnerable to cyber invasion. Technology manufacturers must ensure that China and other actors can’t exploit weaknesses in our technology to saunter through our cyber doors,” Easterly said.
“Businesses need to prepare for and expect an attack. Every technology manufacturer must build, test, and deploy technology that’s secure by design. We have to drive toward a future where actors can’t take advantage of cyber defects so easily.”
That future is not something that the federal government can conjure on its own, and Easterly and Nakasone both pointed to the work that CISA and other government agencies do with the private sector as a vital part of the nation’s defenses.
“It’s impossible to prevent all bad things, all disruptions. Industry plays a critical role because they often have the best information on what’s happening in critical infrastructure,” Easterly said.
Nakasone concurred.
“Our strength is in our partnerships,” he said.