A coalition of U.S. intelligence agencies warned Wednesday that China-backed hackers have had access to American critical infrastructure for “at least five years,” positioning themselves to conduct “destructive” attacks.
In a joint advisory published Wednesday, the NSA, CISA, and FBI said Volt Typhoon, a Chinese state-sponsored group of hackers, has been burrowing into the networks of aviation, rail, mass transit, highway, maritime, pipeline, water, and sewage organizations, none of which were named, to prepare for destructive cyberattacks.
The agencies said this marks a “strategic shift” away from China-backed hackers’ usual cyber espionage and information collection toward disrupting operational systems during a major war or crisis.
The UK, Australian, Canadian, and New Zealand cybersecurity authorities co-signed the advisory, which came a week after FBI Director Christopher Wray issued a similar warning. At a U.S. House of Representatives committee hearing on Chinese cyber threats, Wray called Volt Typhoon “the defining threat of our generation” and said the group wants to “disrupt our military’s ability to mobilize” in the early stages of a conflict over Taiwan, which China claims.
According to Wednesday’s technical alert, Volt Typhoon has exploited vulnerabilities in routers, firewalls, and VPN appliances to gain initial access to critical infrastructure networks nationwide. The alert said the China-backed hackers may have used stolen administrator credentials to retain access to some of these systems for “at least five years.”
The advisory warned that with this access, state-backed hackers could “manipulate heating, ventilation, and air conditioning (HVAC) systems in server rooms or disrupt critical energy and water controls, leading to significant infrastructure failures.” It is also unclear whether Volt Typhoon hackers gained access to video surveillance systems at critical infrastructure sites.
Volt Typhoon relied on living-off-the-land techniques, using legitimate tools and features already present on the target systems, to maintain long-term, undetected persistence. To avoid discovery, the hackers carried out “extensive pre-compromise reconnaissance.” In some cases, the advisory added, Volt Typhoon operators may have deliberately avoided using compromised credentials outside of business hours so as not to trigger security alerts for anomalous account activity.
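The paragraph above refers to alerts on anomalous account activity, and notes that the advisory says the operators timed their use of stolen credentials to stay under such alerts. The Python script below is an added, defender-side illustration of that point; it is not code from the advisory or from the agencies. It runs two simple checks over constructed logon records (assumed format: timestamp, account, source host): an off-hours check, and a check for logons from a source host the account had never used during a baseline period. The second check exists precisely because an off-hours rule alone misses credential misuse that happens during the working day. Business hours, account names and host names are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample logon events (not taken from the advisory or any real network).
# Format per line: timestamp,account,source_host
SAMPLE_EVENTS = """\
2024-01-08T09:12:00,ops-admin,WS-OPS-01
2024-01-08T13:20:00,scada-eng,HMI-PLANT-3
2024-01-08T14:03:00,ops-admin,WS-OPS-01
2024-01-09T10:41:00,ops-admin,WS-OPS-02
2024-01-09T16:55:00,ops-admin,WS-OPS-01
2024-01-10T02:17:00,ops-admin,WS-OPS-01
2024-01-10T11:05:00,ops-admin,VPN-GW-EDGE
2024-01-10T13:20:00,scada-eng,HMI-PLANT-3
"""

# Assumed local business window: 07:00 through 18:59.
BUSINESS_HOURS = range(7, 19)


def parse_events(text):
    """Parse 'timestamp,account,source_host' lines into (datetime, account, host) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, account, host = line.split(",")
        events.append((datetime.fromisoformat(ts), account, host))
    return events


def build_baseline(events, cutoff):
    """Record which source hosts each account logged on from before the cutoff."""
    known = defaultdict(set)
    for ts, account, host in events:
        if ts < cutoff:
            known[account].add(host)
    return known


def flag_events(events, known_hosts, cutoff):
    """Flag post-cutoff logons that are off-hours or come from a host new to that account."""
    findings = []
    for ts, account, host in events:
        if ts < cutoff:
            continue  # baseline period, not scored
        reasons = []
        if ts.hour not in BUSINESS_HOURS:
            reasons.append("off-hours")
        if host not in known_hosts.get(account, set()):
            reasons.append("new-source-host")
        if reasons:
            findings.append((ts.isoformat(), account, host, reasons))
    return findings


def analyze(text, cutoff_iso):
    """Baseline on events before cutoff_iso, then return findings for events on or after it."""
    cutoff = datetime.fromisoformat(cutoff_iso)
    events = parse_events(text)
    known = build_baseline(events, cutoff)
    return flag_events(events, known, cutoff)


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS, "2024-01-10T00:00:00"):
        print(*finding)
```

On the sample data the 02:17 logon is flagged as off-hours, the 11:05 logon from the previously unseen VPN gateway host is flagged even though it falls squarely inside business hours, and the routine 13:20 engineering logon is not flagged at all. In practice the baseline would be built from weeks of authentication logs rather than two days, and the host check would be joined with other living-off-the-land indicators, since a patient operator can keep both timing and source host within the baseline.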
On Wednesday, top U.S. intelligence officials also cautioned that Volt Typhoon is “not the only Chinese state-backed cyber actors carrying out this type of activity,” but did not identify the other groups they are tracking.
Last week, the FBI and DOJ took down Volt Typhoon’s “KV Botnet,” which had infected hundreds of U.S. small-office and home-office routers. The FBI said it removed the malware from the hijacked routers and severed their connection to the Chinese state-sponsored hackers.
Microsoft said in May 2023 that Volt Typhoon had been targeting and breaching U.S. critical infrastructure since mid-2021.