China-backed hackers have maintained access to US critical infrastructure for “at least five years” with the long-term aim of launching “destructive” cyberattacks, a coalition of US intelligence agencies warned on Wednesday.
Volt Typhoon, a state-sponsored hacker group based in China, infiltrated the networks of aviation, rail, mass transit, highway, maritime, pipeline, water and wastewater organizations – none of which were named – in an effort to preposition themselves for destructive cyberattacks, the NSA, CISA and FBI said in a joint advisory published Wednesday.
It marks a “strategic shift” away from the traditional cyberespionage and intelligence-gathering operations of Chinese-backed hackers, the agencies said, as the group instead prepares to disrupt operational technology in the event of a major conflict or crisis.
The release of the advisory, co-signed by the cybersecurity agencies of the United Kingdom, Australia, Canada and New Zealand, comes a week after a similar warning from FBI Director Christopher Wray. Speaking at a U.S. House of Representatives committee hearing on cyber threats posed by China, Wray described Volt Typhoon as “the defining threat of our generation” and said the group's goal is to “disrupt the mobilization capacity of our military” in the early stages of an anticipated conflict over Taiwan, which China claims as its territory.
According to Wednesday's technical advisory, Volt Typhoon exploited vulnerabilities in routers, firewalls and VPNs to gain initial access to critical infrastructure across the country. The China-backed hackers typically used stolen administrator credentials to maintain access to these systems, according to the advisory, and in some cases retained access for “at least five years”.
This access would allow the state-backed hackers to carry out potential disruptions such as “manipulating heating, ventilation, and air conditioning (HVAC) systems in server rooms or disrupting critical energy and water controls, leading to significant infrastructure failures,” the advisory warns. In some cases, Volt Typhoon hackers had the ability to access the camera surveillance systems of critical infrastructure facilities – although it is unclear whether they did so.
Volt Typhoon also used living-off-the-land techniques, in which attackers rely on legitimate tools and features already present in the target system rather than deploying malware, to maintain undiscovered long-term persistence. The hackers also perform “thorough reconnaissance before compromise” in an attempt to avoid detection. “For example, in some cases, Volt Typhoon actors may have refrained from using compromised credentials outside of normal business hours to avoid triggering security alerts on abnormal account activity,” the advisory states.
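The detail that the actors timed their use of stolen administrator credentials to fall within business hours shows why a time-of-day rule alone is a weak control. The script below is an added illustration written for this article, not code from the advisory or from any of the agencies: it builds a per-account baseline of the source hosts an administrator normally logs on from, then flags logons that come from a host the account has never used, even when they land squarely in the working day, and raises the severity when the target is a router, firewall or VPN gateway. Account names, IP addresses, device names and the 08:00–17:59 working day are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample logon records (not real telemetry). Fields:
# ISO timestamp, account, source IP, target device, device class.
# A known-good period used to learn where each admin account logs on from.
BASELINE_LOGS = """\
2024-01-15T09:05:00 netadmin 10.10.1.20 edge-fw1 firewall
2024-01-15T14:30:00 netadmin 10.10.1.20 core-rtr1 router
2024-01-16T10:12:00 netadmin 10.10.1.21 vpn-gw1 vpn
2024-01-16T11:40:00 netadmin 10.10.1.20 edge-fw1 firewall
"""

# Week under review: one routine logon, two business-hours logons from a host
# the account has never used (what an off-hours rule alone would miss), and
# one off-hours logon from a known host.
REVIEW_LOGS = """\
2024-02-06T10:20:00 netadmin 10.10.1.20 edge-fw1 firewall
2024-02-06T13:05:00 netadmin 192.0.2.44 edge-fw1 firewall
2024-02-07T15:45:00 netadmin 192.0.2.44 core-rtr1 router
2024-02-08T02:10:00 netadmin 10.10.1.21 vpn-gw1 vpn
"""

BUSINESS_HOURS = range(8, 18)            # assumed local working day
NETWORK_DEVICE_CLASSES = {"router", "firewall", "vpn"}


def parse(lines):
    """Turn the whitespace-separated sample records into dicts."""
    events = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        ts, account, src, device, dev_class = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "account": account,
            "src": src,
            "device": device,
            "dev_class": dev_class,
        })
    return events


def build_baseline(events):
    """Per-account set of source IPs observed during the known-good period."""
    baseline = defaultdict(set)
    for e in events:
        baseline[e["account"]].add(e["src"])
    return baseline


def detect(events, baseline):
    """Return (timestamp, account, src, device, severity, reasons) per alert."""
    alerts = []
    for e in events:
        reasons = []
        if e["ts"].hour not in BUSINESS_HOURS or e["ts"].weekday() >= 5:
            reasons.append("off-hours logon")
        if e["src"] not in baseline.get(e["account"], set()):
            reasons.append("new source host for account")
        if not reasons:
            continue
        # A never-seen source reaching a network edge device is the pattern
        # the advisory describes, so it outranks a plain off-hours logon.
        high = ("new source host for account" in reasons
                and e["dev_class"] in NETWORK_DEVICE_CLASSES)
        alerts.append((e["ts"].isoformat(), e["account"], e["src"],
                       e["device"], "high" if high else "medium", reasons))
    return alerts


def run():
    """Learn the baseline from the good period and score the review week."""
    baseline = build_baseline(parse(BASELINE_LOGS))
    return detect(parse(REVIEW_LOGS), baseline)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

On the constructed data the routine logon produces nothing, the two daytime logons from 192.0.2.44 are rated high because they hit a firewall and a router from a source the account has never used, and the 02:10 VPN logon is rated medium on time of day alone. In a real deployment the baseline would come from a longer window of authentication logs for the network devices themselves, and the source-host field would usually need to be enriched with asset ownership before the "new source" signal is trustworthy.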
In a call with reporters on Wednesday, senior officials from U.S. intelligence agencies warned that Volt Typhoon was “not the only Chinese state-backed cyber actor conducting this type of activity,” but did not name the other groups they were tracking.
Last week, the FBI and the US Department of Justice announced that they had taken down the “KV Botnet” run by Volt Typhoon, which had compromised hundreds of US-based small office and home office (SOHO) routers. The FBI said it had successfully removed the malware from the hacked routers and severed their connection to the Chinese state-sponsored hackers.
According to a May 2023 report published by Microsoft, Volt Typhoon has been targeting and breaching US critical infrastructure since at least mid-2021.