The People’s Republic of China is accelerating the development of its military capabilities — including cyber operations — because it believes it will need to deter and confront the United States, US officials said yesterday.
And indeed, China-linked attackers have increasingly focused on critical infrastructure as part of a campaign by Beijing to be ready for a broader conflict, according to experts, who describe it as a distinct change in strategy. For instance, the highly active threat group Volt Typhoon (aka Bronze Silhouette and Vanguard Panda) has attacked US government targets and defense contractors since at least 2021, but only since last May has it been publicly identified as a threat to critical infrastructure and military bases. It is seen as such a clear threat that the US government and private sector companies recently disrupted its operations, officials said this week.
“Over the last two years, we have become increasingly concerned about a strategic shift in PRC malicious cyber activity against US critical infrastructure,” Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency (CISA) at the US Department of Homeland Security, stated in written testimony on Jan. 31 to the US House of Representative’s Select Committee on the Strategic Competition between the United States and the Chinese Communist Party.
She added, “We are deeply concerned that PRC actors — particularly a group referred to in industry reporting as Volt Typhoon — are seeking to compromise US critical infrastructure to pre-position for disruptive or destructive cyberattacks against that infrastructure in the event of a conflict, to prevent the United States from projecting power into Asia or to cause societal chaos inside the United States.”
China Is the “Defining Cyber Threat of This Era”
Cyberattacks from China-linked groups have been a constant of the last two decades. For the most part, however, they have been either cybercriminal operations looking for a payday or espionage operations aimed at stealing government secrets and corporate intellectual property. The notorious cyber-espionage group APT1, for example, is a unit of the People's Liberation Army whose operations Mandiant first documented in 2013.
And while Chinese hackers are still stealing data, conducting cybercrimes, and targeting dissidents, industry sources are confirming the shift toward disruption-readiness flagged by the US government.
“I think given the volume, it does seem like a change in strategy,” says Chris Wysopal, CTO for software security firm Veracode. “The main theme has always been ‘they’re stealing our intellectual property,’ but those days are over — it’s so much more.”
As for goals, Chinese advanced persistent threats (APTs) are preparing to "cripple vital assets and systems" in the event that China invades Taiwan, or in response to ongoing economic and trade tensions in the South China Sea, FBI Director Christopher Wray said in written testimony to the House Select Committee on the CCP, citing US intelligence community assessments.
“The PRC represents the defining threat of this era,” he said. “There is no country that presents a broader, more comprehensive threat to our ideas, our innovation, our economic security, and, ultimately, our national security. … The PRC uses every means at its disposal to impact our economic security — blending cyber capabilities, human intelligence, corporate transactions, and other means of attacking and exploiting US companies to advance its own economic growth, national power, and military capability.”
Wray also used the testimony to argue for the FBI’s budget and for foreign surveillance powers. Any reduction to the FBI’s budget would hurt the agency’s ability to monitor and foil preparatory attacks by Chinese actors, he said.
“Even if the FBI focused all of its cyber-agents and intelligence analysts on the PRC threat, PRC-backed cyber-threat actors would still outnumber FBI cyber-personnel at least 50 to one,” Wray said. “They are attempting multiple cyber-operations each day in domestic Internet space, where only the FBI has the authorities to monitor and disrupt.”
Industrial Cyberattacks Getting Harder to Detect
A key tactical component of the latest Chinese attacks on critical infrastructure has been the compromise of small-office/home-office (SOHO) routers: the attackers, Volt Typhoon among them, then route later operations through those devices so that the true source is obscured and the traffic blends in with ordinary residential and small-business connections. The focus on small-business routers underscored once again that unmanaged technology has become a national security liability. Of the 34 router vulnerabilities currently in CISA's Known Exploited Vulnerabilities (KEV) catalog, nine appear to have no patches available from the manufacturers, Veracode's Wysopal noted.
“So that’s a pretty telling figure — that more than 25% of routers that are being actively attacked don’t even have patches,” he says. “That’s the state of the edge in the small office and home, but I guess the same is happening in the corporate world with all those different edge devices and VPN devices.”
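The figure Wysopal cites is the kind of check any organization can run against its own edge devices. The script below is an added example by this editor, not code from the article, Veracode or CISA: it parses a document in the shape of CISA's public KEV JSON feed, picks out entries whose product looks like an edge device, and separates those with a vendor update from those whose only remedy is to retire the hardware. The entries embedded here are constructed and the CVE IDs are placeholders, not real vulnerabilities; the end-of-life phrasing the regex looks for is an assumption about how such entries are worded and should be checked against the live feed.

```python
"""Audit edge-device entries in a KEV-format feed for ones with no vendor fix.

Added example by the editor, not code from the article, Veracode or CISA.
The record shape follows CISA's public KEV JSON feed
(https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json);
the entries below are constructed, and the CVE IDs are placeholders, not real
vulnerabilities. The end-of-life wording matched by NO_FIX_RX is an assumption
about how such entries are phrased; verify it against the live feed.
"""
import json
import re

SAMPLE_KEV_JSON = """
{
  "title": "Constructed KEV-format sample",
  "catalogVersion": "example",
  "count": 5,
  "vulnerabilities": [
    {"cveID": "CVE-0000-0001", "vendorProject": "ExampleNet", "product": "Home Router R100",
     "vulnerabilityName": "ExampleNet R100 Command Injection Vulnerability",
     "dateAdded": "2024-01-10", "shortDescription": "Constructed entry.",
     "requiredAction": "Apply updates per vendor instructions.", "dueDate": "2024-01-31",
     "knownRansomwareCampaignUse": "Unknown", "notes": ""},
    {"cveID": "CVE-0000-0002", "vendorProject": "ExampleNet", "product": "Router R200",
     "vulnerabilityName": "ExampleNet R200 Authentication Bypass Vulnerability",
     "dateAdded": "2024-01-12", "shortDescription": "Constructed entry.",
     "requiredAction": "The impacted product is end-of-life and should be disconnected if still in use.",
     "dueDate": "2024-02-02", "knownRansomwareCampaignUse": "Unknown", "notes": ""},
    {"cveID": "CVE-0000-0003", "vendorProject": "GateCo", "product": "SOHO Gateway G20",
     "vulnerabilityName": "GateCo G20 OS Command Injection Vulnerability",
     "dateAdded": "2024-01-15", "shortDescription": "Constructed entry.",
     "requiredAction": "Apply mitigations per vendor instructions.", "dueDate": "2024-02-05",
     "knownRansomwareCampaignUse": "Unknown",
     "notes": "Vendor has stated the product is no longer supported."},
    {"cveID": "CVE-0000-0004", "vendorProject": "AirLink", "product": "Wireless Router W5",
     "vulnerabilityName": "AirLink W5 Buffer Overflow Vulnerability",
     "dateAdded": "2024-01-20", "shortDescription": "Constructed entry.",
     "requiredAction": "Apply updates per vendor instructions.", "dueDate": "2024-02-10",
     "knownRansomwareCampaignUse": "Unknown", "notes": ""},
    {"cveID": "CVE-0000-0005", "vendorProject": "DocCorp", "product": "Office Suite",
     "vulnerabilityName": "DocCorp Office Suite Use-After-Free Vulnerability",
     "dateAdded": "2024-01-22", "shortDescription": "Constructed entry.",
     "requiredAction": "Apply updates per vendor instructions.", "dueDate": "2024-02-12",
     "knownRansomwareCampaignUse": "Known", "notes": ""}
  ]
}
"""

# Words that mark an entry as an edge/SOHO device (assumed list; extend for your estate).
EDGE_TERMS = ("router", "gateway", "soho", "vpn", "firewall", "access point")

# Phrases used when the only remedy is to retire the device (assumed; see docstring).
NO_FIX_RX = re.compile(r"end[- ]of[- ]life|no longer supported|should be disconnected", re.I)


def load_kev(text):
    """Parse a KEV-format JSON document and return its list of entries."""
    return json.loads(text)["vulnerabilities"]


def is_edge_device(entry):
    """True if the product or vulnerability name mentions an edge-device term."""
    haystack = f"{entry.get('product', '')} {entry.get('vulnerabilityName', '')}".lower()
    return any(term in haystack for term in EDGE_TERMS)


def vendor_fix_available(entry):
    """False when the required action or notes say the product must be retired."""
    text = f"{entry.get('requiredAction', '')} {entry.get('notes', '')}"
    return NO_FIX_RX.search(text) is None


def audit(entries):
    """Summarise edge-device entries and the subset with no vendor fix."""
    edge = [e for e in entries if is_edge_device(e)]
    no_fix = [e for e in edge if not vendor_fix_available(e)]
    pct = round(100.0 * len(no_fix) / len(edge), 1) if edge else 0.0
    return {
        "edge_total": len(edge),
        "no_fix": len(no_fix),
        "no_fix_ids": sorted(e["cveID"] for e in no_fix),
        "pct_no_fix": pct,
    }


def overdue(entries, today):
    """CVE IDs whose KEV due date (YYYY-MM-DD) is earlier than `today`."""
    return sorted(e["cveID"] for e in entries if e.get("dueDate", "9999-12-31") < today)


if __name__ == "__main__":
    kev = load_kev(SAMPLE_KEV_JSON)
    print(audit(kev))
    print("overdue as of 2024-02-06:", overdue(kev, "2024-02-06"))
```

To run this against the real catalog, download the JSON feed from the URL in the docstring and pass its contents to `load_kev` instead of the constructed sample. The useful output is the `no_fix_ids` list: for every device on it that is still on your network, the KEV "required action" is to disconnect it, not to wait for a patch.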
In addition, rather than deploying custom malware, the attackers often use built-in systems administration tools so that their activity blends in with legitimate administration, a tactic known as "living off the land." Because the commands involved are ones administrators run every day, such intrusions are much harder to detect, according to officials' testimony.
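Detecting living-off-the-land activity therefore comes down to context rather than signatures: which built-in tool ran, from what parent process, and whether several such tools chained together on one host. The script below is an added example by this editor, not code from the article or from any agency advisory. It runs a handful of illustrative command-line rules over constructed process-creation records shaped loosely like Windows Security event 4688 or Sysmon Event ID 1, downgrades matches that come from an expected service parent, and escalates hosts where two or more distinct techniques appear. The hostnames, accounts, paths, rule list and `EXPECTED_PARENTS` set are all assumptions to be tuned for a real environment.

```python
"""Flag living-off-the-land (LOTL) activity in process-creation logs.

Added example by the editor, not code from the article or from any agency
advisory. The rules are illustrative patterns for built-in Windows tools that
intruders also abuse; the events are constructed records shaped loosely like
Windows Security 4688 / Sysmon Event ID 1 fields. Treat the rule list and
EXPECTED_PARENTS as assumptions to tune for your environment.
"""
import re

SAMPLE_EVENTS = [  # constructed; hostnames, users and paths are placeholders
    {"host": "dc01", "user": "CORP\\adm.jones", "parent": "explorer.exe",
     "cmdline": 'ntdsutil.exe "ac i ntds" "ifm" "create full C:\\temp\\ifm" q q'},
    {"host": "fs02", "user": "CORP\\svc_web", "parent": "w3wp.exe",
     "cmdline": "cmd.exe /c netsh interface portproxy add v4tov4 "
                "listenport=9443 connectaddress=10.8.1.20 connectport=443"},
    {"host": "ws117", "user": "CORP\\j.doe", "parent": "cmd.exe",
     "cmdline": "reg.exe save HKLM\\SAM C:\\Users\\Public\\sam.hiv"},
    {"host": "ws117", "user": "CORP\\j.doe", "parent": "cmd.exe",
     "cmdline": 'wmic process call create "cmd.exe /c whoami > C:\\Users\\Public\\w.txt"'},
    {"host": "bk01", "user": "CORP\\svc_backup", "parent": "services.exe",
     "cmdline": "vssadmin create shadow /for=C:"},
    {"host": "ws042", "user": "CORP\\a.smith", "parent": "explorer.exe",
     "cmdline": "notepad.exe C:\\Users\\a.smith\\notes.txt"},
]

# (rule name, regex over the command line, what the activity means)
LOTL_RULES = [
    ("portproxy_pivot", r"netsh(\.exe)?\s+interface\s+portproxy\s+add",
     "built-in port forwarding configured (pivot/relay)"),
    ("ntds_dump", r"ntdsutil(\.exe)?.*\bac\s+i\s+ntds\b",
     "Active Directory database exported with ntdsutil"),
    ("hive_export", r"reg(\.exe)?\s+save\s+hklm\\(sam|security|system)\b",
     "credential-bearing registry hive saved to disk"),
    ("wmic_exec", r"wmic(\.exe)?\s+process\s+call\s+create",
     "process launched through WMI"),
    ("shadow_copy", r"vssadmin(\.exe)?\s+create\s+shadow|wmic.*shadowcopy\s+create",
     "volume shadow copy created (backup, or staging for NTDS/SAM theft)"),
]
_COMPILED = [(name, re.compile(pat, re.I), why) for name, pat, why in LOTL_RULES]

# Parents under which this admin tooling is routine (assumed for the sample estate).
EXPECTED_PARENTS = {"services.exe", "svchost.exe"}


def match_rules(cmdline):
    """Names of every LOTL rule whose pattern appears in the command line."""
    return [name for name, rx, _ in _COMPILED if rx.search(cmdline)]


def triage(events):
    """One finding per matching event. Tool use spawned by a service parent is
    downgraded to 'review'; the same tool from a shell, browser or web worker
    is 'high', since that is where hands-on-keyboard activity shows up."""
    findings = []
    for ev in events:
        hits = match_rules(ev["cmdline"])
        if not hits:
            continue
        severity = "review" if ev["parent"].lower() in EXPECTED_PARENTS else "high"
        findings.append({"host": ev["host"], "user": ev["user"], "parent": ev["parent"],
                         "rules": hits, "severity": severity, "cmdline": ev["cmdline"]})
    return findings


def rules_per_host(findings):
    """Map host -> sorted distinct rule names seen there."""
    seen = {}
    for f in findings:
        seen.setdefault(f["host"], set()).update(f["rules"])
    return {h: sorted(r) for h, r in seen.items()}


def escalated_hosts(findings, min_rules=2):
    """Hosts where at least `min_rules` distinct LOTL techniques appeared: one
    admin command is noise, a chain (export a hive, then run via WMI) is signal."""
    return sorted(h for h, r in rules_per_host(findings).items() if len(r) >= min_rules)


if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for f in found:
        print(f"[{f['severity']:6}] {f['host']:6} {f['user']:18} "
              f"{','.join(f['rules']):16} {f['cmdline']}")
    print("escalate:", escalated_hosts(found))
```

The point of the parent-process check and the per-host chaining is that none of these commands is malicious on its own; a backup service creating a shadow copy is routine, while a workstation user exporting the SAM hive and then launching processes through WMI is not. Feeding the same logic real 4688 or Sysmon data means normalising those records into the `host`/`user`/`parent`/`cmdline` shape first and building `EXPECTED_PARENTS` from what actually runs in the estate.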
Overall, US technology firms and their customers — both businesses and individuals — need to take stock of how their use of technology, and failure to maintain that technology, may be contributing to the threat to critical infrastructure, says Lisa Plaggemier, executive director at the National Cybersecurity Alliance, a nonprofit cybersecurity education and outreach organization.
The fact that attackers are taking over small-business routers “should be disturbing if I’m a small business or an individual,” she says. “It should be a wake-up call that there are things [for which] you have responsibilities, and you need to be informed about how to use technology.”