US is still chasing down pieces of Chinese hacking operation, NSA official says

FORT MEADE, MARYLAND — The U.S. government has yet to learn the full extent of a massive Chinese espionage campaign that targeted American critical infrastructure, according to a senior National Security Agency official.

Federal agencies are “not done with efforts to uncover or eradicate” the threats created by the Chinese hacking group known as Volt Typhoon, said Rob Joyce, the outgoing director of the NSA’s Cybersecurity Directorate, during a roundtable with reporters on Friday.

Investigators are “still finding victims and making sure to clear out intrusions” tied to the sweeping operation, which Western nations first disclosed nearly a year ago, he said.

Joyce also acknowledged for the first time that the government used artificial intelligence to discover some of the breaches made during the campaign, noting that Volt Typhoon activity was difficult to initially identify because the group steals or generates “legitimate credentials” and doesn’t bring additional malware into a system.

Conversely, Joyce said he has seen “no examples of them using AI to date.” Instead, the prolific, state-sponsored outfit relies on bulk vulnerability scans to sniff out and exploit known weaknesses.

Joyce declined to comment on just how much of the operation the federal government has unearthed to date.

The new insights come a few weeks after some of the country’s top cybersecurity leaders issued stark warnings about the ability of Volt Typhoon and other Chinese hackers to compromise U.S. networks should a conflict with Beijing arise.

"Unfortunately, the technology underpinning our critical infrastructure is inherently insecure because of decades of software developers not being held liable for defective technology," Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency (CISA) told the House Select Committee on China.

"That has led to incentives where features and speed to market have been prioritized against security, leaving our nation vulnerable to cyber invasion,” she said during the January 31 hearing.

That same day, the Justice Department announced it had disrupted an effort by Volt Typhoon to infiltrate hundreds of insecure U.S. home routers and gain access to critical infrastructure.

The U.S. and its allies revealed the group’s actions last May when analysts at Microsoft found it had targeted systems ranging from U.S. telecommunication networks and transportation hubs to the military installation on the island territory of Guam.

Since then, the Biden administration has published over six digital security adversaries warning of the Volt Typhoon’s tactics and techniques.

“From the beginning, it’s been a broad campaign,” said Joyce, who noted targets included airlines as well as energy and pipeline organizations.

“The intent really goes back to inspiring societal panic,” he said.

That would, in turn, force the U.S. to “turn inward” and prevent the nation from being able to mobilize and support a conflict in the South Pacific, he told reporters, adding the view of the activity changed as we “expanded our knowledge about it”

That said, officials believe it would be a “pretty high bar” for Beijing to activate the group’s pre-positioning in Western networks, according to Joyce.

He told reporters he hoped Chinese officials would be “thoughtful” following the national anger at the discovery of Beijing’s high-altitude balloon campaign last year.

China’s military “sorely underestimated” the country’s response to that event, an anger that would only grow if state-backed hackers struck water and transportation systems, he predicted.

Joyce, who was the NSA’s initial pick to be its latest No. 2, instead will retire at the end of the month. 

He will be replaced by Dave Luber, who has held various posts at U.S. Cyber Command and has served as the Cybersecurity Directorate’s deputy chief for almost the last four years.