Cyberthreat landscape permanently altered by Chinese operations, US officials say
SAN FRANCISCO — Even if the U.S. government eventually ejects a notorious Chinese hacking operation that has tunneled into critical infrastructure entities, the sweeping digital campaign has permanently altered the cyberthreat landscape, federal officials say.
The hacking activity, labeled Volt Typhoon, remains a major focus of federal national security leaders, who have scrutinized the group’s capabilities as well as its intent — to cause disruption and sow societal panic, especially in the event of a military conflict — and concluded Beijing will not back away from that approach in the future.
The end result is that China has moved beyond the traditional goal of nation-state hacking operations — spying on an adversary — into something more sinister, the officials say.
“And so, even as we hope that we raise the ability of critical infrastructure to detect living off the land activities, even as we work with edge device manufacturers to harden the vulnerabilities that are often providing additional access, even as we invest in the resilience of our critical functions — at least in the current state — our concern about the intent will remain,” Eric Goldstein, executive assistant director for cybersecurity at the Cybersecurity and Infrastructure Security Agency (CISA), told reporters at the RSA Conference this week.
The shift in mindset is accompanied by techniques that other foreign adversaries could emulate. While Microsoft surfaced the threat of Volt Typhoon roughly a year ago, it didn’t register with the larger public until January, when the Justice Department revealed the group had hijacked hundreds of small office/home office routers, most of them end-of-life devices, into a botnet used to conceal the origin of the Chinese government’s intrusions into U.S. networks.
“When you think about the scope, scale and sophistication of the PRC, or even the Russians, they're always going to be pursuing their end goal objectives,” according to Dave Luber, head of the NSA’s Cybersecurity Directorate.
“If the end goal objective — as it appears that we've unraveled from the PRC — is to have placement and access to the United States for an attack at the time of their choosing, they're probably going to continue that path.”
Law enforcement shares the assessment that such state-backed intrusions, which compromise insecure or end-of-life devices and then pivot from them into more sensitive networks, could well become the new norm.
“This threat is not going away,” Brett Leatherman, deputy assistant director of the FBI’s cyber division, told Recorded Future News during a sit-down interview.
“When you look at the lifespan of edge devices and hardware that go out of end-of-life, but still maintain operational functionality in U.S.-based networks … The actors recognize that U.S. internet space is trusted across the globe. They can compromise hundreds or thousands of U.S.-based devices with a much higher probability of targeting entities” than if they had Russian or Chinese IP addresses, he said.
FBI Director Christopher Wray revealed earlier this year that authorities had kicked Russian government hackers out of a network of more than 1,000 home and small business routers in an action dubbed Operation Dying Ember.
“It's going to continue to be a problem with nation-states targeting those devices, and criminal groups targeting those devices, because they see how effective it is and that it does have impact,” Leatherman said.
New ‘tradecraft’
Despite the DOJ's disruption of the group’s router botnet earlier this year, the federal government has yet to grasp the full scope and scale of Volt Typhoon’s work, and the full extent of it may not be known for some time.
A joint advisory issued in February by the U.S. and its allies said the group has maintained footholds in some victim networks for “at least” the last five years.
What’s more, the state-backed threat actor could have re-tooled after the law enforcement action — like others have done in the past — creating new tactics and methods to hold the country’s critical infrastructure at risk.
“Volt Typhoon is not over,” the NSA’s Luber said. China “demonstrated a new form of tradecraft and they've been caught in the act of using that tradecraft. But just because they've been caught doesn't mean that they're going to stop.”
“They're going to continue to develop tradecraft and look for ways to even evade some of the hunt guides that we've put in place,” he added.
Yet after six months of constant public warnings about the danger posed by Volt Typhoon, and the ongoing work to rip it from U.S. networks, officials signaled that better, more secure days could be ahead.
“I would offer that the adversary's not 10-foot-tall, and collectively we are not in the corner in the fetal position with an abacus,” Marine Corps Maj. Gen. Lorna Mahlock, head of U.S. Cyber Command’s Cyber National Mission Force, said during a panel discussion this week.
“We've got our industry partners who are thinking deliberately and really creatively about the threats that are out there. And I think that really is our asymmetric advantage and our superpower.”
CISA’s Goldstein said that, as much as officials have rung the alarm about Volt Typhoon, the government also intends to trumpet its successes against the China-linked group.
“I do think that we will speak publicly about the progress that we are seeing in hardening and making more resilient critical infrastructure as we see it,” he said.
But even that “wouldn't fully ameliorate the U.S. government's grave concern.”
Martin Matishak is the senior cybersecurity reporter for The Record. Prior to joining Recorded Future News in 2021, he spent more than five years at Politico, where he covered digital and national security developments across Capitol Hill, the Pentagon and the U.S. intelligence community. He previously was a reporter at The Hill, National Journal Group and Inside Washington Publishers.