Image: Imkara Visual via Unsplash+

The FBI's Brett Leatherman gives the latest ‘Typhoon’ forecast

SAN FRANCISCO — The discovery that Chinese state-backed hackers had burrowed into U.S. critical infrastructure with the aim of causing mass disruption continues to reverberate nearly two years after the hacking group behind the attacks was first publicly disclosed.

Several similar entities have emerged since the group, known as Volt Typhoon, was unveiled by Microsoft and U.S. officials in May 2023. They range from Salt Typhoon, which broke into U.S. telecom firms in a sweeping espionage campaign, to Silk Typhoon, which breached the Treasury Department, to Flax Typhoon, which targeted Taiwan.

For the latest on where U.S. efforts against these groups stand, Recorded Future News sat down with Brett Leatherman, FBI deputy assistant director of cyber operations, at the RSA Conference on Tuesday.

This conversation has been edited for length and clarity.

Recorded Future News: In December, the Biden administration said nine firms had been breached by Salt Typhoon. Have more been identified?

Brett Leatherman: The number is still nine victims, minimum. We continue to work with a lot more telcos and companies where there may be suspected breaches. Attribution can be a tough thing; we are working with the companies to better understand the attribution.

We're working with international partners to understand the impact to Europe, and elsewhere, as well. And so we continue to look at Salt Typhoon activity. 

The FBI just sent a message asking for additional information from the public related to Salt Typhoon because we still are in the counter-Salt Typhoon phase.

RFN: What does ‘counter’ mean?

BL: Counter is, number one, provide substantial assistance to the victim. We're fully engaged with the victims still, in order to ensure that there's containment, that there remains containment in the environment, and that, as the victims continue to do their work with CISA, their third-party remediation companies, they're working towards eradication or some sort of assurance of eradication, kicking the actors out of the environment.

When you have telcos that are national organizations, and they have infrastructure around the country, that process takes time. Until they can assure eradication, the goal is to ensure containment. The telcos are being very diligent at ensuring that they're watching their environments for indications that the adversary starts to engage in any sort of increased activity, or any activity whatsoever. 

When it comes to countering, though, our goal is to also deter actors as well. There's deterrence through defense and there's deterrence through offense. On the defensive side it's working with the victims. From our perspective, Volt Typhoon and Flax Typhoon last year demonstrated FBI enforcement action with partners to provide some level of deterrence to the actors, leveraging lawful authorities.

RFN: Is there a timeline to end this particular phase?

BL: That's largely driven by the victims themselves, not by us. It's very individual to the victims, too, depending on how broad the impact is to their infrastructure. But they're working with some of the best companies out there that do remediation. The organizations themselves, the third-party remediators, they're all doing this in a very smart way. No timelines, but they continue to pressure the threat actors.

RFN: What is the latest assessment on Volt Typhoon?

BL: We continue to watch as Volt Typhoon, or similar groups out of the PRC, continue to leverage vulnerabilities in SOHO devices and end-of-life devices in order to amass proxy or obfuscation networks in support of similar activity targeting critical infrastructure.

The threat is always there. We don't see any sort of critical mass right now, like what we did with Volt Typhoon, but we are constantly working with our partners to understand where we might enter into a period of critical mass that we have to take some sort of action.

That said, Volt Typhoon, Flax Typhoon, Salt Typhoon, all these Typhoons, we continue to put intelligence out there via the joint cybersecurity advisories to help folks understand, ‘Let's not get to that critical mass. Take steps now to put relevant controls in place and to protect our devices so we don't get to that place.’

RFN: On Volt and Salt Typhoon, are they still in the networks?

BL: Volt Typhoon is still active. Salt Typhoon is still active. As far as being in the networks, for Salt Typhoon, that's a hard question for me to answer because the telcos themselves continue to look in those networks. The telcos have indicated to us, and publicly, that they've contained the actors. Until they've indicated they've eradicated them, there's a presumption they could still be in the networks.

For advanced persistent threats like the Typhoons, their goal is to establish persistence. They're very good. They're state actors who have tremendous money and resources behind them. Once they get into an environment, they don't want to rely on the vulnerability that got them in there all the time; they want to set up alternate ways to get in. That's what the companies and the threat mitigation firms are doing, trying to identify were there areas of persistence that they were able to obtain for later use and stay in the environment.

Our confidence right now is that we have eliminated their ability to have a substantial impact against United States critical infrastructure. But we do know that they continue to seek positions, not necessarily in critical infrastructure, but on end-of-life legacy devices. Our goal is to prevent them from getting to the point where they amass that kind of access.

RFN: After the indictments last month, have we seen the last of Silk Typhoon?

BL: We hope that we have seen the last of Silk Typhoon, but we're not confident we've seen the last of it.

The indictments were a goal to shine a light on what was happening. We use those opportunities to tell the world, ‘These actors are doing this, and it's important for this reason.’

At the same time we indicated that there was a company that was supportive of the PRC hacking efforts called I-Soon. I-Soon was part and parcel of what was happening related to Silk Typhoon. We're very public about that. We do know that I-Soon has likely been tremendously impacted by the outing of their information, both as a result of the GitHub leaks and then as a result of the FBI and joint interagency publications.

Our goal, when companies like I-Soon are engaged in hacking against the United States, is to remove revenue and other sorts of things that allow them to fuel the ability for them to hack us.

RFN: The Office of the Comptroller of the Currency notified Congress it had been breached. The office is part of the Treasury Department. Are the two hacks connected?

BL: Not one I can answer.

RFN: Are there other parts of the Treasury that may have been breached?

BL: We're still conducting that investigation into the targeting breaches of the Treasury right now.

Martin Matishak is the senior cybersecurity reporter for The Record. Prior to joining Recorded Future News in 2021, he spent more than five years at Politico, where he covered digital and national security developments across Capitol Hill, the Pentagon and the U.S. intelligence community. He previously was a reporter at The Hill, National Journal Group and Inside Washington Publishers.