Any number given of Volt Typhoon victims ‘likely an underestimate,’ CISA says
SAN FRANCISCO – The government of China’s objective in deploying Volt Typhoon hackers to break into U.S. critical infrastructure is to “cause disruption and sow societal panic,” a senior cybersecurity official said Tuesday.
As China has increased its aggressiveness toward Taiwan, Volt Typhoon hackers have pre-positioned themselves in U.S. critical infrastructure in Guam and elsewhere with the intent of slowing any potential mobilization of forces. The Volt Typhoon campaign has set off an effort by the White House and other arms of the U.S. government to not only root out the hackers but also harden critical infrastructure.
In a roundtable on Tuesday at the RSA conference in San Francisco, Eric Goldstein, executive assistant director for cybersecurity at the Cybersecurity and Infrastructure Security Agency (CISA), explained that investigators have found the hackers using living-off-the-land techniques on targets “where there is no reasonable espionage benefit.”
When asked about the total number of Volt Typhoon victims, CISA Executive Director Brandon Wales said any number given “is likely an underestimate.”
“And that is, in part, based on the fact that Chinese targeting of our critical infrastructure is broad-based,” he said.
“It is not against the largest, most significant critical infrastructure in the United States. It is against a broad swath of small- and medium-sized companies that are potentially critical in individual supply chains or just capable of causing societal panic in some place around the country.”
The goal, Wales said, is to disrupt the flow of U.S. military support to allies and partners in Asia while also hampering American systems to affect the government’s “geopolitical decision making.”
Nathaniel Fick, the State Department’s ambassador-at-large for cyberspace and digital policy, told reporters this week that the issue of Volt Typhoon has been raised directly in talks with Chinese officials. Three weeks ago, China’s Foreign Ministry denied the country’s involvement with the Volt Typhoon campaign and said it is “actually an international ransomware group.”
So many U.S. agencies are hard at work addressing the Volt Typhoon intrusions because “it is highly likely that in the next war, the first shot will be fired in cyber,” Wales added, noting that actions in a conflict “could be based upon the intrusions that are happening today to pre-position capabilities that will cause disruption or destruction in the future.”
Officials with the FBI, National Security Agency (NSA) and Defense Department have repeatedly reiterated their concerns about Volt Typhoon this week in San Francisco.
Goldstein said several U.S. agencies are working with critical infrastructure organizations to detect Volt Typhoon activities and harden edge devices to make the hackers work harder. At a future date, he said, the government will speak publicly about the progress it has made in finding Volt Typhoon intrusions and resolving them.
Marine Corps Maj. Gen. Lorna Mahlock, commander of Cyber Command's elite Cyber National Mission Force, said during a panel discussion on Tuesday that while the concerns about Volt Typhoon are warranted, people should know that the U.S. is not intimidated by the discoveries.
“I would offer that the adversary's not 10-foot-tall, and collectively we are not in the corner in the fetal position with an abacus,” Mahlock said. “We've got our industry partners who are thinking deliberately and really creatively about the threats that are out there. And I think that really is our asymmetric advantage and our superpower.”
Port of Houston
Morgan Adamski, the next executive director of United States Cyber Command, outlined how Volt Typhoon activity was first discovered beginning around August 2021 — starting with the exploitation of the Pulse Secure VPN product, which is owned by IT giant Ivanti.
The initial discovery involved the compromise of systems at the Port of Houston and immediately tipped off investigators because it was a different brand of nation-state activity. Over the next two years, U.S. agencies gathered troves of data on the group’s tactics.
But they faced difficulties because of the hackers’ skills and penchant for covert actions.
“Because it is an activity where you're pre-positioning on the most critical infrastructure, you're not seeing large amounts of data leaving the network,” she said, explaining that the hackers often went undetected because they only took minor actions every month or two.
“It's very difficult for you to find the adversary if you don't have logs to go back that far,” she said.
By 2023, U.S. officials were able to put together a hunt guide based on previous incidents that allowed owners and operators of critical infrastructure to search their systems for evidence of compromise.
The FBI and CISA worked with sector risk management agencies to do outreach to each sector about Volt Typhoon.
CISA’s Andrew Scott said multiple teams were deployed across dozens of sectors to provide assistance, but the work became easier and faster over time as officials discovered common patterns of behavior.
“You have a PRC actor in Beijing or Shanghai whose mission in life is to gain access to critical infrastructure in the United States. The first stop is these authentication networks that we're talking about, all the different ways to hide the noise and build out the command and control infrastructure necessary to harden access,” Scott said.
“At that point, they are compromising edge devices, virtual private servers, email gateways, routers, these sorts of things that are external parts of your networks that are highly, highly permissible and set up in a way that once you have access to them, you then have access to the network.”
Scott added that the hackers were typically focused on stealing credentials that would allow them persistent access — often coming back to the same place to steal new credentials just in case.
Cynthia Kaiser, deputy assistant director of the FBI’s cyber division, said Volt Typhoon actors are adept at moving laterally through networks, often identifying links between networks that victim organizations believed were segmented from each other.
The hackers are able to find the common point between networks and bridge them. In some cases this bridge was a single administrator with access to both networks.
Kaiser noted that they are still getting more tips from victim organizations, but the task has been difficult because even organizations that found no evidence of compromise may not be in the clear.
She described several somewhat awkward victim engagements where organizations did not know who had access to their security products, or even when their security tools had last been checked.
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.
Martin Matishak is the senior cybersecurity reporter for The Record. Prior to joining Recorded Future News in 2021, he spent more than five years at Politico, where he covered digital and national security developments across Capitol Hill, the Pentagon and the U.S. intelligence community. He previously was a reporter at The Hill, National Journal Group and Inside Washington Publishers.