FBI director Christopher Wray, CISA director Jen Easterly and others addressed the House last week and had some heartening new information about the blow struck to Volt Typhoon, an operation that was first reported to the media anonymously. However, it was accompanied by a warning that brought the proceeding straight back to Earth: not only are Chinese hackers still highly active, they are most likely still capable of attacking critical infrastructure and are not about to ease up on their attempts.
“Plan” for Chinese hackers is to maintain ability to destroy critical infrastructure
The Chinese hackers' plan appears to focus on the critical infrastructure that supports military installations, but Wray warns that these groups are also likely to mount broader attacks aimed at causing chaos in the lives of US civilians. Their hope would be that power and internet outages would reduce public support for the US fighting to defend Taiwan in the scenario of a Chinese military invasion.
These outages could well be more than just an inconvenience: critical infrastructure attacks can result in loss of life. There have already been several instances of ransomware hitting a hospital and causing related injury or even death, and those cases involved criminals attacking in a more indiscriminate way. Disgruntled former employees have also made attempts against water systems to which they retained remote access, with a combination of mechanical failsafes and diligent on-site workers preventing water supplies from being tainted with dangerous levels of cleaning chemicals.
The US does not appear to have plans to respond in kind as various speakers characterized the Chinese hackers as “irresponsible” and engaging in “low blows” by targeting civilians, among other descriptors. China has repeatedly denied involvement in any of this hacking and has claimed that the whole thing is a propaganda exercise by the US and its allies.
Volt Typhoon dealt a blow, but Chinese hackers still pursuing US targets
Wray said that the agency had broken up a botnet of home and small office routers that the Chinese hackers were using; prior information from the anonymous officials indicates that the botnet was used to mask the attackers' traffic by making it look like ordinary residential traffic. That does not mean the group is broken up or has been entirely evicted from critical infrastructure, however, and there are numerous other state-backed threat actors working at the same task.
Volt Typhoon was preying on specific end-of-life models of Cisco and Netgear routers with known vulnerabilities, models that really just need to be removed from circulation at this point. Wray said the FBI accessed the compromised routers to wrest them from the Chinese hackers and somehow safeguard them against future attacks, something that is very rarely done without notifying owners in advance.
Easterly used the briefing and this incident to reiterate the importance of lawmakers pushing device manufacturers to ensure that their products are up to security standards when they hit store shelves. Wray again noted that state-sponsored Chinese hackers badly outnumber the FBI’s defensive teams, by a count of 50 to 1, and that the agency is on a pace of opening about two new counterintelligence cases involving the country every day.