Chinese hacking operations have entered a far more dangerous phase, US warns

China’s cyber activity is moving beyond the last decade’s spying and data theft toward direct attacks on U.S. critical infrastructure, the directors of the FBI, NSA, and the Cybersecurity and Infrastructure Security Agency told lawmakers Wednesday. 

The Volt Typhoon hacking group is planting malware on network routers and other internet-connected devices that, if triggered, could disrupt water, power, and rail services, possibly causing widespread chaos or even injuring and killing Americans, they said. 

While Russia is known for cyber attacks that cause real-world harm—for example, targeting U.S. political campaigns and Ukrainian power plants—China is viewed as far more risk-averse. It’s best known for cyber theft, of intellectual property or government information, such as the Office of Personnel Management hack uncovered in 2015. But Volt Typhoon, which Microsoft revealed last May, represents something far more threatening. 

At a meeting with reporters last week, a senior NSA official put the issue in starker terms. 

“They're in places that they are not there for intelligence purposes. They are not there for financial gain. Those are two hallmarks of Chinese intrusions in other sets and other lanes,” the official said. 

China is still undertaking those activities, “but this is unique in that it's prepositioning on critical infrastructure, on military networks, to be able to deliver effects at the time and place of their choosing so that they can disrupt our ability to support military activities or to distract us, to get us to focus on, you know, a domestic incident at a time when something's flaring up in a different part of the world and they don't want us facing the foreign aspects of that,” the official said.

FBI Director Christopher Wray underscored the seriousness to lawmakers on the House Select Committee on the CCP on Wednesday. 

“There has been far too little public focus on the fact that PRC hackers are targeting our critical infrastructure, our water treatment plants, our electrical grid, our oil and natural gas pipelines, our transportation systems, and the risk that poses to every American requires our attention. Now, China's hackers are positioning on American infrastructure, in preparation to wreak havoc and cause real-world harm to American citizens and communities,” Wray said.

CISA chief Jen Easterly told lawmakers that a cyber attack on infrastructure could cause massive disruption. 

“The Chinese government got a little bit of a taste of this in the aftermath of the [Russian-linked] ransomware attack on Colonial Pipeline, May of 2021, that shut down gas to the Eastern Seaboard for several days. Americans couldn't get to work. They couldn't take their kids to school, get folks to the hospital. It caused a bit of panic. Now, imagine that on a massive scale. Imagine not one pipeline, but many pipelines disrupted. Telecommunications going down so people can't use their cell phone. People start getting sick from polluted water. Trains get derailed, air traffic control systems, port control systems are malfunctioning,” she said.

Easterly said that escalation shows that China is preparing the digital landscape for possible military activity, a huge leap from simple espionage and data theft. 

“It is Chinese military doctrine to attempt to induce societal panic in their adversary,” she said. “This is truly an Everything Everywhere, All at Once scenario. And it's one where the Chinese government believes that it will likely crush American will for the U.S. to defend Taiwan in the event of a major conflict there.”

Gen. Paul Nakasone, the outgoing head of the NSA, told lawmakers that the targeting of critical infrastructure on Guam could affect U.S. military operations, describing the potential impact as “significant.” 

“We need to provide a series of different options that our commander in the Indo-Pacific region would want to respond with communications and ability to be able to leverage our most lethal weapon systems,” Nakasone said. 

The NSA official wouldn’t say whether Volt Typhoon shows that China has developed a higher tolerance for risk. 

“That is absolutely what we're trying to address. You can take away Volt Typhoon infrastructure, you can take away some of their tradecraft, but…they have a military need to do these things. They're going to come back and build new infrastructure. Find new tradecraft.”

U.S. national security leaders believe China is vulnerable to bad press and negative public opinion, more so than Russia. So the United States and other countries may be able to convince Chinese authorities that fostering groups like Volt Typhoon pose an unacceptable risk. 

“We have to get to the point where PRC leadership decides that the embarrassment in the international community of being caught at this, the horror of the international community that somebody would hold civilians at risk with cyber, is intolerable. So we have to change that decision calculus and alter the decision makers point of view,” the official said. 

Last year’s drama over the Chinese spy balloon shows that not every event linked to Chinese military activity represents the will of top leadership. Sometimes commanders undertake entrepreneurial operations and when those cause harm to public perception, higher authorities can step in to stop the behavior. 

“I don't think the people that ran that [balloon] operation really thought through the risk calculus,” the official said. “The people who made those decisions did not think through the policy implications at a sophisticated level.”

Wray also disclosed yesterday that the FBI, working with other partners, had identified “hundreds of routers that had been taken over” by the group.