China-backed hackers have been infiltrating major U.S. critical infrastructure sectors for “at least five years,” an intelligence advisory revealed today. This campaign, detailed by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the NSA, and the FBI, underscores a bold shift in China’s cyber operations strategy, extending beyond traditional espionage to potentially seizing control of vital U.S. systems.
The advisory sheds light on the activities of the China-associated hacking group, Volt Typhoon, which has systematically targeted and gained prolonged access to networks within critical sectors, including water, transportation, energy, and communications. By exploiting vulnerabilities in routers, firewalls, and VPNs, and leveraging stolen administrator credentials, Volt Typhoon has not only infiltrated but also maintained its foothold within these essential systems for years.
One alarming capability of Volt Typhoon is its control over surveillance camera systems of some victims, which, combined with its sustained network access, could enable the group to disrupt critical controls in energy and water facilities. The use of “living off the land” techniques by the group — utilizing built-in tools to minimize detection — further complicates efforts to identify and mitigate these threats.
International concerns and defensive measures
The advisory, which also drew contributions from authorities in Canada, Australia, and New Zealand, highlights a growing international concern over China’s cyber activities. The collaborative warning points to a broader pattern of targeting by China, not limited to the U.S. but extending to other allied nations as well.
This revelation comes amid heightened U.S. apprehensions that China might initiate destructive cyberattacks in the context of escalating tensions over Taiwan. Previous alerts from Microsoft and the U.S. government have indicated Volt Typhoon’s strategic positioning to attack U.S. infrastructure, including water utilities and ports. Although recent efforts have thwarted the group’s immediate access, officials caution that Volt Typhoon remains determined to find alternative entry points.
The advisory underscores the systemic vulnerabilities plaguing U.S. critical infrastructure, from inadequate password management and security update protocols to financial constraints hindering security improvements in sectors like water systems. Legal obstacles have further impeded government efforts to mandate cybersecurity audits.
In response to these China-backed hackers, U.S. cyber defense agencies are urging infrastructure operators to strengthen their security postures. Recommended measures include applying software updates to all internet-facing systems, enabling multi-factor authentication, and activating activity logs to monitor for suspicious behavior.
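Two of the behaviors described above, a single stolen administrator credential being used across many hosts and built-in system tools being run where they normally are not, can be surfaced from the very activity logs the agencies recommend enabling. The following Python script is an added example and is not part of the advisory or of any CISA, NSA or FBI tooling; the log line format, the sample log lines, the `LOTL_WATCHLIST` of commonly abused built-in utilities, the `EXPECTED_ADMIN_TOOL_USERS` set, and the thresholds are all assumptions constructed for illustration and would need tuning to a real environment.

```python
"""Defender-side detections over constructed authentication/process logs.

Assumed log line format (constructed for this example, not a real product format):
    <ISO-8601 timestamp> host=<hostname> user=<account> event=<login|process> [src=<ip>] [cmd="<path>"]
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Built-in Windows utilities often seen in living-off-the-land activity.
# This watchlist is an assumption for the example; tune it per environment.
LOTL_WATCHLIST = {"ntdsutil.exe", "wmic.exe", "netsh.exe", "powershell.exe", "vssadmin.exe"}

# Accounts expected to run administrative tooling (assumed for the example).
EXPECTED_ADMIN_TOOL_USERS = {"svc-backup"}

# Constructed sample log; the hosts, users and addresses are invented.
SAMPLE_LOG = """\
2024-02-07T03:10:02Z host=ws-101 user=jdoe event=login src=10.1.1.20
2024-02-07T03:12:44Z host=srv-file user=admin event=login src=10.1.1.77
2024-02-07T03:15:10Z host=srv-dc1 user=admin event=login src=10.1.1.77
2024-02-07T03:18:31Z host=srv-scada-hmi user=admin event=login src=10.1.1.77
2024-02-07T03:20:05Z host=srv-hist user=admin event=login src=10.1.1.77
2024-02-07T03:21:00Z host=srv-dc1 user=admin event=process cmd="C:\\Windows\\System32\\ntdsutil.exe"
2024-02-07T02:00:00Z host=srv-backup user=svc-backup event=process cmd="vssadmin.exe"
2024-02-07T09:00:00Z host=ws-101 user=jdoe event=process cmd="notepad.exe"
"""


def parse_events(lines):
    """Parse key=value log lines into dicts with a timezone-aware 'ts' datetime."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines rather than failing the whole run
        fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("kv"))}
        fields["ts"] = datetime.fromisoformat(m.group("ts").replace("Z", "+00:00"))
        events.append(fields)
    return events


def detect_credential_spread(events, max_hosts=3, window=timedelta(hours=1)):
    """Flag accounts that log in to more than max_hosts distinct hosts within window.

    Returns {user: sorted list of hosts} for each account that trips the threshold.
    """
    logins = defaultdict(list)
    for e in events:
        if e.get("event") == "login":
            logins[e["user"]].append((e["ts"], e["host"]))
    findings = {}
    for user, items in logins.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            hosts = {h for t, h in items[i:] if t - start <= window}
            if len(hosts) > max_hosts:
                findings[user] = sorted(hosts)
                break
    return findings


def detect_lotl_usage(events):
    """Flag watchlisted built-in tools executed by accounts not expected to run them."""
    hits = []
    for e in events:
        if e.get("event") != "process" or not e.get("cmd"):
            continue
        binary = e["cmd"].split()[0].lower().rsplit("\\", 1)[-1]  # strip path, keep file name
        if binary in LOTL_WATCHLIST and e["user"] not in EXPECTED_ADMIN_TOOL_USERS:
            hits.append((e["ts"].isoformat(), e["host"], e["user"], binary))
    return hits


def run_detections(log_text):
    """Run both detections over raw log text and return their findings together."""
    events = parse_events(log_text.splitlines())
    return {
        "credential_spread": detect_credential_spread(events),
        "lotl": detect_lotl_usage(events),
    }


if __name__ == "__main__":
    for name, result in run_detections(SAMPLE_LOG).items():
        print(name, result)
```

Both detections are deliberately simple and produce review leads, not verdicts: the host-count threshold will need raising for accounts that legitimately administer many machines, and the watchlist check is only meaningful once the accounts that routinely run those utilities have been enumerated and excluded.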