A U.S. law enforcement operation in December disrupted a botnet of hundreds of routers operated by Chinese nation-state actors. The campaign has raised concerns about potentially destructive cyberattacks from the country.
The Department of Justice (DOJ) announced Wednesday that a Chinese state-sponsored group known as Volt Typhoon utilized hundreds of privately owned, U.S.-based small office/home office (SOHO) routers infected with a botnet malware "to conceal the PRC origin of further hacking activities directed against U.S. and other foreign victims." The activity primarily targeted entities in the critical infrastructure sector.
"The court-authorized operation deleted the KV Botnet malware from the routers and took additional steps to sever their connection to the botnet, such as blocking communications with other devices used to control the botnet," the press release read. The primary devices hijacked, the DOJ said, were end-of-life Cisco and Netgear routers that no longer received updates.
The law enforcement operation that led to the takedown, the DOJ said, was court authorized in December and led by the FBI Houston Field Office and Cyber Division, U.S. Attorney's Office for the Southern District of Texas and the National Security Cyber Section of the Justice Department's National Security Division.
Reuters first reported the disruption of the Chinese hacking campaign Monday. U.S. agencies have previously tracked and disclosed threat activity from Volt Typhoon, which has been active since mid-2021. Last spring, Microsoft published a report on Volt Typhoon's targeting of critical infrastructure organizations in Guam and the U.S. While the threat group usually engaged in cyber espionage, the tech giant warned that Volt Typhoon's goals might have changed.
"Microsoft assesses with moderate confidence that this Volt Typhoon campaign is pursuing development of capabilities that could disrupt critical communications infrastructure between the United States and Asia region during future crises," Microsoft said.
The detection and disruption of the KV botnet has stoked additional concerns within the U.S. government. During a Wednesday hearing before the House Select Committee on Strategic Competition Between the United States and the Chinese Communist Party regarding the takedown, CISA Director Jen Easterly testified about the threat posed by the recent Chinese cyber activity.
"Chinese cyber actors, including a group known as Volt Typhoon, are burrowing deep into our critical infrastructure to be ready to launch destructive cyber-attacks in the event of a major crisis or conflict with the United States," Easterly said in her opening statement. "This is a world where a major conflict halfway around the globe might well endanger the American people here at home through the disruption of our gas pipelines; the pollution of our water facilities; the severing of our telecommunications; the crippling of our transportation systems -- all designed to incite chaos and panic across our country and deter our ability to marshal military might and citizen will."
FBI Director Christopher Wray made similar remarks in his opening statement and said Chinese hacking operations posed enormous risk to U.S. civilian critical infrastructure.
"The Volt Typhoon malware enabled China to hide, among other things, pre-operational reconnaissance and network exploitation against critical infrastructure like our communications, energy, transportation, and water sectors," Wray said. "Steps China was taking, in other words, to find and prepare to destroy or degrade the civilian critical infrastructure that keeps us safe and prosperous. And let's be clear: Cyber threats to our critical infrastructure represent real-world threats to our physical safety."
In a CISA cybersecurity advisory from May that offered additional technical insights into Volt Typhoon, the agency said the nation-state threat group used living-off-the-land techniques, meaning the group relies on built-in network administration tools such as PowerShell, wmic, and ntdsutil rather than custom malware in order to evade endpoint detection and response (EDR) products.
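As an added illustration of the detection side of that advisory (example code, not from the article, CISA or any vendor named here; the tool list, regex patterns, hostnames and sample events are assumptions), a small triage script that scores constructed Windows process-creation events for those built-in tools:

```python
# Added example, not from the article or CISA: scores Windows process-creation
# events (Security 4688-style, modelled as dicts) for the built-in admin tools
# the advisory names. Tool list and patterns are assumptions for illustration.
import re

# Command-line patterns that turn a routine admin invocation into a high-severity hit.
LOTL_TOOLS = {
    "ntdsutil.exe": [r"\bifm\b", r"ac\s+i\s+ntds"],       # AD database (NTDS.dit) export
    "wmic.exe": [r"process\s+call\s+create", r"/node:"],  # remote execution / recon
    "powershell.exe": [r"-enc(odedcommand)?\b", r"-nop\b", r"-w\s+hidden"],
}

def score_event(event):
    """Return (severity, reason): 0 = not watched, 1 = tool ran, 2 = suspicious args."""
    image = event.get("image", "").lower().rsplit("\\", 1)[-1]
    patterns = LOTL_TOOLS.get(image)
    if patterns is None:
        return 0, "not a watched tool"
    for pat in patterns:
        if re.search(pat, event.get("cmdline", ""), re.IGNORECASE):
            return 2, f"{image}: matched {pat!r}"
    return 1, f"{image}: built-in admin tool executed"

def triage(events, min_severity=1):
    """Return (severity, host, reason) findings at or above min_severity, most severe first."""
    findings = []
    for ev in events:
        sev, reason = score_event(ev)
        if sev >= min_severity:
            findings.append((sev, ev.get("host", "?"), reason))
    return sorted(findings, key=lambda f: -f[0])

# Constructed sample events; hostnames and paths are made up.
SAMPLE_EVENTS = [
    {"host": "dc01", "image": r"C:\Windows\System32\ntdsutil.exe",
     "cmdline": 'ntdsutil "ac i ntds" "ifm" q q'},
    {"host": "ws07", "image": r"C:\Windows\System32\wbem\wmic.exe",
     "cmdline": "wmic /node:fileserver process call create cmd.exe"},
    {"host": "ws07", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Get-Service"},
    {"host": "ws09", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
]

if __name__ == "__main__":
    for sev, host, reason in triage(SAMPLE_EVENTS):
        print(sev, host, reason)
```

Severity 1 hits are routine on most hosts, so in practice they are only worth alerting on when correlated with the host role (for example, ntdsutil outside a domain controller) or an unusual parent process.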
The agency also published a resource guide on Wednesday with secure by design recommendations for SOHO router manufacturers. In addition to eliminating "exploitable defects," CISA urged manufacturers to adjust default configurations to enable automatic updates and require manual overrides to change security settings.
Despite the concerns over Chinese hacking operations, Sandra Joyce, vice president of Mandiant Intelligence at Google Cloud, expressed optimism about the fight against Volt Typhoon.
"Volt Typhoon's purpose was to dig in quietly for a contingency without drawing attention to itself. Fortunately, Volt Typhoon has not gone unnoticed. And even though the hunt is challenging, we are already adapting to improve collecting intelligence and thwart this actor. We see them coming, we know how to identify them, and most importantly we know how to harden the networks they are targeting," she said in a statement shared with TechTarget Editorial.
TechTarget Editorial contacted the FBI for additional comment.
Alexander Culafi is an information security news writer, journalist and podcaster based in Boston.