The People’s Republic of China is accelerating the development of its military capabilities – including cyber operations – because it believes it will be necessary to deter and confront the United States, US officials said yesterday.
And indeed, China-linked cyber attackers have increasingly focused on critical infrastructure systems, particularly as part of a campaign by Beijing to prepare for a broader conflict – a marked shift in strategy by China, experts said. For example, the highly active Volt Typhoon group (also known as Bronze Silhouette and Vanguard Panda) has been conducting attacks against the US government and defense contractors since at least 2021, but since last May it has been recognized as a threat to critical infrastructure and military bases. In fact, it is seen as such a clear threat that it was recently disrupted by the US government and private sector companies, officials said this week.
“Over the past two years, we have become increasingly concerned about a strategic shift in the PRC’s malicious cyber activity against US critical infrastructure,” said Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency (CISA) at the US Department of Homeland Security, in written testimony on January 31 to the US House of Representatives Select Committee on Strategic Competition between the United States and the Chinese Communist Party.
She added: “We are deeply concerned that PRC actors – particularly a group referred to in industry reports as Volt Typhoon – are trying to compromise US critical infrastructure to prepare disruptive or destructive cyberattacks against such infrastructure in the event of conflict, to prevent the United States from projecting power into Asia, or to cause social chaos within the United States.”
China is the “defining cyber threat of this era”
Cyberattacks by China-linked groups have been a standard feature of the past two decades. In most cases, however, the attacks were either attempts by cybercriminals seeking profit or espionage operations aimed at stealing government secrets and corporate intellectual property. The infamous Chinese cyber espionage group APT1, for example, is a team run by the People’s Liberation Army, details of which were first published by Mandiant in 2013.
And while Chinese hackers continue to steal data, commit cybercrimes and target dissidents, industry sources confirm the shift toward disruption readiness reported by the U.S. government.
“I think given the volume, it seems like a shift in strategy,” says Chris Wysopal, CTO at software security company Veracode. “The main theme has always been ‘they’re stealing our intellectual property,’ but those days are over – it’s so much more.”
As for targets, China’s advanced persistent threats (APTs) are preparing to “cripple vital assets and systems” in the event that China invades Taiwan, or in response to ongoing economic and trade tensions in the South China Sea, FBI Director Christopher Wray said in written testimony to the House Select Committee on the CCP, citing assessments from the U.S. intelligence community.
“The People’s Republic of China represents the defining threat of this era,” he said. “There is no country that presents a broader and more global threat to our ideas, our innovation, our economic security and, ultimately, our national security. … The PRC uses all means at its disposal to impact our economic security: blending cyber capabilities, human intelligence, corporate transactions, and other means to attack and exploit U.S. companies to advance its own economic growth, national power, and military capability.”
Wray also used the testimony to argue for the FBI’s budget and foreign surveillance powers. Any reduction in the FBI’s budget would harm the agency’s ability to monitor and thwart preparatory attacks by Chinese actors, he said.
“Even if the FBI focused all of its cyber agents and intelligence analysts on the PRC threat, PRC-backed cyber threat actors would still outnumber FBI cyber personnel at least 50 to one,” Wray said. “They are attempting multiple cyber operations every day in the domestic Internet space, where only the FBI has the authorities to monitor and disrupt.”
Industrial cyber attacks are becoming increasingly difficult to detect
A key tactical component of China’s latest cyberattacks on critical infrastructure has been the compromise of small office and home office (SOHO) routers; attackers, including Volt Typhoon, then use such compromised devices to obscure the source of subsequent attacks. The focus on small business routers has once again highlighted that unmanaged technologies have become a national security concern. Of the 34 router vulnerabilities currently in CISA’s Known Exploited Vulnerabilities (KEV) catalog, nine appear to have no patches available from manufacturers, Veracode’s Wysopal noted.
“So that’s pretty telling: Over 25% of the routers that are being actively attacked don’t even have patches,” he says. “This is the state-of-the-art situation in small offices and homes, but I imagine the same thing is happening in the corporate world with all those different edge devices and VPN devices.”
Furthermore, rather than using malware, attackers often use built-in system administration tools to hide their attacks within legitimate activity, a tactic known as “living off the land.” According to officials, disguising offensive cyber actions as legitimate administrative activity has made the attacks much harder to detect.
Overall, US tech companies and their customers – both businesses and individuals – need to take stock of how their use of technology, and their failure to maintain that technology, may be contributing to the threat to critical infrastructure, says Lisa Plaggemier, executive director of the National Cybersecurity Alliance, a nonprofit cybersecurity education and awareness organization.
The fact that attackers are taking control of small businesses’ routers “should be disturbing if they’re a small business or an individual,” she says. “It should be a wake-up call that there are things [for which] you have responsibilities and you need to be knowledgeable about how to use technology.”