• China-backed hackers have had access to critical U.S. infrastructure for “at least five years,” with the long-term goal of launching “destructive” cyberattacks.
  • The agencies mark a “strategic shift” in Chinese-sponsored hacking away from intelligence gathering, toward preparing to disrupt military capabilities in the event of a major conflict or crisis.
  • Volt Typhoon has been exploiting vulnerabilities in routers, firewalls and VPNs to gain initial access to critical infrastructure across the country and, in some cases, the ability to tap into critical infrastructure operators’ camera surveillance systems.

According to a report released by Microsoft in May 2023, Volt Typhoon has been targeting and damaging critical infrastructure in the U.S. since at least mid-2021.

Potential dangers

A coalition of U.S. intelligence agencies said on February 7 that Chinese-backed hackers had access to critical U.S. infrastructure for “at least five years,” with the long-term goal of launching “damaging” cyberattacks.

The NSA, CISA and FBI said in a joint report released on Wednesday that Volt Typhoon, a hacking group backed by the Chinese government, has been breaking into the networks of aviation, rail, public transportation, highway, maritime, pipeline, water and sewage organizations, none of which were named. The goal, the agencies said, is to prepare for a devastating cyberattack.

The agencies mark a “strategic shift” from traditional cyber espionage or intelligence gathering by China-backed hackers, who are instead preparing to disrupt military capabilities in the event of a major conflict or crisis.


The report, co-signed by cybersecurity agencies in Britain, Australia, Canada and New Zealand, comes a week after FBI Director Christopher Wray issued a similar warning. Wray, speaking at a U.S. House of Representatives committee hearing on the cyber threat posed by China, called Volt Typhoon “the defining threat of our generation” and said the group’s goal was to “disrupt our military’s ability to mobilize” in the early stages of an expected conflict over Taiwan.

Crisis for Five Years

According to a technical advisory published on Wednesday, Volt Typhoon has been exploiting vulnerabilities in routers, firewalls and VPNs to gain initial access to critical infrastructure across the country. The advisory describes the kind of disruption this access could enable, for example “manipulating heating, ventilation, and air conditioning (HVAC) systems in server rooms, or disrupting critical energy and water controls, leading to major infrastructure failures.” In some cases, the Volt Typhoon hackers were able to gain access to the camera surveillance systems of critical infrastructure operators – though it’s unclear whether they did.

Volt Typhoon also uses “living off the land” techniques, in which an attacker relies on legitimate tools and features already present in a target system to maintain long-term, undetected persistence. The hackers also conducted “extensive pre-compromise reconnaissance” to avoid detection. “For example, in some cases, Volt Typhoon actors may avoid using compromised credentials outside normal business hours to avoid triggering a security alert for abnormal account activity,” the advisory said.
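The advisory’s point about business hours is that a simple off-hours alert is a control the group deliberately stays under. The following is an added example (not code from the advisory, the agencies or the article) of the kind of baseline check a defender would pair with an hours rule: it parses a few constructed authentication log lines, learns which source hosts each account normally logs on from during a baseline window, and then flags later events that are either outside assumed business hours or from a host the account has never used. The log format, the business-hours window and the account and host names are all assumptions made for the example.

```python
"""Flag authentication events that break an account's observed baseline.

Added example, not from the advisory or the article. Because an actor who
lives off the land may keep stolen-credential use inside business hours,
the off-hours rule is paired with a second signal: a logon from a source
host the account has not been seen on during the baseline window.
"""
from dataclasses import dataclass
from datetime import date, datetime, time
from typing import Dict, List, Set, Tuple

# Constructed sample lines (ISO timestamp, account, source host, action).
# 2024-01-08 is a Monday, so all of these fall on weekdays.
SAMPLE_LOG = """\
2024-01-08T09:12:03 alice ws-alice-01 logon
2024-01-08T10:40:19 bob ws-bob-07 logon
2024-01-09T08:55:41 alice ws-alice-01 logon
2024-01-09T14:02:10 bob ws-bob-07 logon
2024-01-10T11:30:00 alice fw-mgmt-02 logon
2024-01-10T02:17:44 bob ws-bob-07 logon
"""

# Assumed working hours for the organisation; tune these to the real schedule.
BUSINESS_START = time(8, 0)
BUSINESS_END = time(18, 0)


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    account: str
    source_host: str
    action: str


def parse_log(text: str) -> List[AuthEvent]:
    """Parse whitespace-separated log lines into AuthEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, host, action = line.split()
        events.append(AuthEvent(datetime.fromisoformat(ts), account, host, action))
    return events


def is_business_hours(ts: datetime) -> bool:
    """True on weekdays (Mon=0 .. Fri=4) inside the assumed working window."""
    return ts.weekday() < 5 and BUSINESS_START <= ts.time() < BUSINESS_END


def build_baseline(events: List[AuthEvent], until: date) -> Dict[str, Set[str]]:
    """Record the source hosts each account used on or before the cutoff date."""
    baseline: Dict[str, Set[str]] = {}
    for ev in events:
        if ev.ts.date() <= until:
            baseline.setdefault(ev.account, set()).add(ev.source_host)
    return baseline


def find_anomalies(events: List[AuthEvent], baseline: Dict[str, Set[str]],
                   after: date) -> List[Tuple[AuthEvent, str]]:
    """Evaluate events after the baseline window against both signals."""
    findings = []
    for ev in events:
        if ev.ts.date() <= after:
            continue
        if not is_business_hours(ev.ts):
            findings.append((ev, "off-hours logon"))
        if ev.source_host not in baseline.get(ev.account, set()):
            findings.append((ev, "source host not in account baseline"))
    return findings


def run_sample() -> List[Tuple[AuthEvent, str]]:
    """Baseline on the first two days of the sample, evaluate the third."""
    events = parse_log(SAMPLE_LOG)
    cutoff = date(2024, 1, 9)
    baseline = build_baseline(events, cutoff)
    return find_anomalies(events, baseline, cutoff)


if __name__ == "__main__":
    for ev, reason in run_sample():
        print(f"{ev.ts.isoformat()} {ev.account}@{ev.source_host}: {reason}")
```

On the sample, bob’s 02:17 logon is caught by the hours rule, while alice’s mid-morning logon from a firewall management host is caught only by the baseline rule; an actor keeping to business hours would evade the first check and still trip the second. In practice the baseline window would be weeks rather than two days, and the same per-account approach extends to other attributes the advisory calls out, such as which administrative tools an account normally runs.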

Volt Typhoon “is not the only Chinese state-backed cyber actor engaged in this type of activity,” the advisory said.

Last week, the FBI and the U.S. Department of Justice announced that they had disrupted the KV botnet run by Volt Typhoon, which had compromised routers in hundreds of small U.S. businesses and home offices. The FBI said it was able to remove the malware from the hijacked routers and cut them off from the Chinese government-backed hackers.