Top US agencies claim to have confirmed that China has planted cyber-intruders in American critical infrastructure. More alarmingly, they seem to believe these digital sleeper agents could have been placed years ago for deployment in a future military conflict.
The provocative statement was jointly made on February 7th by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the National Security Agency (NSA), and centers on a Chinese-backed cyber outfit known as Volt Typhoon.
It would appear to mark a doubling down by the US on its stance that China is the greatest long-term threat to American national interests – claims that the People’s Republic has denied.
“US authoring agencies have recently observed indications of Volt Typhoon actors maintaining access and footholds within some victim IT environments for at least five years,” said the FBI, CISA, and NSA in their statement.
They add that the Chinese-backed group members “conduct extensive pre-exploitation reconnaissance to learn about the target organization and its environment.”
This entails tailoring tactics to specific targets and maintaining a persistent presence within compromised systems long after a breach, the agencies added.
American targets selected by Volt Typhoon – aka Vanguard Panda and Bronze Silhouette – included critical infrastructure such as wastewater, communications, energy, and transport systems.
But rather than being motivated by espionage, as is often the case with suspected Chinese threat actors, Volt Typhoon agents appear to be biding their time to cause more tangible damage at a later date, the statement suggests.
“Volt Typhoon’s choice of targets and pattern of behavior is not consistent with traditional cyber espionage or intelligence-gathering operations,” the US agencies said, adding that they “assess with high confidence” that the group’s agents are “pre-positioning themselves on IT networks to enable lateral movement.”
Lateral movement occurs when a threat actor uses an initial breach point to reach other systems on a target’s network, extending the compromise well beyond the first foothold.
In the case of Volt Typhoon, the FBI and its co-authors have expressed a concern “about the potential for these actors to use their network access for disruptive effects in the event of potential geopolitical tensions and/or military conflicts.”
The agencies say they observed the group’s activities last May, prompting further investigation that led them to confirm the intrusions and assess that actors backed by China are preparing for “destructive or disruptive cyberattacks against US critical infrastructure in the event of a major crisis or conflict.”
The stark warning is merely the prelude to a more detailed report released by the three agencies and counter-signed by parallel security bodies in the UK, Canada, and Australia.
“This activity is part of a broader campaign in which Volt Typhoon actors have successfully infiltrated the networks of critical infrastructure organizations in the continental and non-continental United States and its territories,” the report said.
The methods of attack chosen by Volt Typhoon to gain an initial foothold in a target organization’s systems also include exploiting zero-day vulnerabilities – flaws that defenders were previously unaware of – in public-facing appliances such as routers, virtual private networks, and firewalls, as well as stealing admin credentials that have been poorly secured.
“After successfully gaining access to legitimate accounts, Volt Typhoon actors exhibit minimal activity within the compromised environment [...] suggesting their objective is to maintain persistence rather than immediate exploitation,” it added.