In February 2024, we noted reporting by UnderstandingWar.org that China has been launching cyberattacks to degrade the ability of countries “to engage in military action against the PRC during a crisis,” such as perhaps a PRC attack on Taiwan.
US and foreign partner cybersecurity and intelligence agencies confirmed in a joint advisory on February 7 that a PRC state-sponsored cyber threat actor known as Volt Typhoon infiltrated critical infrastructure organizations in the continental United States and US territories. The authoring agencies assessed with high confidence that Volt Typhoon’s goal was to develop the capability to disrupt key operational technology.
Waiting for orders
According to an NBC News story also published in early February, federal agencies were reporting that Chinese hackers have “at times secretly hidden in U.S. infrastructure for up to five years, ready to conduct a potentially destructive cyberattack if the two countries were to go to war.”
The report doesn’t name any specific victims, but said the “PRC state-sponsored” hackers have targeted key infrastructure, “primarily in Communications, Energy, Transportation Systems, and Waste and Wastewater Systems Sectors—in the continental and non-continental United States and its territories.”
One characteristic of the campaign is how stealthy the hackers’ tactics are, making it difficult for owners of infrastructure companies to know they’ve been hacked. The report is the first public indication that China’s hackers have been working at the project for so long, or that they’ve gained access for so many years without being noticed.
A few months earlier, Monkton had cited a Washington Post story that stressed the preparatory nature of the intrusions lurking in many systems: infrastructure was not being hobbled yet (“China’s cyber intrusions have hit ports and utilities, officials say,” December 11, 2024):
None of the intrusions affected industrial control systems that operate pumps, pistons or any critical function, or caused a disruption, U.S. officials said. But they said the attention to Hawaii, which is home to the Pacific Fleet, and to at least one port as well as logistics centers suggests the Chinese military wants the ability to complicate U.S. efforts to ship troops and equipment to the region if a conflict breaks out over Taiwan.
These previously undisclosed details help fill out a picture of a cyber campaign dubbed Volt Typhoon, first detected about a year ago by the U.S. government, as the United States and China struggle to stabilize a relationship more antagonistic now than it has been in decades.
Steps to take
The Post story was a preview of the big report by the Cybersecurity & Infrastructure Security Agency published February 7, 2024, “PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure.”
In this report, the agency advised organizations to take the following steps “to mitigate Volt Typhoon activity”:
1. Apply patches for internet-facing systems. Prioritize patching critical vulnerabilities in appliances known to be frequently exploited by Volt Typhoon.
2. Implement phishing-resistant MFA [multifactor authentication].
3. Ensure logging is turned on for application, access, and security logs and store logs in a central system.
4. Plan “end of life” for technology beyond manufacturer’s supported lifecycle.
The Volt Typhoon intrusions are hard to detect and are not causing disruptions now. Also, the managers of utilities and other infrastructure may not be keeping up to date with CISA advisories, and may always have more visibly urgent matters to attend to. Presumably, though, certain systems, such as those mentioned in the Post report, are more strategically important and are receiving more scrutiny.
Since February, CISA has issued an Infrastructure Resilience Planning Framework to provide “a process and series of resources for incorporating critical infrastructure resilience considerations into planning activities” (March 25, 2024) and a guide to this Framework, a Playbook, that according to a CISA official articulates IRPF steps “with clear inputs and outputs” (July 17, 2024).
One of the Key Takeaways of the Playbook: “It is important to identify a Project Champion who can authorize time and resources for the planning effort and is invested in incorporating infrastructure resilience into planning. A strong champion can help generate buy-in, arrange resources as needed, and help coordinate stakeholder participation.”
Is the guidance and the lingo helping? Have many strong and invested Project Champions leapt into action? I guess we won’t know for sure unless and until China throws the switch and the disruptions start happening or not happening and get promptly fixed or not fixed.
Also see:
Cybersecurity & Infrastructure Security Agency: “PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure”