U.S. officials said Wednesday they disrupted a state-backed Chinese effort to plant malware that could be used to damage civilian infrastructure, as the head of the FBI warned that Beijing is positioning itself to disrupt the daily lives of Americans if the United States and China ever go to war.
The operation, announced just before FBI Director Chris Wray addressed House lawmakers, disrupted a botnet of hundreds of U.S.-based small office and home routers owned by private citizens and companies that had been hijacked by the Chinese hackers to cover their tracks as they sowed the malware. Their ultimate targets included water treatment plants, the electrical grid and transportation systems across the United States.
Speaking before the House Select Committee on the Chinese Communist Party, Wray said there’s been far too little public focus on a cyber threat that affects “every American.”
“China’s hackers are positioning on American infrastructure in preparation to wreak havoc and cause real-world harm to American citizens and communities, if or when China decides the time has come to strike,” Wray said.
Jen Easterly, the director of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, voiced a similar sentiment at the hearing.
“This is a world where a major crisis halfway across the planet could well endanger the lives of Americans here at home through the disruption of our pipelines, the severing of our telecommunications, the pollution of our water facilities, the crippling of our transportation modes — all to ensure that they can incite societal panic and chaos and to deter our ability” to marshal a sufficient response, she said.
The comments align with assessments from outside cybersecurity firms including Microsoft, which said in May that state-backed Chinese hackers had been targeting U.S. critical infrastructure and could be laying the technical groundwork for the potential disruption of critical communications between the U.S. and Asia during future crises.
At least a portion of that operation, attributed to a group of hackers known as Volt Typhoon, has now been disrupted after FBI and Justice Department officials obtained search-and-seizure orders in Houston federal court in December. U.S. officials did not characterize the disruption’s impact, and court documents unsealed Wednesday say the disrupted botnet was just “one form of infrastructure used by Volt Typhoon to obfuscate their activity.” The hackers have infiltrated targets through multiple avenues, including cloud and internet providers, disguising themselves as normal traffic.
The U.S. has in the past few years become more aggressive in trying to disrupt and dismantle both criminal and state-backed cyber operations, with Wray warning Wednesday that Beijing-backed hackers aim to pilfer business secrets to advance the Chinese economy and steal personal information for foreign influence campaigns.
“They are doing all those things. They all feed up ultimately into their goal to supplant the U.S. as the world’s greatest superpower,” he said.
Complicating the threat is that state-backed hackers, especially Chinese and Russian, are good at adapting and finding new intrusion methods and avenues.
U.S. officials have long been concerned about such hackers hiding in U.S.-based infrastructure, and the end-of-life Cisco and NetGear routers exploited by Volt Typhoon were easy prey because they were no longer supported by their manufacturers with security updates. Because of the urgency, law enforcement officials said, U.S. cyber operators deleted the malware in those routers without notifying their owners directly — and added code to prevent re-infection.
A Justice Department official who briefed reporters on condition of anonymity under ground rules set by the government said officials were determined to disrupt the Volt Typhoon operation as soon as possible because the hackers were using the botnet as a stepping stone to hide in U.S. internet traffic while burrowing into the networks of critical infrastructure, ready to maliciously exploit that access at a time of their choosing.
“The truth is that Chinese cyber actors have taken advantage of very basic flaws in our technology,” Easterly said. “We’ve made it easy on them.”
Cybersecurity veteran Amit Yoran, the CEO of Tenable, called Wray’s warning “an urgent call to action. Continuing to turn a blind eye to the risk sitting inside our critical infrastructure is the definition of negligence.”
Cybersecurity experts say major software providers too often sacrifice security for convenience, and that’s biting back.
On the eve of a June visit to China by Secretary of State Antony Blinken, state-backed Chinese hackers foiled Microsoft cloud-based security in hacking the email of officials at multiple U.S. agencies that deal with China.
On Wednesday, U.S. officials said allies were also affected by Volt Typhoon’s critical infrastructure hacking but, asked by reporters, would not discuss any countermeasures they might be taking.
China has repeatedly denounced the U.S. government’s hacking allegations as baseless. Beijing has accused the U.S. of “almost daily” and “huge amounts of intrusions against Chinese government, with Wang Wenbin, a spokesman for the Chinese foreign ministry, saying last year that “China is the biggest victim of cyber attacks.”
But Gen. Paul Nakasone, the outgoing commander of U.S. Cyber Command and the National Security Agency, said “responsible cyber actors” do not target civilian infrastructure.
“There’s no reason for them to be in our water,” Nakasone said. “There’s no reason for them to be in our power.”
On Tuesday, testifying before the same committee, Leon Panetta, who served as the director of the Central Intelligence Agency and the defense secretary in the Obama administration, said he believed that the Chinese agents had “planted malware within our own computer networks” and warned that the Chinese government would use artificial intelligence to spread disinformation.
The committee, chaired by Republican Rep. Mike Gallagher of Wisconsin, was established last year with a mandate of countering China, kicking off with a prime-time hearing. The Chinese government has lashed out at the committee, demanding that its members “discard their ideological bias and zero-sum Cold War mentality.”
Related: China-Linked Volt Typhoon Hackers Possibly Targeting Australian, UK Governments
Related: Microsoft Catches Chinese .Gov Hackers Targeting US Critical Infrastructure
