Here's How the FBI Stopped a Major Chinese Hacking CampaignFBI and CISA Detail Operation to Prevent China's Attacks on Critical Infrastructure
Federal authorities shut down attempts by a Chinese government hacking group to attack U.S. critical infrastructure through a malware campaign that gained unauthorized access to "hundreds" of personally owned routers, FBI Director Christopher Wray testified Wednesday.
The FBI conducted a court-authorized sting operation against the Chinese hacking group known as Volt Typhoon, which Wray said had targeted the U.S. electric grid, oil and natural gas pipelines, major transportation hubs and water treatment plants across the country (see: FBI and DOJ Disrupt Chinese Hacking Operation).
"They're not focused just on political and military targets," Wray told the House Select Committee on the Chinese Communist Party. "We can see from where they position themselves across civilian infrastructure that low blows aren't just a possibility in the event of conflict: Low blows against civilians are part of China's plan."
Wray said the FBI had carried out the operation alongside the Cybersecurity and Infrastructure Security Agency, the National Security Alliance and other federal cyber authorities. CISA issued a cybersecurity advisory about Volt Typhoon in May 2023 warning that the hacking group had been conducting operations that affect "networks across U.S. critical infrastructure sectors" (see: Chinese State Hacker 'Volt Typhoon' Targets Guam and US).
After gaining court authorization, Wray said, U.S. officials dismantled Volt Typhoon's malware from "hundreds" of victims' routers in homes and small businesses nationwide and then took steps to ensure the routers could not be reinfected with malicious software.
"The Volt Typhoon malware enabled China to hide, among other things, pre-operational, reconnaissance and network exploitation against critical infrastructure, like our communications, energy, transportation [and] water sectors - steps China was taking, in other words, to find and prepare to destroy or degrade the civilian critical infrastructure that keeps us safe and prosperous," Wray said."
Volt Typhoon's primary tactics involve using built-in network administration tools to evade endpoint detection while carrying out its operations, a technique known as "living off the land." CISA Director Jen Easterly, who also testified to the House select committee Wednesday, said federal agencies "found and eradicated" Chinese-linked cyber campaigns targeting a wide variety of sectors, including transportation, water and energy.
"They've elevated their ability to act like a system administrator so you really can't tell that it's a Chinese actor," Easterly told lawmakers about hackers linked to Beijing, adding that the U.S. must prepare for a major cyberattack in the event of a Chinese invasion of Taiwan.
"This is a world where a major crisis halfway across the planet could well endanger the lives of Americans here at home through the disruption of our pipelines, the severing of our telecommunications, the pollution of our water facilities [and] the crippling of our transportation modes," Easterly said, "all to ensure [China] can incite societal panic and chaos and deter our ability to marshal military might and civilian will."
In recent months, the White House held meetings with technology companies to request support for its efforts to track and shut down Volt Typhoon, according to a Reuters report published Monday. The news agency cited anonymous sources that said the hacking group had expanded its operations and changed its techniques after its campaign first came to light in May.
Wray also said the U.S. public should be prepared for possible widespread cyber incidents if China invades Taiwan.
"China's hackers are positioning on American infrastructure in preparation to wreak havoc and cause real-world harm to American citizens and communities, if or when China decides the time has come to strike," the FBI director said.