Volt Typhoon not the only Chinese crew lurking in US energy, critical networks

Volt Typhoon isn’t the only Chinese spying crew infiltrating computer networks in America’s energy sector and other critical organizations with the aim of wrecking equipment and causing other headaches, the US government has said.

This warning came within hours of Uncle Sam earlier today confirming Volt Typhoon had compromised “multiple” IT environments across communications, energy, transportation, water, and wastewater processing sectors in the United States. American officials said China’s cyberspies were able to avoid detection and snoop around those networks, in some cases for up to five years. There is a fear that President Xi has instructed agents to sneak into America’s key civil systems and lie in wait to steal data and trigger disruption to vital services and supply lines as needed.

“This stealthy access increases our concern that they are lurking, waiting for the right moment to cause devastating impact,” said Cynthia Kaiser, deputy assistant director for the FBI’s cybersecurity division, on a call with journalists Wednesday afternoon.

The Chinese snoops were seeking access to, and information about, organizations’ operational technology, either to pre-position themselves inside those OT systems or to gather the intelligence needed for future cyberattacks against them, she added.

Last week, the FBI said it obtained search warrants and issued a remote kill command to wipe Volt Typhoon’s botnet after the gang infected hundreds of end-of-life routers with backdoor malware to break into critical infrastructure networks.

“But perhaps even more concerning is that Volt Typhoon is certainly not the only Chinese group conducting this type of activity,” Kaiser noted. She declined to identify the other Beijing-backed gangs that have been found burrowing into US critical infrastructure.

The US Department of Energy’s Mara Winn echoed this assessment, and noted that DOE has been working with energy system owners and operators “over the last several months” to detect compromised systems and stamp out the intruders.

“Our assessment is that the threat is actively positioning itself on critical infrastructure IT networks with the explicit goal of being able to disrupt the functioning of operational technology,” said Winn, the deputy director for preparedness, policy, and risk assessment in the DOE’s Office of Cybersecurity, Energy Security, and Emergency Response.

In the Feds’ Wednesday warning, officials emphasized the importance of identity management for critical infrastructure owners and operators. This includes implementing phishing-resistant multi-factor authentication (MFA).

“What we see is these actors stealing administrative credentials and using those credentials to maintain persistent access to the network,” CISA Executive Assistant Director for Cybersecurity Eric Goldstein said on the call with reporters.

“Those credentials allow the PRC to conduct any activity that those administrators would be able to conduct on the network, whether that’s deleting information off the network, whether that’s changing credentials for other users, or other kinds of activities,” he added.

This is especially concerning given Volt Typhoon’s interest in OT systems, according to John Hultquist, chief analyst at Google Cloud’s Mandiant Intelligence. “OT systems could be manipulated to cause major shutdowns of essential services, or even to create dangerous conditions,” he told The Register.

“Evidence of forays into OT systems justify our concerns that the actor is a serious threat,” Hultquist added. “If there was any skepticism as to why this actor was carrying out these intrusions, this revelation should put it to rest.”

Presumably the concept of infiltrating and backdooring foreign critical infrastructure just in case has not escaped the bright minds at the Pentagon either. ®