Apr 14, 2024 - Technology

China's attacks on U.S. infrastructure aren't going anywhere

Illustration of the flag of China as a chart with the stars creating a ripple effect

Illustration: Sarah Grillo/Axios

Nearly a year after the U.S. government first named and shamed an ongoing Chinese hacking campaign against American infrastructure, top cybersecurity leaders say the threat is still as palpable as ever.

Why it matters: China's Volt Typhoon group has displayed a persistence that's rare among nation-state hackers, experts say.

What they're saying: "Am I alarmed and do I have heartburn over what Volt Typhoon and what other Chinese actors are capable of doing? Yes, absolutely," Kemba Walden, the former acting national cyber director, said at last week's Verify conference outside San Francisco.

  • "They're motivated, they're creative," she added. "It tells me that we need to continue to focus on the basics."

Catch up quick: Last May, Microsoft and the National Security Agency publicly outlined how Volt Typhoon was stealthily lurking inside American infrastructure — in some cases, maintaining access to those networks for at least five years.

  • Officials have seen evidence of the group targeting electric grid operators, shipping ports and water systems, according to reports.

Threat level: But Volt Typhoon hasn't changed its behavior — even after a series of U.S. congressional hearings, advisories and botnet takedowns, Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency (CISA), told Politico late last month.

Between the lines: Volt Typhoon doesn't rely on sophisticated tactics to break into systems. It's just the group's persistence — paired with many infrastructure operators' lack of resources — that makes this threat unique, experts say.

  • Many of the tactics that Volt Typhoon uses to obfuscate its activities, gain access to a network, and maintain that access are relatively easy for any skilled hacker to do, Ben Read, director of Mandiant's cyber espionage analysis team, told Axios.
  • But clamping down on the activity requires a level of coordination among critical infrastructure operators that doesn't really exist.

Zoom in: For example, the overall U.S. water system has at least 150,000 individual systems, each run by different entities and individuals.

  • To keep Volt Typhoon out, each system operator would need to be able to prioritize software upgrades, password resets and other CISA advice.
  • Most of the country's 16 critical infrastructure sectors are similarly fragmented.

The big picture: American infrastructure has gotten caught up in an increasingly tense relationship between China and the U.S.

  • So long as the fears about Chinese espionage and a potential invasion of Taiwan exist, infrastructure operators will continue to be targets, Tom Pace, CEO of cyber firm NetRise, told Axios.
  • "This is normal nation-state, game-theory shenanigans," said Pace, who previously worked on cybersecurity at the Department of Energy.

Yes, but: David Scott, a special agent in the FBI's cyber division, said at the Verify conference that the country has made a "great deal of progress" in raising awareness across the private sector and in mitigating Volt Typhoon.

  • Rear Adm. Jason Tama, the incoming commander of the U.S. Coast Guard Cyber Command, added that the government's ability to talk openly about the operation has also helped in meetings with infrastructure operators.

The bottom line: Federal agencies recommend operators implement multifactor authentication, enable and regularly review network activity logs, and set up automated threat detection tools.

Go deeper: What to know about China's cyber threats

Go deeper