What Could Cyber Attacks Like China’s Volt Typhoon Do With Emplaced Malware?

A hacker uses his computer in Dongguan, in China's southern Guangdong Province, on Aug. 4, 2020. (Nicolas Asfouri/AFP via Getty Images)
John Mills
8/9/2023
Updated: 8/27/2023
Commentary
When public reports began in May about Chinese malware in Guam, the Chinese cyber intrusion was characterized as being detected and caught by Microsoft. The description was that the Chinese malware was targeting “critical infrastructure organizations” and “siphoning” data.
A Chinese state-sponsored group was the announced culprit, and one U.S. official said this was “part of a larger Chinese intelligence collection system.” The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency released an advisory with perhaps a new cybersecurity buzz phrase of “living off the land.” One article posited whether this event signaled preparation for a Chinese attack. Still, the expert who was interviewed seemed at least partially dismissive of the thought.
The story resurfaced again in late July in a more concerning context. The term “military networks” was being used as the target of the Chinese malware, the concern was worldwide (not just in Guam), and the United States was hunting for the malware that “could disrupt American military operations” (instead of just siphoning data).
Coinciding with the identification of a China-linked cyberespionage campaign that Microsoft nicknamed Volt Typhoon, the United States passed its 2023 National Defense Authorization Act (NDAA) Section 1088, which directs a National Tabletop Exercise to assess “the resilience of domestic critical infrastructure and logistical chokepoints necessary for the United States Armed Forces to respond to a contingency involving Taiwan.” The operative question is, what damage can Volt Typhoon inflict upon U.S. critical infrastructure if preparations for conflict became real?

Disruption of Shipyards and Ports

The U.S. Navy is already in a state of crisis over shipbuilding, and despite the alarm bells, it seems to be inexplicably going in the opposite direction. One great need is floating drydocks, large submergible platforms that can raise and lower a ship into the water for repair and construction. Currently, there are only a small number of large floating drydocks (larger than 20,000-ton lift) in existence. There’s the Vigorous in Portland; the Speede and the Titan in Norfolk, Virginia; the Pride of California in San Diego; the Evolution in Seattle; and Dry Dock #2 in San Francisco. The Vigorous, the Pride of California, and the Evolution were built in China. Two key shipyards, Bath Ironworks in Maine and Huntington in Mississippi, can’t launch ships without custom-built floating drydocks for their yards, one of which was made in China.
This isn’t a good situation. If American covert operators could implant technical characteristics in the control systems of a Siberian pipeline in 1982 and destroy it on command, who’s to say that these Chinese floating drydocks don’t have a built-in nefarious feature? The Chinese read and study all public-facing aspects of American intelligence and military operations and then replay them. These floating drydocks don’t need to explode; they just improperly fill or flood at the wrong moment, which could potentially capsize the entire drydock and the ships it’s holding. This mess could be a year-long salvage effort to clean up and place the drydock and ships back in operational status.
Where are these drydocks made? Many are made by Zhenhua Heavy Industries of Shanghai, the same company that dominates the container crane market and has been the center of concern for “spy cranes.” Zhenhua’s yard is next to Jiangnan Shipyard, where China’s aircraft carriers are made—civil-military fusion lined up in one place.

Degradation of Radars and Air Situational Awareness

The insertion of malware could disable or blind a radar or the entire combined air situational picture over a region. The disruption of radars was discussed in 2013 regarding possible American air operations in Syria by an experienced Israeli cyber operator. The Israeli was talking from a position of firsthand knowledge. It appears possible that a few years earlier, malware was emplaced to blind and degrade the Syrian air defense network and associated radars during Israel’s Operation Orchard/Outside the Box to destroy the secret Al-Kibar nuclear facility engaged in the research, development, and production of nuclear weapons. The attack was successful and also eliminated a number of the Syrian and North Korean specialists working at the facility.
As previously stated, the Chinese study these events with great passion and energy, and it’s unlikely that they missed the 2007 operation in Syria. The Chinese may very well replay this if they initiate kinetic matters in the western Pacific. It should be presumed that they'll attempt the same degradation of Allied sensors and missile defenses ashore in Guam and other places as well as the surveillance radars on ships. Ultimately, these data sources are integrated at regional command centers, and disrupting the common operational picture will likely be a prized goal of Chinese cyber operations through Volt Typhoon.

Shutting Down Power and Water Servicing Military Bases

Not well understood is that American military installations heavily depend on the power, water, and sewage systems of neighboring countries and cities. The pervasive nature of Chinese information technologies such as Huawei is present among servers in the administrative networks and industrial control systems used to manage these critical infrastructures. The loss of power would mean the loss of air conditioning systems at military installation facilities with extensive computer server racks. The loss of air conditioning would rapidly render these facilities and the systems they support inoperable.
When Target Corp. was breached by hackers in 2014, the cyber actors came in through the heating, ventilation, and air conditioning control system. The Volt Typhoon malware could have already enabled a similar or even more sophisticated cyber method. Military bases don’t normally have extensive backup power capability or redundant water and sewage systems. The loss of this critical infrastructure would render the Department of Defense facilities non-mission-capable in short order. This is exactly what NDAA 1088 is stress testing—almost concurrently with the Volt Typhoon malware emplacement.
Views expressed in this article are opinions of the author and do not necessarily reflect the views of The Epoch Times.
Col. (Ret.) John Mills is a national security professional with service in five eras: Cold War, Peace Dividend, War on Terror, World in Chaos, and now, Great Power Competition. He is the former director of cybersecurity policy, strategy, and international affairs at the Department of Defense. Mr. Mills is a senior fellow at the Center for Security Policy. He is author of “The Nation Will Follow” and “War Against the Deep State.” ColonelRETJohn on Substack, GETTR, and Truth Social