China’s communist regime is pre-positioning malware in U.S. systems in preparation for a major conflict, according to the United States’ top cyber agency.
A Feb. 7 advisory released by the Cybersecurity and Infrastructure Security Agency (CISA) seeks “to warn critical infrastructure organizations” about China’s attempts to infiltrate, disrupt, and destroy vital U.S. facilities.
“[Chinese] state-sponsored cyber actors are seeking to pre-position themselves on IT networks for disruptive or destructive cyberattacks against U.S. critical infrastructure in the event of a major crisis or conflict with the United States,” the advisory said.
The malware is devised “to launch destructive cyber-attacks that would jeopardize the physical safety of Americans and impede military readiness.”
That malware targeted water, gas, energy, rail, air, and port infrastructure.
Eric Goldstein, CISA’s executive assistant director for cybersecurity, said the operation only targeted a fraction of the Chinese malware that seeks to infiltrate U.S. systems every day.
China Preparing for Attacks on US
Mr. Goldstein said that the volume and type of malware now being intercepted by intelligence agencies indicated a shift in China’s cyber strategy against the United States. Whereas the regime previously focused on intellectual property theft and espionage, he said, it now appeared intent on causing physical harm and social panic in the event of a conflict.
“It is worth noting that the information that we are releasing with this advisory is reflecting a strategic shift in [China’s] malicious cyber activity from a focus on espionage and IP theft to pre-positioning for future disruptive or destructive attacks,” he said.
“Our evidence strongly suggests that the [China-based] actors are pre-positioning to launch future disruptive or destructive cyber attacks that could cause impacts to national security, economic security, or public health and safety,” Mr. Goldstein said.
Relatedly, Mr. Goldstein said the KV Botnet, which U.S. intelligence dismantled last month, had not targeted federal government agencies but instead focused on the private entities that facilitate the nation’s most critical infrastructure.
The botnet served as a support mechanism for the Chinese hacking group Volt Typhoon and used legitimate credentials and tools to conceal itself on outdated software that had passed its functional end of life.
“Their strong focus on stealth and operational security allows them to maintain long-term, undiscovered persistence,” the CISA advisory said.
“Their aim is to achieve and maintain persistence on the network.”
Cynthia Kaiser, deputy assistant director for the FBI’s cyber division, described the technique as “living off the land,” wherein a malign group is able to blend into the existing infrastructure by using authentic credentials and deleting any abnormal activity.
“Volt Typhoon actors are able to evade detection by blending in with normal systems and activities, helping them to maintain persistent access to networks of interest for future activities,” Ms. Kaiser said.
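The “living off the land” description above names two behaviours a defender can still look for: logons with valid credentials that do not match an account’s normal pattern, and the clearing of audit logs to remove traces. The following detection logic is an added illustration, not code from the advisory or from any agency; it runs over constructed sample log lines shaped loosely like Windows Security events (Event ID 4624 for a successful logon and 1102 for the audit log being cleared are real Windows identifiers; the hosts, accounts, addresses and baseline are invented for the example).

```python
import json

# Constructed sample telemetry, one JSON record per line. Invented for this
# example; not real events from any incident.
SAMPLE_LOG_LINES = [
    '{"ts":"2024-01-10T02:11:05Z","host":"fileserver01","event_id":4624,'
    '"user":"svc_backup","src_ip":"10.0.5.20","logon_type":3}',
    '{"ts":"2024-01-10T02:13:40Z","host":"fileserver01","event_id":4624,'
    '"user":"jdoe","src_ip":"10.0.5.20","logon_type":3}',
    # Valid account, but a remote-interactive logon from an address never
    # seen for that account: the "authentic credentials" pattern.
    '{"ts":"2024-01-10T02:15:02Z","host":"fileserver01","event_id":4624,'
    '"user":"jdoe","src_ip":"192.0.2.77","logon_type":10}',
    # Security audit log cleared shortly afterwards: evidence removal.
    '{"ts":"2024-01-10T02:40:19Z","host":"fileserver01","event_id":1102,'
    '"user":"jdoe","src_ip":"","logon_type":null}',
    'this line is corrupted telemetry and must be skipped, not crash the run',
]

# Constructed baseline: source addresses each account has historically used.
# In practice this would be learned from weeks of prior logon data.
BASELINE = {"svc_backup": {"10.0.5.20"}, "jdoe": {"10.0.5.20"}}


def parse_events(lines):
    """Parse JSON-per-line records, dropping malformed or incomplete lines."""
    events = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(ev, dict) and "event_id" in ev and "host" in ev:
            events.append(ev)
    return events


def detect_log_clearing(events):
    """Flag every Event ID 1102 (Security audit log cleared).

    Clearing the audit log is rarely legitimate outside scheduled maintenance
    and removes the very records a responder would need, so it is alerted on
    unconditionally here.
    """
    return [
        {"rule": "audit_log_cleared", "host": e["host"],
         "user": e.get("user"), "ts": e.get("ts")}
        for e in events if e.get("event_id") == 1102
    ]


def detect_new_logon_source(events, baseline):
    """Flag successful logons (4624) from an address not in the account's baseline.

    Valid credentials defeat signature-based checks, so the signal is the
    deviation from that account's own history rather than anything malicious
    about the credential itself.
    """
    alerts = []
    for e in events:
        if e.get("event_id") != 4624:
            continue
        user, src = e.get("user"), e.get("src_ip")
        if src and src not in baseline.get(user, set()):
            alerts.append({"rule": "new_logon_source", "host": e["host"],
                           "user": user, "src_ip": src,
                           "logon_type": e.get("logon_type"), "ts": e.get("ts")})
    return alerts


def run_detections(lines, baseline):
    """Parse the lines and return all alerts, log-clearing alerts first."""
    events = parse_events(lines)
    return detect_log_clearing(events) + detect_new_logon_source(events, baseline)


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_LOG_LINES, BASELINE):
        print(alert)
```

Run stand-alone, the script prints two alerts for the sample data: the audit log being cleared on fileserver01 and the logon by jdoe from an address outside that account’s baseline. The point of correlating the two is that neither event alone is conclusive, but a baseline deviation followed by log clearing on the same host is the kind of pattern the advisory’s “stealth and operational security” description implies a defender must hunt for rather than expect a signature to catch.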
US Response Took Months
Volt Typhoon was first reported on by Microsoft in May 2023, at which time it said the group dated to around 2021. CISA’s new advisory, however, suggests that the group actually maintained “access and footholds within some victim IT environments for at least five years,” meaning that Chinese malware has been affecting U.S. systems for far longer than officials have been aware of it.
Similarly, while Ms. Kaiser portrayed the malware as “a significant threat to the U.S.,” the interagency response that eradicated the botnet was less than immediate.
Responding to a question by The Epoch Times, Ms. Kaiser said the operation was conducted in December 2023 and January 2024, more than half a year after Volt Typhoon was first reported by Microsoft.
Ms. Kaiser did not clarify whether the FBI had acted as soon as it was able to eradicate the threat but said such operations require extensive planning and inter-agency coordination.
“These operations often take a certain amount of time to plan and technically be able to accomplish,” Ms. Kaiser said.
“The FBI had determined that the best action was to conduct a technical operation to decisively neutralize the botnet in a timely and also coordinated manner that’s curtailing the Chinese government’s ability to further target U.S. entities through this obfuscation network.”
That delay may create concerns among security professionals. It remains unclear if the Chinese state-backed actors behind the malware could have launched attacks on U.S. infrastructure in the lengthy time between discovery and eradication.
“We know that their targets include numerous sectors [such as] communication, manufacturing, utilities, transportation, construction, maritime, government and information technology, and education,” Ms. Kaiser said.
Agencies Used Controversial Spying Law
Importantly, U.S. detection and response to the Volt Typhoon botnet required the use of a controversial provision that allows intelligence agencies to collect data. Section 702 of the Foreign Intelligence Surveillance Act (FISA) allows for the warrantless surveillance of broad swaths of foreign communications without court orders. Many critics of the law, including in Congress, argue that it provides federal agencies a “backdoor” to Americans’ private information if they interact with foreign persons.
Ms. Kaiser said the law was key, however, to discovering and combating the rising tide of Chinese malware targeting the United States.
She highlighted one case in which intelligence agencies witnessed the initial targeting of an entity in the transportation sector through information collected under FISA 702, and were able to inform the victim and provide assistance.
“FBI FISA 702 also identified other Chinese state-sponsored cyber actors conducting similar activity,” Ms. Kaiser said. “And, in fact, we only know about many critical infrastructure entities compromised by the Chinese because of FBI FISA 702 collection.”
Ms. Kaiser described the law as “critical” to FBI cyber operations, suggesting such threats would still be hiding in plain sight without the law.
“Because the FBI saw the initial targeting through FISA 702 information, we were able to obtain information from that, bring it to the victim, and provide it to them. That enabled them to kick the Chinese off their system before they were ever able to move further.”
CCP Seeks to Deter US Military
CISA’s advisory appears to confirm growing concern that the Chinese Communist Party (CCP) is preparing for a conflict with the United States or, at the least, trying to deter the United States from interfering in one it initiates. To that end, the advisory says that Chinese hackers are “pre-positioning themselves” in order “to disrupt functions” of vital infrastructure that could affect “the continental and non-continental United States and its territories, including Guam,” as well as U.S. allies Australia, Canada, and New Zealand.
Andrew Scott, associate director for China operations at CISA, said the effort was likely intended to deter the United States and its allies from interfering in a CCP-initiated conflict by “impeding decision making, inducing societal panic and interfering with the deployment of U.S. forces.”
“We’re now able to confirm the types of compromises we’re seeing in critical infrastructure against victims that don’t have an intelligence value but would have value for other strategic goals,” Mr. Scott said.