WASHINGTON—US authorities said Wednesday they had dismantled a network of hackers known as “Volt Typhoon,” which was targeting key American public sector infrastructure like water treatment plants and transportation systems at the behest of China.
FBI director Christopher Wray explained the operation in testimony before a congressional committee on US-China competition, and the Justice Department offered more details in a statement.
In May 2023, the United States and its allies had accused Volt Typhoon, described as a “state-sponsored hacking group” backed by China, of infiltrating critical US infrastructure networks—claims rejected by Beijing.
“Just this morning, we announced an operation where we and our partners identified hundreds of routers that had been taken over by the PRC state-sponsored hacking group known as Volt Typhoon,” Wray told lawmakers.
‘Real-world harm’
“The Volt Typhoon malware enabled China to hide, among other things, preoperational reconnaissance and network exploitation against critical infrastructure like our communications, energy, transportation and water sectors.”
Wray accused the hackers of readying to “wreak havoc and cause real-world harm to American citizens and communities.”
“If and when China decides the time has come to strike, they’re not focused just on political or military targets,” he added. “Low blows against civilians are part of China’s plan.”
Assistant attorney general Matthew Olsen, who works in the Justice Department’s national security division, said access to US infrastructure sought by Volt Typhoon was something China “would be able to leverage during a future crisis.”
Court-approved
The US operation to disrupt the hackers was authorized by a federal court in Texas, the Justice Department said in its statement.
By taking control of hundreds of routers, which were vulnerable as they were no longer supported by their maker’s security patches or software updates, the hackers sought to disguise the origin of future China-based hacking activities, it said.
The operation succeeded in wiping the malware from the routers, without impacting their legitimate functions or collecting any information, it added, while saying there was no guarantee the routers could not be reinfected.
Readiness on Taiwan
Sources said US officials are concerned the hackers were working to hurt US readiness in case of a Chinese invasion of Taiwan.
China, which claims democratically governed Taiwan as its own territory, has increased its military activities near the island in recent years in response to what Beijing calls “collusion” between Taiwan and the United States.
The Justice Department and FBI declined to comment.
The Chinese embassy in Washington did not immediately respond to a request for comment.
China’s foreign ministry called the accusations “groundless” and “extremely irresponsible,” and said it was the United States that was “the initiator and master of cyberattacks.”
China: US hacking, too
“Since last year, China’s network security agencies have issued reports one after another, revealing that the US government has carried out cyberattacks on China’s key infrastructure for a long time.
Such irresponsible policies and practices put the global critical infrastructure at great risk,” ministry spokesperson Wang Wenbin told a regular news conference on Thursday.
When Western nations first warned about Volt Typhoon in May, Chinese foreign ministry spokesperson Mao Ning said the hacking allegations were a “collective disinformation campaign” from the Five Eyes countries, a reference to the intelligence sharing grouping of countries comprising Australia, Canada, New Zealand, the United Kingdom and the United States.
Volt Typhoon has functioned by taking control of vulnerable digital devices around the world—such as routers, modems, and even internet-connected security cameras—to hide later, downstream attacks into more sensitive targets, security researchers told Reuters.
Primary concern
This constellation of remotely controlled systems, known as a botnet, is of primary concern to security officials because it limits the visibility of cyberdefenders that monitor for foreign footprints in their computer networks.
“How it works is the Chinese are taking control of a camera or modem that is positioned geographically right next to a port or ISP (internet service provider) and then using that destination to route their intrusions into the real target,” said a former official familiar with the matter. “To the IT team at the downstream target it just looks like a normal, native user that’s sitting nearby.”
The use of botnets by both government and criminal hackers to launder their cyber operations is not new.
The approach is often used when an attacker wants to quickly target numerous victims simultaneously or seeks to hide their origins.
AFP is one of the world's three major news agencies, and the only European one. Its mission is to provide rapid, comprehensive, impartial and verified coverage of the news and issues that shape our daily lives.
Reuters, the news and media division of Thomson Reuters, is the world’s largest multimedia news provider, reaching billions of people worldwide every day. Reuters provides business, financial, national and international news to professionals via desktop terminals, the world's media organizations, industry events and directly to consumers.