Chinese hackers embedded in U.S. networks for years, pre-positioning for future attacks, IC warns


The intelligence community used a contested surveillance tool to detect the hacking attempts.

An advisory issued by the Cybersecurity and Infrastructure Security Agency warns that China-linked hackers have been operating inside certain U.S. systems for at least five years and are preparing to carry out destabilizing cyberattacks on critical infrastructure.

The notice was published in conjunction with other Western intelligence partners, including Australia and Canada, following an FBI operation announced last week that cut the China-linked Volt Typhoon hacking campaign off from botnet infrastructure of compromised routers and other hardware that the cyberspies had been using to burrow into their targets' networks.

“Our evidence strongly suggests that the PRC actors are pre-positioning to launch future disruptive or destructive cyber attacks that could cause impact to national security, economic security or public health and safety,” CISA Executive Assistant Director Eric Goldstein told reporters during a briefing on the advisory.

The hackers have been using “living off the land” techniques that allow them to blend in with legitimate activity on compromised systems and evade detection, the report says, noting that they have breached facilities in Guam as well as other critical infrastructure both inside and outside the U.S. The FBI operation targeted home internet routers in southern Texas and other locations that are redacted in official court documents.

Chinese embassy spokesperson Liu Pengyu previously denied the hacking allegations and turned them back on the U.S., urging the American intelligence community to stop its “irresponsible criticism” of Beijing.

U.S. authorities were able to detect the hacking attempts through a contested surveillance authority, Section 702 of the Foreign Intelligence Surveillance Act, according to Cynthia Kaiser, the deputy assistant director for the FBI’s cybersecurity division.

Section 702 allows the FBI and NSA to gather electronic data without a traditional warrant when the target is a foreigner located overseas and the collection serves a foreign intelligence purpose. But the intercepted exchanges sometimes include communications with Americans, raising privacy advocates’ concern that American communications are being swept up without a warrant in the process.

Kaiser declined to tell reporters whether the authority was used in the recently announced Volt Typhoon operation but stressed that it has been critical to cyber operations. She said 702 data has been queried for U.S. persons when the bureau is identifying individuals affected by hacking attempts so that it can notify the victims.

“China’s hackers are targeting American civilian critical infrastructure, pre-positioning to cause real-world harm to American citizens and communities in the event of conflict,” FBI Director Christopher Wray said in a statement. “Volt Typhoon malware enabled China to hide as they targeted our communications, energy, transportation, and water sectors. Their pre-positioning constitutes a potential real-world threat to our physical safety that the FBI is not going to tolerate.”