U.S. still finding victims of advanced China-linked hacking campaign, NSA official says


National Security Agency Cybersecurity Director Rob Joyce (left) and Deputy Cybersecurity Director David Luber speak to reporters at an event at agency headquarters in Ft. Meade, Md. National Security Agency photo.

The Volt Typhoon hacking collective, backed by the Chinese People’s Liberation Army, has been working to burrow into sensitive U.S. systems, officials previously said.

The U.S. is still identifying victims targeted by an extensive China-backed hacking campaign that became the subject of a recent FBI takedown operation and other advisories from officials over the past year, a top NSA cyber official said.

Rob Joyce, the agency’s outgoing cybersecurity director, said on Friday that the U.S. is still finding victims of the Volt Typhoon hacking collective that’s been latching onto critical infrastructure through compromised equipment including internet routers and cameras, and that NSA is not yet done with efforts to eradicate such threats.

The clandestine activities, which officials say are backed by the Chinese government, have allowed the hackers to conceal their intrusions into U.S. and allied systems for at least five years, officials have previously said.

The FBI in January announced it had evicted a significant portion of the group's operations from the compromised equipment it had burrowed into. Those claims were subsequently affirmed by private-sector analysis. But Friday's remarks indicate there is still a way to go before Volt Typhoon is completely eradicated from U.S. networks.

Joyce, who was speaking to a group of reporters, declined to give a precise account of how many victims remain, but said the Chinese cyberspies use tradecraft that is difficult to uncover because it relies on stolen administrator credentials, which make their activity harder to distinguish from legitimate administration and let them mask their exploits.

The Volt Typhoon group has been carrying out "station keeping" activities in an effort to preposition itself to take down key infrastructure such as transportation networks, he said. As for when an order to carry out such attacks would come down from Chinese authorities, the agency assesses that would be a "pretty high bar," reserved for a major conflict such as a possible Chinese invasion of Taiwan, he said.

The Volt Typhoon hackers have been using "living off the land" techniques, relying on legitimate tools already present on the systems they compromise rather than custom malware, which allow them to hide inside systems and evade detection, previous U.S. reports said. Those reports noted that the group has breached American facilities in Guam as well as other key infrastructure both inside and outside the U.S.

Joyce added that NSA has been able to use techniques backed by advanced artificial intelligence tools to detect the Volt Typhoon hackers, a capability also touted by David Luber, Joyce's successor, who was present at the media briefing.

A senior FBI official previously said Chinese hacking groups have been detected through Section 702 of the Foreign Intelligence Surveillance Act, which allows spy agencies to scoop up foreign communications and use them for national security investigations. The official at the time declined to comment on whether the authority was used specifically for Volt Typhoon investigations, but stressed it has been critical to cyberspace operations. 

Section 702 authorities, which are set to expire next month unless reauthorized by Congress, are contested by civil liberties groups, who argue the policy violates Americans' Fourth Amendment rights because the tool sometimes sweeps up domestic communications during intelligence-gathering activities. The authority was born out of Bush-era surveillance measures enacted in 2008, which sought to provide a legal framework for the spying capabilities of U.S. intelligence agencies in the aftermath of the September 11 attacks by breaking down silos on the sharing of telecommunications data and other common data types.

Joyce doubled down on the spying power, calling it an “absolutely vital” authority and added that he’s going to “continue to be worried” about whether Congress will reauthorize it by next month. He declined to give specifics on congressional efforts to remodel the authority with provisions like a warrant requirement, deferring to the White House’s position on the discussions.

Intelligence community heavyweights gave a stark warning to lawmakers in January that China-backed hacking activities against the U.S. have reached a new level of complexity, and that the federal government must work to deter Beijing-sponsored cyber threats amid broader diplomatic tensions between the two nations.

Joyce also said that China has been moving closer to Russia-style hacking activities that seek to sow division in the U.S. political process, which could resurface as the November presidential election approaches.

An assessment released by the intelligence community this week said that China, Russia and Iran are capable of, and willing to launch, cyberattacks seeking to disrupt U.S. election processes. China may attempt to influence election outcomes in November "because of its desire to sideline critics of China and magnify U.S. societal divisions," the whitepaper says.