Some Volt Typhoon victims ‘won’t know they’re impacted,’ Mandiant CEO says

Cybersecurity executive Kevin Mandia, shown here at a Senate hearing in 2021, says that victims of a recent China-backed hacking campaign might not know they've been infiltrated. Drew Angerer/afp via Getty Images

The efforts of the Beijing-linked Volt Typhoon hacking group represent the “natural progression” of Chinese espionage, according to Kevin Mandia.

LAS VEGAS — As intelligence agencies work to jettison Chinese cyberspies embedded in critical infrastructure and internet equipment throughout the U.S., a top cybersecurity CEO says that the hackers’ campaign is so robust and widespread that there will be victims targeted in the operation who won’t know they are impacted.

“To me, Volt Typhoon is the natural progression of great … Chinese cyberespionage,” said Kevin Mandia, CEO of Google cybersecurity subsidiary Mandiant, who spoke in an exclusive interview with Nextgov/FCW at the Google Cloud Next conference in Las Vegas.

The Volt Typhoon Chinese hacking collective has acutely caught the attention of national security officials and researchers over the past year. The warnings culminated in a January hearing with intelligence community heavyweights who said the operatives are prepositioning themselves into critical systems and awaiting an order from Beijing to corrupt or shutter them in the event the U.S. enters conflict with China.

Private sector analysis has shown recent U.S. offensives aimed at crippling Volt Typhoon have slowed its operations, but officials have recently said the U.S. is still identifying victims targeted by the group. The remarks from Mandia spell out the extensiveness and adeptness of China’s hacker army, which is now the top cyber adversary facing the United States, he said.

“China has now graduated with the most zero days,” he said, referring to the nation’s ability to discover and exploit previously unknown flaws in computer systems, so called because developers have had “zero days” to patch them before hackers exploit them.

“It’s harder to pierce anonymity now, or at least [it’s] more complex. China’s gotten better,” he said. Volt Typhoon is using tradecraft that’s difficult to uncover because of its reliance on stolen administrator credentials, which allow the group to more easily mask its exploits, according to previously released U.S. analysis on the entity.

The clandestine activities, which are said to be backed by the Chinese government, have allowed the hackers to conceal their intrusions into U.S. and foreign allies’ systems for at least five years, intelligence officials have previously said.

“The best offense masquerades as an insider, quite frankly, and does not use malware,” Mandia later added when asked about the investments China has made into augmenting its cyber activities.

The Volt Typhoon hackers have been using “living off the land techniques” that allow them to hide inside systems and bypass detection, a May 2023 CISA report said, noting that they have breached American facilities in Guam and other vital U.S. infrastructure both inside and outside the country. They have also burrowed into internet routers in southern Texas and other locations, according to redacted court documents.

As for when the dismantling order would come down from Chinese authorities, the NSA has assessed it would be a “pretty high bar” reserved for major conflict, like a possible Chinese invasion of Taiwan, according to former NSA Cybersecurity Director Rob Joyce.

A whitepaper released by the intelligence community last month said that China and other top U.S. adversaries are capable of and willing to launch cyberattacks seeking to disrupt the November presidential election process.

That willingness may not present itself as hackers directly trying to change vote tallies or other metrics embedded into election infrastructure, Mandia said, arguing that “so many systems and so many agencies” watch how voting processes play out.

“I would think long and hard — if I’m another nation trying to influence the [election] outcomes, I'm gonna stick with artificial amplification, disinformation and pushing agendas,” he said.

Chinese government-backed operatives deployed a slew of fake social media personas and engaged with real-life accounts on the X platform to assess U.S. domestic issues and learn what political themes divide voters, according to an assessment from Microsoft released last week.

“Nobody knows how to measure [disinformation]. It’s hard to defeat,” Mandia said. “It’s hard to get a litmus of what the American people really think, and how much that needle gets moved by domestic actors as well as international actors.”