US diplomats told China to stop Volt Typhoon campaign — It’s becoming more advanced, intelligence officials say

SAN FRANCISCO — The U.S. operation that pulverized a cluster of compromised internet equipment used by Chinese hackers to stage breaches into American critical infrastructure was only the very beginning of what’s become a rapidly evolving cyber challenge for the intelligence community.

FBI Director Christopher Wray announced the court-authorized takedown at a high-profile January hearing, telling lawmakers that its cyber operatives disabled KV-botnet, a digital entity of chain-linked equipment, including cameras and routers, that was compromised and used to form a data transfer network for the group — known as Volt Typhoon — to quietly tunnel into critical infrastructure in preparation for what officials publicly say is U.S. military conflict with Beijijng.

Its operations were significantly slowed down, but the KV-botnet was just one of many staging grounds. Volt Typhoon, believed to be working on behalf of Chinese state authorities, is using multiple covert networks now, making it seemingly impossible to completely stop the entity in its tracks, officials told reporters at RSA Conference in San Francisco.

The news comes after a recent a diplomatic trip to China two weeks ago, where the State Department’s cyberspace and digital policy ambassador Nathaniel Fick and Secretary of State Anthony Blinken told Chinese officials in Shanghai and Beiijng that the Volt Typhoon activity has hit a boiling point, Fick told reporters in a separate briefing at the conference.

The breach into critical infrastructure “contravenes the spirit of the framework,” said Fick, referring to a newly unveiled global cyberspace and digital policy blueprint focusing on “digital solidarity” among partners in the global internet ecosystem.

“Secretary Blinken was very clear that holding American critical infrastructure at risk — especially civilian critical infrastructure — is dangerous. It’s escalatory. It’s unacceptable,” he said.

On the domestic front, halting Volt Typhoon altogether presents a new challenge. The hacking collective first caught the attention of national security officials and researchers around 2021, as analysts spotted its unique behavior in cyberspace.

“In 2021, we knew that we were seeing activity likely from China that represented a different type of threat and intent,” said Morgan Adamski, the head of the NSA Cybersecurity Collaboration Center and incoming director of the CYBERCOM combatant command. The group was burrowing into infrastructure environments that had no immediate intelligence value, contradicting historical Chinese cyberespionage.

“Stopping them is specific to an individual now. We could stop them in a network and we could harden the network and stop them from going back there. But they’re just going to find another target to go after that hasn’t taken the same precautions,” she added.

The Volt Typhoon hackers have been using “living off the land techniques” that allow them to hide inside systems and bypass detection, U.S. reports say, noting that they have breached American facilities in Guam and other vital infrastructure in U.S. facilities both inside and outside the country. 

The clandestine activities involve a tradecraft that’s difficult to uncover because of the group’s reliance on stolen administrator credentials that allow them to more easily mask their exploits. 

For targeted victims, they’ll have to take steps to better manage account credentials, like changing default passwords that automatically come with shipped software products used to log in during first-time setup.

“I don’t think that anybody here would say we’ve done one operation and just eradicated everything. That's not how this works,” said Cynthia Kaiser, a deputy lead in the FBI Cyber Division. Looking ahead, conducting takedown operations like that of KV-botnet takes time away from the hackers to seek shelter in other exploitable domains, and the goal is to “frustrate, delay and impede them” from hunting other U.S. networks, she added.

At this point, officials are unable to slap a measurable figure on how far Volt Typhoon has spread. The number of compromised victims is too hard to measure because it’s still being constantly chased, Adamski said.

A leading cybersecurity CEO recently told Nextgov/FCW the hacking campaign is so robust and widespread that there will be victims targeted in the operation who won’t know they are impacted.

“The only people who know … is the PRC,” said Andrew Scott, CISA’s associate director for China operations. “They know what they’re targeting, they know where they’re targeting. So our job is to illuminate that as far as we can.”