The Spokesman-Review Newspaper
Spokane, Washington  Est. May 19, 1883

FBI says it’s shut down sources of recent Chinese infrastructure hacks

Federal Bureau of Investigation Director Christopher Wray testifies before the Senate Judiciary Committee in the Hart Senate Office Building on Capitol Hill on Dec. 5, 2023, in Washington, D.C.  (Kevin Dietsch)
By Cate Cadell and Joseph Menn Washington Post

FBI Director Christopher A. Wray said Wednesday that the bureau had disrupted a major Chinese government-backed effort to hack into U.S. water, communications, transportation and energy facilities that could enable it to shut down essential services and foment chaos in the event of a conflict.

Wray testified in a House committee hearing that the FBI used court-authorized operations to wrest control of hundreds of routers that the Chinese group known as Volt Typhoon had been using as springboards to get inside sensitive infrastructure.

Wray also urged lawmakers to support investments in U.S. cyberdefense, warning that China’s hacking force far outnumbered America’s. “If you took every single one of the FBI cyber agents, intelligence analysts and focused them exclusively on the China threat, China’s hackers would still outnumber FBI cyber personnel by at least 50 to 1,” he said.

The hacking campaign attributed to Volt Typhoon was first publicly reported in May, when Microsoft said it had found traces embedded in critical infrastructure in Guam, the closest U.S. territory to Taiwan and home to a significant U.S. military presence.

The Washington Post reported in December that victims of the Volt Typhoon malware attacks included a water utility in Hawaii, a major West Coast port, and at least one oil and gas pipeline. None of those intrusions affected critical functions of the infrastructure they targeted, but they alarmed officials who said they were close to or served U.S. military operations.

Future destructive commands could have compromised the U.S. ability to resupply bases in the Pacific, officials told the Post.

“This is likely just the tip of the iceberg,” said U.S. Cybersecurity and Infrastructure Agency Director Jen Easterly, who also testified before the House select committee on the Chinese Communist Party.

The routers recaptured by the FBI were generally old machines in small offices that were no longer being maintained with security patches from the manufacturers or software providers. When vulnerabilities were discovered, that made them easy prey for hackers scanning the internet for attached devices.

Volt Typhoon used those routers to hide the international origins of the traffic and reach inside the utilities and other targets with malicious code, frequently stealing employee log-in credentials to preserve future access. The hackers also installed what are known as “back doors” that could be used to access the systems.

The FBI sent commands to the compromised Cisco and NetGear routers that removed the malware being used to control them and blocked reinfections, Justice Department officials said. It applied for four warrants as it found new clusters of infections.

Those actions would not by themselves disable the backdoor channels or prevent further incursions, said Danny Adamitis of Lumen Technologies, who found some of the infections last year. But he said the routers were the “highway” that the hackers used to move quickly around the internet.

“We believe the actor could still operate, but we suspect it would not be able to move at the same speed as before,” Adamitis said.

Wray’s comments were the first public acknowledgment of a broad operation to crack down on the intrusions, which have been difficult to target because the hackers used advanced techniques and often leveraged legitimate programs to move within the targeted environments.

Easterly said U.S. authorities have observed a “deeply concerning evolution of Chinese hacks that target U.S. critical infrastructure in recent years.

“A major crisis halfway across the planet could well endanger the lives of Americans here at home through the disruption of our pipelines, the severing of our telecommunications, the pollution of our water facilities, the crippling of our transportation modes, all to ensure that they can incite societal panic and chaos and to deter our ability to marshal military might and civilian will,” she testified.

Previously, China’s Foreign Ministry has denied any link between Beijing and Volt Typhoon. Liu Pengyu, a spokesman at the Chinese Embassy in Washington, did not repeat that denial Wednesday but called the U.S. criticism of other countries’ cyber policies “irresponsible.”

“The Chinese government has been categorical in opposing hacking attacks and the abuse of information technology,” he said. “The United States has the strongest cybertechnologies of all countries, but has used such technologies in hacking, eavesdropping more than others.”

The hearing comes at a time when both Washington and Beijing have sought to ease friction in the relationship, opening new channels of communication between military officials as well as holding fresh dialogues on counternarcotics, climate and the economy since President Biden and Chinese President Xi Jinping met in San Francisco in November.

Last week, U.S. national security adviser Jake Sullivan met with Chinese Foreign Minister Wang Yi in Thailand, where they pledged to continue discussions on key issues, including talks on regulating artificial intelligence planned for spring.

Despite those diplomatic advances, relations remain strained as the United States heads toward a general election and candidates are refining their positions on China policy. Asked about a CNN report that said Beijing has pledged not to interfere in the election, Wray expressed skepticism.

“China’s promised a lot of things over the years, so I guess I’ll believe it when I see it,” he said.

The hearing is the latest in a series held by the House committee, which was formed early last year and has developed a tough bipartisan stance on what it describes as a severe threat to the United States in the form of rising Chinese military, economic and technical aggression.

Mike Gallagher (R-Wis.), chair of the committee, said Wednesday that the threat posed by the latest Chinese hacking operations was “unacceptable.”

“This is the cyberspace equivalent of placing bombs on American bridges, water treatment facilities and power plants. There is no economic benefit for these actions. There’s no pure intelligence-gathering rationale. The sole purpose is to be ready to destroy American infrastructure,” he said.

- – -

Cadell reported from Washington and Menn from San Francisco. Devlin Barrett and Eva Dou contributed to this report.