The Chinese military is ramping up its ability to disrupt key American infrastructure, including power and water utilities as well as communications and transportation systems, according to U.S. officials and industry security officials.
Hackers affiliated with China’s People’s Liberation Army have burrowed into the computer systems of about two dozen critical entities over the past year, these experts said.
The intrusions are part of a broader effort to develop ways to sow panic and chaos or snarl logistics in the event of a U.S.-China conflict in the Pacific, they said.
Among the victims are a water utility in Hawaii, a major West Coast port and at least one oil and gas pipeline, people familiar with the incidents told The Washington Post. The hackers also attempted to break into the operator of Texas’s power grid, which operates independently from electrical systems in the rest of the country.
Several entities outside the United States, including electric utilities, also have been victimized by the hackers, said the people, who spoke on the condition of anonymity because of the matter’s sensitivity.
None of the intrusions affected industrial control systems that operate pumps, pistons or any critical function, or caused a disruption, U.S. officials said. But they said the attention to Hawaii, which is home to the Pacific Fleet, and to at least one port as well as logistics centers suggests the Chinese military wants the ability to complicate U.S. efforts to ship troops and equipment to the region if a conflict breaks out over Taiwan.
These previously undisclosed details help fill out a picture of a cyber campaign dubbed Volt Typhoon, first detected about a year ago by the U.S. government, as the United States and China struggle to stabilize a relationship more antagonistic now than it has been in decades. Chinese military commanders refused for more than a year to speak to American counterparts even as close-call intercepts by Chinese fighter jets of U.S. spy planes surged in the western Pacific. President Biden and Chinese President Xi Jinping agreed only last month to restore those communication channels.
“It is very clear that Chinese attempts to compromise critical infrastructure are in part to pre-position themselves to be able to disrupt or destroy that critical infrastructure in the event of a conflict, to either prevent the United States from being able to project power into Asia or to cause societal chaos inside the United States — to affect our decision-making around a crisis,” said Brandon Wales, executive director of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA). “That is a significant change from Chinese cyber activity from seven to 10 years ago that was focused primarily on political and economic espionage.”
Morgan Adamski, director of the National Security Agency’s Cybersecurity Collaboration Center, confirmed in an email that Volt Typhoon activity “appears to be focused on targets within the Indo-Pacific region, to include Hawaii.”
The hackers often sought to mask their tracks by threading their attacks through innocuous devices such as home or office routers before reaching their victims, officials said. A key goal was to steal employee credentials they could use to return, posing as normal users. But some of their entry methods have not been determined.
The hackers are looking for a way to get in and stay in without being detected, said Joe McReynolds, a China security studies fellow at the Jamestown Foundation, a think tank focused on security issues. “You’re trying to build tunnels into your enemies’ infrastructure that you can later use to attack. Until then you lie in wait, carry out reconnaissance, figure out if you can move into industrial control systems or more critical companies or targets upstream. And one day, if you get the order from on high, you switch from reconnaissance to attack.”
The disclosures to The Post build on the annual threat assessment in February by the Office of the Director of National Intelligence, which warned that China “almost certainly is capable” of launching cyberattacks that would disrupt U.S. critical infrastructure, including oil and gas pipelines and rail systems.
“If Beijing feared that a major conflict with the United States were imminent, it almost certainly would consider undertaking aggressive cyber operations against U.S. homeland critical infrastructure and military assets worldwide,” the assessment said.
Some of the victims compromised by Volt Typhoon were smaller companies and organizations across a range of sectors and “not necessarily those that would have an immediate relevant connection to a critical function upon which many Americans depend,” said Eric Goldstein, CISA’s executive assistant director. This may have been “opportunistic targeting ... based upon where they can gain access” — a way to get a toehold into a supply chain in the hopes of one day moving into larger, more-critical customers, he said.
Chinese military officers have described in internal documents how they might use cyber tools or “network warfare” in a conflict, said McReynolds, who has seen some of the writings. He said military strategists speak of synchronizing air and missile strikes with disruption of command-and-control networks, critical infrastructure, satellite networks and military logistics systems.
They have talked about these tools applying in amphibious invasions, he said. “This is stuff they pretty clearly see as relevant to a Taiwan scenario,” he said, “though they don’t explicitly say this is how we’re going to take over Taiwan.”
This is far from China’s first foray into hacking critical infrastructure. In 2012, a Canadian company, Telvent, whose software remotely operated major natural gas pipelines in North America, notified customers that a sophisticated hacker had breached its firewalls and stolen data relating to industrial control systems. The cybersecurity firm Mandiant traced the breach to a prolific PLA hacking group, Unit 61398. Five members of the unit were indicted in 2014 for hacking U.S. companies.
This is far from China’s first foray into hacking critical infrastructure. In 2012, a Canadian company, Telvent, whose software remotely operated major natural gas pipelines in North America, notified customers that a sophisticated hacker had breached its firewalls and stolen data relating to industrial control systems. The cybersecurity firm Mandiant traced the breach to a prolific PLA hacking group, Unit 61398. Five members of the unit were indicted in 2014 for hacking U.S. companies.
Read the full article at The Washington Post.