Meet Chinese 'Typhoon' Hackers Preparing for War


Of the cybersecurity risks facing the United States today, few are more significant than the potential sabotage capabilities posed by Chinese-backed hackers, which senior US officials have described as an “epoch-defining threat.”

In recent months, U.S. intelligence officials said hackers backed by the Chinese government have been reaching deep into U.S. critical infrastructure networks, including water, energy and transportation providers. The goal, officials say, is to lay the groundwork for potentially destructive cyberattacks in the event of a future conflict between China and the United States, such as a possible Chinese invasion of Taiwan.

“Chinese hackers are positioning themselves in American infrastructure in preparation to wreak havoc and cause harm in today's world to American citizens and communities, if China determines that the time has come to strike,” FBI Director Christopher Wray told lawmakers earlier this year.

Since then, the US government and its allies have taken action against the “Typhoon” family of Chinese hacking groups and released new details about the threats they pose.

In January, the United States disrupted the so-called “Volt Typhoon,” a group of Chinese government hackers tasked with setting the stage for destructive cyberattacks. Later, in September, the feds hijacked a botnet run by another Chinese hacking group called “Flax Typhoon,” which poses as a private company in Beijing and whose role was to help hide the activities of Chinese government hackers. Since then, a new Chinese-backed hacking group called “Salt Typhoon” has emerged, capable of gathering intelligence on Americans (and on potential targets of American surveillance) by compromising the wiretapping systems of U.S. phone and internet providers.

Here's what we know so far about Chinese hacker groups preparing for war.

Volt Typhoon

Volt Typhoon represents a new generation of Chinese-backed hacking groups: they are no longer just aiming to steal sensitive secrets from the United States, but rather are preparing to disrupt the “mobilization capacity” of the US military, according to the FBI director.

Microsoft first identified Volt Typhoon in May 2023, and found that the hackers had attacked and compromised network equipment, such as routers, firewalls, and VPNs, since mid-2021 as part of an ongoing, concerted effort to infiltrate deeper into US critical infrastructure. In reality, the hackers may have been operating for much longer, potentially up to five years.

Volt Typhoon compromised thousands of internet-connected devices in the months following Microsoft's report, exploiting vulnerabilities in devices that were considered “end of life” and, as such, would no longer receive security updates. The hacking group subsequently managed to compromise the IT environments of multiple critical infrastructure sectors, including aviation, water, energy and transportation, prepositioning itself to trigger potentially disruptive cyberattacks in the future.

“This actor is not conducting the silent intelligence gathering and secret theft that has been the norm in the US. They are probing sensitive critical infrastructure so they can disrupt important services when the order is carried out,” said John Hultquist, chief analyst at the security firm Mandiant.

The US government said in January that it had successfully disrupted a botnet used by Volt Typhoon, consisting of thousands of hijacked home and small office network routers in the US. The FBI said it was able to remove the malware from the hijacked routers, severing the Chinese hacking group's connection to the botnet.

Flax Typhoon

Flax Typhoon, first discovered in an August 2023 report by Microsoft, is another Chinese-backed hacking group that officials say has operated under the guise of a publicly traded cybersecurity company based in Beijing. The company, Integrity Technology Group, has publicly acknowledged its connections to China's government, according to U.S. officials.

In September, the US government said it had taken control of another botnet, used by Flax Typhoon, that leveraged a custom variant of the infamous Mirai malware and was made up of hundreds of thousands of internet-connected devices.

U.S. officials said at the time that the botnet controlled by Flax Typhoon was being used to “conduct malicious cyber activity disguised as routine internet traffic from infected consumer devices.” Prosecutors said the botnet run by Flax Typhoon allowed other hackers backed by China's government to “hack into networks in the United States and around the world to steal information and keep our infrastructure at risk.”

According to Microsoft's profile of the government-backed group, Flax Typhoon has been active since mid-2021, primarily targeting “government agencies and education, critical manufacturing, and information technology organizations in Taiwan.” The Justice Department said it corroborated Microsoft's conclusions and that Flax Typhoon also “targeted multiple U.S. and foreign corporations.”

Salt Typhoon

The latest (and potentially most sinister) group of China's government-backed cyber army discovered in recent months is Salt Typhoon.

Salt Typhoon made headlines in October for a much more sophisticated operation. As first reported by the Wall Street Journal, the China-linked hacking group is believed to have compromised the wiretapping systems of several US telecommunications and internet providers, including AT&T, Lumen (formerly CenturyLink), and Verizon.

According to a report, Salt Typhoon may have gained access to these organizations using compromised Cisco routers. The US government is said to be in the early stages of its investigation.

While the extent of the internet providers' compromises is unknown, the Journal, citing national security sources, said the breach could be “potentially catastrophic.” By hacking into systems that law enforcement agencies use for court-authorized customer data collection, Salt Typhoon potentially gained access to data and systems that host much of the U.S. government's requests, including the possible identities of Chinese targets of US surveillance.

It's not yet known when the breach occurred, but the WSJ reports that the hackers may have maintained access to the internet providers' wiretapping systems “for months or longer.”
