FBI director Chris Wray said at a security conference on Thursday that China’s legion of state-sponsored hackers “considers every sector that makes our society run as fair game in its bid to dominate on the world stage.”
Wray said China’s plan is to “land low blows against civilian infrastructure to try to induce panic and break America’s will to resist.”
The FBI director was speaking at security conference called “Summit on Modern Conflict and Emerging Threats,” hosted by Vanderbilt University in Nashville. The 2024 edition of the summit was focused on “challenges China poses to the United States,” ranging from China’s dominance of critical supply chains to the fentanyl epidemic and cyberwar.
Wray called the audience’s attention to Volt Typhoon, the massive hacking operation linked to the People’s Republic of China (PRC) that penetrated an alarming number of critical infrastructure systems in the U.S., including water, power, oil, and transportation.
Volt Typhoon was detected and exposed by Microsoft cybersecurity technicians in May 2023. Microsoft said China’s state-sponsored hackers sought to develop “capabilities that could disrupt critical communications infrastructure between the United States and Asia region during future crises.”
Wray noted that China-sponsored hackers were “pre-positioned for potential cyberattacks against U.S. oil and natural gas companies way back in 2011.”
Federal Bureau of Investigation Director Christopher Wray (OLIVIER DOULIERY/POOL/AFP via Getty Images)
“When one victim company set up a honeypot – essentially, a trap designed to look like a legitimate part of a computer network with decoy documents – it took the hackers all of 15 minutes to steal data related to the control and monitoring systems,” he recalled.
Wray pointed out that in that incident, the hackers ignored “financial and business-related information,” which suggests “their goals were even more sinister than stealing a leg up economically.”
Honeypot systems are usually hardened to make cracking their core software extremely difficult, but the designers then camouflage the system to look much more vulnerable than it really is. A honeypot is a setup, and its administrators know they will be invaded, so for the invaders to quickly defeat the trap and penetrate the security of the rigged system is a remarkable achievement.
Volt Typhoon was a menacing example of a hacking technique known as “living off the land,” in which the hackers penetrate systems, deposit malware payloads, and then conceal their presence by exploiting and imitating normal system functions. The approach could be compared to a thief who takes a job as a bank teller and quietly works there for years before finally deciding to rob the bank.
“Living off the land” is an alarming tactic because most private hacker groups would not bother to hide for years after penetrating a system. Hackers are usually motivated to steal, vandalize, or hijack a system fairly soon after they gain entry, worried that their presence could be detected or their access to the system might be cut. They are typically eager to steal data for fun or profit.
As Wray explained at the Vanderbilt seminar, the major reason a group of highly skilled and coordinated hackers would lurk in a system for years is because they are planning massive acts of sabotage and waiting for their government handlers to tell them when the time is right to strike.
Wray said the Chinese Communist Party is driven by “aspirations to wealth and power,” which it hopes to realize by seizing control of “economic development in the areas most critical to tomorrow’s economy.”
Other speakers at the seminar highlighted Volt Typhoon as a new and dangerous type of cyberwar menace, including Gen. Timothy Haugh, head of the National Security Agency (NSA) and U.S. Cyber Command.
“What you see in Volt Typhoon is an example of how China has approached establishing access to put things under threat. There is not a valid intelligence reason to be looking at a water treatment plant from a cyber perspective,” he pointed out.
Haugh warned that Volt Typhoon sent “a pretty loud signal” about how China plans to “use cyberspace in a crisis,” such as a confrontation with the U.S. over Taiwan. He strongly recommended listening to that signal.
“China is pursuing deliberate campaigns to gain advantage in every aspect of national power. The threat posed by China is real – the PRC has the desire and ability to make themselves our peer on the world stage,” Haugh said.
Wray pointed to a “crisis between China and Taiwan” as the kind of scenario where China would activate its lurking cyberwar assets. He predicted the crisis could arrive by 2027, a timetable that would explain why China is stepping up its “cyber intrusions and criminal activity,” seemingly without much concern that its hackers might get caught.
“The fact is, the PRC’s targeting of our critical infrastructure is both broad and unrelenting,” he said.
RELATED — Cyber Official: ‘Great’ Blinken Will Have ‘Discussion’ with China on Their Ability to Attack Critical Infrastructure Because It’s Hard to Prevent
Wray said that “joint, sequenced operations” with partner agencies and corporations were the key to thwarting the new breed of cyberwar. He cited several recent examples of hacker attacks in which the damage was quickly contained by coordinating with partner agencies and companies such as Microsoft.
For example, when Microsoft Exchange was hacked in 2021, Wray said the FBI and Microsoft worked together to create “a first-of-its-kind surgical, court-authorized operation, copying and removing the harmful code from hundreds of vulnerable computers.”
The FBI likewise coordinated with private companies on the Volt Typhoon operation to “not only remove Volt Typhoon’s malware from the routers it had infected throughout the U.S., but also to sever their connection to that network of routers and prevent their reinfection.”
Wray suggested private companies should maintain their own cybersecurity operations, develop response plans for intrusions, follow good system practices such as regularly installing software updates, and notify the FBI quickly when they suspect a cyberattack is underway.
In an interview with the Vanderbilt Hustler after the security conference, Haugh said China has some advantages in cyberwarfare as a closed, authoritarian society with a massive security and censorship apparatus, but the U.S. has the tremendous advantage of being able to work with allies on projects like AUKUS Pillar II, which includes the development of cutting-edge cybersecurity.
Haugh suggested free societies should improve their combined ability to detect and respond to cyber threats, such as TikTok, the Chinese Communist-controlled social media platform that has been prohibited in government agencies – and could soon be banned outright in the United States – because it aggressively harvests data on its users.
The TikTok logo is displayed outside a TikTok office on December 20, 2022, in Culver City, California. (Mario Tama/Getty Images) // Chinese President Xi Jinping waves at an event to introduce new members of the Politburo Standing Committee at the Great Hall of the People in Beijing, Sunday, Oct. 23, 2022 (AP Photo/Andy Wong).
“Is an individual concerned about their data being accessible by another nation, on command? I don’t know that we’ve been able to completely communicate that in a way that allows everybody to really understand what that risk means,” Haugh mused.