Keyboard with China flag key (Getty images)

WASHINGTON — For decades, Chinese hackers focused on wholesale and often ham-handed theft of Western trade secrets, what then-NSA director Gen. Keith Alexander called in 2012 “the greatest transfer of wealth in history.” But in recent years, the NSA and independent experts agree, the Chinese have gotten a lot subtler — and some of their best hackers have changed tactics, moving from using cyberspace for theft to using it to prepare the battlefield of a future conflict.

This shift, years in the making, became unmistakable last month, when news broke of a widespread security breach of US critical infrastructure, particularly around the strategically crucial island of Guam. While it’s not a harbinger of impending apocalypse or a major breakdown in an increasingly fraught relationship, experts told Breaking Defense that the activity serves as a scary sign of a kind of new normal, where both superpowers are using cyber capabilities to prepare for a potential open war.

“Chinese tradecraft has improved,” said an independent cyber expert, James Lewis of the Center for Strategic & International Studies, “[and] the Chinese doing aggressive reconnaissance shows the reality of the bilateral relationship, versus all the [conciliatory] stuff from NVIDIA et al.”

The hack was first announced May 24 by Microsoft, which attributed it to a Chinese group it codenamed “Volt Typhoon.” (Another company, SecureWorks, uses the codename “Bronze Silhouette” for the same hackers.) “Microsoft assesses with moderate confidence that this Volt Typhoon campaign is pursuing development of capabilities that could disrupt critical communications infrastructure between the United States and Asia region during future crises,” the company said bluntly.

A little later that same day, an extraordinary multinational warning was issued not only by the American NSA, FBI, and Department of Homeland Security, but also by Australia, Britain, Canada, and New Zealand, the other members of the “Five Eyes” intelligence-sharing network.

A day later, Navy Secretary Carlos Del Toro acknowledged — in vague, guarded terms — that Navy networks had been “impacted.” (A Navy spokesman declined Breaking Defense’s requests for further details, saying, “As a matter of policy and for reasons of operations security, we do not discuss the status of our networks.”) The Coast Guard also emphasized the threat in a warning to the maritime transport industry.

The NSA and its partners warned “this activity affects networks across U.S. critical infrastructure sector,” emphasized the difficulty of detecting the attackers’ low-profile “living off the land” techniques, and issued 24 pages [PDF] of often highly technical advice on how to expunge the infection. The next day, after showing caution in the initial release, NSA cybersecurity director Rob Joyce told CNN he concurred with Microsoft’s assessment that this was, as he put it, “prepositioning against critical infrastructure,” not just espionage.

In a statement to Breaking Defense, Joyce elaborated, saying “NSA agrees with Microsoft’s assessment that the PRC’s goal is developing capabilities to disrupt critical infrastructure in the event of a future conflict. This is a serious set of events. We all understand that intelligence collection happens by nation states and we watch commercial espionage happen, but it is clear that some of this latest activity yields no intelligence value.

“The idea that these actors are attempting to evade common detection techniques, get persistent access, and preposition themselves to exploit our critical infrastructure is a significant concern,” Joyce said. “The fact that malicious actors from the PRC are on any critical infrastructure is unacceptable.”

No ‘Cyber Pearl Harbor’

And yet, despite the alarming statements from NSA and Microsoft, analysts are largely in agreement: yes, this is a concern, but it hardly presages that an attack is imminent.

“There’s very good reason to believe this hacker is trying to burrow into critical infrastructure for potential destructive and disruptive purposes,” John Hultquist, chief analyst at Mandiant Intelligence (now part of Google) told Breaking Defense. “You need to take this very seriously.”

At the same time, Hultquist cautioned, there’s no need to panic. “This kind of probing of critical infrastructure actually happens fairly regularly, and it does not mean an incident is imminent — or ever going to happen, in fact,” he said. “We have seen China do this … before. It doesn’t mean they’re planning the attack, so much as preparing for one.”

CSIS’s Lewis was still more sanguine. “This kind of thing happens frequently, and it’s never been an indication of imminent attack,” he told Breaking Defense in an email. “It’s not ‘a new wave of Chinese threat groups’” — as a SecureWorks analysis put it — “but the same Chinese who have been in the business for years.”

Lewis feels this particular threat is overhyped. “I think the story is more about why Microsoft decided to put out a press release. It’s cybersecurity as performance art,” he said. “It’s definitely more in the realm of PR than military analysis.

“This was known to government agencies for some time, and that China would be targeting Guam is not surprising,” he continued. “It’s not a nothingburger … Serious, yes. Imminent, no. Novel, also no. The Chinese target us and have for years.

“The real question is whether there is anything we can do back other than improve defenses. I suspect not, since it’s a two-way street,” he said, with both countries hacking each other. “The US could make a fuss, like with the balloon, but I think both sides want to lower the temperature.”

Increased Tensions, New Techniques

Tensions between the two superpowers have certainly been rising over time, with recent close calls in the air and at sea. Less obviously, Chinese cyber skills have been getting steadily sharper — and subtler.

When it comes to Volt Typhoon, Mandiant’s Hultquist said, “a lot of the techniques these guys are employing are things we are seeing increasingly from Chinese actors that have really upped their game [just in] the last two, three years.”

In particular, Volt Typhoon employed a technique known as “living off the land,” which takes more time and effort for the hacker but is also much harder to detect. Instead of gaining access to a target network and quickly uploading malware, such as dedicated hacking tools, to make it easier to steal data or sabotage operations, Volt Typhoon lurked on the network using only the software tools that legitimate users had already installed.

“They’re using these tools that are already built in to propagate across the network, without having to deploy anything that could either identify them or potentially trip a detection or identify them as a specific threat actor,” Hultquist explained.

“By avoiding custom malware in these operations, the intruders are able to keep their signature down and increase their ability to evade detection,” agreed NSA’s Joyce. “The goal here is a quiet, long-lasting intrusion that allows these perpetrators to maintain access over the long term.”

“The PRC works to gain unauthorized access to systems and wait for the best time to exploit these networks. This attack is no different,” he said. “The actors quietly gained access and used specific tactics, techniques and procedures to evade detection, blending in with normal network and system activities. Both industry and government analysts that work on PRC intrusions recognize PRC tradecraft improvements over time. This is the primary reason we continue to issue public periodic Cybersecurity Advisories, as well as work daily with industry to empower them with NSA SIGINT insights from our foreign intelligence mission.”
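To make the detection problem Hultquist and Joyce describe concrete, here is an added example (editor’s illustration, not code from Breaking Defense, Microsoft or the NSA advisory). It runs two detectors over a handful of constructed Windows process-creation events: a signature-style denylist, which finds nothing because every program involved is a stock Windows binary, and a simple behavioural baseline that flags built-in administrative tools when they run from an unexpected parent process or under an account not expected to use them. The host names, accounts, baseline sets and events are all constructed for the example.

```python
"""Why 'living off the land' defeats signature matching, and one
defender-side heuristic that does not rely on signatures.

Added illustration; the events, account names, hosts and baseline sets
below are constructed for the example, not real telemetry."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    host: str
    user: str
    parent: str   # image name of the parent process
    image: str    # image name of the process that was started
    cmdline: str


# Constructed process-creation events. Every image is a stock Windows binary,
# so there is nothing "foreign" on disk for an antivirus signature to match.
EVENTS = [
    ProcEvent("fileserver-01", "CORP\\jsmith", "explorer.exe", "notepad.exe",
              "notepad.exe report.txt"),
    ProcEvent("fileserver-01", "CORP\\it-admin", "cmd.exe", "netsh.exe",
              "netsh interface show interface"),
    ProcEvent("web-edge-02", "IIS APPPOOL\\site", "w3wp.exe", "cmd.exe",
              "cmd.exe /c wmic process list brief"),
    ProcEvent("web-edge-02", "IIS APPPOOL\\site", "cmd.exe", "wmic.exe",
              "wmic process list brief"),
    ProcEvent("dc-01", "CORP\\jsmith", "cmd.exe", "netsh.exe",
              "netsh interface show interface"),
]

# Signature-style detection: a denylist of known malicious file names
# (constructed). Built-in tools never appear here, which is the whole point.
KNOWN_MALWARE_IMAGES = {"evil_dropper.exe", "ratclient.exe"}

# Behavioural baseline (hypothetical for this example). In practice these
# sets come from what the organisation's own telemetry shows as normal.
ADMIN_TOOLS = {"netsh.exe", "wmic.exe", "net.exe", "nltest.exe", "reg.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
SERVER_WORKERS = {"w3wp.exe", "httpd.exe"}   # web-server worker processes
ADMIN_ACCOUNTS = {"CORP\\it-admin"}          # accounts expected to run admin tools


def signature_matches(events):
    """Return events whose image is on the malware denylist."""
    return [e for e in events if e.image.lower() in KNOWN_MALWARE_IMAGES]


def behavioral_flags(events):
    """Return (event, reason) pairs for built-in tools used out of context.

    Two simple rules stand in for a real baseline:
      A. a shell or admin tool started by a web-server worker process;
      B. an admin tool run under an account not in the admin baseline.
    """
    flags = []
    for e in events:
        image, parent = e.image.lower(), e.parent.lower()
        if parent in SERVER_WORKERS and image in SHELLS | ADMIN_TOOLS:
            flags.append((e, f"{e.image} spawned by web worker {e.parent}"))
        elif image in ADMIN_TOOLS and e.user not in ADMIN_ACCOUNTS:
            flags.append((e, f"{e.image} run by non-admin account {e.user}"))
    return flags


if __name__ == "__main__":
    print("signature hits:", len(signature_matches(EVENTS)))   # 0
    for e, why in behavioral_flags(EVENTS):
        print(f"{e.host}: {why}  [{e.cmdline}]")
```

The signature pass returns nothing, while the behavioural pass flags three of the five events: a command shell launched by a web-server worker, and two administrative tools run under accounts outside the baseline. The design point is that with no custom malware to fingerprint, detection has to rest on context (parent process, account, host role) rather than on what was executed, which is exactly why the advisory’s guidance is long and why tuning such a baseline is organisation-specific work.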

“We issued this guidance to help the owners and operators of some of this critical infrastructure detect and evict these actors,” he continued. “We have worked with more than a dozen companies, FBI, CISA, and our Five Eyes partners to come together to chase and eradicate this threat. In doing so, we have motivated and empowered governments to take more action against this activity across a number of different countries.”