
Chinese Cyber Activities Against Critical Infrastructure Raises the Stakes in U.S.-China Relations

On May 24, 2023, the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), together with its Five Eyes partners, issued advisories on a “cluster of activity” linked to China that has been targeting networks across U.S. critical infrastructure sectors and Guam.  Dubbed VOLT TYPHOON, the activity has been occurring since at least 2021 according to Microsoft, which appears to have been at the forefront of reporting it to the U.S. government and, per its May 24 release, has since notified affected private sector organizations of the threat.  Activity exhibited during the campaign indicated that the actors focused on sustained cyber espionage rather than more disruptive attacks, and targeted organizations in the communications, construction, education, government, information technology, manufacturing, maritime, transportation, and utility sectors.  After gaining initial access, the actors stole credentials in order to try to gain entry into other systems.

While there is nothing new about Chinese cyber espionage, how the actors went about this particular campaign bears noting because of the surreptitious manner in which it has been executed.  Referred to as “living off the land,” the approach relies on hands-on-keyboard activity and the use of legitimate tools already present on the victim’s systems to maintain a stealthy presence on compromised machines.  This fileless technique is considered the next progression of attack: hostile actors perform their activities manually in order to increase stealth and avoid detection, since many security solutions have become adept at detecting malicious executables and identifying file activity during post-intrusion analysis.  Instead of dropping malware, these actors used the command line to collect data, prepare it for exfiltration, and use stolen credentials to maintain their presence on the network.  To further obfuscate operations, the attackers tried to blend their work into normal network activity, for example by routing traffic through compromised network equipment to stay under defenders’ radar.
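Because living-off-the-land activity produces no malicious binary to hash or scan, detection has to lean on behaviour: which native tools ran, what spawned them, and how unusual the command is across the fleet.  The following is an added illustration written for this article, not code from the article, Microsoft, CISA, or any vendor.  The event format, host names, user names, and command lines are all constructed to resemble process-creation telemetry (the fields found in Sysmon Event ID 1 or Windows Security event 4688); the directory watchlist, scoring weights, and thresholds are assumptions a defender would tune to their own environment.

```python
"""Fleet-baseline detector for living-off-the-land (LOTL) activity.

Added example, not the article's or any vendor's code. Sample events
below are constructed; field names mimic process-creation telemetry.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Assumed watchlist: native Windows tool directories. LOTL activity leans on
# these because the binaries are already present and rarely blocked.
NATIVE_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Parents that indicate an operator typing commands rather than a service.
INTERACTIVE_PARENTS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Directories commonly used to stage data before exfiltration (assumption).
STAGING_DIRS = ("\\temp\\", "\\programdata\\", "\\public\\")


@dataclass(frozen=True)
class ProcEvent:
    host: str
    user: str
    parent_image: str
    image: str
    command_line: str


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def normalize(cmdline: str) -> str:
    """Collapse volatile tokens so the same action on different hosts maps to
    one pattern: GUIDs, UNC hosts, directories and numbers become placeholders,
    while the binary name and switches are kept."""
    s = cmdline.lower()
    s = re.sub(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", "<guid>", s)
    s = re.sub(r"\\\\[\w.-]+", r"\\\\<host>", s)                       # \\server -> \\<host>
    s = re.sub(r'[a-z]:\\(?:[^\s"\\]+\\)*([^\s"\\]+)', r"<dir>\\\1", s)  # keep file name only
    s = re.sub(r"\d+", "<n>", s)
    return re.sub(r"\s+", " ", s).strip()


def is_native_binary(image: str) -> bool:
    return image.lower().startswith(NATIVE_DIRS)


def build_baseline(events):
    """Map each normalized command pattern to the set of hosts that ran it."""
    seen = defaultdict(set)
    for e in events:
        seen[normalize(e.command_line)].add(e.host)
    return seen


def score_event(e, baseline, rare_host_threshold=1):
    """Return (score, reasons). Points accrue for behaviour, not for a fixed
    list of bad command strings, so novel LOTL patterns are still scored."""
    score, reasons = 0, []
    if is_native_binary(e.image):
        score += 1
        reasons.append("native system binary")
    if basename(e.parent_image) in INTERACTIVE_PARENTS:
        score += 1
        reasons.append("spawned from an interactive shell (hands-on-keyboard)")
    hosts = baseline[normalize(e.command_line)]
    if len(hosts) <= rare_host_threshold:
        score += 2
        reasons.append(f"command pattern seen on only {len(hosts)} host(s) fleet-wide")
    if any(d in e.command_line.lower() for d in STAGING_DIRS):
        score += 1
        reasons.append("touches a staging-friendly directory")
    return score, reasons


def detect(events, min_score=4):
    """Score every event against the fleet baseline; return those at/above min_score."""
    baseline = build_baseline(events)
    return [(e, s, r) for e in events for s, r in [score_event(e, baseline)] if s >= min_score]


# Constructed sample telemetry: five hosts running a routine admin command
# (suppressed by the baseline), one service-launched process, and one host
# whose interactive session runs rare native-tool commands.
SAMPLE_EVENTS = [
    ProcEvent(f"ws-{i:02d}", "helpdesk", "C:\\Windows\\System32\\cmd.exe",
              "C:\\Windows\\System32\\ipconfig.exe",
              "C:\\Windows\\System32\\ipconfig.exe /all") for i in range(1, 6)
] + [
    ProcEvent("ws-03", "SYSTEM", "C:\\Windows\\System32\\services.exe",
              "C:\\Windows\\System32\\svchost.exe",
              "C:\\Windows\\System32\\svchost.exe -k netsvcs"),
    ProcEvent("ws-07", "jdoe", "C:\\Windows\\System32\\cmd.exe",
              "C:\\Windows\\System32\\tar.exe",
              "C:\\Windows\\System32\\tar.exe -cf C:\\Windows\\Temp\\out.tar \\\\fileserver\\finance"),
    ProcEvent("ws-07", "jdoe", "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
              "C:\\Windows\\System32\\netsh.exe",
              "C:\\Windows\\System32\\netsh.exe interface show interface"),
]

if __name__ == "__main__":
    for event, score, reasons in detect(SAMPLE_EVENTS):
        print(f"[{score}] {event.host} {event.user}: {event.command_line}")
        for reason in reasons:
            print(f"      - {reason}")
```

The point of the design is that the routine `ipconfig /all` run on five hosts scores low even though it is a native binary launched from a shell, while the same structural signals on a single host, combined with fleet rarity and a staging directory, cross the alert threshold.  In practice the baseline would be built from weeks of telemetry rather than from the events being scored, and the weights would be tuned against the organisation’s own administrative habits.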

The timing of this release comes when China-United States relations are at worrisome lows.  At the G7 in Japan, the United States and other leaders cited China’s “economic coercion” and suggested that they would “de-risk” from China as much as possible, a term Beijing has interpreted as economic “containment.”  Shortly after the G7, Beijing banned U.S. chip maker Micron’s products for sale to China’s critical information infrastructure operators due to cybersecurity concerns.  The ban could impact Micron’s sales revenue by 10 percent if the company loses Chinese customers that use its advanced memory chip.  The move is the latest escalation in the tech war festering between the world’s two largest economies.  Beijing and Washington commerce officials will meet at the end of May in an effort to soften economic and trade concerns before they spike any further.

Running parallel to tech rivalries is the ongoing public disclosure of one another’s cyber malfeasance.  The United States continues to assert China’s position as a pervasive global cyber threat, and has leveraged private sector IT company and cybersecurity vendor reporting, as well as the DHS, to publicly provide alerts and warnings of activities the U.S. government has attributed to Chinese state actors.  Beijing, in turn, has fought back, exposing similar cyber spying campaigns that Chinese private sector companies have attributed to U.S. intelligence activities and capitalizing on leaked classified documents revealing U.S. spying to portray Washington as an unreliable ally.  Almost mirroring the United States, China recently released a joint report from China’s National Computer Virus Emergency Response Centre (CVERC) and cybersecurity firm 360 that accused the Central Intelligence Agency of “aggressively” hacking China and other countries with the intent of sowing internal discord for the purposes of effecting political change and installing “more friendly” governments.

Still, the timing of the DHS and Five Eyes advisory is curious.  Ostensibly, Microsoft uncovered the activity and reported it to the DHS, though the report does not say when this might have transpired.  Given the close public-private cooperation between Microsoft and the government, it would make sense that this information was shared as soon as Microsoft detected it, considering it was targeting critical infrastructure organizations, and specifically the communications infrastructure in Guam and other parts of the United States.  Stakeholders could have been notified directly while U.S. intelligence continued to monitor an operation reminiscent in sophistication of the SolarWinds compromise, both for collection purposes and to study this new tactic, technique, and procedure.  This would have sidestepped the need to burn the monitoring while still giving private sector stakeholders proper notice of the activity, along with the relevant defensive practices and indicators of compromise needed to mitigate the threat.  Beijing has since criticized the reporting, citing the lack of attribution evidence tying the activity to any Chinese state entity or individual, and calling the Five Eyes advisory a collective disinformation campaign.

Of course, there are several reasonable explanations why the advisory went out when it did.  One reason might be that all relevant intelligence that could be collected had been collected, thereby allowing the activity to be disclosed as widely as possible.  Another is that the potential threat of the activity was so extensive and potentially severe that it made immediate public exposure necessary.  A third explanation is that the U.S. is attempting to continue to rally global pressure against China’s ongoing cyber infractions, with the added benefit of retaliating for Beijing’s Micron chip ban.  While all could be possible, the latter seems to be the tactic that makes most sense in trying to engage China from a position of strength and get Beijing back to the negotiating table in an effort to thaw relations.

While the United States continues to make public accusations of China’s cyber malpractice and rally countries to condemn Chinese cyber spying, public condemnation seems to be the line Washington stops short of crossing.  Despite all of the government and vendor reports, there doesn’t appear to be an appetite for levying strict sanctions for decades of intellectual property theft and other alleged Chinese cyber transgressions.  Despite Biden blaming China for hacking Microsoft, resulting in the compromise of thousands of computers worldwide, and charging four individuals, the White House held off on sanctioning Beijing, a curious move given that prior Administrations had levied cyber sanctions against governments for similar activities.  While Washington has imposed sanctions on Chinese companies and individuals for a variety of other reasons (e.g., human rights, PRC military modernization programs, currency manipulation, supporting Russia’s activities in Ukraine, and restrictions on China’s semiconductor industry), the United States has preferred to indict Chinese cyber actors rather than sanction them or their affiliated organizations.  According to one U.S. think tank, between 2011 and 2021 the Department of Justice indicted more than 25 Chinese nationals, including state actors, for various cyber-enabled activities, while the Department of the Treasury hadn’t sanctioned any Chinese national or entity for similar activities on behalf of Beijing.

Therefore, in this context, it seems that the Microsoft report and government advisories are attempts to apply pressure on China, not so much to curb its activities or alter its cyber behavior as to bring Beijing back to the negotiating table, only from a position of strength.  Recently, the commander of U.S. Cyber Command announced that he would be stepping down from his role, but not before he articulated the strategic priorities of CYBERCOM, which included improving readiness and strengthening warfighting advantages.  On top of that, the United States just updated its Department of Defense cyber strategy, which operationalizes the objectives for cyberspace set forth in the 2022 National Defense Strategy.  The message is clear: hunt forward operations against any state and/or nonstate adversary are an option for the United States should it deem them in its security interests, and the type of critical infrastructure compromise attributed to China would certainly fit within that criterion.

The United States hasn’t retaliated as of yet, an indication of Washington’s desire to improve relations with China and avoid conflict.  This is what is likely keeping a response to VOLT TYPHOON on the back burner for now, particularly with Beijing recently rejecting offers of a meeting between U.S. and Chinese defense officials.  The situation is exacerbated by the recent departure of senior U.S. government China officials, including the State Department’s top China policy official, who stepped down days before China’s new U.S. ambassador takes up his post in Washington.  Any retribution could further set back hopes of stabilizing the fragile relationship, particularly as new appointees fill the vacant roles to carry out Biden’s China policy, making it unlikely that Washington will implement a defend-forward type of punishment against China for VOLT TYPHOON.  This certainly works in China’s favor: the longer it takes Washington to achieve a diplomatic and economic reset, the longer Beijing is able to avoid meaningful concessions and negotiate terms in its favor.

Emilio Iasiello

About the Author

Emilio Iasiello

Emilio Iasiello has nearly 20 years’ experience as a strategic cyber intelligence analyst, supporting US government civilian and military intelligence organizations, as well as the private sector. He has delivered cyber threat presentations to domestic and international audiences and has published extensively in such peer-reviewed journals as Parameters, Journal of Strategic Security, the Georgetown Journal of International Affairs, and the Cyber Defense Review, among others. All comments and opinions expressed are solely his own.