Topic(s)

Security

Author(s)

Jason Albuquerque

To read this article and get more critically important news and information, check out our other security-focused posts and subscribe to Providence Business News on their website, www.pbn.com


China is a global superpower that is refining its digital warfare strategy with terrifying precision. And the threats are getting worse given the geopolitical climate. 

Traditionally, Chinese state actors have conducted cyber espionage with a heavy focus on intellectual property theft. The most advanced Chinese threat groups are now pivoting beyond data exfiltration alone. They are waging a quiet, methodical infiltration and pre-positioning within our critical infrastructure – cyber activity intended for disruption rather than theft.

Consider operations such as energy grids, water treatment facilities, communication systems, transportation networks and more – core functions that keep society humming along. This is about locking in the ability to “flip a switch” and hit society where it hurts the most, potentially during a geopolitical crisis or conflict. It’s a quiet, deceptive preparation for a potential cyber storm.

The leading example is the group dubbed Volt Typhoon. Multiple federal agencies and international partners have sounded the alarm over the past year. U.S. agencies and their “Five Eyes” partners (Australia, Canada, New Zealand, and the United Kingdom) have warned that Volt Typhoon threat actors have successfully compromised information technology environments across multiple critical infrastructure sectors in the U.S., including communications, energy, transportation systems and water/wastewater systems. The warnings have stressed that the group’s choice of targets and behaviors are not consistent with traditional tactics. Early this year, the FBI reiterated its assessment of China’s pre-positioning for disruptive attacks. The sheer scale of the Chinese hacking program dwarfs that of other major nations combined.

The Wall Street Journal reported that a meeting between U.S. and Chinese officials took place in December, which involved members of the outgoing administration. It was reported that the remarks made by Chinese officials were “indirect and somewhat ambiguous” but were interpreted as an acknowledgement that the cyberattacks attributed to Volt Typhoon were conducted in response to U.S. support for Taiwan.


From my perspective, it is concerning how these cyber threat actors operate. Instead of deploying custom software, ransomware or other malware, Volt Typhoon leverages the legitimate, built-in network administration tools and credentials already present in the target IT environment. These are the same tools that your own IT staff or support providers use daily.

These threat actors gain access, often by exploiting vulnerabilities in public-facing technologies – particularly targeting devices at the network edge, including home office environments that might be less diligently managed but still connect to larger corporate systems. Once inside, they use valid credentials, often stolen or cracked, to move around the network seamlessly.

Again, many business leaders assume that because they run a manufacturing plant, a retail chain or a financial services firm, and not a power company, they are not a target. But while critical infrastructure is a primary focus, the techniques used are equally effective against any organization. Businesses that are third-party and fourth-party suppliers to critical infrastructure are extremely attractive targets, serving as a stepping stone into the ultimate target’s network.

The motivation behind the Chinese cyberthreats is ultimately economic destabilization. Widespread disruption of essential services would certainly lead to significant turmoil, impacting markets, consumer confidence and business stability.

Let’s not forget that every business relies on critical infrastructure. What happens to your operations if the power grid goes down? How do you process payments or communicate with customers if communication networks fail?

These bad actors employ cutting-edge stealthy intrusion tactics. Understanding and defending against these tactics is vital.

I am not trying to unnecessarily promote fear. By writing about Chinese state-sponsored cyber activity – and about Russian cyber activity in the previous column – I want to highlight the importance of organizational preparedness. This isn’t just an IT problem; it’s a fundamental business continuity and risk management challenge. These threats are sophisticated, stealthy, opportunistic and patient. Our defense must be vigilant, layered and proactive.