The 'Volt Typhoon' cyber campaign, which is suspected to be backed by China, has been targeting critical infrastructure organizations in Guam, bringing to light the possibility of America's geopolitical adversaries launching disruptive cyberattacks against key communications and operational technologies. The campaign, reported by Microsoft, focuses on organizations in various critical sectors such as communications, government, utility, manufacturing, and maritime. Initially, the main objective of Volt Typhoon appears to be cyber espionage. However, the targeting of Guam, a strategic base for defending Taiwan against potential Chinese annexation, and other evidence examined by Microsoft, suggests that the threat actor is also preparing for attacks that could disrupt US-Asia communications in a kinetic conflict.
According to Dick O'Brien, principal intelligence analyst at Symantec Threat Hunter Team, there has been an increase in Chinese cyber activity directed against US targets over the past 12 months, likely due to geopolitical tensions surrounding the Taiwan issue. He notes, "We think the one named US location (Guam) is significant as Chinese actors are very heavily focused on Taiwan right now, and Guam may be part of that focus." The preparations for disruptive attacks observed by Microsoft mark a significant departure from most cyberattacks by Chinese groups over the past two decades, which have mainly focused on stealing trade secrets and intellectual property from the US and other countries to support China's strategic goals around self-reliance.
A survey by the Center for Strategic and International Studies found 224 reported instances of Chinese espionage targeting US organizations, with 46% involving cyber-enabled espionage. Notable examples include the April 2005 campaign targeting NASA's Space Shuttle Discovery program, the 2005 Titan Rain operation aimed at stealing US military and defense secrets, and the 2010 Aurora campaign that affected Google and other major technology companies. More recently, Chinese hackers stole data on a US supersonic anti-ship missile in 2018, targeted General Electric jet engine turbines in 2019, and attempted to steal US research related to the coronavirus vaccine in May 2020. In 49% of these instances, the CSIS identified the actor and intent as involving Chinese government and military operatives.
Although China has not yet demonstrated the ability to disrupt critical infrastructure, many experts believe it is capable of doing so. John Hultquist, chief analyst at Mandiant Intelligence – Google Cloud, states, "Critical infrastructure can be disrupted with capabilities such as ransomware, though some countries, like China, are likely to have access to the ability to attack operational technology (OT) systems." China-backed threat actors are currently the most active among nation-state groups, particularly in conducting cyber espionage. Data from Mandiant shows that in 2022, Chinese cyber espionage groups exploited seven zero-day flaws in various campaigns, including CVE-2022-30190 (aka Follina) and CVE-2022-42475 against FortiOS systems. These groups have also targeted network and edge devices from companies such as Fortinet, Pulse, Netgear, Citrix, and Cisco.
In recent campaigns like Volt Typhoon, China-backed groups have shown a preference for using legitimate and dual-use tools to conduct post-compromise reconnaissance and lateral movement and to maintain persistence. Craig Jones, vice president of security operations at Ontinue, says, "One of their favorite mediums is launching and staging attacks from network edge devices." These groups are proficient in infiltrating targeted networks, maintaining persistent access, and operating covertly within compromised systems.
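The living-off-the-land pattern described above, as an added example that is not from the article, Microsoft, or any of the quoted vendors: a toy Python detector that flags a host launching several distinct dual-use Windows administration tools within a short window, which is rare for one routine admin session but characteristic of hands-on-keyboard reconnaissance. The watchlist, the log format and the log lines are assumptions constructed for the example.

```python
# Added example, not from the article or Microsoft's report: a toy detector for
# living-off-the-land activity. It groups constructed process-creation events by
# host and alerts when one host runs several distinct dual-use admin tools quickly.
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed watchlist: legitimate Windows admin binaries that are also abused for
# reconnaissance, lateral movement and persistence. Tune to your environment.
DUAL_USE_TOOLS = {"netsh.exe", "wmic.exe", "ntdsutil.exe", "nltest.exe",
                  "schtasks.exe", "powershell.exe", "net.exe"}

# Constructed sample log, "timestamp|host|user|image" per line (not real telemetry).
SAMPLE_LOG = """\
2023-05-24T01:02:10|WS-014|jdoe|C:\\Windows\\System32\\notepad.exe
2023-05-24T01:03:00|WS-014|jdoe|C:\\Windows\\System32\\netsh.exe
2023-05-24T01:03:40|WS-014|jdoe|C:\\Windows\\System32\\wmic.exe
2023-05-24T01:04:05|WS-014|jdoe|C:\\Windows\\System32\\nltest.exe
2023-05-24T01:05:30|WS-014|jdoe|C:\\Windows\\System32\\ntdsutil.exe
2023-05-24T09:15:00|SRV-02|admin|C:\\Windows\\System32\\schtasks.exe
2023-05-24T15:40:00|SRV-02|admin|C:\\Windows\\System32\\net.exe
"""

def parse_events(text):
    """Yield (timestamp, host, user, image basename) for each non-empty log line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, image = line.split("|", 3)
        yield datetime.fromisoformat(ts), host, user, image.rsplit("\\", 1)[-1].lower()

def detect_lol_clusters(text, window_minutes=10, min_tools=3):
    """Return {host: sorted tools} for hosts that ran >= min_tools distinct dual-use
    tools within any window_minutes-long span (sliding window per host)."""
    window = timedelta(minutes=window_minutes)
    per_host = defaultdict(list)
    for ts, host, _user, name in parse_events(text):
        if name in DUAL_USE_TOOLS:          # ignore everything off the watchlist
            per_host[host].append((ts, name))
    alerts = {}
    for host, events in per_host.items():
        events.sort()                       # chronological order per host
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1                  # slide the window's left edge forward
            seen = {n for _t, n in events[start:end + 1]}
            if len(seen) >= min_tools:
                alerts[host] = sorted(seen)  # last qualifying window wins
    return alerts
```

In the sample, WS-014 trips the rule (four distinct tools in under three minutes) while SRV-02's two scheduled-task and net commands hours apart do not; raise the window or lower the threshold to see the trade-off against false positives.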