    Major Chinese hacking group ‘active to this day’ despite US efforts to stop them

    By Maggie Miller,

    13 hours ago
    U.S. federal agencies and critical infrastructure companies have been racing to seal off key computer networks — like those undergirding power grids — from the Volt Typhoon hackers. | Joe Raedle/Getty Images

    LAS VEGAS — The Biden administration has gone all out this year to warn China to back off its hacking campaigns on U.S. computer networks. China doesn’t appear to be listening.

    While the U.S. usually is reticent to discuss cyberattacks or even directly assign blame to nation-states for hacks, it has been notably public in its censure of China since a Chinese-government-linked hacking group called Volt Typhoon was disclosed to be inside U.S. networks last year.

    At the same time, U.S. federal agencies and critical infrastructure companies have been racing to seal off key computer networks — like those undergirding power grids and transportation hubs — from the Volt Typhoon hackers.

    Cybersecurity experts working in the trenches, who are gathered in Las Vegas this week for the two largest hacking conferences of the year, say this massive effort to curb the attacks hasn’t made a dent.

    “Volt Typhoon is active to this day,” Sherrod DeGrippo, director of threat intelligence strategy at Microsoft, said on the sidelines of the BlackHat conference. “Have they stopped? Absolutely not. Will they stop? Doubt it.”

    That’s particularly worrying to the Biden administration given indications that China is readying itself to use cyberattacks against the U.S. if it ever decides to invade Taiwan, goes to war with the Philippines or if China feels the U.S. is sharply ramping up its military assistance to the self-governing island.

    Over the past year, federal agencies including the Cybersecurity and Infrastructure Security Agency, the National Security Agency, the FBI and cyber agencies in allied nations have been increasingly vocal about the threat the Chinese group poses. This has included putting out security alerts, allowing top agency officials to speak openly about where the hackers have been found, bringing up the issue with China directly during recent visits and declassifying targeting details in a way that is rare for the typically tight-lipped security agencies.

    Microsoft was among the first to flag the group publicly last year and put out a report detailing how the Volt Typhoon hackers had burrowed into the networks of critical organizations in the U.S. territory of Guam, key for deploying troops in the event of a war with China. This was on top of compromises found in organizations involved in everything from construction to maritime operations.

    “Generally, there has not been a change in the targeting at all,” DeGrippo said. “I would say we’re about the same volume, but what the story is there to me … is actually the consistency and the persistence. We don’t see big changes there.”

    Alex Stamos, chief information security officer of cyber group SentinelOne and former chief security officer at Meta, agreed with this take, noting this week that the Biden administration’s efforts have not moved the needle on deterring China.

    “The fact that it does not deter them does scare me,” Stamos said.


    Jen Easterly testifies before a House committee on Capitol Hill on Jan. 31, 2024, in Washington, D.C. | Kevin Dietsch/Getty Images

    Cybersecurity officials are keeping up the pressure campaign.

    “I don’t think we have seen material changes yet, but as I’ve said, what we’ve found to date across multiple sectors is likely just the tip of the iceberg, and there is we believe much we are not seeing,” CISA Director Jen Easterly told reporters at the BlackHat conference Wednesday.

    “We are really clear that we are not comfortable with the direction of travel of the Chinese state in cyber,” Felicity Oswald, CEO of the United Kingdom’s National Cyber Security Centre, said at the same event. “That’s a significant worry for us.”

    One reason U.S. officials are betting on being able to shame or threaten China into backing off: It’s all that they’ve got.

    It has been very difficult — and expensive — for companies targeted by Volt Typhoon hackers to spot the intrusion. The group’s goal is to infiltrate a network and maintain access in order to disrupt operations in the event of a conflict, not to steal data or carry out other types of attacks that are easier to spot.

    “This is an access operation. … They are intentionally being very quiet, it is very hard to catch them,” Stamos said. “It means you have to turn your sensitivity way up, because what is considered malicious here is something that is much more subtle.”

    Still, the U.S. effort has put China on notice that the U.S. is aware of its activities, and experts say that the private sector is far more aware of the problem and is upping security as a result.

    “We all know, they know we know, they know we know they know, everybody knows what’s going on,” Stamos said. “For those of us in the cyber world, it means that it is our responsibility to be ready for them.”

    The U.S. does, however, have other tools. It is viewed by experts as being the most advanced nation in cyberspace, and the U.S. regularly conducts offensive cyber operations against other countries. While few such efforts are public, examples include the Stuxnet computer worm used by the U.S. and Israel to disable Iran’s nuclear program around 15 years ago, and a U.S. operation to stymie Russia’s Internet Research Agency troll farm from spreading disinformation to interfere in the 2018 U.S. midterm elections.

    Chinese officials have repeatedly accused the U.S. of carrying out cyberattacks itself and of “smearing” China. Liu Pengyu, spokesperson for the Chinese Embassy in Washington, D.C., told POLITICO earlier this year that Volt Typhoon is a “ransomware cybercriminal group” — i.e. not affiliated with the Chinese government.

    It’s not a claim that sits well with top industry experts, even as they acknowledge that the U.S. is not innocent in the cyber arena.

    “Do I think our foreign-nation adversaries have access to our critical infrastructure? Yeah. But I think we have it on theirs as well,” Etay Maor, chief security strategist at Cato Networks, said during a break from panels at BlackHat. “I kind of look at it as like nukes, you don’t want one side to use it and then get the other one to use it because there will be complete chaos.”

    China’s just playing the “great game” involved in espionage operations, argued Mick Baccio, former chief information security officer of the 2020 presidential campaign of Transportation Secretary Pete Buttigieg and current global security adviser at Splunk.

    “The problem is you’re trying to evict someone from your house that is using all the same things you use to evict them,” Baccio said.

    If China ever decides to put Volt Typhoon’s access to key networks into action, the impact would be devastating. A recent massive global outage due to a flawed update from CrowdStrike to customers using Microsoft Windows software caused flights to be grounded across the U.S., and delayed care at hospitals.

    While the CrowdStrike outage was due to a technical error and not a cyberattack, officials and experts alike say it was a chilling look at what Volt Typhoon and other Chinese hacking groups are capable of undertaking.

    “The Chinese would love to be that successful on day one — of the invasion of Taiwan, of disrupting the ability of the United States to respond to an invasion,” Stamos said. “I think we got a bit of a dress rehearsal on what the start of World War III would look like.”
