The new front in China’s cyber campaign against America
Big powers are preparing for wartime sabotage
THE ISLAND of Guam, a tiny American territory that lies more than 6,000km west of Hawaii, has long known that it would take a battering in any Sino-American war. The island’s expanding airfields and ports serve as springboards for American ships, subs and bombers. In the opening hours of a conflict, these would be subject to wave after wave of Chinese missiles. But an advance party of attackers seems to have lurked quietly within Guam’s infrastructure for years. In mid-2021 a Chinese hacking group—later dubbed Volt Typhoon—burrowed deep inside the island’s communication systems. The intrusions had no obvious utility for espionage. They were intended, as America’s government would later conclude, for “disruptive or destructive cyber-attacks against…critical infrastructure in the event of a major crisis or conflict”. Sabotage, in short.
For many years, Sino-American skirmishing in the cyber domain was largely about stealing secrets. In 2013 Edward Snowden, a contractor, revealed that the National Security Agency (nsa), America’s signals-intelligence agency, had targeted Chinese mobile-phone firms, universities and undersea cables. China, in turn, has spent decades stealing vast quantities of intellectual property from American firms, a process that Keith Alexander, then head of the NSA, once called the “greatest transfer of wealth in history”. In recent years this dynamic has changed. Chinese cyber-espionage has continued, but its operations have also grown more ambitious and aggressive. Russia, too, has intensified its cyber-activities in Ukraine, with Russia-linked groups also targeting water facilities in Europe. These campaigns hint at a new era of wartime cyber-sabotage.
The Volt Typhoon intrusions that came to light last year, initially thanks to reporting by Microsoft, a tech giant, were not confined to Guam. Around three years ago, says an American official, “we just started finding odd things across critical infrastructure in the United States”. It turned out, as America’s Cybersecurity and Infrastructure Security Agency (CISA) would announce in February, that the Chinese attackers had compromised critical national assets across the “continental and non-continental United States”. That included communications and energy installations, as well as transport and water facilities. Notably, the targets were not the largest and most prominent pieces of infrastructure, but a “broad swathe” of small and medium-sized companies whose disruption would have outsized effects.
Some targets, like airports, had potential value for spying—it can be useful to track people in transit—but others did not. “We couldn’t see any espionage value in a water system or pipeline,” says the official. The point, CISA concluded, was rather to move within those networks to find “operational technology”, the interface between a computer network and a physical system—think of the software which controls a water pump or an electrical substation—and then to disrupt it.
Blazing keyboards
China would have a “pretty high bar” for taking down such things, noted Rob Joyce, then a senior NSA official, when reflecting on the intrusions in March. Crippling American power, water and transport in peacetime would be an obvious act of war. But imagine that a war had already started, or was about to do so. “It is Chinese military doctrine to attempt to induce societal panic in their adversary,” argued Jen Easterly, CISA’s director, in January. She pointed to unrest in May 2021 after Russian criminal hackers attacked an American pipeline operator, disrupting gas flows to the east coast for several days.
“Now imagine that on a massive scale,” warned Ms Easterly. “Imagine not one pipeline, but many pipelines disrupted. Telecommunications going down so people can’t use their cell phone. People start getting sick from polluted water, trains get derailed, air-traffic control [and] port control systems are malfunctioning.” China, she added, believed that such attacks would “crush American will” to defend Taiwan. Other American officials say that the aim is also to disrupt the movement of American troops and supplies to Asia.
The idea of penetrating critical infrastructure by cyber-means with a view to sabotaging it in wartime is not new. The American-Israeli “Stuxnet” attack which disrupted an Iranian nuclear facility in the late 2000s showed what was possible, as did Russian sabotage of Ukraine’s power grid in 2015 and 2016. China poked around American oil and gas companies as early as 2011. In 2012 researchers warned that Russian hackers had targeted over 1,000 organisations in more than 84 countries, including the industrial control systems of wind turbines and gas plants.
Stormy weather
Volt Typhoon appears to be different. For one thing it is broader in scope. “[It] appears to be the first systematic preparatory campaign that would lay the foundations for widespread disruption,” says Ciaran Martin, who once ran Britain’s cyber-security agency. But it has also unfolded at a moment when war between America and China feels closer, and war in Europe is palpable. The GRU, Russia’s military intelligence agency, has conducted relentless cyber-attacks on Ukraine’s infrastructure. Only a huge defensive effort, enabled by Western companies and allies, has protected Ukraine from the worst of that.
The Chinese and Russian campaigns also break with the past in another way. Traditional cyber-attacks would be associated with a distinctive signature, such as a particular sort of malware or a suspect server. These could be spotted by a diligent defender. Both Volt Typhoon and the GRU have used stealthier methods. By directing attacks through ordinary routers, firewalls and other equipment used in homes and offices, they have made the connection look legitimate. One Chinese network alone used 60,000 compromised routers, says a person familiar with the episode. It was one of dozens of such networks. Both groups have also used “living-off-the-land” techniques in which attackers repurpose the standard features of software, making them harder to spot. In some cases, the GRU has maintained access to Ukrainian networks for years, waiting patiently for the right moment to strike.
All of this has made Volt Typhoon “incredibly challenging” to hunt down, says John Hultquist of Mandiant, a cyber-security company that is part of Google. In response, America has gone after the hackers’ tools and infrastructure. In December the FBI disrupted hundreds of ageing routers built by Cisco and Netgear, a pair of American firms, which were being used by Volt Typhoon to stage attacks. The following month it did the same to hundreds of routers that were being used by the GRU.
America and its allies also want better defences in critical sectors. That would be important enough without Chinese skulduggery. In recent years, Russia-based cyber-criminals have wrought havoc with ransomware attacks against vital sectors in Western countries. An attack on hospitals in London this month has left Britain’s National Health Service reeling. Meanwhile, America has now imposed cyber-security standards on pipelines, aviation and railways. But similar measures for the water sector were rescinded in October after Republican states sued the government. Three months were also lost squabbling over whether railway signalling should count as critical infrastructure. The result is chronic cyber-insecurity.
The larger question is whether hostile cyber-operations can be deterred—and, if so, which ones. In recent years the term “cyber-attack” has come to encompass virtually all manner of hostile activity inside computer networks. The problem is that this conflates routine intelligence-gathering, industrial espionage, information operations and disinformation campaigns, pre-war manoeuvring inside critical infrastructure (like Volt Typhoon) and peacetime destruction such as Stuxnet.
Western governments have long sought to create international norms of behaviour that would put some of these activities off limits. But that effort has been unsuccessful and mired in confusion. American officials, for instance, tend to distinguish political espionage from the commercial sort. Stealing secrets to aid policy is fine; doing so to boost profits of local companies is not. In practice, not even America’s own allies all agree on this; French spies have been notorious for commercial espionage.
In 2019 Paul Nakasone, then head of the NSA, offered another red line: “Nations should not seek to exploit the personally identifiable information of other nations.” This referred to China’s theft of large datasets with information on government employees and ordinary citizens. But this, too, is a grey area. When Chinese hackers stole a huge trove of American security-clearance records, Michael Hayden, a former NSA and CIA chief, was phlegmatic. “To grab the equivalent in the Chinese system, I would not have thought twice,” he declared. It was “honourable espionage work,” he added. “All countries do it, including our own.”
A taboo against sabotage would appear to be more straightforward. It is not. “Pre-positioning is not counter to norms,” acknowledges the American official, “until you do something.” Even then, many types of sabotage are permissible under the laws that govern armed conflict. America bombed Iraq’s power grid in 1991 and 2003 and Serbia’s in 1999; delivering the same effects via code is neither inherently better nor worse. Unsurprisingly, there are indications that America has poked around its enemies’ infrastructure. Under the Obama administration the NSA prepared to disable Iran’s communication and electrical systems in the event of a clash. And in 2019 the New York Times reported that America had been placing “implants” in Russia’s power grid since 2012.
Cyber norms remain blurry. The laws of war forbid attacks—physical or digital—intended solely to cause panic. But there can be legitimate military reasons, once a conflict begins, to disrupt civilian phone networks and ports that serve American troops. The Pentagon’s hackers would retort that their own forays into Russian and Chinese infrastructure are more judicious than the sprawling intrusions by Volt Typhoon and more responsible than the GRU’s reckless attacks on water plants. Much depends on how a country chooses to use its access to a network. The point is that both good and bad sabotage may require peacetime intrusions. “The reality is that we have to fight the next cyber war now,” says Mr Hultquist. “When the actual war comes along, it’s too late to do that. This is the initial skirmish.” ■
This article appeared in the International section of the print edition under the headline “Ghosts in the machines”