China-linked hackers targeting key sectors of the U.S. economy appear to have been hiding in key computer systems and networks for at least five years, according to a new warning from the United States and key allies, who urge companies to take urgent action to mitigate the risk.
The cybersecurity advisory issued Wednesday by multiple U.S. agencies, including the FBI and the Cybersecurity and Infrastructure Security Agency (CISA), states that a cyberthreat group known as Volt Typhoon has been "positioning itself to launch destructive cyberattacks that would jeopardize the physical safety of Americans."
In particular, the advisory warns that China-linked Volt Typhoon hackers have successfully infiltrated the computer networks of private companies linked to critical sectors of the U.S. economy, including communications, energy, water and wastewater, and transportation.
The advisory further warns that Volt Typhoon hackers have been "maintaining access and footholds within some victim IT environments for at least five years." And CISA acknowledged the penetrations may be more extensive than is currently known.
Officials said other industries, including construction, information technology and education are also being targeted.
"What we've found to date is likely the tip of the iceberg," CISA Director Jen Easterly said in a statement. "CISA teams have found and eradicated Volt Typhoon intrusions into critical infrastructure across multiple sectors."
In addition to the FBI and CISA, the advisory — and its findings — were endorsed by the U.S. National Security Agency, as well as cyber officials from Canada, Australia and New Zealand, who said that their own critical infrastructure could also be at risk.
One CISA official called the advisory "a stark warning to critical infrastructure organizations."
"The information that we are releasing with this advisory is reflecting a strategic shift in PRC [People's Republic of China] malicious cyber activity from a focus on espionage and IT theft," said Eric Goldstein, CISA executive assistant director for cybersecurity.
"Our evidence strongly suggests that these PRC actors are positioning to launch future disruptive or destructive cyberattacks that could cause impact to national security, economic security or public health and safety," he told reporters, adding he expects the number of victims to grow.
Goldstein and other U.S. officials said that so far, there are no indications that hackers with Volt Typhoon have attempted to launch any sort of disruptive attacks on critical infrastructure. But they also said the way the Chinese-linked cyber actors infiltrated critical networks means it is likely just a matter of time.
"This stealthy access increases our concern that they are lurking, waiting for the right moment to cause devastating impacts," said FBI Deputy Assistant Director Cynthia Kaiser.
Kaiser also warned that Volt Typhoon "is certainly not the only Chinese group conducting this type of activity."
She said the FBI has identified additional threats by using surveillance capabilities authorized under Section 702 of the Foreign Intelligence Surveillance Act, or FISA, a controversial law that allows the FBI and U.S. intelligence agencies to gather electronic data of non-Americans without first obtaining a warrant.
"In fact, we only know about many critical infrastructure entities compromised by the Chinese because of FBI FISA 702 collection," she said.
The latest warning comes just a week after top U.S. law enforcement and cyber officials told lawmakers that they are bracing for a "cyber onslaught" from China.
"The risk that poses to every American requires our attention — now," FBI Director Christopher Wray told the Select Committee on the Chinese Communist Party last Wednesday. "China's hackers are positioning on American infrastructure in preparation to wreak havoc and cause real-world harm to American citizens and communities, if or when China decides the time has come to strike."
China has repeatedly denied such allegations.
"The Chinese government has been categorical in opposing hacking attacks and the abuse of information technology," Liu Pengyu, spokesperson for the Chinese Embassy in Washington, told VOA via email after last week's hearing. "We urge the U.S. side to stop making irresponsible criticism against other countries on the issue of cyber-security."
But officials in Washington have been steadfast in their warnings, saying they believe Beijing would have few reservations about carrying out an attack on U.S. critical infrastructure in the event of a conflict.
Specifically, they cite the possibility of such attacks in the event China decides to invade Taiwan as a way to damage Washington's ability to provide military assistance.
The just-released U.S. cybersecurity advisory urges companies to fix security vulnerabilities that could allow hackers, like those with Volt Typhoon, to infiltrate and hide — a tactic known as "living off the land."
It also encourages companies to search their systems in case hackers have already broken through.
But officials admit there are significant challenges, pointing to a just-disrupted Volt Typhoon malware campaign, which targeted common computer routers used by homes and small businesses across the United States to access critical infrastructure.
"These devices were no longer patched by the manufacturers, making them vulnerable," said the FBI's Kaiser. "That's why the FBI recommends that network owners remove and replace any end-of-life devices to minimize the risk of the device being compromised again by Volt Typhoon or other malicious cyber actors."