ATLANTA - SECURITYWEEK 2023 ICS CYBERSECURITY CONFERENCE - Chief analyst at Mandiant Intelligence John Hultquist says defenders in the critical infrastructure trenches should urgently work on finding and removing traces of Volt Typhoon, a Chinese government-backed hacking team caught in a series of eyebrow-raising attacks against targets in Guam and the United States.

Speaking at a keynote fireside chat at SecurityWeek's 2023 ICS Cybersecurity Conference in Atlanta on Tuesday, Hultquist said the Volt Typhoon campaign included "very deliberate targeting of critical infrastructure" installations and represents a major shift by Chinese hacking teams known mostly for economic espionage and IP theft.

"This Volt Typhoon activity is a brand-new thing for them. We have not seen a lot of deliberate targeting in the critical infrastructure space from China," Hultquist said.

The Volt Typhoon campaign was first flagged by Microsoft, which documented deliberate targeting of critical infrastructure in Guam, a discovery that raised eyebrows because the tiny island is considered an important part of a future China/Taiwan military conflict.

"The NSA indicated that their theory behind this is that they are digging in for the possibility of creating a disruptive event in the event of a wartime scenario. While I don't have the intelligence to confirm that, the deliberate targeting of critical infrastructure makes it a priority for us. This is especially concerning given how hard they're working on their operational security, using botnets and zero-days to stay below the radar," Hultquist added.

Volt Typhoon has been publicly documented as "stealthy and targeted malicious activity focused on post-compromise credential access and network system discovery."

"You should really be keeping your eye on two things right now. One is the Volt Typhoon situation; it's all over the United States. They are clearly dug in, and we're going to have to root them out. The second one is the current situation in the Middle East. The United States is heavily involved, and because of that, the likelihood of some sort of response, possibly from Iran, is legitimate. We have to keep that in mind as well. You're starting to see some telemetry; they are at play without a doubt."