What Is Volt Typhoon, the Hacking Group the FBI Warns Could Deal a ‘Devastating Blow’?

China is developing the “ability to physically wreak havoc” on U.S. critical infrastructure and its hackers are waiting “for just the right moment to deal a devastating blow,” FBI Director Christopher Wray said on Thursday.

The comments were in relation to a Chinese government-linked hacking campaign dubbed Volt Typhoon. The campaign was disclosed by the U.S. and its key allies in May 2023, when analysts at Microsoft found it had targeted everything from U.S. telecommunication networks to transportation hubs.

On Thursday, Wray said Volt Typhoon had successfully gained access to American targets across the telecommunications, energy, water and other critical sectors.

Related: FBI Says Chinese Hackers Preparing to Attack US Infrastructure

Here is what is known about Volt Typhoon and its potential threat:

‘Future Crises’

Nearly every country in the world uses hackers to gather intelligence. Major powers like the United States and Russia have large stables of such groups—many of which have been given colorful nicknames by cybersecurity experts, such as “Equation Group” or “Fancy Bear.”

Experts begin to worry when such groups turn their attention from intelligence gathering to digital sabotage. So when Microsoft Corp said in a blog post in May last year that Volt Typhoon was “pursuing development of capabilities that could disrupt critical communications infrastructure between the United States and Asia region during future crises,” it immediately brought to mind escalating tensions between China and the United States over Taiwan.

Any conflict between those two countries would almost certainly involve cyberattacks across the Pacific.

Taiwan Botnet

Does this mean a group of destructive hackers is preparing to sabotage U.S. infrastructure in the event of a conflict over Taiwan?

Microsoft qualified its assessment last year as “moderate confidence,” intelligence jargon that typically means a theory is plausible and credibly sourced but has yet to be fully corroborated. Different researchers have identified various aspects of the group.

It is now clear that Volt Typhoon has functioned by taking control of swathes of vulnerable digital devices around the world – such as routers, modems, and even internet-connected security cameras – to hide later, downstream attacks into more sensitive targets. This constellation of remotely controlled systems, known as a botnet, is of primary concern to security officials because they limit the visibility of cyber defenders that monitor for foreign footprints in their computer networks.

In a report earlier this month, cybersecurity ratings firm SecurityScorecard said Cisco Systems devices were particularly vulnerable to Volt Typhoon’s activity. The firm said it had identified a “network of covert infrastructure operating in Europe, North America, and Asia Pacific that appears to be composed of compromised routers and other network edge devices.”

Stealthy Storm

Nearly all cyber spies work to cover their tracks. The use of so-called botnets by both government and criminal hackers to launder their cyber operations is not new. The approach is often used when an attacker wants to quickly target numerous victims simultaneously or seeks to hide their origins.

China routinely denies hacking and has done so in the case of Volt Typhoon. But documentation of Beijing’s cyberespionage campaigns has been building for more than two decades. The spying has come into sharp focus over the past 10 years as Western researchers tied breaches to specific units within the People’s Liberation Army, and U.S. law enforcement charged a string of Chinese officers with stealing American secrets.

Secureworks, an arm of Dell Technologies, said in a blog post last year that Volt Typhoon’s interest in operational security likely stemmed from embarrassment over the drumbeat of U.S. indictments and “increased pressure from (Chinese) leadership to avoid public scrutiny of its cyberespionage activity.”

The Biden administration has increasingly focused on hacking, not only for fear nation states may try to disrupt the U.S. election in November, but because ransomware wreaked havoc on Corporate America in 2023.