House Committee On Homeland Security Warns Of Chinese Espionage Threat
At a recent meeting of the House Committee on Homeland Security, evidence was presented of how China is posing a grave cybersecurity threat to the United States.
“Over the last year, the U.S. government has discovered a number of PRC [People’s Republic of China] state-sponsored threat actors deeply embedded in and across the nation’s critical networks: Volt Typhoon, Salt Typhoon, Flax Typhoon, and most recently Silk Typhoon, have compromised our critical infrastructure, hacked sensitive communications, breached federal workstations …” Chairman Mark E. Green (R-TN) stated.
“The U.S. authoring agencies have confirmed that Volt Typhoon has compromised the IT environments of multiple critical infrastructure organizations—primarily in Communications, Energy, Transportation Systems, and Water and Wastewater Systems Sectors—in the continental and non-continental United States and its territories, including Guam,” the Cybersecurity & Infrastructure Security Agency (CISA) reported in February 2024.
“Microsoft has identified a nation-state activity group tracked as Flax Typhoon, based in China, that is targeting dozens of organizations in Taiwan with the likely intention of performing espionage,” Microsoft noted in August 2023.
“Salt Typhoon refers to a sophisticated cyber espionage operation orchestrated by a Chinese Advanced Persistent Threat (APT) group, commonly known as Earth Estries, Ghost Emperor, or UNC2286,” Armis reported. “This state-sponsored actor has been linked to high-profile breaches targeting critical U.S. infrastructure, including major telecommunications providers such as Verizon, AT&T, T-Mobile, and Lumen Technologies.”
“China has engaged in … maturation in how they conduct these operations,” Adam Meyers, senior vice president of Counter Adversary Operations at CrowdStrike, testified at the House committee hearing. “Today, they’re using exploits that target external facing devices that are connected directly to the internet that effectively bridge enterprises to the internet. These devices are often unmanaged. In many cases, they may be legacy or have proprietary capabilities – that means that they don’t run modern security tools … like a router or a VPN concentrator. Things that are meant to connect the enterprise to the network or allow remote users to authenticate in.”
“The nodes, so to speak, between silos,” Green suggested.
“Yes, sir, and these are highly prioritized and highly valuable targets with these threat actors,” Meyers replied. “They’ve nationalized their vulnerability research program in 2018. For example, they changed the national security law in China, and all vulnerability research has to be submitted through the Chinese government. Whereas, here in the United States, we follow something we call responsible disclosure, where if I find a vulnerability in a product, I notify that product vendor in order to try to get it fixed. They’re effectively nationalizing that resource so they can use that for exploits against American technology and American companies. Once they gain that access, they attempt to remain stealthy and either conduct espionage in order to inform political and military decision-making, or in the case of ‘Vanguard Panda,’ also known as ‘Volt Typhoon,’ the prepositioning that we’ve discussed here, which would be potentially useful to bring down some of these networks that Mr. Montgomery mentioned in time of conflict.”
Retired Rear Admiral Mark Montgomery, senior director of the Center on Cyber and Technology Innovation at the Foundation for Defense of Democracies, pointed out, “This operational preparation of the battlefield, it is a war-making action, and we have to take it much more seriously. I think the idea that they’ve pre-positioned malware or that they have capabilities that lie in wait that can come out at the right time, as we’re making a decision to respond to a crisis in Taiwan or crisis in the Baltic States. TRANSCOM operates on these unclassified networks with civilian systems. This is why I think former Representative [Now National Security Advisor] Waltz is right, in the sense that we have to go on the offensive. We now have to actually publicly execute operations against Chinese cyber infrastructure to say: ‘We know you did this; we know you use this infrastructure to do this, and we’re going to remove that infrastructure from your capability.’ … Otherwise, the Chinese are going to keep doing what they’re doing.”
“These incidents are not over,” Meyers continued. “‘Salt Typhoon’ is an ongoing activity by an adversary, as is ‘Volt Typhoon,’ or what we call ‘Vanguard Panda.’ So this is something we need to continuously engage; we need to continuously identify, root them out, and put a stop to them – cut off their access.”