Marine General Issues 'Call to Action' Against China Hackers Lurking in US Computer Systems

U.S. Marine Corps Maj. Gen. Michael Borgschulte, middle left, and Maj. Gen. Lorna Mahlock, middle right, engage with Marines with Marine Air Control Group 38, 3rd MAW, on Marine Corps Air Station Miramar, California.
U.S. Marine Corps Maj. Gen. Michael Borgschulte, middle left, commanding general of 3rd Marine Aircraft Wing (MAW), and Maj. Gen. Lorna Mahlock, middle right, deputy director of Cybersecurity for Combat Support, National Security Agency, engage with Marines with Marine Air Control Group 38, 3rd MAW, on Marine Corps Air Station Miramar, California, July 31, 2023. (Lance Cpl. Nikolas Mascroft/U.S. Marine Corps photo)

A Chinese, state-sponsored hacking group has embedded itself in critical U.S. infrastructure and is waiting to "foment terror" and "societal panic" through cyberattacks -- an effort that military leaders said Tuesday persists undeterred.

Volt Typhoon, according to U.S. law enforcement and military officials, is a Chinese-backed campaign designed to infiltrate software systems, lurking undetected in them to conduct attacks on communications, energy, transportation and emergency services at a "time and place" of its choosing.

The threat has been publicly recognized by U.S. government officials in recent years, but a new urgency about thwarting the campaign has come to the forefront, including a warning this week from the Marine Corps general who heads the U.S. Cyber Command unit tracking the Chinese incursions.

Read Next: Marine Corps Says Half of Barracks Had Issues, Though Only 118 Marines Moved, After Worldwide Inspection

"We've seen this actor -- China -- grow in scope, scale and sophistication," Maj. Gen. Lorna Mahlock, the commander of the Cyber National Mission Force, a joint unit that deploys globally to track and "neuter" -- as she put it -- enemy capabilities, said Tuesday.

"We've also seen that they're undeterred," she said.

Two weeks ago, FBI Director Chris Wray said that Volt Typhoon is waiting "for just the right moment to deal a devastating blow" to the U.S. He also said that it has successfully infiltrated American infrastructure.

Recent reports from the Cybersecurity and Infrastructure Security Agency, or CISA, said that the infiltrations have affected information technology, or IT, systems in the U.S. and its territories, including Guam.

"Volt Typhoon's choice of targets and pattern of behavior is not consistent with traditional cyber espionage or intelligence gathering operations," a CISA report from February said. "And the U.S. authoring agencies assess with high confidence that Volt Typhoon actors are pre-positioning themselves on IT networks to enable lateral movement" into operational technology systems.

This week, Mahlock echoed those concerns, adding that the greater cyber community should take these threats seriously and consider her warnings as a "call to action" to better defend against this threat.

She and experts have warned that Volt Typhoon is tied to the Chinese government, something that the Chinese Communist Party has denied. An expert that spoke to said that, while the exact nature of the relationship is not publicly known, China's government would likely have a "firm grip" on the group's activities, to include providing Volt Typhoon resources to help it lurk in American systems.

"They've been able to launch themselves in dated routers and ... comparatively low-tech tools and instruments," Bill Drexel, a fellow for the technology and national security program at the Center for a New American Security think tank, told on Wednesday.

"Those are like sleeper cell attacks," he said, adding that the shadowy and nascent aspect of that infiltration might act as a "beachhead to be able to launch larger attacks when the time comes," which could also affect emergency communication systems and interrupt a response in the event of an attack.

The time frame for Volt Typhoon becoming active appears unclear, which is part of the challenge in thwarting it.

Officials and reports have said the campaign has already infiltrated infrastructure, but when an attack would occur -- or if it would be in conjunction with a larger, conventional campaign -- is publicly unknown.

Officials such as Mahlock said that this threat not only could attack infrastructure, but individuals as well -- a prescient reminder of the need for individual cybersecurity in the military. Drexel said that defenses against attacks like that are largely "unsexy."

"Many of the vulnerabilities come from data and systems or an updated software," he said. So-called "living off the land" techniques allow hackers to nest themselves in legitimate software but exploit it for what officials called "illegitimate" purposes, such as attacks on infrastructure.

Mahlock's team employs a combination of what she called "blocking and tackling" -- offensive and defensive techniques, many of which are classified -- as ways to thwart a threat such as Volt Typhoon.

"We find the adversaries doing work forward deployed, and we neuter their capabilities before they can detonate those payloads inside the United States," she said.

Related: Troops Are Getting Cyber Training and Then Rapidly Leaving the Military, Report Finds

Story Continues