Volt Typhoon: Chinese Hacking Effort Reveals “Stealthy and Targeted Malicious Activity”

Volt Typhoon

Welcome to this week’s installment of The Intelligence Brief… yesterday, U.S. intelligence officials and industry leaders issued a warning about a new state-sponsored Chinese hacking threat. In our analysis, we’ll be looking at 1) Volt Typhoon and what intelligence officials know about it so far, 2) what the hacking effort is aiming to do and what areas of U.S. industry and government may have been affected, and 3) how this and other developments in recent days relates to lingering concerns over China’s ambitions regarding Taiwan.

Quote of the Week

“No technology that’s connected to the Internet is unhackable.”

– Abhijit Naskar

Latest Stories: Some of the stories we’re covering this week at The Debrief include how the United States Air Force is looking to award a contract in 2024 to replace the F-22 with a Next Generation Air Dominance (NGAD) fighter. Elsewhere, DARPA has announced a new program aimed at developing unique electrode materials that can be used to produce a magnetohydrodynamic (MHD) drive for the U.S. military. And for those interested, tomorrow (Friday) is the deadline for applicants who may want to sign on to work with the All-Domain Anomaly Resolution Office (AARO). As always, you can get links to all our latest stories at the end of this week’s newsletter.

Podcasts: This week in podcasts from The Debrief, MJ Banias and Stephanie Gerk discuss robots, human aging, and directed energy weapons in the latest installment of The Debrief Weekly ReportMeanwhile, this week on The Micah Hanks Program, I caught up with Dr. Colm Kelleher, the former deputy administrator of Bigelow Aerospace Advanced Space Studies (BAASS) and a key figure in the DIA’s controversial Advanced Aerospace Weapons Systems Application Program (AAWSAP). You can subscribe to all of The Debrief’s podcasts, including audio editions of Rebelliously Curious, by heading over to our Podcasts Page. 

Video News: Recently on Rebelliously Curious, Chrissy Newton talked with Daniel Sheehan, a lawyer specializing in constitutional and public interest matters who discusses the activities of alleged UAP whistleblowers and shares his insights on Sean Kirkpatrick’s recent hearing and involvement within AARO. Also, if you missed the first installment of our all-new series “Ask Dr. Chance,” be sure to check out the first episode, and episode two airing in the weeks ahead. You can also watch past episodes and other great content from The Debrief on our official YouTube Channel.

That all out of the way, it’s time to examine what we’ve learned this week about the latest hacking efforts by China against U.S. industries and government agencies and what it all could mean regarding the building tensions between Washington and Beijing.

Volt Typhoon Makes Landfall

This week, it was learned that Chinese state-sponsored hackers were involved in a widespread hacking effort that targeted several U.S. industries, resulting in significant compromises from the apparent intelligence-gathering effort.

Attributed to a Chinese hacking group dubbed “Volt Typhoon,” a warning was issued by Microsoft on Wednesday that the efforts had partly aimed to impact “critical communications infrastructure between the United States and Asia,” in addition to the collection of intelligence about U.S. assets.

Volt Typhoon

In an advisory issued by the company, Microsoft indicated that the attack appears to be ongoing. U.S. intelligence agencies provided additional information on the hacking effort, along with guidance for cybersecurity experts on mitigating the impact of the attack.

“The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Federal Bureau of Investigation (FBI),” and several security agencies from other nations published a Joint Cybersecurity Advisory on Wednesday, which shared “technical details regarding malicious activity by a People’s Republic of China (PRC) state-sponsored cyber actor.”

According to the CISA statement, “new insights into the specific tactics, techniques, and procedures used by PRC cyber actors to gain and maintain persistent access into critical infrastructure networks” were made available in the advisory.

Meanwhile, as news of the hacking effort has become widespread, we are beginning to learn the full scope of the operation, how long it has been underway, and how it relates to concerns over the looming potential of an eventual Taiwanese invasion.

Timeline and Scope

According to data released this week, the U.S. intelligence community learned of the attack as early as February, amidst the overflight of a Chinese surveillance balloon that transited the United States before being shot down off the South Carolina coast.

Volt Typhoon reportedly exploits vulnerabilities in a cybersecurity suite known as FortiGuard, after which the hackers utilize stolen user credentials once they have entered a corporate network to attempt to gain access to other systems.

NSA Cybersecurity Director Rob Joyce said in a statement that hackers like those involved with the Volt Typhoon effort “find it easier and more effective to use capabilities already built into critical infrastructure environments.”

“A PRC state-sponsored actor is living off the land, using built-in network tools to evade our defenses and leaving no trace behind,” Joyce added. “That makes it imperative for us to work together to find and remove the actor from our critical networks.”

According to Microsoft’s statement this week, China’s hacking effort currently “intends to perform espionage and maintain access without being detected for as long as possible,” slowly collecting information rather than engaging in an overt attack. However, critical infrastructure across a range of sectors, from transport and communications to government organizations, were all among those believed to have been targeted.


Targets of Strategic Significance

Primarily targeting communications infrastructure, the hack initially focused on Guam, a critical strategic location for the U.S. military in relation to China, given that it is the location of the responding American military units in the event of an invasion of Taiwan.

It was also learned this week that a report published online by the Chinese government conveyed the country’s belief that the Navy’s newest aircraft carrier, the USS Gerald R. Ford, could be destroyed by China’s hypersonic weapons arsenal, based on wargame simulations conducted by Chinese military planners.

This isn’t the first time a hack of this kind has taken place. In 2020, a cybersecurity breach believed to have involved China targeted the law firm Covington & Burling in a similar suspected government-backed hacking effort.


Bryan Vorndran, Cyber Division Assistant Director with the Federal Bureau of Investigation (FBI), said his agency and its federal and international partners “will not allow the PRC to continue to use these unacceptable tactics.”

“CISA, NSA, FBI and international partners urge U.S. and allied governments, critical infrastructure, and private sector organizations to apply the recommended mitigations to strengthen their defenses and reduce threat of compromise from PRC state-sponsored malicious cyber actors,” read a statement issued by CISA this week.

Those looking for additional information on potential hacking efforts that may include the current PRC cyber threat are advised to review the China Cyber Threat Overview and Advisories made available online by CISA and to report any suspected anomalous activity to the FBI or its international law enforcement partners.

That concludes this week’s installment of The Intelligence Brief. You can read past editions of The Intelligence Brief at our website, or if you found this installment online, don’t forget to subscribe and get future email editions from us here. Also, if you have a tip or other information you’d like to send along directly to me, you can email me at micah [@] thedebrief [dot] org, or Tweet at me @MicahHanks.

Here are the top stories we’re covering right now…