Chinese hackers are positioning to strike U.S. critical infrastructure with ‘disruptive or destructive cyberattacks’ if conflict breaks out

Kevin Dietsch—Getty Images

If you’re unfamiliar with Volt Typhoon, you should probably get up to speed.

It’s been a while since cybersecurity researchers and U.S. security agencies shined a light on the activities of the Chinese state-sponsored hacking group. Microsoft said in May that Volt Typhoon has been active since mid-2021, stealthily finding and maintaining access in the networks of critical infrastructure providers, with the likely aim of disrupting U.S.-Asia communications in future crisis situations.

Last week, the Five Eyes intelligence alliance—that’s the U.S., Canada, Australia, New Zealand, and the U.K.—jointly warned that Volt Typhoon had been doing its thing for at least five years. And it’s not just positioning itself to disrupt communications, but preparing for “disruptive or destructive cyberattacks against U.S. critical infrastructure in the event of a major crisis or conflict with the United States.” Communications, energy, transportation, water, and waste treatment systems have all been compromised.

The FBI said several days previously that it had managed to disrupt a Volt Typhoon botnet, but noted that this was only part of the hacking group’s operation, and didn’t say how much disruption they’d caused. “The [Chinese Communist Party’s] dangerous actions—China's multi-pronged assault on our national and economic security—make it the defining threat of our generation,” FBI Director Christopher Wray told U.S. lawmakers at a House select committee hearing on Jan. 31.


Then, on Tuesday this week, the industrial cybersecurity firm Dragos released a report about the group it calls Voltzite, which it says “shares overlaps” with Volt Typhoon (different research teams like to come up with their own names for what are essentially the same hacking operations, amorphous as those groups can be). It backed up earlier findings such as the group’s targeting of sites in the U.S. territory of Guam—notable for its importance to both the U.S. military and U.S.-Asian telecommunications links.

But Dragos also said that it had last month found evidence of Voltzite compromising an unspecified large U.S. city’s emergency services network, apparently to steal geographical information (it didn’t manage to get into the organization’s operational network). Dragos also spotted Voltzite targeting African electric transmission and distribution providers last August.

Volt Typhoon/Voltzite/Vanguard Panda/Bronze Silhouette/Dev-0391/UNC3236/Insidious Taurus (told you about the blurred-identity thing) uses so-called “living-off-the-land” techniques—modifying legitimate admin tools in the network after gaining access through buggy routers and the like, rather than attacking the network with traditional malware files—to stay low. It still hasn’t played its hand, but there’s every reason to be afraid of that eventuality.
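Because living-off-the-land activity uses tools that are already present and legitimately used, file-based signatures have little to catch; what defenders can watch is *who* runs a built-in admin utility, from *what* parent process, and whether that combination has been seen on that host before. The following is an added example, not code from the Fortune article, Dragos, or any agency advisory: a small baseline-and-anomaly detector run over constructed Windows process-creation records. The record fields (`host`, `user`, `parent`, `image`), the watch-list of utilities, the allow-list of expected parent processes and the sample events are all hypothetical and illustrative; a real deployment would derive the baseline and allow-list from its own telemetry.

```python
from collections import defaultdict
from dataclasses import dataclass

# Dual-use, built-in Windows administration utilities to watch.
# Illustrative, hypothetical selection; tune to your own environment.
LOTL_BINARIES = {"netsh.exe", "wmic.exe", "ntdsutil.exe", "powershell.exe", "certutil.exe"}

# Parent processes from which those utilities are expected on this fleet.
# Constructed allow-list; a real one comes from baselining your own hosts.
EXPECTED_PARENTS = {"explorer.exe", "services.exe", "svchost.exe", "taskeng.exe"}


@dataclass(frozen=True)
class Finding:
    host: str
    user: str
    image: str
    reasons: tuple


def _basename(path):
    """Last component of a Windows path, lower-cased."""
    return path.lower().replace("/", "\\").rsplit("\\", 1)[-1]


def build_baseline(events):
    """Record which (account, utility) pairs each host ran during a trusted learning window."""
    baseline = defaultdict(set)
    for ev in events:
        baseline[ev["host"]].add((ev["user"].lower(), _basename(ev["image"])))
    return baseline


def detect(events, baseline):
    """Flag watched utilities launched from an unexpected parent or by an
    account that never ran them on that host during the learning window."""
    findings = []
    for ev in events:
        image = _basename(ev["image"])
        if image not in LOTL_BINARIES:
            continue  # not a utility on the watch-list
        reasons = []
        parent = _basename(ev["parent"])
        if parent not in EXPECTED_PARENTS:
            reasons.append(f"unexpected parent {parent}")
        if (ev["user"].lower(), image) not in baseline.get(ev["host"], set()):
            reasons.append("first use of this tool by this account on this host")
        if reasons:
            findings.append(Finding(ev["host"], ev["user"], image, tuple(reasons)))
    return findings


# Constructed learning-window events (not real telemetry).
BASELINE_EVENTS = [
    {"host": "srv-01", "user": "CORP\\ops-admin", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\netsh.exe"},
    {"host": "srv-01", "user": "CORP\\ops-admin", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\wmic.exe"},
]

# Constructed events under review.
REVIEW_EVENTS = [
    # benign: known admin, known tool, expected parent
    {"host": "srv-01", "user": "CORP\\ops-admin", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\netsh.exe"},
    # anomalous: a service account never seen running this tool, launched from an unknown parent
    {"host": "srv-01", "user": "CORP\\svc-backup", "parent": r"C:\ProgramData\updater.exe",
     "image": r"C:\Windows\System32\ntdsutil.exe"},
    # ignored: not on the watch-list
    {"host": "srv-01", "user": "CORP\\svc-backup", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe"},
]


def run_demo():
    """Run the review events against a baseline built from the learning window."""
    return detect(REVIEW_EVENTS, build_baseline(BASELINE_EVENTS))


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f.host} {f.user} {f.image}: {'; '.join(f.reasons)}")
```

The point of the baseline step is that the same utility is both routine and suspicious depending on context: the admin running it from a desktop session is noise, the service account running it from an unfamiliar binary is the kind of event worth a human look. In practice the learning window should be long enough to capture scheduled maintenance, and the allow-list should be reviewed rather than trusted blindly, since a long-dwelling intruder's activity can end up inside the baseline.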

"The concern is the targets they pick across telecommunications, and electric power generation and distribution—these are very strategic targets. It's not a spray and pray," Dragos CEO Robert Lee told reporters, according to The Register. “China’s hackers are positioning on American infrastructure in preparation to wreak havoc and cause real-world harm to American citizens and communities, if or when China decides the time has come to strike,” Wray told lawmakers.

So remember the name(s). More news below.

David Meyer


This story was originally featured on Fortune.com