cyber daily logo

Breaking news and updates daily. Subscribe to our Newsletter

Breaking news and updates daily. Subscribe to our Newsletter X facebook linkedin Instagram Instagram

FBI director says Volt Typhoon positioning for US critical infrastructure attack

The FBI has warned that allegedly Chinese hackers are preparing to strike US critical infrastructure operators after injecting themselves into their systems.

user icon Daniel Croft
Fri, 19 Apr 2024
FBI director says Volt Typhoon positioning for US critical infrastructure attack
expand image

Speaking at Nashville’s Vanderbilt University, FBI director Christopher Wray discussed the looming threat presented by the Volt Typhoon hacking campaign, a group that is believed to be Chinese-state sponsored and was observed secretly breaching and hiding itself within the systems of a number of US critical infrastructure companies.

Volt Typhoon has been under the FBI’s microscope for months now after it and the Five Eyes alliance revealed back in February in an advisory that the threat campaign had resulted in access to a number of critical infrastructure providers for over five years.

It is known for using what are called “living-off-the-land techniques”, which involve exploitation of legitimate programs to access victim systems rather than using aggressive malware. This makes attackers much harder to detect, allowing them to remain on a victim’s network for a long period.


Prior to this, the US had launched a campaign against Volt Typhoon and its allies, destroying the group’s KV botnet that it used to probe critical infrastructure. The group was reportedly unable to rebuild it.

Australia and Five Eyes issued a new advisory on the group last month, stating that the group was an “urgent risk” and encouraged executive leaders to “empower cyber security teams to make informed resourcing decisions to better detect and defend against Volt Typhoon and other malicious cyber activity”.

Now, Wray said Volt Typhoon is waiting “for just the right moment to deal a devastating blow” and that China is currently developing the “ability to physically wreak havoc on our critical infrastructure at a time of its choosing”.

“Its plan is to land low blows against civilian infrastructure to try to induce panic,” he said.

Volt Typhoon’s campaign is believed to be connected to Taiwan’s independence and the US’ pledge to defend it.

China believes that Taiwan is a Chinese territory and has never ruled out the use of force to regain its control. Taiwan and its people believe that the island is independent from China.

Volt Typhoon has a history of targeting Taiwan and was observed doing so recently prior to the Taiwanese elections.

According to US cyber security firm Trellix, attacks on Taiwanese organisations more than doubled within the 24 hours preceding the Taiwan election on 13 January, with the majority of the attacks targeting government offices and agencies, law enforcement departments and financial organisations, with bank statements, police reports, internal communications and insurance information all of particular interest.

“Malicious cyber activity rose significantly from 1,758 detections on January 11 to over 4,300 on January 12, 2024, the highest detection since the prior month of December 2023,” wrote Trellix.

“Interestingly, Trellix telemetry shows that threat activity dropped dramatically on election day, with a little over 1,000 detections on January 13, 2024.”

Trellix attributes the drop in cyber activity on the day of the election to the nature of Taiwan’s polling system, which is done “manually and in person” with paper ballots, ballot boxes and tallying ballots.

Responding to US claims that Volt Typhoon is a Chinese-sponsored threat actor, a spokesperson for the Chinese embassy in Washington said the group had no connection to China but that it was part of a criminal ransomware gang.

“Some in the US have been using origin-tracing of cyber attacks as a tool to hit and frame China, claiming the US to be the victim while it’s the other way round, and politicising cyber security issues,” the spokesperson said.

Daniel Croft

Daniel Croft

Born in the heart of Western Sydney, Daniel Croft is a passionate journalist with an understanding for and experience writing in the technology space. Having studied at Macquarie University, he joined Momentum Media in 2022, writing across a number of publications including Australian Aviation, Cyber Security Connect and Defence Connect. Outside of writing, Daniel has a keen interest in music, and spends his time playing in bands around Sydney.

cd intro podcast

Introducing Cyber Daily, the new name for Cyber Security Connect

Click here to learn all about it
cyber daily subscribe
Be the first to hear the latest developments in the cyber industry.