China's onslaught of cyberattacks on critical infrastructure is likely a contingency move designed to gain a strategic advantage in the event of kinetic warfare, according to the US Department of Defense (DoD).
The department's 2023 Cyber Strategy, released this week, flagged an uptick in state-sponsored cyber activity from the People's Republic of China (PRC), specifically against sensitive targets whose compromise could affect a military response, in order "to counter US conventional military power and degrade the combat capability of the Joint Force."
The DoD alleged in the report that the PRC "poses a broad and pervasive cyberespionage threat," surveilling individuals beyond its borders, stealing technology secrets, and undermining the capabilities of the defense industrial base. But the activity goes beyond run-of-the-mill intelligence gathering, the department warned.
"This malicious cyber activity informs the PRC's preparations for war," according to the report. "In the event of conflict, the PRC likely intends to launch destructive cyberattacks against the US Homeland in order to hinder military mobilization, sow chaos, and divert attention and resources. It will also likely seek to disrupt key networks which enable Joint Force power projection in combat."
An Increasing Chinese Focus on Military Degradation
The idea that cyber activity could presage military action echoes assessments by Microsoft and others, made earlier this year around the Volt Typhoon attacks. The Beijing-supported advanced persistent threat (APT) made national headlines in the US in May, June, and July with a series of compromises that targeted telecom networks; power and water controls; US military bases at home and abroad; and other infrastructure whose disruption would hamper real-world military operations.
So far, those compromises have not affected the operational technology (OT) used by the victims. But speaking at Black Hat USA in August, CISA Director Jen Easterly warned that the Chinese government is likely positioning itself to conduct disruptive attacks on American pipelines, railroads, and other critical infrastructure should the US get involved in a potential invasion of Taiwan.
"This APT moves laterally into environments, gaining access to areas in which it wouldn't traditionally reside," says Blake Benson, cyber lead at ABS Group Consulting. "Additionally, this threat actor worked hard to cover its tracks by meticulously dumping all extracted memory and artifacts, making it difficult for security teams to pinpoint the level of infiltration."
There could be a spillover effect at work too: attacks aimed at military targets are likely to cause collateral damage to bystander businesses, according to John Gallagher, vice president of Viakoo Labs at Viakoo.
"Virtually all exploits launched by nation-states 'leak' over to non-nation-state threat actors," he warns. "That means organizations who depend on IoT/OT systems will be direct targets at some point to the same threats being launched against national critical infrastructure."
Defending the Cyberwarfare Space
To combat the activity of Volt Typhoon and other threats to physical safety in the critical infrastructure space, the DoD laid out a "whole-of-government" effort in its report, designed to "increase resilience and make it more difficult for adversaries to disrupt essential services."
Dovetailing with the 2023 National Cybersecurity Strategy, the DoD said that it will leverage "all legally available contractual mechanisms, resources, and operational arrangements to improve the cybersecurity of US critical infrastructure systems" and expand public-private partnerships. To that end, it laid out several pages of hardening and readiness actions in its report.
One simple example of the government taking preemptive action is CISA's move to offer free network security and vulnerability scanning to water utilities, to help them identify avenues of exploitation before attackers do.
"In terms of national defense there has been a decades-long evolution in the volume, velocity, and persistence of cyber threats, which is tied to both the increased computational capabilities of IoT/OT and critical infrastructure, as well as increased sophistication by nation-state threat actors," Gallagher warns. "From Stuxnet through Volt Typhoon to the current war between Ukraine and Russia (where both sides have exploited vulnerable IoT/OT systems for battlefield advantage), this will continue for the foreseeable future."
He adds, "That's why it is critical to keep improving cyber defenses and (as highlighted in the DoD Cyber Strategy) disrupt adversaries' efforts."