CHINA WATCHRecent Chinese Cyber Intrusions Signal a Strategic Shift
On 25 May, Australia and its partners in the Five Eyes intelligence-sharing network—Canada, New Zealand, the UK and the US—made a coordinated disclosure on a state-sponsored cyber hacking group dubbed ‘Volt Typhoon’. The group has been detected intruding on critical infrastructure since 2021, but the nature of recent intelligence on its behavior hints at worrying developments in the Chinese cyber establishment.
On 25 May, Australia and its partners in the Five Eyes intelligence-sharing network—Canada, New Zealand, the UK and the US—made a coordinated disclosure on a state-sponsored cyber hacking group dubbed ‘Volt Typhoon’. The group has been detected intruding on critical infrastructure since 2021, but the nature of recent intelligence on its behavior hints at worrying developments in the Chinese cyber establishment. While the Five Eyes’ disclosure is direct in its attribution of Volt Typhoon to the Chinese government, there are many layers that need to be peeled away to reveal the true nature, and implications, of the threat.
State-aligned or state-sponsored cyber threats emerging from China can be grouped under two broad government structures: the Ministry of State Security and the Strategic Support Force. The MSS is China’s peak foreign intelligence, counterintelligence and political security agency, and the SSF is the joint information warfare command of the People’s Liberation Army’s, akin to US Cyber Command. While its US counterpart focuses solely on military cyber operations, the SSF has a broader mandate covering electronic warfare, strategic military cyber operations and political warfare. The SSF was founded in 2015 as part of structural reforms to the PLA spearheaded by Chinese President Xi Jinping.
The most recent intrusion highlighted by the Five Eyes isn’t the type of espionage that is the veritable background noise of enduring competition among states. Chinese cyber operators have become notorious for intellectual property theft, but their cyber espionage activity has gradually shifted to meeting other strategic imperatives, as the Volt Typhoon case shows.
Offensive cyber intrusions for specific strategic effects usually require the preplacement of technical implants and long-term access to the adversary’s network well in advance of the operation. Former White House cybersecurity adviser Chris Inglis has called these implants intelligence, surveillance and reconnaissance platforms that are ‘ubiquitous, real-time and persistent’. Volt Typhoon appears to have been performing just such a preplacement operation.