China-based hacking groups: Keeping critical infrastructure cyber-safe

Cyberattacks on critical infrastructure (CI) have become more common, insidious and sophisticated in the past few years. Some of these attacks have had devastating effects on states big and small. Just earlier this month, the port of Nagoya was hit by a cyberattack from attackers from Russia, disrupting the shipment of parts needed for car assembly.

In such times, states and CI owners and operators need to manage threats in a responsible manner and work together to ensure that CI remains available and operational at all times.

The aims of malicious actors conducting cyberattacks on CI vary.

Groups that use ransomware - the threat to release or withhold data or access to systems hostage in exchange for payment - have been particularly active. In May 2022, Costa Rica declared a state of emergency after a spate of ransomware attacks from malicious actors based in Russia. Salary payments to state workers were delayed, and tax and custom collection systems were also disrupted in the cyberattack. The ransomware attack on the Colonial Pipeline in the US in May 2021 showed how attacks can shut down a vital operating pipeline and disrupt transportation and economic activity. And this is just activity done by groups whose aim is profit.

The Solarwinds attack in late 2020 showed how malicious code can be silently slipped into the supply chain at its source and compromise the clients of the company. The attackers used multiple techniques to evade detection and obscure activity. Thousands of government agencies and private companies were breached in that incident, in what was thought to be an act of espionage, something that all states do in some form or other. The recent disclosure of a China-based hacking group dubbed Storm-0558 allegedly accessing emails of top US officials like Commerce Secretary Gina Raimondo should be seen as espionage activity rather than having the potential to destroy CI.

Another form of cyberattacks on CI is more serious and done to influence the behaviour of another state. Right before the invasion of Ukraine, Russia conducted a series of cyberattacks to disrupt the communications networks of Ukraine. Ukrainian CI has been significantly affected by Russian malicious cyber activity in the past, with its power grid suffering from major disruption in the throes of the Ukrainian winter in 2016.

It was therefore a cause for concern when reports of a China-based state-sponsored actor being discovered in CI organisations in Guam and other parts of the US surfaced in late-May 2023. The malicious actor was codenamed "Volt Typhoon" and utilised techniques to gain information while remaining undetected in the system but could cause wider-ranging implications such as the disruption in the functions of CI.

While there is no definitive link that the act was ordered by the Chinese government, the lack of a financial motive in this incident points towards a level of support from a well-financed actor that has the incentive to conduct espionage activity. The concern over Volt Typhoon was exacerbated by the fact that Guam is a sensitive and strategically located military base of the US, and its significance vis-à-vis China and its potential power ambitions.

Another factor contributing to the tension caused by this report is the poor state of China-US relations. Had relationships been better, a detection of such activity may be viewed as an intelligence gathering exercise and any notification could have been done via diplomatic backchannels.

But relations between the two powers in recent times have been dire. The existing mistrust that each side has of each other, and the public disclosure of the incident is probably related. By publicly disclosing Volt Typhoon, the US could signal its displeasure to the Chinese government and at the same time notify CI owners and operators of malicious activity with little left to lose.

In addition, the lack of dialogue and trust means that the motivations behind this incident could be viewed more severely, and as a worst-case scenario, as a precursor to armed conflict, like the Russian malicious activity in Ukraine. The building of trust of China with the US and its partners is therefore more critical than ever, so that the reactions to malicious cyberattacks on CI do not spiral out of control.

The response to the Volt Typhoon disclosure also shows the different philosophies present in dealing with malicious activity in cyberspace.

While most states with cyber capabilities chafe against the uncovering of their wrongdoing in cyberspace, it does not make cyberattacks on CI right. The Chinese response to the report was an exercise in whataboutism, refuting the claims with China calling the US "the empire of hacking" and pointing out the lack of evidence provided by the report, suggesting that the US did not have the right to attribute the act to China and the US was denying the conduct of its own cyber operations. This belligerent and strident approach seems to be the standard response by China, with China reacting in the same way when US Secretary of State Antony Blinken raised the issue of email hacking last week with Chinese State Councilor Wang Yi on the sidelines of the ASEAN Foreign Ministers Meeting in Jakarta.

But this approach misses the point about protecting CI from cyberattacks. The US and Microsoft were justified in publicising a report on the uncovered malicious activity. Microsoft, as a computer services vendor, has done well in sharing information. It is justified in keeping its clients safe with timely and targeted remediation measures. Information over how the Volt Typhoon group carries out its exploits is also shared with the general public, so all users are more secure.

The US government has a duty to notify its CI managers and owners, as well as partners in the region, of potential and current threats from all threat actors. The objective of such a disclosure is not necessarily an attempt to demonise China and highlight state-sponsored cyber activity but could be read as a means to strengthen domestic understandings of threats to CI.

Perhaps China could be clearer on their objectives and be more accountable over its use of cyber capabilities. One way of ensuring accountability is for countries to be clear about how such their cyber capabilities are used. The UK in particular has identified three major principles in how it carries out its offensive cyber operations, which are to be accountable, precise and calibrated in its impact. This is underpinned by a robust legal framework of domestic and international law with additional independent oversight over such activity.

China has thus far been less than forthcoming about its capabilities and how these are being utilised. So far, the picture of Chinese activity that has been painted is through these public disclosures and reads like a charge sheet, which damages its reputation.

The cost of defending networks from state-sponsored cyber actors who are well-resourced in both personnel and equipment is immense and privately owned CI may not have the resources to defend against such actors. A mix of cooperation from both private sector CI owners and their governments and among governments to ensure that CI remains safe, secure and always operational is therefore needed.

The norms of responsible state behaviour recommended by the United Nations Group of Governmental Experts in 2015 and agreed to by all states addresses the issue of CI protection quite clearly. While the norms place responsibility on states to take appropriate measures to protect their CI from ICT threats, this does not preclude governments from cooperating with other states and their private sector to ensure that their CI remains secure. This includes sharing threat information and the vectors that malicious actors use to compromise CI.

Additionally, states should be curtailed; the norms also call on states to "not conduct or knowingly support ICT activity that intentionally damages critical infrastructure". While espionage activity by states does not damage CI, the potential of the exploit destroys the confidence among states to keep to the rules.

States, especially those that have the capacity to do so, should keep out of CI networks to ensure that all states including small and developing states can harness the benefits of information and communications technologies and function with minimal threats to the system.

Time and opinion are however not on China's side, and it should consider complying with and implementing the rules of responsible state behaviour. The confidence that China is a responsible state actor and leader in cyberspace slips every time a disclosure is made, and there is room for it to make clear its stance on conducting cyberattacks on CI.

China, with its ambitions of setting norms in international relations and with its accompanying rhetoric of behaving responsibly, should take a leadership role and move towards the prohibition of attacking CI and work together with the international community to strengthen rules around such attacks. It can also start by being transparent in its use of such capabilities and develop effective communication channels and cooperating with states all around the world as a confidence building measure to safeguard CI. Doing so may engender and build trust in Chinese leadership in making the rules for cyberspace.

Related: How China is tightening controls over cross-border data transfers | Web3 with Chinese characteristics: Finding China's solution for regulators, developers and users | Southeast Asia should confront the threat of economic espionage from China and elsewhere | US digital regulation dilemma: How to censor in a free society?