EXCLUSIVE

Chinese-backed hackers Volt Typhoon are targeting Australia’s critical infrastructure

A Chinese state-sponsored hacking group is targeting Australia’s critical infrastructure and may have already accessed some systems, after infiltrating essential services in the US.

Chinese-sponsored Volt Typhoon hackers are highly sophisticated and hard to detect, becoming part of an organisation’s network.

A Chinese state-sponsored hacking group called Volt Typhoon is targeting Australia’s critical infrastructure and may have already accessed some systems, after infiltrating essential services in the US.

Confirmation by The Weekend Australian that the group is active in Australia has triggered fresh calls from cyber security ­experts for the Albanese government to be transparent about the risks to business and the community, while critical infrastructure entities have been told to “harden their systems”.

Australian Security Intelligence Organisation director-general Mike Burgess referenced the attacks in his latest threat assessment, saying one nation state was conducting “multiple attempts to scan critical infrastructure”.

Government sources confirmed that the aggressor was China and that its hacking group called Volt Typhoon – which has successfully compromised American companies in telecommunications, energy, water and other critical sectors – was the culprit.

One source said the cyber ­attack had accessed some critical systems, while another said it was likely but not certain that essential utilities had been breached.

Another insider labelled the ­attempts to control critical infrastructure as the “electronic equivalent” of Chinese commando groups putting bombs underneath bridges or on high-voltage pylons for the purposes of blowing them up during a war.

Home Affairs Minister Clare O’Neil declined to say if she was aware of any Australian critical ­infrastructure being compromised, but her spokesman said: “We’re monitoring Volt Typhoon and other state-backed groups very closely.”

Cyber Security Cooperative Research Centre chief executive Rachael Falk said the group was especially pernicious because it “sits in wait ready to attack in the event of a major conflict” after gaining access to critical infrastructure networks.

FBI director Christopher Wray denounced China’s offensive cyber activities in congressional testimony earlier this year, ­accusing Beijing of prepositioning on US infrastructure in preparation “to wreak havoc and cause real-world harm to American citizens and communities, if and when China decides the time has come to strike”.

Last week, Mr Wray admitted that Volt Typhoon had gained ­illicit access to networks within America’s critical telecommunications, energy, water, and other infrastructure sectors.

Volt Typhoon uses malware to exploit vulnerabilities in thousands of home and business routers and harnesses the computational muscle to attack a company’s public-facing computer system.

Once inside, the hallmark of this group is “living off the land”: using the legitimate system tools and functions already present on the network to evade detection. It then engages in “privilege escalation”, working its way up the network command chain until it holds the powers of a network administrator, at which point its commands look identical to those of the victim organisation’s own administrators. It can lie dormant for years, clandestinely monitoring the company’s activities and poised for a future strike.

The intention is not to steal ­information but to control critical systems.

The Australian Signals Directorate joined with Five Eyes ­partners earlier this year to ­advise of US infrastructure being ­compromised by Russian and Chinese state-sponsored actors, including Volt Typhoon.

The advisory said Australian and New Zealand assets could be vulnerable to similar activity and explained how Volt Typhoon ­actors exhibited “minimal ­activity within the compromised environment … suggesting that their objective is to maintain persistence ­rather than immediate exploitation”.

CyberCX chief strategy officer Alastair MacGibbon, the former head of the ASD’s Australian Cyber Security Centre, said it should be assumed foreign governments were attempting to ­access our critical infrastructure and businesses.

Amid industry concerns that businesses have been told to identify activity by groups such as Volt Typhoon without having the skills or knowledge to do so, Mr MacGibbon called for transparency.

“A mature, open conversation with business and the broader community about these risks and what can be done to mitigate them is increasingly necessary as the threat landscape continues to evolve,” he said.

“Australia operates the same types of systems, technologies, and critical infrastructure China indicates it will look to disrupt or destroy if it suits their strategic interests in times of increased tension or conflict. The Australian government issued an advisory notice on the internet, but industry and the broader community need and deserve more insight and guidance than this.”

Ms Falk said industry must step up and take responsibility for their cyber security, urging critical-infrastructure entities to ­actively scan for anomalous user and device behaviour in addition to their standard cyber security practices.
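The “living off the land” behaviour described above and Ms Falk’s call to scan for anomalous user and device behaviour come down to the same defensive idea: compare what an account does now against what it normally does, because an intruder using built-in administrative tools leaves no malware to signature-match. The script below is an added illustration of that baseline-versus-window check; it is not code from the article or from any agency advisory. The log format (`timestamp user host tool event`), the sample log lines, the set of tools treated as administrative, and the working-hours window are all constructed assumptions for the example.

```python
"""Baseline-vs-window anomaly check for living-off-the-land activity.

Added example (not from the article). Log lines are constructed and use
a hypothetical "<ISO timestamp> <user> <host> <tool> <event>" format.
"""
from collections import defaultdict
from datetime import datetime

# Constructed "normal" activity collected over an earlier period.
BASELINE_LOGS = [
    "2024-01-08T09:12:00 alice ws-01 powershell exec",
    "2024-01-08T10:03:00 alice ws-01 excel exec",
    "2024-01-09T11:20:00 bob ws-02 powershell exec",
    "2024-01-09T14:44:00 bob ws-02 outlook exec",
    "2024-01-10T08:30:00 svc-backup srv-db robocopy exec",
    "2024-01-10T08:31:00 svc-backup srv-db vssadmin exec",
]

# Constructed window under review: alice's account is used at 2 a.m. on a
# domain controller it has never touched, with tools it has never run, and
# then adds itself to a group. Nothing here is malware; every tool is
# built in, which is exactly what makes the baseline comparison necessary.
WINDOW_LOGS = [
    "2024-02-12T02:14:00 alice ws-01 powershell exec",
    "2024-02-12T02:15:00 alice srv-dc ntdsutil exec",
    "2024-02-12T02:16:00 alice srv-dc net group_add",
    "2024-02-12T10:00:00 bob ws-02 outlook exec",
    "2024-02-13T08:30:00 svc-backup srv-db robocopy exec",
]

# Built-in administrative tools worth a second look when an account that
# has never used them suddenly does (assumed list for this example).
ADMIN_TOOLS = {"ntdsutil", "net", "wmic", "netsh", "vssadmin", "psexec"}
WORK_HOURS = range(7, 20)  # 07:00 to 19:59 counts as in-hours (assumed)


def parse(line):
    """Split one constructed log line into a record dict."""
    ts, user, host, tool, event = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "host": host, "tool": tool, "event": event}


def build_baseline(lines):
    """Per-user sets of tools run and hosts used during the baseline period."""
    tools, hosts = defaultdict(set), defaultdict(set)
    for rec in map(parse, lines):
        tools[rec["user"]].add(rec["tool"])
        hosts[rec["user"]].add(rec["host"])
    return {"tools": tools, "hosts": hosts}


def find_anomalies(baseline, lines):
    """Return (kind, user, host, tool) findings for the review window.

    Kinds: privilege_gain (group membership change), new_admin_tool (an
    admin tool the user never ran in baseline), new_host (a host the user
    never used in baseline), off_hours_admin_tool (admin tool outside
    WORK_HOURS). Each is a deviation from the account's own history.
    """
    findings = []
    for rec in map(parse, lines):
        user, host, tool = rec["user"], rec["host"], rec["tool"]
        known_tools = baseline["tools"].get(user, set())
        known_hosts = baseline["hosts"].get(user, set())
        if rec["event"] == "group_add":
            findings.append(("privilege_gain", user, host, tool))
        if tool in ADMIN_TOOLS and tool not in known_tools:
            findings.append(("new_admin_tool", user, host, tool))
        if host not in known_hosts:
            findings.append(("new_host", user, host, tool))
        if tool in ADMIN_TOOLS and rec["ts"].hour not in WORK_HOURS:
            findings.append(("off_hours_admin_tool", user, host, tool))
    return findings


def flagged_users(baseline, lines):
    """Sorted list of accounts with at least one finding in the window."""
    return sorted({f[1] for f in find_anomalies(baseline, lines)})


if __name__ == "__main__":
    base = build_baseline(BASELINE_LOGS)
    for finding in find_anomalies(base, WINDOW_LOGS):
        print(*finding)
    print("flagged:", flagged_users(base, WINDOW_LOGS))
```

Two points a practitioner would weigh before relying on this. First, the comparison is only as good as the baseline: an actor that has been dormant for years, as the article describes, may already be inside the period used to learn “normal”, so the baseline should be built from a window reviewed for such activity and refreshed deliberately rather than rolled forward automatically. Second, single findings are noisy (an administrator legitimately works late), so it is the cluster of new host, new tool, off-hours use and a group change on one account that merits escalation, not any one line.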

“Australia’s critical infrastructure regime is world-leading and requires the owners and operators of designated critical infrastructure assets to take an ‘all hazards’ risk approach,” Ms Falk said.

“Given Volt Typhoon clearly presents a threat, critical-infrastructure entities should take proactive steps to harden their systems and build it into risk-management plans.

“This is especially the case for communications, energy, transport and water infra­structure, as we know these have been targeted by Volt Typhoon in the US.”

Government sources, who wouldn’t confirm if Volt Typhoon had compromised Australian critical infrastructure, said Mr Burgess had spoken extensively about the potential use of cyber attacks as a form of sabotage by foreign governments.

“With our agencies and allies we will continue to call that out where we see it, and work to strengthen our defences,” one source said.

The Security of Critical Infrastructure Act outlines the legal obligations entities have across 11 sectors – including defence, ­energy, communication and healthcare – if they own, operate or have direct interests in critical infrastructure assets.

Original URL: https://www.theaustralian.com.au/nation/politics/chinesebacked-hackers-volt-typhoon-are-targeting-australias-critical-infrastructure/news-story/280d12ffd4c926cf6c085d8f078e01c5