China Accuses the U.S. of Hacking Back as Cyber Conflict Grows 
Cyble | Cyber espionage

U.S. agencies accuse China of cyber espionage, infiltrating critical infrastructure. China counters, alleging U.S. attacks.

Overview

U.S. national security and cybersecurity agencies have leveled cyber espionage accusations against the People’s Republic of China (PRC) for much of 2024, accusing the PRC of infiltrating U.S. critical infrastructure and telecom networks – possibly in preparation for a potential cyber war between the two global powers. 

China has pushed back, calling such charges misinformation and accusing the U.S. of its own espionage campaigns. While the PRC’s claims merit skepticism – most notably that alleged Volt Typhoon activities have been U.S. misinformation or “false flag” operations – new claims by China that two recent sophisticated cyberattacks were carried out by the U.S. are worth examining if only for the details and security insights they provide. 

We’ll examine those claims – along with an overview of the depth and breadth of PRC activities in 2024, U.S. responses, and recommendations for telecom and critical infrastructure security. 

China Claims Two U.S. Cyber Espionage Attacks 

China’s counter-charges to U.S. cyber espionage claims have largely been based on decade-old NSA leaks, so the PRC’s latest claims are notable for focusing on two recent, specific incidents while avoiding those larger claims. 

In a December 18 bulletin, China’s National Internet Emergency Center (CNCERT) claims it “discovered and handled two cases in which the United States launched cyber attacks on large Chinese technology companies and institutions to steal commercial secrets” [translated]. 

Beginning in August 2024, an “advanced material design and research unit … has been attacked by a suspected US intelligence agency,” CNCERT claims. The attackers “exploited a vulnerability in a certain electronic document security management system in China to invade the software upgrade management server deployed by the company, and delivered control Trojans to more than 270 hosts of the company through the software upgrade service, stealing a large amount of commercial secrets and intellectual property of the company.” 

The second alleged attack was against “a large-scale high-tech enterprise in … smart energy and digital information.” The attackers in that case “used multiple overseas springboards to exploit Microsoft Exchange vulnerabilities, invaded and controlled the company’s mail server and implanted backdoor programs to continuously steal mail data. At the same time, the attackers used the mail server as a springboard to attack and control more than 30 devices of the company and its subsidiaries, stealing a large amount of the company’s commercial secrets.” 

While it is impossible to determine the veracity of China’s latest claims, given the extent of PRC campaigns against U.S. targets, it would not be surprising if the U.S. were engaged in counter efforts. It is less likely that those efforts would include what appears to be industrial espionage in these cases, unless the targets could provide important strategic information – which may be possible in the case of the smart energy company, for example. Nonetheless, there is no shortage of nation-state or financially motivated threat actors (TAs) capable of carrying out such attacks, so without technical specifics that could link the attacks to a TA, the claims are unsupported. 

A Timeline of PRC Campaigns Targeting the U.S. 

2024 has seen a notable increase in cyber tensions between the two countries. Here are some of the key developments. 

PRC Positioning in U.S. Critical Infrastructure 

In February, the U.S. and the other “Five Eyes” countries warned that “People’s Republic of China (PRC) state-sponsored cyber actors are seeking to pre-position themselves on IT networks for disruptive or destructive cyberattacks against U.S. critical infrastructure in the event of a major crisis or conflict with the United States.” 

U.S. national security and cybersecurity agencies have repeated those claims a number of times since then – including speculation that China may be preparing for cyber conflict as part of its goal of having the capability to invade Taiwan by 2027. 

U.S. Government Breaches 

A July 2023 breach of U.S. government email accounts received a thorough accounting in 2024 in reports and hearings, including pledges from Microsoft that it would address the security failings that led to the breaches as well as make security a top priority for the company going forward. 

Wiretap System and Telecom Breaches 

The revelation in early October that the PRC-linked Salt Typhoon group had breached the U.S. court wiretap system was followed a few weeks later by news that the telecom network breaches behind that attack had also led to attacks targeting the phone communications of U.S. officials at the highest levels.

What followed was a stark reassessment of telecom network security – some of which may not be as risk-focused as perhaps would be ideal. 

Focus on Chinese Network Equipment May Overlook Other Risks 

To address those security issues, the U.S. is engaged in a $5 billion “rip and replace” effort to remove Chinese equipment from U.S. telecom networks. 

While government intervention may well be necessary to shore up the significant gaps in telecom and critical infrastructure security, focusing narrowly on equipment from China ignores other vulnerabilities that may be just as critical. 

While not revealing details, Senator Mark Warner – a former telecom venture capitalist – recently told the Washington Post that “thousands and thousands and thousands” of vulnerable telecom network devices might need to be replaced. “The big networks are combinations of a whole series of acquisitions, and you have equipment out there that’s so old it’s unpatchable,” Warner said. 

Vulnerable legacy devices, whether in telecom or operational technology (OT) networks, are at the heart of the cybersecurity crisis confronting telecom and critical infrastructure. Replacing just one source of those issues likely won’t provide a comprehensive solution. 

A much broader program that emphasizes replacing legacy devices wherever possible, along with essential security practices like network segmentation and access control, will likely be required to solve persistent security vulnerabilities and threats in telecom and other critical infrastructure. 
