FBI Director Warns Chinese Hackers Aim To 'Wreak Havoc' On US Critical Infrastructure

"China's hackers are positioning on American infrastructure in preparation to wreak havoc and cause real-world harm to American citizens and communities, if or when China decides the time has come to strike," said FBI Director Christopher Wray in a prepared testimony before the House Select Committee on the Chinese Communist Party. NBC News reports: Wray also argued that "there has been far too little public focus" that Chinese hackers are targeting critical infrastructure in the U.S. such as water treatment plants, electrical grids, oil and natural gas pipelines, and transportation systems, according to the prepared remarks. "And the risk that poses to every American requires our attention -- now," his prepared testimony said.

As Wray testified, the Justice Department and FBI announced they had disabled a Chinese hacking operation that had infected hundreds of small office and home routers with botnet malware that targeted critical infrastructure. The DOJ said the hackers, known to the private sector as "Volt Typhoon," used privately owned small routers that were infected with "KV botnet" malware to conceal further Chinese hacking activities against U.S. and foreign victims. Wray addressed the malware in his testimony, emphasizing that it targets critical infrastructure in the U.S. [...]

At Wednesday's hearing, the director of the federal Cybersecurity and Infrastructure Security Agency, Jen Easterly, testified that Americans should expect efforts by China to wage influence campaigns online relating to the 2024 election. However, Easterly added that she was confident that voting systems and other election infrastructure are well-defended. "To be very clear, Americans should have confidence in the integrity of our election infrastructure because of the enormous amount of work that's been done by state and local election officials, by the federal government, by vendors, by the private sector since 2016," Easterly said in her testimony.

Wray emphasized in the remarks that the "cyber onslaught" of Chinese hackers "goes way beyond prepositioning for future conflict," saying in the prepared remarks that every day the hackers are "actively attacking" U.S. economic security, engaging in "wholesale theft of our innovation, and our personal and corporate data." "And they don't just hit our security and economy. They target our freedoms, reaching inside our borders, across America, to silence, coerce, and threaten our citizens and residents," the excerpts said.

The hackers hacked turtles all the way down

[Tablizer]

I'm pretty sure US & Taiwan have done similar hacks into China's infrastructure. If Taiwan gets invaded, we can probably kiss modern conveniences goodbye for several weeks at least.

Re:

[timeOday]

Kissing goodbye to banking and electronic payments for a few weeks would be inconvenient indeed.

As in, nationalize all foodstuffs and roll out the National Guard to the distribution centers inconvenient.

Re:

[conorjh]

ah the incomprehensible word-salad and console font, someone get hold of this man before he jumps in front of a train fleeing glowies

Re:

[wyHunter]

How can us manufacturers take up slack in two to three months? What factories? The equipment isn't just sitting there. And given that most of the country seems to think being an 'internet influencer' is a job , well, who is going to work in them?

Re:The hackers hacked turtles all the way down

[cusco]

Actually they probably don't, most of their infrastructure is rather new and fairly homogeneous and standardized and penalties for leaving them available to be attacked. Security is an achievable goal in that situation. They don't have the patchwork crazy-quilt of antique analog systems with digital adapters kluged on, the slapped together low-bid SCADA installs illegally connected to the corporate network, or the corporate executives too lazy to VPN into the network who insist on infrastructure connected directly to the Internet so they can review it while sitting in the coffee shop downstairs, or the regulators unable/unwilling to control the companies they're supposed to oversee.

Re:

[rilister]

Isn't a bit like MAD theory with nuclear weapons? If both sides have a weapon so powerful, neither side can use it?
I suspect the US has penetrated every bit as deeply as China has, and they both have their hands all over the critical infrastructure (energy, finance, telecoms, IT, etc). There doesn't seem to be much that either side can keep secret if they try (eg. the Shadowbrokers taking out the elite NSA TAO group).
I imagine that we'd see much more strategic disruptions, ones that causes maximum embarrass

Re:

[cayenne8]

I suspect the US has penetrated every bit as deeply as China has, and they both have their hands all over the critical infrastructure (energy, finance, telecoms, IT, etc).

I doubt we (US) are in as deeply as China is to our country.

Its much easier for them to actually physically come over here (spies) in our open society and not stand out, than it is for us to go inside China.

I fear they have much better and nastier capabilities against our society than we do against theirs at this point.

I HOPE that's no

Re:

[LazarusQLong]

why would you think that the USA has done exactly what Diector Wray suggests that the Chinese have done? I mean, for every 1 really smart hacker in the USA, the chinese have 4. In the USA it is the culture to piss on the government and to consider the government to be evil. In China, this MAY be true as well (to piss on the Chinese government) but I am betting very few ()compared with the size of their population) do so publicly, rather instead there are huge numbers of 'patriotic organizations' of hackers

Re:

[rilister]

> why would you think that the USA has done exactly what Diector Wray suggests that the Chinese have done?
For one example, stuff like this:
https://www.risidata.com/index... [risidata.com]

All you cynics!

[VeryFluffyBunny]

The poor innocent White House & NSA are beside themselves with shock & grief at this news. They're totally unprepared because Al Gore invented the internet to make the world a better place. And now, here come those evil Chinese, weaponising it! I reckon some people in the White House & NSA are going to need counselling & maybe some compassionate leave to get over this.

More like, decades.

[stooo]

>> I'm pretty sure US & Taiwan have done similar hacks into China's infrastructure. If Taiwan gets invaded, we can probably kiss modern conveniences goodbye for several weeks at least.

HAHA Weeks.
Nope.
It's more like, decades.

well its not like

[Growlley]

politicians, ceo's and accountants havent already/

Re:

[korgitser]

I mean look at all of those trains the Chinese have been derailing!

Hacking Pianos

[stooo]

In the UK, it is Pianos getting Hacked.

Voting systems are "well-defended"?

[ObliviousGnat]

That reminds me of a quote:

"The Navy is ready. It is not going to be caught napping." --US Secretary of the Navy Frank Knox, December 4, 1941

Re:

[wyHunter]

As opposed to killing millions invading the islands. Fewer people died due to the bomb. Now go back and have your nap-nap.

Re:

[ObliviousGnat]

Fewer people died due to the bomb.

At most, the bomb shortened the war by a couple of weeks. Remember, the U.S. military was already very proficient at wiping cities off the map overnight.

The USA could have shortened the war by years if they had offered to the Japanese what they wanted all along and got in the end anyway: a guarantee that the Emperor would not be harmed.

Re:

[GoGoGadgetWhiskey]

At most? That bomb saved millions of American lives, and I'm one of them. You may be too. But oh, if we only gave the feudal emperor what he wanted.... I hope you're never in charge of anything. Read a book.

Re:

[conorjh]

remember when US generals said Japan would never surrender.... then told you the US needs to nuke them until they surrender lol.

if you follow that kind of reasoning i cant help you

Re:

[wyHunter]

And some of the Japanese military still didn't want to surrender even after the Hiroshima bomb. I suspect they were right, they would not have surrendered.

Re:

[conorjh]

except they literally did surrender, so that was bullshit as well

Re:

[ObliviousGnat]

That bomb saved millions of American lives

Truman said "thousands and thousands" of young American lives. [millercenter.org] It was only after public sentiment turned against the USA that he changed it to "millions".

Re:Voting systems are "well-defended"?

[oogoliegoogolie]

You are picking the nicest fairy-tale solution instead of being objective and realistic to how difficulty it would have been to take Japan via ground assault. It still took a whole year for Germany to surrender after D-day. Japan's population was 'fanatically hostile' and wouldn't just surrender as soon as the first American soldier landed.

Japan was beaten. It had little naval ships, no carriers, small airforce, few big weapons, and very importantly, no oil source to fuel their remaining military. Basically no military except poorly equipped infantry vs American's might, but still were not surrendering. Japanese civilians, especially women and young boys-the ones who had the best chance of causing American solders to let their guard down-were being trained to be kamikaze suicide bombers "For Emperor Hirohito's honor" in preparation for the inevitable invasion of Japan. Japanese men were taught how to Banzai attack in huge numbers.

The atomic bombs shorted the War in the Pacific by years, not months. It saved millions of lives-American, allied, and Japanese. The invasion of Japan could take years and the estimated casualties were 1M to 10M. A very grim prospect.

Re:

[ObliviousGnat]

The atomic bombs shorted the War in the Pacific by years, not months.

Russia was about to invade Japan, but the USA didn't want to share Japan with Russia as they did with Germany. So they dropped the bombs, and when Japan still wouldn't unconditionally surrender, the USA out of desperation finally offered the #1 condition that the Japanese wanted all along: a guarantee that the Emperor would not be harmed.

The Japanese quickly accepted the offer because they knew they wouldn't get the same terms from the Ru

Re:

[conorjh]

women and kids my man, women and kids. might be your bag but most other people call that scumfuckery of the lowest degree. justify it however you like.

Re:

[wyHunter]

You don't think women and kids don't get killed an invasion? You also don't realize that the kids were being told they needed to sacrifice themselves for the emporer throughout the islands. No, far more would have been killed. But hey, you Yank hating person, go right ahead. And if you live in the US, please feel free to leave.

Re:

[conorjh]

and america has the nerve to cry over 2000 dead bankers on 9/11

Wrecking havoc on X, Facebook and Instagram

[thesjaakspoiler]

What other critical infrastructure is there?

Re:

[Powercntrl]

What other critical infrastructure is there?

Shit which never should've been connected to the internet in the first place. It's like someone watched that late 90s "Hackers" flick and thought it was actually a good idea to implement all the net-connected things Hollywood took artistic license with, for real.

Re:

[cmseagle]

Stuxnet demonstrated that a sufficiently motivated attacker can wreak havoc on an air-gapped system.

Re:

[Frederic54]

Power grid... thousands of small devices monitoring/interacting with power grids are on the net. Remember the 2003 blackout? It could be way worst with the push of a button, to disrupt all of those devices.

Paper ballots

[penguinoid]

Where I am we have paper ballots, which are machine counted, and there's occasional hand recounts. Paper of course is notoriously difficult to hack, they'd also have to get physical access to both the ballots and the electronic record, also the final count is printed out and reported when the polls close, messing with all this would be absurdly difficult, and the several tons of paper they'd need to create and swaparoo won't fit in the pocket and is immune to the internet.

Re:

[Powercntrl]

I think the hackers would pretty much just need to alter the results of the ballot counting in such a way that it isn't likely to trigger any hand recounts. Florida would be an easy state to manipulate because the elections are normally pretty close anyway, so you could easily get whatever result you wanted without it looking too suspicious. Although, for the Chinese there's not much point to messing with our democracy - both of our two major parties have jumped on the China BAD bandwagon.

Re:

[penguinoid]

They ought to be doing a few hand recounts randomly, and they probably are, that's just basic quality assurance.

Re:

[Anonymous Coward]

There isn't really any reason to need to electronically count. There just isn't.

People did hand counts for decades, using paper ballots. It's not confusing, it's not hard to do, and at least where I am -- members of all parties that wish it, can have a representative watch the count real-time. It's so immensely simple and non-complex. EG, you break them into groups of 10, or 100, or whatever, and then form bricks of votes in those groups. Again, super simple.

But people want to sell new machines, and bl

Re:

[penguinoid]

how confusing a pencil and an X are

That's actually the one thing the machine does that hand-counting cannot, for about 1-5% of ballots the machine says "Hey dumbass, you put too many Xs, if you like you can void this ballot and try again, instead of guessing maybe use our giant magnifying glass". So fewer spoiled/ambiguous ballots. The machine also provides the various vote counts right when polls close, so probably a very slight increase in security.

Conversely there's the possibility that the machine might be able to tell who voted for who,

How to do it

[Okian Warrior]

I think the hackers would pretty much just need to alter the results of the ballot counting in such a way that it isn't likely to trigger any hand recounts.

The way to do this is to slowly add fake voter registrations in the weeks leading up to the election, then enter create ballots for all the fake voters. Some of these can be absentee ballots.

The focus on ballot counting machines and process problems during the election night are completely misdirected - you need a way to cheat that would be undiscovered during a hand recount.

Live up-to-the-minute reporting is a big help here. You keep track of which candidate is winning, estimate how much your candidate will lose by, then drop off boxes containing only enough ballots for your candidate to win by a small margin. This minimizes the number of fake ballots entered into the system, and reduces your chance of getting caught.

For extra safety, cook up some reason to pause counting until the next day, then drop the boxes off late at night when everyone's asleep.

Bayesian prior: if this practice were widespread, we should see a large number of elections where candidates win by a thin margin, and not several percentage points.

Bayesian prior: if this practice were widespread, we should see boxes of ballots dropped off late in the process (ie - late at night, after counting has stopped, or after polls close generally).

Re:How to do it

[edi_guy]

That's actually a very good point. The whole voter registration process does seem like a weak spot. Just looking at a few state's Voter Registration sites, basically they are asking for your name, address, and drivers license / state id number. So the real vector could be the DMV.

Though I think (hope) with this new Federal 'RealID' there is less opportunity to screw around with the DMV databases.

And the debates about people who don't have official id not being able to vote...I'm ok with that. Same with people who forgot to register, or waited until after midnight to register...lots of things require you to prove your identity and do stuff on time. Voting is one of them.

Re:

[penguinoid]

Oh you mean you can lose your right to free speech, or to not be warrantlessly searched, etc if you don't register on time and show ID? Or just voting? You know, we have an affidavit process that allows for filling out a ballot despite having no ID, then proving your ID later. So this nonsense about ID is not about election security, it introduces a security flaw into the election process. Same with registration, if someone deletes the registration of all Rep voters for example should that invalidate them f

Re:

[penguinoid]

then drop off boxes containing only enough ballots for

Right, you just drop them off, how easy.

For extra safety, cook up some reason to pause counting until the next day, then drop the boxes off late at night when everyone's asleep.

Right, because that will somehow be less suspicious.

Bayesian prior: if this practice were widespread, we should see a large number of elections where candidates win by a thin margin, and not several percentage points.

Bayesian prior: if this practice were only happening in the imaginations of deranged idiots, we should see a large number of elections where candidates win by a thin margin, and not several percentage points.

Bayesian prior: if this practice were widespread, we should see boxes of ballots dropped off late in the process (ie - late at night, after counting has stopped, or after polls close generally).

Bayesian prior: there's idiots who think boxes of ballots can just be "dropped off" and for some reason people would be stupid enough to count them, plus be even less suspicious if there were a break-in, plus thi

Re:

[Baron_Yam]

Americans don't want paper ballots, because they can't manipulate them easily.

Their parties play politics like it's a game rather than a duty... and even then not seeming to care about doing it honestly so long as they can get away with it.

Re:

[conorjh]

baroam yamski over here

Re:

[Anonymous Coward]

Ah. A whataboutism, great!

That's a different issue. Yes, elections can be monkeyed with when paper ballots are used. But that's having corrupt elections officials, bribing voters, or disrupting the count process, and on and on, which democracies typically strive to prevent, and has *NOTHING* to do with the ballot type.

However moving from paper -> electronic, means you introduce NEW issues. You cause ADDITIONAL issues, which are well known by everyone.

Re:

[edi_guy]

I confess that way back in the day I was a proponent of electronic voting. In the way that a younger person cringes at any small amount of friction or inconvenience in their life. But maybe sometime after 2000 election but way before all the last 10-12 years of insanity I've done a 180.

Paper ballots, with machine counting is the way to go. It's the correct mix of tamper-resistant and relative expediency. If something looks fishy, or even if it doesn't fire up the hand recount. In the past I would h

Re:Paper ballots

[Seahawk]

In Denmark we have paper ballots and hand counting. Voting places closes at 8 pm and we have a result of how many seats different parties have around midnight.

The day after it is recounted and split into which candidates are actually elected - does it really have to be any faster than that?

Re:

[necro81]

I confess that way back in the day I was a proponent of electronic voting.

You are probably referring to the process of casting your vote 100% on a computer system, with no paper ballot.

However, I still believe there are still use cases for voting with a compute: using the computer to assist folks in filling out a ballot. This makes support for multiple languages and accommodations for the disabled easier and more flexible.*

I only advocate such a system if the output is a prepared paper ballot (inc

Re:

[BigZee]

I do find it bizarre that a country like the USA has so much automation in use for elections. It's not as if it's really that difficult to do using more traditional methods. I'm in the UK. Voting is by paper ballot. When it comes to counting, it's done by hand with appropriate oversight. None of this stops the result from being announced the day after the election. Indeed, for some constituencies, they've made the counting into something of a race to be the first to complete the count. Now, I can understand

Re:

[RoccamOccam]

Paper ballots were effectively destroyed with the "hanging chads" Gore vs Bush suit.

Re:

[Striek]

Obligatory XKCD [xkcd.com]

Re:

[nehumanuscrede]

We could only dream of such a setup in the US.

It's far more difficult to cheat if the data isn't in digital form and / or has a hardcopy receipt to back the digital data up.
( Kinda like trying to steal a few billion dollars when the target has stored the entire thing in $1 bills )

I'll go ahead and make this prediction right now:

If the 2024 election in the US isn't the most honest, transparent and cleanly run election in the history of this country,
mass violence and chaos is going to be the end result. Folk

biggest threat to US Critical Infrastructure

[ClueHammer]

Will be the bombs that china drop on it, for the continuous relentless anti china propaganda coming form the US that seem hell bent to start a war.

Re: biggest threat to US Critical Infrastructure

[Aristos Mazer]

There is similar rhetoric from China about US if you read Chinese-language media. Nothing overt, but slowly ratcheting the threat level. Hard to tell which side is driving it. At this point, probably both.

Re:

[AmiMoJo]

It would be surprising if one or the other came out and said they didn't think there was any significant threat. The default assumption here is that in the event of an escalation, pretty much everyone is ready to start hacking. We have seen it in Russia and Ukraine, and from North Korea, and of course for profit from numerous outfits all around the world.

Re:

[noshellswill]

Tyrannous Maoist  China/CCP is an existential threat to libertarian (re)publician  America. The USA should use all available power to weaken the grasp of CCP influence on world affairs ... and on their own enslaved peoples. A good 1st step is to  forbid all business arrangements  & Chinese imports . Use-ir-here ... make-it-here. Can be done with rigid tariff and tax laws and really fuck-over U. Chicago slaver-types.   

Re:

[skam240]

Sure, China claiming incredibly important international waters that facilitate massive amounts of international shipping along with the territorial waters of many neighboring countries all while not ruling out armed conflict over the claims isnt causing problems that could potentially lead to war at all. It's all the words the US is saying obviously!

Never mind Chinas appalling human rights record that makes us look like saints in comparison.

Don’t look here! Look there!

[geekmux]

”If or when” China decides? I’ve heard more valid threats from a fucking 6-year old on the playground. Sounds more like Wray is desperate to put the spotlight on anyone but him right now. Don’t fall for that standard shit to dispel incompetence and/or corruption.

Re:

[geekmux]

Is it that time of the year again when the spook agencies are asking for more money again? Maybe they should stop constantly purchasing American private data.

Yeah, or maybe cheap-ass citizens should stop trading their digital soul for a "free" price tag. Root cause, is root cause. They weren't buying data like this 20 years ago, that's for damn sure.

And funding has little to do with being corruptly guilty of bending a political knee and weaponizing the FBI against American citizens. Wray is desperate to point at anything to set on proverbial fire in order to take the heat off him right now. Kind of reminds me when I was sitting on a Military tarmac at 4AM pr

Re:Don’t look here! Look there!

[thrasher thetic]

The FBI is a totally trustworthy organization with our best interests at heart. It would never have ulterior motives for releasing statements like this.

For a real world reference

[echo123]

China has been attributed [csoonline.com] by the US government of hacking the OPM database in 2015. That database has every HR detail you can image and then some, on every US Federal government employee with exception to the CIA and military, (if I am not mistaken on that last detail).

Attacking US critical infrastructure via hacks is one of China's best options against the US, and is aimed to make the US think twice about defending Taiwan. Unlike bombs, many levels of hacks don't face reciprocity, like the OPM database theft. By the way, that database OPM used was part of Adobe Coldfusion [arstechnica.com]. Coldfusion got hacked.

FWIW, who knew people still use Coldfusion [adobe.com], or that there's still Coldfusion conferences [adobeevents.com]? Who is using Coldfusion in 2024?

Re:

[techmage]

Having worked in water infrastructure for several years, I wholeheartedly agree. Old computers, old software, and weak security are rampant. Combine that with underfunded municipalities and you get a recipe for easy disruption - and not in a good way.

Re:

[ZipNada]

Did you hear about the recent Infrastructure Investment and Jobs Act, a $1 trillion infrastructure bill? That seemed like a pretty significant investment to me.

Liar.

[zenlessyank]

Fear mongering Incorporated.

ohh nooo! how did this happen???

[oumuamua]

CNN tells it best, https://www.cnn.com/2024/01/31... [cnn.com]

“Unfortunately, the technology underpinning our critical infrastructure is inherently insecure because of decades of software developers not being held liable for defective technology. That has led to incentives where features and speed to market have been prioritized against security, leading our nation vulnerable to cyber invasion. That has to stop,” Easterly said.

But if you don't prioritize features and speed to market your company loses ou

US elections are won

[NotEmmanuelGoldstein]

... the risk that poses to every American ...

Once, the US government labelled comic-books a risk "to every American".

Nowadays, internal risks are more likely to collapse the USA than international threats: The need to sacrifice specific demographics has spread past US racism and anti-immigration. The US is choosing ideological fanaticism which breeds authoritarianism. The normal result is civil war and a dictator but both are near-impossible in the USA. Instead, the USA will suffer paranoia and mistrust until the normal regulation of society is impossible: That doesn't mean destruction and apocalypse, it means the cost of operating and protecting government will rise exponentially. We're already seeing the first step with the massive spending, propaganda campaigns and partisanship in US elections.

As long as US elections are won by people willing to label some demographics as second-class citizens, this downward spiral will continue.

Re:

[wyHunter]

Then stop doing so.

So this week it is China again

[Synonymous Homonym]

Next week it will be Russia or North Korea or Iran again.

Or it could be some bored teenagers with an off-the-shelf ransomware package in a bedroom in California like it actually was the last few times, but that doesn't unlock the big budgets.

Re:

[mjwx]

Next week it will be Russia or North Korea or Iran again.

Or it could be some bored teenagers with an off-the-shelf ransomware package in a bedroom in California like it actually was the last few times, but that doesn't unlock the big budgets.

At this point I'm convinced that the FBI is just putting Christopher Wray on PR duties to keep him off of real duties where he could be doing serious harm. Given his past announcements (ironically, about China too) he's not got a good history.

Voting Systems

[endus]

I appreciate the need to increase confidence in our election systems after the 2020 debacle, but, "confident that voting systems and other election infrastructure are well-defended"? What in the entire history of electronic voting machines would lead someone to say something like that?

I'll take "No shit, Sherlock" for $100 please, Art

[KiltedKnight]

I would have thought this to be obvious.

Our stuffs insecure, so blame China?

[Murdoch5]

I'm in Canada, not the US, but maybe if the problem is security, then invest into improving security. Making a call-out that "Everything except voting / election infrastructure is a dumpster fire waiting to combust", is absolutely nonsense.

Easy Fix.. Block all Chinese CDNs!

[jerryjnormandin]

If it's a real problem people should just learn how to manage a firewall. My Ubiquiti Unifi Secure gateway blacklists the entire world. I whitelist what I deem safe and I limit the hop count to prevent access from crafty script kiddies that took over computers with a chatbot virus. Granted this is not foolproof but it mitigates the possibility of an attack. The most common attack vector is through email. You need to be vigilant. I have Thunderbird configured to view mail headers all the time.

Ask Oregon

[byronivs]

She pays out fairly regularly for Intel to fuck her with its dirty corporate cock.

Yawn

[Kerry Boehm]

I'm 52. Been around way too long to get my panties in a whirl here. Remember how everyone was all wound up over Russian election hacking? Turned out that was a big nothing burger and that's just the latest in a long line. We'll probably find out in a year or two wasn't much to this either. We always have to have boogeymen. Remember those couple years between the fall of the Berlin wall and Desert Storm. I miss that.