Nicole Perlroth
It's 2020. We start spotting Chinese hackers tucked deep inside our infrastructure. Quiet, patient, just waiting. The industry calls this living off the land. But don't let that rustic name fool you. These hacks are far from harmless. They're sleeper cells waiting for marching orders. We just didn't know for what exactly. Here's Kevin Mandia.
Kevin Mandia
And all of a sudden we see Chinese threat groups, since about late 2020, at least from my observables, hack in. And we don't know why, because they're not the tank through the cornfield. They're hacking in. And just that's it. There's no other activity. And then you're like, why are they there? You know, and it's, maybe they have access later. Maybe it's to mine user IDs and passphrases. You know, there's no better way to compromise any organization than if you can just log in, period. The best way to breach an organization is to log into it the same way the employees do. There's just no evidence. And that's what living off the land means. There's no malicious code, there's no backdoor. There's good operational security. If they created a log file that's suspicious, they would edit it when they wanted to go surreptitious. They were good at it. And that's the thing about digital evidence. You can edit it or delete it, you can change it. You know, it's different than the physical world. You can do some wonderful things if you're on offense and you have the patience and time and skill to do it.
Nicole Perlroth
By this point, you almost certainly understand that the CCP absolutely has the patience, time and skill. But in theory, so do we. So how did we let it get this far? How did we allow China's hackers to so intimately invade our most critical infrastructure? I'm Nicole Perlroth, and this is To Catch a Thief. The answer to that question of how we let things get this out of hand is where a number of trends converge. I've walked you through China's hacking advancements and the creeping emergence of global supply chains. But what made this the perfect storm was our uniquely American blind spots. For one, despite the impression left by Snowden, the NSA and other US intelligence agencies aren't actually in your private networks watching what you do. Or in this case, what Chinese hackers are doing. Not without running straight into the Fourth Amendment. The NSA is a foreign intelligence agency. It hunts for threats abroad. Its charter doesn't allow it to hunt for hackers on private American networks, not without a warrant or a special court order. What you need to understand is that the vast majority of US critical infrastructure, pipelines, the power grid, water, hospitals, more than 80% of it, is in private sector hands, meaning the government has no visibility into it. They can't deflect attacks on those private systems or even hunt there unless they've got a court order or they're invited in. To a large degree, when it comes to these living off the land attacks, we're flying blind. Our second big gaping vulnerability is that the United States is among the most digitally dependent nations on earth. We've been baking technology code into everything, with security as little more than an afterthought. We let software eat the world and we did it with this quote, unquote, move fast and break things approach.
As Mark Zuckerberg coined Facebook's motto in its early days, the idea was just get the application, get the code, get the router to market and we can worry about the bugs and security issues later. What this means, in effect, is that we've been plugging vulnerable software and hardware into our infrastructure with little if any security baked in by default. And then we leave it to these businesses and critical infrastructure operators like Nick Lawler in Littleton to figure out the security piece on the back end. The people who designed routers never thought that one day they'd be the linchpin for advanced nation state attacks. And China has been using all of this to its advantage, because by 2020, most Americans had grown somewhat wise to China's ways. If an IT operator picked up some unnerving traffic coming from a Chinese server, they knew to look into it. But Volt Typhoon, these Chinese infrastructure hackers, they weren't breaking in from Chinese servers anymore. They're coming in from routers inside the country, precisely where our intelligence agencies can't look. Remember way back in Episode Three, Tate Machine and Welding, when China's hackers broke in and used the Wisconsin welding shop server to hack major American businesses? Well, China's living off the land hackers are running the same playbook, only now they're using Americans' home routers. Here's John Hultquist, Mandiant's chief intelligence analyst.
John Hultquist
They're coming out of SOHO routers. So your home office, your small office router, they are literally going out. A lot of them have vulnerabilities.
Nicole Perlroth
That last bit, it's an understatement. Volt Typhoon made a habit out of targeting home routers that, as I was saying earlier, were sold without security baked in. To break into these routers, hackers only need to type in the default password, usually admin. And even if the user has bothered to change the password, these routers are riddled with vulnerabilities. And in too many cases, they've reached quote, unquote, end of life. Which basically means that even when we detect a vulnerability, there is no patch to install, no technical support. They're just sitting ducks. And by 2020, China's Volt Typhoon hackers started capturing these home routers en masse and using them as a launch pad to infiltrate US critical infrastructure.
John Hultquist
They go out, they capture these routers and they build them into a botnet.
Nicole Perlroth
Think of a botnet like the iconic Spider-Man villain Doc Ock, that evil mastermind who wields his robotic tentacle-like arms, only in this case, his tentacles are hooked into hundreds, thousands of these vulnerable home routers, commanding them to infiltrate America's critical infrastructure. And these zombie routers, they're just dusty, ordinary looking devices in living rooms and small offices, quietly moving packets for Chinese state hackers halfway across the world. Cyber experts have a Marvel-esque name for these compromised routers. They call them ORBs, short for operational relay boxes. So literally, you could be home right now baking apple pie and have zero idea that your home router is being used by China as a conduit to hack the US power grid. From China's point of view, this approach is elegant. From ours, it's dangerous. For one, it's the perfect disguise.
John Hultquist
What they're doing is instead of traversing through systems that they have to buy and set up, they're traversing through these stolen compromised systems. And that means instead of coming from China, like they can look like they're coming right from down the street.
Nicole Perlroth
It's like the Wisconsin welding shop leveled up.
John Hultquist
Same idea. Just imagine that scaled up. So instead of just coming through that one, you know, or a handful of those compromised systems, imagine just going out and getting hundreds of them.
Nicole Perlroth
And it's not just one botnet using these ORBs to hack us. China has employed nearly a dozen that we know about. They're managed by mid-level Chinese contractors like i-Soon and Chengdu 404 who lease them out to Volt Typhoon and these other Chinese APTs. It's layers on layers, like a hall of mirrors, each one giving Beijing just enough distance to shrug and say, wasn't us.
John Hultquist
There's just a ton of operations where they're setting this stuff up and different teams are sharing it, and it makes it really hard to tell what's what, right, and figure out what you're looking at. But it's the same exact idea. These compromised systems are a great way to sort of hide your tracks. And unfortunately this sort of router focused game is a really good way to do that.
Nicole Perlroth
Second, routers are easily replaceable. If one gets burned, hackers can just hop to the one next door.
John Hultquist
They can pick a router that's right next to you and looks completely natural for your network. And the great thing about also is that tomorrow they can burn it and go to a new one. And so from my perspective, somebody who tries to track this stuff, it makes it really hard.
Nicole Perlroth
Third, these routers are really hard to monitor. Rarely do they have logs or any kind of security. Volt Typhoon has used routers from US companies like Cisco, Fortinet, Netgear and others, many of them unpatched, still running those default passwords, or others that have reached end of life and been abandoned by their vendors. But these days, American brands are getting squeezed out by a Chinese giant. The world's largest network and communication equipment manufacturer, TP Link maintains production bases all over the world. TP Link is committed to creating reliable products and technologies to link global users to a better life. While the White House dithers back and forth on TikTok, few Americans have ever even heard of TP Link. And I get it. When you buy a home router, you don't care what brand you get, you just want it to work. TP Link's routers are ubiquitous and easily forgotten. If you've bought a home or small office router recently, chances are your data is flowing through TP Link. In fact, go on Amazon right now. Search the words home router and Amazon's overall pick is a TP Link router. It's by far the cheapest option, as in less than half the cost of its next closest competitor. TP Link's share of the US router market has exploded from 10% in 2019 to over 60% today. That's according to the Wall Street Journal, which found that TP Link's share of next gen Wi-Fi systems is even higher, 80%. And as early as October 2023, China's Volt Typhoon hackers started using TP Link routers to burrow into US infrastructure. Now to be clear, TP Link isn't the only brand they've used. But what makes TP Link different is this. It's a Chinese company. It was started by two Chinese brothers and for three decades operated from Shenzhen. But last year, TP Link split in two. One half stayed in China while the other moved its new official headquarters to Irvine, California to serve the US market. TP Link wants you to believe this split means it's no longer Chinese.
And as this episode was coming together, TP Link's general counsel sent me a tersely worded message saying any claim TP Link is a Chinese company is unlawful and legally actionable. According to this lawyer, quote, TP Link is a U.S. based company that manufactures routers for the U.S. market in Vietnam. But a week after TP Link's lawyers put me on notice, Bloomberg published its own investigation which found that Vietnam is effectively just a final assembly point. Their words. Only half a percent of TP Link's components come from Vietnam; the rest are still imported from China. And then there's what Rob Joyce, the NSA's former cybersecurity chief, testified to Congress and told our live panel podcast in March. He testified that TP Link's push into the US isn't just smart business, it's strategic. Rob told us the company is selling its routers at a loss, a deliberate move to flood the US with cheap routers and build what he called a PRC platform.
Rob Joyce
How have they achieved this miraculous growth? They appear to be selling at price points below profitability to drive out our western competition. TP Link routers were among the various brands exploited by Chinese state sponsored hackers in the massive Volt, Flax and Salt Typhoon attacks. Imagine these routers in the homes and businesses across America as a PRC platform to launch society-panicking cyber attacks. This is a threat we cannot ignore. The company is selling them at unprofitable levels and they're driving out the western and US manufacturers. It's exponential growth, and now they have these routers in all of our homes, and the software is maintained and updated out of China. Whether TP Link is complicit in these hacks or not today, at any point the Chinese government can go under their intel laws and direct that company to support them and issue an update that either bricks a massive amount of our critical infrastructure, people's ability to get on the Internet if they want to attack, or makes them even better bounces and redirectors for them to do their operations through. It's a huge problem, Nicole.
Nicole Perlroth
It reminded me of that line from Huawei's founder. A country without its own program controlled switches is like one without an army. TP Link disputes all of this and emphasizes that its security is on par with, if not better than, leading routers. That said, a recent Microsoft assessment took a careful look at one of these Chinese botnets. They call it CovertNetwork-1658 and it's used by multiple Chinese APTs. Microsoft determined it was comprised of 8,000 compromised devices, the vast majority of them TP Link. Now that could just come back to the fact that more Americans are using TP Link routers than ever before. Or it could not. U.S. investigators are now probing just how closely TP Link Systems Inc., the new American incarnation of the company, is tied to China. And if they find it presents a, quote, unacceptable risk, Washington could use new authorities to ban TP Link from the US. Politicians across the aisle are now zeroing in on the issue. Here's Democratic Congressman Raja Krishnamoorthi at a hearing on cyber threats in March. For context, he's holding up a TP Link router. You can actually buy one of these things for $20 online, but don't use this, okay? Don't put it in your critical infrastructure. I don't have one at home either.
Jim Lewis
It's not a good idea.
Nicole Perlroth
TP Link's routers, I should note here, aren't just sold on Amazon. They're everywhere. In fact, if you go to any US military base and head to the commissary, you'll find TP Link routers featured prominently on the shelves. But the routers are just the first step in breaking into US infrastructure. It's what these hackers do or don't do once they're in that makes these attacks really difficult to detect. Once they're in, they often don't act immediately. In some cases they lie completely dormant on a victim's network for 60, sometimes 90 days, which puts them well outside the period most companies even keep logs or can flag anything unusual. Here's John Hultquist again.
John Hultquist
We lose half the IOCs to this battle, right? We lose all the network related IOCs, particularly in relation to Volt Typhoon activity. They're living off the land.
Nicole Perlroth
IOC: indicators of compromise. That's tech speak for the digital crumbs, artifacts and other clues that indicate you've been breached. And Volt Typhoon has figured out how to leave as few crumbs, or IOCs, as possible. Here's Kevin Mandia.
Kevin Mandia
I think that's what's happening here and that's why there's been additional concern. It's way harder to investigate. So when Mandiant folks go out to figure out what happened and you're up against a group like Volt Typhoon, you know they're there. You see these terrible little scraps of, yeah, they looked at this one file, but, you know, they looked at 10,000 files and the evidence has only given you the one. And you're like, oh, my God, I'm getting less than 1% visibility into what they're doing here. And unless you have great identity security, great identity monitoring, you're not going to catch these folks that live off the land. And that phrase, I'm going to explain it again, it means the attackers are accessing an organization's network the same way the organization does, period. Same user IDs, same passphrases, same programs. There's nothing special. They've learned your network so well that they look like they're part of your network. And that's really hard to investigate. It's not impossible, but it does change how we look at things. We have to do forensics a little differently.
Nicole Perlroth
After Tel Avent, China's infrastructure hackers started coming for other pipeline operations across the country. But in 2020, they started hacking US infrastructure with an unnerving frequency. Something had changed. Something set them off. Have waged a fierce battle against the invisible enemy, the China virus against the Chinese virus.
Rob Joyce
It's a disease without question, has more.
Nicole Perlroth
Names than any disease in history.
Rob Joyce
I can name.
Nicole Perlroth
Kung Flu, you might recall from episode one. The CCP is obsessive about image control. It's why they hacked Google. It's why Xi agreed to the 2015 cyber detente. The CCP weren't willing to risk the embarrassment of the White House canceling Xi's first official trip, or risk being greeted with sanctions. It's impossible to say what set them off in 2020. You'd have to be a fly on the CCP's wall. Maybe they were set off by the mocking. Maybe it was the isolation and undercurrents of suspicion that dominated Covid. If we were already looking at each other through straws, then after Covid, we were now looking through needles, as Tom Friedman, the Times columnist, puts it. Whatever it was, in 2020, China's Volt Typhoon became the broadest, most active, most persistent cyber threat to US infrastructure that American intelligence officials have ever seen.
Jim Lewis
The scale of the Chinese cyber threat is unparalleled. They've got a bigger hacking program than that of every other major nation combined. And they have stolen more of Americans' personal and corporate data than every nation, big or small, combined.
Nicole Perlroth
To fully understand just what it was like to reckon with the scale and severity of this problem, you have to go beyond the news clips. You have to go beyond the public statements. It's time I bring in someone from inside the classified tent, someone who's been tracking the Chinese cyber threat more than anyone. Meet Andrew Scott.
Andrew Scott
My name is Andrew Scott. I'm the Associate Director for China Operations here at the Cybersecurity and Infrastructure Security Agency. It's a relatively new role that was created in mid 2023 to bring together a coordinated approach to CISA's efforts to defend critical infrastructure from PRC cyber threats.
Nicole Perlroth
Frankly, it's a miracle we're hearing from Andrew at all, because over that same decade I was stumbling around in the dark trying to shine a spotlight on these breaches, Andrew was also tracing these assaults, only he was doing it from classified SCIFs with the benefit of a giant intelligence apparatus at his back. And man, what I wouldn't have given to speak to him over that decade I was at the Times. If you happen to be watching C-SPAN during any major congressional testimony on Chinese cyber espionage, you may have glimpsed Andrew in the audience, sitting just beyond the agency heads. He tracked Chinese cyber threats at the CIA, at the National Security Council, and most recently at CISA, the cyber defense agency. And here I should disclose that as this threat began metastasizing in 2021, I left the New York Times. After writing about this threat for more than a decade, I could see pretty clearly where things were headed and it wasn't good. I reckoned I could keep writing about these cyber attacks or I could do something about it. So in 2021, I put down my pen and picked up a shovel. I joined CISA's advisory committee and I served there through its disbanding in January 2025. And that is how I came to know Andrew. Tell us how long you have been working on the threat of cyber espionage campaigns from the People's Republic of China.
Andrew Scott
So it's been about almost 15 years in total. So before CISA, I spent nearly 15 years in the intelligence community working on foreign cyber threat issues to include East Asia, China, North Korea and others. Intermixed with that, I spent about four and a half years working on the National Security Council, both in the Obama and Biden administrations, where I worked on everything from the APT1 report and responses to that in the 2012-2013 timeframe to the Hafnium attributions in 2021, being involved in the US-China cyber commitment negotiations and a whole range of things. So I've worked at pretty much every aspect of this issue, from intel to national policy to homeland security.
Nicole Perlroth
Now, I should note here that Andrew left CISA after I interviewed him for this episode. What he describes here is what he witnessed while he was there.
Andrew Scott
Through multiple incident response efforts that we've had, we verified that the PRC's compromised various pieces of critical infrastructure. And what we're seeing is that these actors are persistent and patient against their target, that they are compromising the same entity multiple times over a number of years. We are seeing them gain access into an environment, steal credentials, lay dormant on the network, because all they're looking to do is maintain that access, come back a period of time later, test their credentials, see if they work. If they don't, steal credentials again, maintain access in the environment. It is an act of maintaining access, testing that access and validating that access, which is exactly what you would do if you were looking to just maintain access and pre-position on a network.
Nicole Perlroth
Pre-position on a network, that means get in and stay in. Jim Lewis puts it more succinctly.
Jim Lewis
My usual line is you don't hack.
Rob Joyce
Infrastructure for fun, right?
Jim Lewis
It's reconnaissance, it's target reconnaissance. For the event of a conflict between.
Nicole Perlroth
The United States and China, a sinking realization started to creep in. China was and is making strategic inroads into America's most critical infrastructure. They're not just sightseeing, they're strategically positioning themselves. And big picture, what Andrew and his colleagues were seeing with each new living off the land attack, with the access Chinese hackers were gaining to US power and water supplies, our ports, our supply chains, our gas pipelines, our railways, aviation, all of it makes for a big red button, one CCP leadership can push in the event of a conflict. And so I'm curious what it was like inside government when you all made this realization that, oh, this is not just IP theft anymore. What did it take for the intelligence community to make that determination that, wait a minute, this looks like it could be the beginnings of something far more aggressive. Was it the victims?
Andrew Scott
So I'd answer that in a couple different ways. The first is to say it was an eye opening experience when we sort of came collectively to that realization of a shift in the kinds of targets that we were seeing. And over the course of a number of years, sort of, my colleagues elsewhere in government and the IC, here at CISA and DoD, our international partners, all sort of really focused on this question as we looked at a bunch of different factors right outside of the cyber domain: Xi Jinping coming in and stating that reunification is a goal with Taiwan.
Nicole Perlroth
William Lai from Taiwan's ruling party wins the presidential election and vows to defend the island from China's intimidation. But China said reunification with Taiwan is.
Andrew Scott
Still inevitable, a sort of shift and reorganization of the People's Liberation Army in 2015 around blunting and deterring US intervention in a conflict in the Indo-Pacific.
Chris Wray
A Chinese defense official has said that the United States is trying to build an Asia-Pacific version of NATO to maintain its hegemony in the region. The remarks were made at the Shangri-La Dialogue in Singapore. Lieutenant General Jiang Xiangfen warned that if regional countries were to sign up for the US Indo-Pacific strategy, they would be lured into taking bullets for the United States.
Andrew Scott
And then you bring together this piece of what do we see being targeted? And one of the realizations was exactly what you highlighted: some of the things that we saw being targeted were entities that, even if you stretch the boundaries of your imagination to say, could they be an espionage target? They very clearly weren't. And one thing that I really wanted to emphasize here is I've even gotten questions recently of what's fundamentally different now. And the answer really is we've now confirmed they're there. The PRC is inside the house.
Nicole Perlroth
The PRC was inside the house. Not just a fear, a fact. U.S. officials watched as Chinese hackers crept through dozens, then hundreds of critical systems across the country. Smaller utilities in Littleton, Massachusetts, major infrastructure hubs. Power, water, transportation. This wasn't spycraft as usual. This was sabotage in slow motion, a silent crawl through the machinery that keeps America running. They weren't gathering secrets. They were laying tripwires. And that was enough to drag US officials out of the shadows and into the open.
Jim Lewis
There has been far too little public focus on the fact that PRC hackers are targeting our critical infrastructure. Our water treatment plants, our electrical grid, our oil and natural gas pipelines, our transportation systems. And the risk that poses to every American requires our attention. Now China's hackers are positioning on American infrastructure in preparation to wreak havoc and cause real world harm to American citizens and communities if and when China decides the time has come to strike. They're not focused just on political and military targets. We can see from where they position themselves across civilian infrastructure that low blows aren't just a possibility in the event of a conflict. Low blows against civilians are part of China's plan.
Nicole Perlroth
That was former FBI Director Chris Wray. In January of 2024, he, along with Jen Easterly and General Paul Nakasone, the now former director of NSA and US Cyber Command, testified before the House Select Committee on China.
Jim Lewis
We and our partners identified hundreds of routers that had been taken over by the PRC state sponsored hacking group known as Volt Typhoon. The Volt Typhoon malware enabled China to hide, among other things, pre operational reconnaissance and network exploitation against critical infrastructure like our communications, energy, transportation and water sectors. Steps China was taking, in other words, to find and prepare to destroy or degrade the civilian critical infrastructure that keeps us safe and prosperous. And let's be clear, cyber threats to our critical infrastructure represent real world threats to our physical safety. PRC cyber actors are pre positioning in our US critical infrastructure and it is not acceptable. Defending against this activity is our top priority.
Nicole Perlroth
This is a world where a major crisis halfway across the planet could well endanger the lives of Americans here at home. Three top officials speaking plainly before Congress. That should give you a sense of the severity of the situation.
Andrew Scott
That's about as stark a warning as you ever get from the intelligence community in public. What has us particularly concerned at CISA and across government is the breadth of the pre-positioning that we see. We see it in the transportation sector, we see it in the water sector, we see it in the communications sector, we see it in the energy sector. The worst day is an everything everywhere all at once scenario where all of a sudden we see disruption in multiple sectors simultaneously, with services to the American public going out.
Nicole Perlroth
Most Americans can't even fathom the everything everywhere all at once cyber attack. We've only caught one-off glimpses, like flashes in the dark. But the full scope, the full capability, we haven't seen it, not yet.
Kevin Mandia
Nobody really knows, if the gloves came off in cyberspace between China and the U.S., what would really happen. Like, is it pandemonium? I've had the privilege of lecturing on modern warfare and even I'm not so sure of the collateral damage. But I do know that a lot of things would get less predictable and it would be eerie. Like if the gloves came off in cyberspace, the impact of it, you know, some companies can make phone calls, some can't. Some companies, the gate rises when you go to park, and sometimes you can't. Services might shut down. We don't really know the impact just yet and how widespread it would be, because we don't understand all the complex dependencies. So it's really hard to even know what to fear. What I'm hopeful about is the gloves just don't come off. I don't think they do till they come off kinetically. I really don't think people are just going to unleash everything they've got in cyber. I don't think we've seen China's total A game.
Nicole Perlroth
All we know for certain is they've prepared the battlefield. But have we? That's next on To Catch a Thief. Follow To Catch a Thief to make sure you don't miss the next episode. And if you like what you hear, rate and review the show. To Catch a Thief is produced by Rubrik in partnership with Pod People, with special thanks to Julia Lee. It was written and produced by me, Nicole Perlroth, and Rebecca Chasson. Additional thanks to Hannah Petterson, Sam Debauer and Amy Machado. Editing and sound design by Morgan Foose and Carter Wogan.
Summary of Podcast Episode 8: "Living Off The Land"
To Catch a Thief: China’s Rise to Cyber Supremacy
Host: Nicole Perlroth
Produced by: Rubrik in partnership with Pod People
Release Date: May 5, 2025
In the eighth episode of To Catch a Thief, host Nicole Perlroth delves into the sophisticated cyber strategies employed by China to infiltrate and dominate American critical infrastructure. The term "living off the land" refers to Chinese hackers' method of stealthily embedding themselves within U.S. networks without deploying malicious code, making detection exceedingly difficult.
Nicole Perlroth (00:01): "These hacks are far from harmless. They're sleeper cells waiting for marching orders."
Kevin Mandia, a cybersecurity expert, explains the subtlety of these intrusions:
Kevin Mandia (00:32): "There's no malicious code, there's no backdoor. They've got good operational security."
The podcast highlights a critical vulnerability: compromised home routers. Chinese threat groups like Volt Typhoon exploit these devices to gain unfettered access to essential infrastructure such as power grids, water supply systems, and transportation networks.
John Hultquist (05:51): "They're coming out of SOHO routers. Your home office, your small office router, they are literally going out."
Nicole Perlroth underscores the ease with which these routers are compromised, often through default passwords or unpatched vulnerabilities.
A significant focus is placed on TP Link, a dominant player in the U.S. router market. Initially a Chinese company, TP Link split its operations in 2023, establishing a U.S.-based branch. Despite this, cybersecurity officials remain skeptical about the company's allegiance and security integrity.
Rob Joyce (13:52): "TP Link is selling their routers at a loss to flood the US market, building a PRC platform."
Bloomberg's investigation revealed that only a minuscule portion of TP Link's components are manufactured outside China, casting doubt on the company's claims of independence.
Nicole Perlroth (15:06): "Microsoft determined it was comprised of 8,000 compromised devices, the vast majority of them TP Link."
Detecting these sophisticated intrusions is exceptionally challenging. Since the compromised routers operate covertly, often lying dormant for extended periods, traditional monitoring methods fail to identify their presence.
Kevin Mandia (18:03): "They look like they're part of your network. And that's really hard to investigate."
The lack of robust logging and security features in many routers exacerbates the issue, leaving critical infrastructure "flying blind."
The episode transitions to the U.S. government's growing awareness of the scale and severity of the cyber threat posed by Chinese hackers. Andrew Scott, Associate Director for China Operations at the Cybersecurity and Infrastructure Security Agency (CISA), provides an insider perspective on the government's response.
Andrew Scott (21:25): "We've verified that the PRC's compromised various pieces of critical infrastructure."
He emphasizes the strategic nature of these cyber infiltrations, which go beyond intellectual property theft to encompass extensive reconnaissance and pre-positioning within vital sectors.
High-ranking officials, including former FBI Director Chris Wray and General Paul Nakasone, testify before Congress about the dire implications of these cyber threats.
Jim Lewis (29:44): "China's hackers are positioning on American infrastructure in preparation to wreak havoc and cause real-world harm."
Rob Joyce underscores the exponential threat posed by companies like TP Link, which serve as potential gateways for large-scale cyberattacks.
Rob Joyce (15:06): "China's push into the US isn't just smart business, it's strategic."
The conversation shifts to the potential real-world impacts of a full-scale cyber conflict between the U.S. and China. Experts express uncertainty about the extent of disruption, highlighting the interconnectedness of modern infrastructure systems.
Kevin Mandia (33:07): "Nobody really knows if the gloves came off in cyberspace between China and the U.S. what would really happen."
The fear is that simultaneous disruptions across multiple sectors could lead to unprecedented chaos and endanger lives.
Nicole Perlroth concludes the episode by reflecting on the precarious balance between preparedness and vulnerability. While Chinese hackers have meticulously prepared the battlefield by embedding themselves deeply within U.S. infrastructure, the question remains: is America prepared to defend against such pervasive threats?
Nicole Perlroth (34:06): "All we know for certain is they've prepared the battlefield. But have we?"
The episode serves as a stark reminder of the invisible but potent cyber threats lurking within everyday technology, urging listeners to recognize the gravity of the situation and the urgent need for enhanced cybersecurity measures.
Episode 8, "Living Off The Land," offers a comprehensive exploration of China's advanced cyber strategies aimed at undermining U.S. infrastructure. Through expert interviews and insider accounts, the podcast paints a vivid picture of a looming cyber crisis, emphasizing the need for heightened awareness and proactive defense mechanisms.
Produced by: Rubrik | Nicole Perlroth | Pod People
Written and Produced by: Nicole Perlroth and Rebecca Chasson
Special Thanks to: Julia Lee, Hannah Petterson, Sam Debauer, and Amy Machado
Editing and Sound Design by: Morgan Foose and Carter Wogan