FBI chief Christopher Wray has told a US House subcommittee that his agency has disrupted a Chinese state-backed hacker group targeting US infrastructure.
The group’s strategy is simple:going by the name Volt Typhoon, the hackers infiltrate old software in small businesses, contractors, or local government networks and plant ‘sleeper’ malware. They then activate that malware at the opportune time to infect adjacent infrastructure networks.
What kind of infrastructure? We’re talking everything from US naval bases to energy utilities and internet providers.
And why? Wray said the hackers are lying low “in preparation to wreak havoc and cause real-world harm to American citizens and communities, if or when China decides the time has come to strike [ie, to take Taiwan]”.
This is all commonly referred to as a ‘grey zone challenge’ – ie, playing in the space between war and peace, to do harm without crossing into armed conflict.
It can include sabotage, espionage, political influence, shadow wars, and using civilian functions (like the coast guard, customs, or courts) for strategic aims (like controlling a waterway, coercing a rival, or extracting a concession).
But the FBI’s announcement above is an example of how much tech is now radically expanding the grey zone into the cybersphere.
And of course, China isn’t the only player that dabbles in the cyber-grey:
- The US has reportedly implanted 50,000 sleeper cells in routers around the world
- The UK has accused Russia of carrying out a sustained ‘hack and release’ campaign to undermine social trust and cohesion
- Microsoft also identified Iran last year as “a significant threat actor”, targeting mainly Israel, the US, Saudi Arabia, and the UAE
- And Israel dishes it out too, infamously using a virus to destroy Iranian centrifuges (and a remote robot to assassinate a nuclear scientist)
But… why? As the above examples suggest, greyzone tactics in the cybersphere can have several objectives:
- Military advantage:China reportedly sought here to disrupt America’s state of readiness (to aid Taiwan), like Russia did to Ukraine
- Intel: Any information advantage can help shape and pre-empt adversaries’ decisions
- Testing: It’s a relatively cost-free way to test when and how states react, to better map their trigger points, redlines, and responses
- Weakening: Done ‘right’, you can diminish an enemy by halting their technological progress or fomenting confusion, mistrust, and conflict
- Cash: Some (like North Korea) just make hundreds of millions from cybercrime to bankroll government and elite spending (check out our ‘passport of the day’ below for one memorable example)
So, to close… cyber greyzone tactics are a bit like checking yourself out in a shopfront reflection: everyone does it, nobody admits it, it’s embarrassing if you get sprung, but there are few real consequences. At least, not yet.
The dark genius of the cyber greyzone tactic is just how hard it is for the target to calibrate a response. First, attribution is still tough, as hackers use all kinds of evolving techniques to mask their activity, identity, and location.
And second, even if you figure out who’s behind it, you then have to figure out how to respond. This presents a constant risk of under-reacting (emboldening the hackers) or over-reacting (triggering something worse).
You can see in the public domain how governments propose rules of the road, like ‘no hacking for commercial gain’, or ‘no attacking the health sector’, or ‘let’s all follow these UN norms for responsible behaviour’.
But really, it’s still the law of the jungle – or as international relations folks call it, reciprocity and deterrence. Don’t do unto me, or I’ll do unto you right back.