U.S. uncovers hacking campaign targeting Guam's critical infrastructure — suspected Chinese Volt Typhoon hacks could disrupt the defense of Taiwan

Guam harbor
(Image credit: United States Navy)

The U.S. government has uncovered a Chinese hacking campaign targeting Guam's critical infrastructure, according to Bloomberg. Guam is a key U.S. military outpost, a foothold on one of the remote Mariana Islands in the Pacific. China's operation is reportedly called Volt Typhoon and it is meant to disrupt military and civilian operations in the event of conflict over Taiwan. The purported campaign focuses on infiltrating operational systems to prepare for potential sabotage, creating widespread vulnerabilities in Guam.

Volt Typhoon infiltrates systems by mimicking legitimate users. Unlike attacks that exfiltrate data, this program seeks control over critical infrastructure such as water systems, power grids, and communication networks. Volt Typhoon is said to operate so discreetly that detection relies on identifying anomalies, like irregular login patterns. That is how it was detected in this case: the Guam Power Authority (GPA), the only provider of electricity on the island, became a point of interest when U.S. investigators approached its cybersecurity head, Melvyn Kwek, to assess unusual network activity back in 2022.
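The article says detection of an intruder that impersonates legitimate users comes down to spotting irregular login patterns. The script below is an added illustration of that idea, not code from the article, from GPA, or from any investigating agency: it builds a per-account baseline of source addresses and login hours from a training window of log lines, then flags logins in a later window that fall outside that baseline or that succeed right after a burst of failures. The log format, account names, addresses and thresholds are all constructed for the example.

```python
"""Toy login-anomaly detector (added example; the log lines, accounts,
addresses and thresholds below are constructed, not taken from any real
incident or product)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample logs: "<ISO timestamp> <user> <source_ip> <result>"
BASELINE_LOG = """\
2024-03-04T08:05:00 scada_op 10.20.1.15 success
2024-03-04T17:40:00 scada_op 10.20.1.15 success
2024-03-05T07:55:00 scada_op 10.20.1.15 success
2024-03-05T18:02:00 scada_op 10.20.1.15 success
2024-03-06T08:10:00 scada_op 10.20.1.22 success
2024-03-06T17:30:00 scada_op 10.20.1.22 success
2024-03-04T09:00:00 backup_svc 10.20.5.9 success
2024-03-05T09:00:00 backup_svc 10.20.5.9 success
2024-03-06T09:00:00 backup_svc 10.20.5.9 success
"""

REVIEW_LOG = """\
2024-03-07T08:01:00 scada_op 10.20.1.15 success
2024-03-07T02:47:00 scada_op 10.20.1.15 success
2024-03-07T09:00:00 backup_svc 10.20.5.9 success
2024-03-07T09:31:00 backup_svc 203.0.113.77 failure
2024-03-07T09:31:20 backup_svc 203.0.113.77 failure
2024-03-07T09:31:45 backup_svc 203.0.113.77 failure
2024-03-07T09:32:10 backup_svc 203.0.113.77 success
"""


@dataclass(frozen=True)
class Login:
    ts: datetime
    user: str
    src: str
    ok: bool


def parse(log):
    """Parse the constructed four-column log format into Login records."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, user, src, result = line.split()
        events.append(Login(datetime.fromisoformat(ts), user, src, result == "success"))
    return events


def build_baseline(events):
    """Per-user sets of source addresses and login hours seen in successful logins."""
    base = defaultdict(lambda: {"srcs": set(), "hours": set()})
    for e in events:
        if e.ok:
            base[e.user]["srcs"].add(e.src)
            base[e.user]["hours"].add(e.ts.hour)
    return base


def hour_is_usual(hour, usual_hours, slack):
    """True if hour is within `slack` hours of any baseline hour (wraps at midnight)."""
    for h in usual_hours:
        d = abs(hour - h)
        if min(d, 24 - d) <= slack:
            return True
    return False


def detect(baseline, events, hour_slack=1, burst_window_s=120, burst_failures=3):
    """Return (login, reason) pairs for successful logins that deviate from the
    baseline: unknown account, never-seen source, unusual hour, or a success
    that follows a burst of failures from the same user/source pair."""
    alerts = []
    failures = defaultdict(list)  # (user, src) -> timestamps of failed attempts
    for e in sorted(events, key=lambda x: x.ts):
        key = (e.user, e.src)
        if not e.ok:
            failures[key].append(e.ts)
            continue
        profile = baseline.get(e.user)
        if profile is None:
            alerts.append((e, "no baseline for user"))
            continue
        if e.src not in profile["srcs"]:
            alerts.append((e, "new source"))
        if not hour_is_usual(e.ts.hour, profile["hours"], hour_slack):
            alerts.append((e, "unusual hour"))
        recent = [t for t in failures[key] if (e.ts - t).total_seconds() <= burst_window_s]
        if len(recent) >= burst_failures:
            alerts.append((e, "success after failure burst"))
    return alerts


def run_example():
    """Train on BASELINE_LOG, review REVIEW_LOG, return the alerts in time order."""
    return detect(build_baseline(parse(BASELINE_LOG)), parse(REVIEW_LOG))


if __name__ == "__main__":
    for login, reason in run_example():
        print(f"{login.ts.isoformat()} {login.user:<10} {login.src:<14} {reason}")
```

Run on the constructed data, the 02:47 operator login is flagged as an unusual hour, and the backup account's success from an address never seen before is flagged twice, once for the new source and once because three failures preceded it within two minutes. The hour slack and burst thresholds are placeholders; in practice they would be tuned per account class, and the alerts would feed a review queue rather than block anything on their own.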

GPA supplies about 20% of its energy to the U.S. Navy, so it is a crucial node for both civilian and military operations and naturally a focal point of the investigation. Guam is geographically reasonably close to China, and its role in hosting major U.S. military bases in the region, in proximity to Japan, Taiwan, and the Philippines, amplifies its strategic importance. This also creates a potential vulnerability: a cyberattack that paralyzes the island's utilities could disrupt U.S. military operations in the Pacific.

The source report says that some big-name victims, such as Docomo Pacific, a subsidiary of Japan's NTT Docomo, continue to recover from breaches. Microsoft researchers first detected traces of Volt Typhoon in 2021 during an investigation into a Houston port cyberattack. Further investigations revealed multiple intrusions, including into federal networks that were previously believed to be secure.

Federal agencies such as the FBI, NSA, and Coast Guard have since deployed teams to Guam, installing monitoring systems across energy grids, ports, and telecom networks. Despite these efforts, the decentralized nature of Guam's infrastructure, managed largely by private entities, complicates coordinated defenses. Local resistance and mistrust add to the challenge, delaying comprehensive security measures.

In one example of mistrust, GPA declined offers from Google-owned Mandiant for network monitoring, citing concerns about external oversight. Furthermore, rival telecom companies in Guam are wary of publicizing their vulnerabilities, so they resisted collaboration during a 2024 congressional visit, according to the Bloomberg report.

Anton Shilov
Contributing Writer

Anton Shilov is a contributing writer at Tom’s Hardware. Over the past couple of decades, he has covered everything from CPUs and GPUs to supercomputers and from modern process technologies and latest fab tools to high-tech industry trends.

  • bit_user
    The article said:
    the decentralized nature of Guam's infrastructure, managed largely by private entities, complicates coordinated defenses. This makes things challenging, as do local resistance and mistrust delaying comprehensive security measures.

    In one example of mistrust, GPA declined offers from Google-owned Mandiant for network monitoring, citing concerns about external oversight. Furthermore, rival telecom companies in Guam are wary of publicizing their vulnerabilities, so they resisted collaboration during a 2024 congressional visit, according to the Bloomberg report.
    In broad terms, the solution seems reasonably straightforward. To win or renew a contract as a service provider for the military, require they subject themselves to monitoring and auditing by an approved partner. If they refuse and no alternate providers exist (or also refuse), then the military needs to build its own power generation and communications infrastructure at that location. It'd be an expensive way to go, but better than the alternative. 9 times out of 10, I'll bet the private sector supplier would agree, especially if they're convinced they'd lose the business otherwise.
  • Hooda Thunkett
    bit_user said:
    In broad terms, the solution seems reasonably straightforward. To win or renew a contract as a service provider for the military, require they subject themselves to monitoring and auditing by an approved partner. If they refuse and no alternate providers exist (or also refuse), then the military needs to build its own power generation and communications infrastructure at that location. It'd be an expensive way to go, but better than the alternative. 9 times out of 10, I'll bet the private sector supplier would agree, especially if they're convinced they'd lose the business otherwise.
    I would call this the bare minimum. Personally, I feel that not reporting a breach, not cooperating in the investigation, and not allowing security monitoring, should not be legal even for companies that only serve civilians, and should be punishable with a prison sentence of 1-5 years for the CEO and Security Officer of the company. Why? Because shutting down the power, water, or communications in civilian areas that don't directly affect the military can cause problems they have to address, like being able to contact the troops that aren't on the base, or if there's an infrastructure failure during a natural disaster the military will be expected to be the first responders, keeping them from responding to a military threat at the same time.
    Even if there isn't a direct threat to base infrastructure, such as cutting off base power or water, having an adversary controlling infrastructure could still be a huge threat to a military base. Imagine an adversary opening the flood gates on a dam above a base during a flood.
    Corporations do not take security nearly seriously enough, and it's well past time they started to. If they won't until there's a threat of prison, so be it.
  • time_lord
    The US education system is so full of BS. The general population is so badly lacking in knowledge of science, it is scary. Through lax security, the USA has given away all its secrets to China, Russia etc.
  • derekullo
    time_lord said:
    The US education system is so full of BS. The general population is so badly lacking in knowledge of science, it is scary. Through lax security, the USA has given away all its secrets to China, Russia etc.
    If the US education system is so full of BS then why is China/Russia trying to steal their secrets?

    That's like knowingly cheating off the failing kid in class?
  • rluker5
    Cheaper and more effective to support Intel instead of its beleaguered overseas competitor if what you are looking for is a secure source for chip fabs. That is what Taiwan would do if they were in our situation.
  • ThatMouse
    I wish they would provide more info and evidence of "hacking" because the US calls just trying to guess a password "hacking" but considering how bad most security is that's usually all it takes.
  • Ktbpylon
    "The U.S. government has uncovered a Chinese hacking campaign targeting Guam's critical infrastructure"

    If I'm wrong, please correct me - it wouldn't be the first time. But wouldn't this be considered an act of war? State sponsored cyber attacks on US infrastructure? Or is it not state sponsored/more muddy than that?
  • bit_user
    ThatMouse said:
    I wish they would provide more info and evidence of "hacking" because the US calls just trying to guess a password "hacking" but considering how bad most security is that's usually all it takes.
    If you read the article, they're talking about finding malware that's already resident on systems used for the infrastructure in question. Not only that, but they name the specific malware.

    Ktbpylon said:
    If I'm wrong, please correct me - it wouldn't be the first time. But wouldn't this be considered an act of war?
    The most tricky thing about cyber warfare is the matter of attribution. Combined with the lack of any real damage that has so far been done, it'd be hard to call this an act of war. Perhaps it better fits the category of espionage, at least for the time being.

    Treating it as an act of war could lead to an escalatory spiral that can easily get out of hand, so a measured response seems prudent.