Lawmakers seek DHS records in probe of US response to Chinese cyber campaigns

U.S. Homeland Security Secretary Kristi Noem delivers remarks to staff at DHS headquarters on January 28. Top Republicans on the House Homeland Security Committee are asking Noem to provide their panel with internal documents on China’s Volt and Salt Typhoon hacking units. Manuel Balce Ceneta-Pool/Getty Images

The House Homeland Security Committee wants DHS to provide internal documents on China’s Volt and Salt Typhoon hacking units, according to a letter being sent Monday.

The House Homeland Security Committee will ask DHS Secretary Kristi Noem on Monday to provide the panel with all agency documents since the start of the Biden administration that refer to or reference a pair of prolific Chinese government-backed cyberespionage units and their hacking activities, according to a letter first seen by Nextgov/FCW.

The requested documents include files like emails, internal memoranda and other guidance about Volt Typhoon and Salt Typhoon, two hacking groups that sit among a syndicate of Beijing-backed cyber collectives that have made headlines for their intrusions into U.S. critical infrastructure and telecommunications systems over the past several years.

Panel Chairman Mark Green, R-Tenn. — alongside cybersecurity subcommittee leader Andrew Garbarino, R-N.Y., and oversight subcommittee leader Josh Brecheen, R-Okla. — write that the committee is “conducting oversight of the federal response to the malicious cyber campaigns against U.S. critical infrastructure conducted by Volt and Salt Typhoon” and add that “we still know very little about them.”

Volt Typhoon was raised in a high-profile hearing with intelligence and cybersecurity officials around a year ago. Over at least the past five years, the group has burrowed its way into various sets of civilian critical infrastructure around the nation, including ports and power grids. Officials have warned that the unit is surreptitiously embedding malware into infrastructure to enable future disruptions and trigger societal panic, likely to distract the American public if China moves to invade Taiwan.

Salt Typhoon’s operations, which likely occurred for around two years, were discovered around last summer and publicly brought to light in September. The group has infiltrated at least nine American telecom operators and dozens of other communications providers around the world. The hackers have still not been fully eradicated from the telecom systems, according to a person familiar with the matter. It’s likely that mechanisms were put in place by Salt Typhoon to grant the hackers persistent access to systems it targeted, and it’s difficult to determine if those access paths have been mitigated, a second person said. 

In the U.S., Salt Typhoon also ensnared systems that facilitate court-authorized wiretap requests, giving the hackers an enriched view into the conversations of top officials and politicians, including President Donald Trump and Vice President JD Vance. Several hundred organizations — both telecommunications companies and others — were notified last year that they may be at risk of compromise, Nextgov/FCW previously reported.

The missive contends the Biden administration was not transparent enough in its response to the hacking groups. In December, at least one congressional committee was assessing legislative options in response to the telecom intrusions, but near-term recourse was limited because staff often learned new information about the hacks only through news headlines, Nextgov/FCW reported at the time.

“It is the committee’s hope that the Trump Administration will provide the American people with confidence that their government is taking every step possible to mitigate the impact of Volt and Salt Typhoon on government entities and businesses,” they write.

DHS’s Cyber Safety Review Board was actively probing the Salt Typhoon hacks during the Biden administration. The board was disbanded just after Trump’s inauguration in January. The status of that investigation is not entirely clear.

“As the indicators for this campaign remain tightly under wraps, the entire cybersecurity community remains deeply concerned about our ability to determine which systems and networks remain compromised,” said Marc Rogers, a famed hacker and telecommunications cybersecurity expert who has been investigating the Salt Typhoon incident.

The lawmakers in their letter will also ask Noem to provide documentation that explains when DHS and its Cybersecurity and Infrastructure Security Agency became aware of both cyberespionage units, along with a timeline of the actions the U.S. cyber agency took in response to their intrusions. The missive will also direct DHS to provide all relevant documentation to the panel by March 31.

CISA declined to comment for this story. A DHS spokesperson did not immediately return a request for comment.

A coalition of Senate Republicans asked the Trump administration last week to launch offensive cyber operations against China in response to Beijing-aligned hacks targeting U.S. systems. China’s embassy in Washington, D.C., has frequently lambasted the U.S. for Beijing’s hacking activities and recently argued the U.S. should stop “using cybersecurity issues as a tool to smear China.”