It's 2020.
We start spotting Chinese hackers deep inside our infrastructure, quiet, patient, just waiting. The industry calls this "living off the land," but don't let that rustic name fool you. These hacks are far from harmless. They're sleeper cells, waiting for marching orders. We just didn't know what exactly. Here's Kevin Mandia.
And all of a sudden, we see Chinese threat groups, since about late 2020, at least from my observables, hack in and we don't know why, because they're not the tank through the cornfield. They're hacking in and just, that's it. There's no other activity, and then you're like, "Why are they there?"
You know, and maybe it's to have access later, maybe it's to mine user IDs and passphrases. You know, there's no better way to compromise any organization than if you can just log in. Period.
The best way to breach an organization is to log in to it the same way the employees do. There's just no evidence. And that's what "living off the land" means. There's no malicious code, there's no backdoor. There's good operations security.
If they created a log that was suspicious, they would edit it, and if they wanted to go to their services, they would go edit those, and that's the thing about digital evidence: you can edit it, or delete it, you can change it. It's different than the physical world. You can do some wonderful things if you're on offense and you have the patience and time and skill to do it.
By this point, you almost certainly understand the CCP absolutely has the patience, time and skill, but in theory, so do we. So how did we let it get this far?
How did we allow China's hackers to so intimately invade our most critical infrastructure?
I'm Nicole Perlroth, and this is To Catch a Thief. The answer to that question of how we let things get this out of hand is where a number of trends converge. I've walked you through China's hacking advancements, and the creeping emergence of global supply chains, but what made this the perfect storm was our uniquely American blind spots.
For one, despite the impression left by Snowden, the NSA and other US intelligence agencies aren't actually in your private networks, watching what you do, or in this case, what Chinese hackers are doing, not without running straight into the Fourth Amendment. The NSA is a foreign intelligence agency. It hunts for threats abroad.
Its charter doesn't allow it to hunt for hackers on private American networks, not without a warrant or a special court order.
What you need to understand is that the vast majority of US critical infrastructure, pipelines, the power grid, water, hospitals, more than 80% of it, is in private sector hands. Meaning, the government has no visibility into it. They can't detect attacks on those private systems or even hunt there, unless they've got a court order or they're invited in. To a large degree, when it comes to these living off the land attacks, we're flying blind.
Our second big gaping vulnerability is that the United States is among the most digitally dependent nations on Earth. We've been baking technology, code, into everything, with security as little more than an afterthought. We let software eat the world. And we did it with this quote unquote "move fast and break things" approach. Mark Zuckerberg coined Facebook's motto in its early days. The idea was just get the application, get the code, get the router to market, and we can worry about the bugs and security issues later. What this means, in effect, is that we've been plugging vulnerable software and hardware into our infrastructure with little, if any, security baked in by default.
And then we leave it to these businesses and critical infrastructure operators, like Nick Lawler and Littleton, to figure out the security piece on the back end. The people who designed routers never thought that one day they'd be the linchpin for advanced nation-state attacks. China has been using all of this to its advantage, because by 2020, most Americans had grown somewhat wise to China's ways.
If an IT operator picked up some unnerving traffic coming from a Chinese server, they knew to look into it. So China's hackers aren't breaking in from Chinese servers anymore.
They're coming in from routers inside the country, precisely where our intelligence agencies can't look.
Remember way back, in Episode 3, Keep Machine and Welding, when China's hackers broke in and used the Wisconsin welding shop server to hack major American businesses? Well, China's living off the land hackers are running the same playbook. Only now they're using Americans' home routers. Here's John Hultquist, Mandiant's chief intelligence analyst.
They're coming out of SOHO routers. So your home office, your small office router, they are literally going out, a lot of them have vulnerabilities.
But that last bit, it's an understatement. Volt Typhoon made a habit out of targeting home routers that, as I was saying earlier, were sold without security baked in.
To break into these routers, hackers only need to type in the default password, usually "admin," and even if the user has bothered to change the password, these routers are riddled with vulnerabilities. And in too many cases, they've reached quote unquote end of life, which basically means that even when we detect a vulnerability, there is no patch to install. No technical support, they're just sitting ducks. And by 2020, China's Volt Typhoon hackers started capturing these home routers en masse, and using them as a launch pad to infiltrate U.S. critical infrastructure.
They go out, they capture these routers, and they build them into a botnet. Think of a botnet like the iconic Spider-Man villain, Doc Ock, that evil mastermind who wields his robotic, tentacle-like arms. Only in this case, his tentacles are hooked into hundreds, thousands of these vulnerable home routers, commanding them to infiltrate America's critical infrastructure.
And these zombie routers, they're just dusty, ordinary looking devices in living rooms and small offices, quietly moving packets for Chinese state hackers halfway across the world. Cyber experts have a Marvel-esque name for these compromised routers. They call them ORBs, short for operational relay boxes. So literally, you could be home right now, baking apple pie, and have zero idea that your home router is being used by China as a conduit to hack the U.S. power grid.
From China's point of view, this approach is elegant. From ours, it's dangerous. For one, it's the perfect disguise.
What they're doing is, instead of traversing through systems that they have to buy and set up, traversing through these stolen, compromised systems. And that means instead of coming from China, they can look like they're coming right from down the street.
It's like the Wisconsin welding shop, leveled up.
Same idea, just imagine that scaled up. So instead of just coming through that one, or a handful of those compromised systems, imagine just going out and getting hundreds of them.
And it's not just one botnet using these ORBs to hack us. China has employed nearly a dozen that we know about. They're managed by mid-level Chinese contractors, like i-Soon and Chengdu 404, who lease them out to Volt Typhoon and these other Chinese APTs. It's layers on layers, like a hall of mirrors. Each one giving Beijing just enough distance to shrug and say, "Wasn't us?"
There's just a ton of operations where they're setting this stuff up and different teams are sharing it. It makes it really hard to tell what's right and figure out what you're looking at. But it's the same exact idea. These compromised systems are a great way to sort of hide your tracks. And unfortunately, this sort of router-focused game is a really good way to do that.
Second, routers are easily replaceable. If one gets burned, hackers can just hop to the one next door.
They can pick a router that's right next to you and looks completely natural for your network. And the great thing about it also is that tomorrow they can burn it and go to a new one. So from my perspective, for someone who tries to track this stuff, it makes it really hard.
Third, these routers are really hard to monitor. Rarely do they have logs or any kind of security.
Volt Typhoon has used routers from U.S. companies like Cisco, Fortinet, Netgear and others. Many of them unpatched, still running those default passwords, or others that have reached end of life and been abandoned by their vendors. But these American brands are getting squeezed out. By a Chinese giant.
The world's largest network and communication equipment manufacturer, TP-Link maintains production bases all over the world. TP-Link is committed to creating reliable products and technologies. To link global users to a better life.
While the White House did its back and forth on TikTok, few Americans have ever even heard of TP-Link. And I get it, when you buy a home router, you don't care what brand you get. You just want it to work. TP-Link's routers are ubiquitous and easily forgotten. If you've bought a home or small office router recently, chances are your data is flowing through TP-Link.
In fact, go on Amazon right now, search the words "home router." Amazon's overall pick is a TP-Link router. It's by far the cheapest option, as in less than half the cost of its next closest competitor. TP-Link's share of the US router market has exploded from 10% in 2019 to over 60% today. That's according to the Wall Street Journal, which found that TP-Link's share of next-gen Wi-Fi systems is even higher, 80%.
As early as October 2023, China's Volt Typhoon hackers started using TP-Link routers to burrow into US infrastructure. Now, to be clear, TP-Link isn't the only brand they've used. But what makes TP-Link different is this. It's a Chinese company.
It was started by two Chinese brothers and for three decades operated from Shenzhen. But last year, TP-Link split in two. One stayed in China while the other moved its new official headquarters to Irvine, California, to serve the US market. TP-Link wants you to believe this split means it's no longer Chinese. And as this episode was coming together, TP-Link's general counsel sent me a tersely worded message saying, quote, "Any claim TP-Link is a Chinese company is," quote, "unlawful and legally actionable."
According to this lawyer, quote, "TP-Link is a US-based company that manufactures routers for the US market in Vietnam." But a week after TP-Link's lawyers put me on notice, Bloomberg published its own investigation, which found that Vietnam is effectively just a "final assembly point," their words. That only half a percent of TP-Link's components come from Vietnam. The rest are still imported from China.
And then there's what Rob Joyce, the NSA's former cybersecurity chief, testified to Congress and told our live panel podcast in March. He testified that TP-Link's push into the US isn't just smart business, it's strategic. Rob told us the company is selling its routers at a loss. A deliberate move to flood the US with cheap routers and build what he called a PRC platform.
"How have they achieved this miraculous growth? They appear to be selling at price points below profitability to drive out our Western competition. TP-Link routers were among the various brands exploited by Chinese state-sponsored hackers in the massive Volt Typhoon and Salt Typhoon attacks. Imagine these routers in the homes and businesses across America as a PRC platform to launch society-panicking cyber attacks. This is a threat we cannot ignore."
The company is selling them at unprofitable levels, and they're driving out the Western and US manufacturers. It's exponential growth, and now they have these routers in all of our homes, and the software is maintained and updated out of China. Whether TP-Link is complicit in these hacks or not today, at any point the Chinese government can go under their intel laws and direct that company to support them and issue an update that either bricks a massive amount of our critical infrastructure, people's ability to get on the internet, if they want to attack, or makes them even better bounces and redirectors for them to do their operations through. It's a huge problem, Nicole.
It reminded me of that line from Huawei's founder: a country without its own program-controlled switches is like one without an army.
TP-Link disputes all of this and emphasizes that its security is on par, if not better than, leading routers.
That said, a recent Microsoft assessment took a careful look at one of these Chinese botnets. They call it CovertNetwork-1658, and it's used by multiple Chinese APTs. Microsoft determined it was comprised of 8,000 compromised devices. The vast majority of them, TP-Link. Now that could just come back to the fact that more Americans are using TP-Link routers than ever before, or it could not. U.S. investigators are now probing just how closely TP-Link Systems Inc., the new American incarnation of the company, is tied to China. And if they find it presents a quote unacceptable risk, Washington could use new authorities to ban TP-Link from the U.S.
Politicians across the aisle are now zeroing in on the issue. Here's Democratic congressman Raja Krishnamoorthi at a hearing on cyber threats in March. For context, he's holding up a TP-Link router.
You can actually buy one of these things for $20 online, but don't use this. Okay, don't put it in your critical infrastructure. I don't have one at home either. It's not a good idea.
TP-Link routers, I should note here, aren't just sold on Amazon, they're everywhere. In fact, if you go to any U.S. military base and head to the commissary, you'll find TP-Link routers featured prominently on the shelves.
But the routers are just the first step in breaking into U.S. infrastructure. It's what these hackers do, or don't do, once they're in that makes these attacks really difficult to detect. Once they're in, they often don't act immediately. In some cases, they lie completely dormant on a victim's networks for 60, sometimes 90 days, which puts them well outside the period most companies even keep logs or can flag anything unusual. Here's John Hultquist again.
We lose half the IOCs to this battle, right? We lose all the network-related IOCs, particularly in relation to Volt Typhoon activity, they're living off the land.
IOC, indicators of compromise. That's tech-speak for the digital crumbs, artifacts, and other clues that indicate you've been breached. And Volt Typhoon has figured out how to leave as few crumbs, or IOCs, as possible.
Here's Kevin Mandia.
I think that's what's happening here, and that's why there's been additional concern. It's way harder to investigate. So when Mandiant folks go out and figure out what happened, and you're up against a group like Volt Typhoon, you know they're there, and you see these terrible little scraps of, yeah, they looked at this one file, but you know they looked at 10,000 files, and the evidence is only giving you the one, and you're like, "Oh my God, I'm getting less than 1% visibility into what they're doing here." Unless you have great identity security, great identity monitoring, you're not going to catch these folks that live off the land. And that phrase, I'm going to explain it again, it means the attackers are accessing an organization's network the same way the organization does. Period. Same user IDs, same passphrases, same programs, there's nothing special. They've learned your networks so well that they look like they're part of your network, and that's really hard to investigate. It's not impossible, but it does change how we look at things. We have to do forensics a little differently.
After Telvent, China's infrastructure hackers started coming for other pipeline operations across the country, but in 2020, they started hacking US infrastructure with an unnerving frequency. Something had changed, something set them off.
We waged a fierce battle against the invisible enemy, the China virus. Against the Chinese virus.
It's a disease, without question, has more names than any disease in history. I can name: kung flu.
You may recall from Episode 1, the CCP is obsessive about image control. It's why they hacked Google, it's why Xi agreed to the 2015 cyber detente. The CCP weren't willing to risk the embarrassment of the White House canceling Xi's first official trip, or risk being greeted with sanctions.
It's impossible to say what set them off in 2020. You'd have to be a fly on the CCP's wall. Maybe they were set off by the mocking, maybe it was the isolation and undercurrent of suspicion that dominated COVID. If we were already looking at each other through straws, then after COVID, we were now looking through needles, as Tom Friedman, the Times columnist, put it. Whatever it was, in 2020, China's Volt Typhoon became the broadest, most active, most persistent cyber threat to US infrastructure that American intelligence officials have ever seen.
The scale of the Chinese cyber threat is unparalleled. They've got a bigger hacking program than that of every other major nation combined. And they have stolen more of Americans' personal and corporate data than every nation, big or small, combined.
To fully understand just what it was like to reckon with the scale and severity of this problem, you have to go beyond the newsclips, you have to go beyond the public statements.
It's time I bring in someone from inside the classified tent. Someone who's been tracking the Chinese cyber threat longer than anyone. Meet Andrew Scott.
My name is Andrew Scott. I'm the Associate Director for China Operations here at the Cybersecurity and Infrastructure Security Agency. It's a relatively new role that we created in mid-2023 to bring together a coordinated approach to the efforts to defend critical infrastructure from the PRC cyber threat.
Frankly, it's a miracle we're hearing from Andrew at all, because over that same decade I was stumbling around in the dark, trying to shine a spotlight on these breaches, Andrew was also tracing these assaults. Only he was doing it from classified SCIFs, with the benefit of a giant intelligence apparatus at his back. Man, what I'd have given to speak to him over that decade I was at the Times.
If you happen to be watching C-SPAN during any major congressional testimony on Chinese cyber espionage, you may have glimpsed Andrew in the audience, sitting just beyond the agency heads. He tracked Chinese cyber threats at the CIA, at the National Security Council, and most recently at CISA, the cyber defense agency.
And here I should disclose that as this threat began metastasizing in 2021, I left the New York Times. After writing about this threat for more than a decade, I could see pretty clearly where things were headed, and it wasn't good. I reckoned I could keep writing about these cyber attacks, or I could do something about it. So in 2021, I put down my pen and picked up a shovel. I joined CISA's Advisory Committee, and I served there through its disbanding in January 2025, and that is how I came to know Andrew.
Tell us how long you have been working on the threat of cyber espionage, cyber campaigns from the People's Republic of China.
So it's been almost 15 years in total. Before this I spent nearly 15 years in the intelligence community, working on foreign cyber threat issues, to include East Asia, China, North Korea, and others, and mixed in with that, it's been about 4.5 years working on the National Security Council, both in the Obama and Biden administrations, where I worked on everything from the APT1 report and responses to that in the 2012-2013 timeframe to the Hafnium attribution in 2021, being involved in the U.S.-China cyber commitment negotiation and a whole range of things. So I've worked pretty much every aspect of this issue, from intel to national policy to homeland security now.
I should note here that Andrew left CISA after I interviewed him for this episode. What he describes here is what he witnessed while he was there.
Through multiple incident response efforts that we've had, we verified that the PRC's compromised various pieces of critical infrastructure, and what we're seeing is that these actors are persistent and patient against their target, that they are compromising the same entity multiple times over a number of years. We are seeing them gain access into an environment, steal credentials, lay dormant on the network, because all they're looking to do is maintain that access, come back a period of time later, test their credentials, see if they work, if they don't, steal credentials again, maintain access in the environment. It is an act of maintaining access, testing that access, and validating that access, which is exactly what you would do if you were looking to just maintain access and pre-position on a network.
Pre-position on a network, that means get in and stay in. Jim Lewis puts it more succinctly.
My usual line is you don't hack infrastructure for fun, right? It's reconnaissance. It's target reconnaissance for the event of a conflict between the United States and China.
A sinking realization started to creep in. China was, and is, making strategic inroads into America's most critical infrastructure. They're not just sightseeing, they're strategically positioning themselves. And big picture, what Andrew and his colleagues were seeing with each new living off the land attack, with the access Chinese hackers were gaining to US power and water supplies or ports or supply chains or gas pipelines, railways, aviation. All of it makes for a big red button that the CCP leadership can push in the event of a conflict.
And so I'm curious what it was like inside government when you all made this realization that, oh, this is not just IP theft anymore.
What did it take for the intelligence community to make that determination that, wait a minute, this looks like it could be the beginnings of something far more aggressive? Was it the victims?
So I'd answer that in a couple different ways. The first is to say it was an eye-opening experience when we sort of came collectively to that realization of a shift in the kinds of targets that we were seeing. And over the course of a number of years, sort of my colleagues elsewhere in government and the IC, here at CISA, in DOD, our international partners, all sort of really focused on this question. As we looked at a bunch of different factors outside of the cyber domain, Xi Jinping coming in and stating that reunification is a goal with Taiwan.
William Lai from Taiwan's ruling party wins the presidential election and vows to defend the island from China's intimidation, but China said reunification with Taiwan is still inevitable.
The sort of shift and reorganization of the People's Liberation Army in 2015, around blunting and deterring U.S. intervention in a conflict in the Indo-Pacific.
A Chinese defense official said that the United States is trying to build an Asia-Pacific version of NATO to maintain its hegemony in the region. The remarks were made at the Shangri-La Dialogue in Singapore. Lieutenant General Jing Jianfeng said if the regional countries were to sign up for the U.S. Indo-Pacific strategy, they would be loaded into taking bullets for the United States.
And then you bring together this piece of what do we see being targeted, and one of the realizations was exactly what you highlighted: some of the things that we saw being targeted were entities that even if you stretch the boundaries of your imagination to say could they be an espionage target, they very clearly weren't. And one thing that I really wanted to emphasize here, I've even gotten questions recently of what's fundamentally different now. And the answer really is, we've now confirmed they're there. The PRC is inside the house.
The PRC was inside the house, not just a fear, a fact.
U.S. officials watched as Chinese hackers crept through dozens, then hundreds of critical systems across the country, smaller utilities in Littleton, Massachusetts, major infrastructure hubs, power, water, transportation. This wasn't spycraft as usual, this was sabotage in slow motion, a silent crawl through the machinery that keeps America running. They weren't gathering secrets, they were laying trip wires. And that was enough to drag U.S. officials out of the shadows and into the open.
There has been far too little public focus on the fact that PRC hackers are targeting our critical infrastructure, our water treatment plants, our electrical grid, our oil and natural gas pipelines, our transportation systems, and the risk that poses to every American requires our attention. Now, China's hackers are positioning on American infrastructure in preparation to wreak havoc and cause real-world harm to American citizens and communities, if and when China decides the time has come to strike. They're not focused just on political and military targets. We can see from where they position themselves across civilian infrastructure that low blows aren't just a possibility in the event of a conflict; low blows against civilians are part of China's plan.
That was former FBI Director Chris Wray. In January of 2024, he, along with Jen Easterly and General Paul Nakasone, the now former Director of NSA and U.S. Cyber Command, testified before the House Select Committee on China.
We and our partners identified hundreds of routers that had been taken over by the PRC state-sponsored hacking group known as Volt Typhoon. The Volt Typhoon malware enabled China to hide, among other things, pre-operational reconnaissance and network exploitation against critical infrastructure like our communications, energy, transportation, and water sectors, steps China was taking, in other words, to find and prepare to destroy or degrade the civilian critical infrastructure that keeps us safe and prosperous. And let's be clear, cyber threats to our critical infrastructure represent real-world threats to our physical safety.
PRC cyber actors are pre-positioning in our U.S. critical infrastructure and it is not acceptable. Defending against this activity is our top priority.
This is a world where a major crisis halfway across the planet could well endanger the lives of Americans here at home.
Three top officials speaking plainly before Congress. That should give you a sense of the severity of the situation. That's about as stark a warning as you ever get from the intelligence community in public.
What has been of particular concern to us across government is the breadth of the pre-positioning that we see. We see it in the transportation sector, we see it in the water sector, we see it in the communication sector, we see it in the energy sector. The worst day is an everything-everywhere-all-at-once scenario, that all of a sudden we see disruption in multiple sectors simultaneously with services to the American public going out.
Most Americans can't even fathom that everything-everywhere-all-at-once cyber attack. We've only caught one-off glances, like flashes in the dark, but the full scope, the full capability, we haven't seen it, not yet.
Nobody really knows, if the gloves came off in cyberspace between China and the U.S., what would really happen. Like, it is pandemonium. I've had the privilege of lecturing on modern warfare and even I'm not so sure of the collateral damage, but I do know that a lot of things would get less predictable, and it would be eerie. Like, if the gloves came off in cyberspace, the impact of it, you know, some companies can make phone calls, some can't, some companies, the gate rises when you go to park, and sometimes you can't, services might shut down. We don't really know the impact just yet and how bad it's going to be, because we don't understand all the complex dependencies, so it's really hard to even know what to fear. What I'm hopeful about is the gloves just don't come off. I don't think they do until they come off kinetically. I really don't think people are just going to unleash everything they've got in cyber.
I don't think we've seen China's total egg yolk. All we know for certain is they've prepared the battlefield. But have we? That's next, on To Catch a Thief.
Follow To Catch a Thief to make sure you don't miss the next episode, and if you like what you hear, rate and review the show. To Catch a Thief is produced by Rubrik in partnership with Pod People, with special thanks to Julia V. It was written and produced by me, Nicole Perlroth, and Rebecca Shaston, additional thanks to Hannah Pettersen, Sam Gavauer, and Amy Machado. Editing and sound design by Morgan Fus and Carter Wogan.