
Five Eyes Warning: Chinese State Actors Pre-Positioning in Critical Infrastructure for Potential Sabotage

A joint advisory from the UK, US, Australian, Canadian, and New Zealand intelligence services has confirmed that Chinese state-sponsored hackers are systematically infiltrating Western critical infrastructure — energy, water, transport, and telecoms — not to steal information, but to establish the capability to disrupt or destroy services in a future conflict. This represents a strategic national security threat that directly affects organisations operating or supplying critical infrastructure.


What Happened

The intelligence and cybersecurity agencies of the United States, United Kingdom, Australia, Canada, and New Zealand — collectively known as the Five Eyes alliance — have issued a joint advisory confirming that Chinese government-sponsored hacking groups, tracked by the security industry under names including Volt Typhoon and Flax Typhoon, have systematically infiltrated critical infrastructure networks across Western nations. The advisory is explicit that the purpose of this infiltration is not conventional espionage or data theft, but pre-positioning: establishing persistent, hidden access that could be activated to disrupt or destroy services — including power generation, water treatment, telecommunications, and transportation systems — in the event of a geopolitical conflict, particularly one involving Taiwan or the South China Sea.

To hide their activities, these actors route their communications through compromised home and small-business routers — commonly available devices from brands including Cisco, Netgear, DrayTek, and Zyxel — turning ordinary internet infrastructure into a concealment network. Their traffic therefore appears to come from ordinary residential and small-business addresses in the targeted countries rather than from China, which blunts geographic blocking and IP reputation filtering as defences.

Business Impact

For organisations operating or supplying critical infrastructure, this advisory changes the risk calculus significantly. The threat is not a financially motivated criminal seeking to encrypt files and demand a ransom — it is a state actor with geopolitical objectives and a long time horizon, establishing footholds that may remain dormant for years before activation.

The practical business impact of pre-positioned access, if activated, could include: disruption of industrial control systems managing physical plant operations; outages in operational technology networks that directly affect service delivery; and in the most serious assessed scenarios, damage to physical equipment through manipulation of control systems. The advisory specifically notes that evidence of access to operational technology networks — not merely IT networks — has been observed in some compromised organisations.

Organisations that supply, connect to, or provide technology services for critical infrastructure sectors should also consider their position as a potential access point — supplier network access has been used in prior intrusion campaigns to reach the ultimate target.

Regulatory Implications

Organisations in sectors designated as essential or important entities under NIS2 are subject to obligations to implement appropriate technical and organisational measures against threats of this nature, including network monitoring, access controls, and incident detection. The advisory’s publication by official government agencies constitutes formal notification of a known threat that regulated organisations are expected to address. Failure to review controls following explicit government guidance could be relevant to supervisory assessment of an organisation’s security posture.

Operators of critical national infrastructure in the UK should review their obligations under the Network and Information Systems (NIS) Regulations and engage with their sector regulator regarding this advisory’s implications.

Board-Ready Summary

  • Five Eyes intelligence agencies confirm Chinese state actors have already established hidden footholds inside Western critical infrastructure — including energy, water, and telecoms — capable of disrupting or destroying services on demand.
  • The goal is not data theft but sabotage capability: these actors are preparing for potential conflict, not conducting conventional cyber crime.
  • Leadership of organisations operating or supplying critical infrastructure should authorise an immediate review of whether this advisory’s indicators of compromise are present in their networks, and validate that defensive controls meet the standard this threat requires.

Recommended Actions

  1. Immediate (this week): Download the full indicator of compromise list from CISA Advisory AA26-113A and run it against network logs, firewall logs, VPN gateway logs, and endpoint telemetry for the past 90 days, and further back wherever retained telemetry allows: the advisory describes footholds that can lie dormant for years, so a 90-day window is a floor, not a ceiling. Prioritise internet-facing network devices, VPN appliances, and any hosts with access to operational technology networks.

  2. Immediate (this week): Audit all internet-facing network devices — routers, firewalls, and VPN gateways — for firmware currency, focusing on the specific device models listed in the advisory (Cisco IOS routers, DrayTek, Netgear, Zyxel). Replace end-of-life devices that cannot receive firmware updates.

  3. Short-term (this month): Enforce multi-factor authentication on all remote access pathways without exception. The advisory describes actors pivoting from compromised edge devices to internal networks via legitimate-looking remote access sessions; MFA is the primary control that limits reuse of stolen credentials along this pivot. It does not protect a VPN appliance whose own firmware has been compromised, which is why the device audit in item 2 comes first.

  4. Short-term (this month): Review all remote access connections to operational technology and industrial control system networks. Any remote access path to OT/ICS environments that does not require explicit authorisation per session should be treated as a priority remediation.

  5. Ongoing: Implement detection for “living off the land” techniques. The advisory notes that these actors use legitimate, built-in system administration tools rather than distinctive malware, so signature-based defences have nothing to match on. Detection instead requires baselining which accounts run which administrative tools on which hosts, and how often, and alerting on deviations from that baseline.

  6. Ongoing: If your organisation operates critical infrastructure, engage your government sector CERT or CISA directly. Several of the indicators and TTPs in the advisory are only fully actionable with sector-specific guidance — the advisory explicitly encourages critical infrastructure operators to reach out for direct assistance.
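As an added illustration of items 1 and 5 (this is example code written for this briefing, not tooling from the advisory or from CISA), the following Python script does two things over constructed log lines: it matches an indicator list against firewall records, and it flags built-in administration tools run by accounts outside an expected baseline or at unusual volume. The indicator addresses (drawn from the RFC 5737 documentation ranges), the key=value log formats, the tool watch-list, the account baseline and the threshold are all assumptions made for the example; substitute the advisory's real indicators and your own telemetry formats.

```python
"""Added example: IoC matching over gateway logs plus a baseline check on
built-in administration tools (items 1 and 5). All addresses, log formats,
tool names, accounts and thresholds below are constructed or assumed."""
import ipaddress
import re
from collections import Counter

# Constructed IoC list using RFC 5737 documentation ranges; these are not
# indicators from any advisory.
IOC_IPS = {"192.0.2.44", "198.51.100.7"}
IOC_NETS = [ipaddress.ip_network("203.0.113.0/28")]

# Assumed watch-list of built-in Windows administration tools. Running them is
# normal; the signal is which accounts run them, on which hosts, and how often.
LOTL_TOOLS = {"netsh.exe", "ntdsutil.exe", "wmic.exe", "powershell.exe", "reg.exe"}
# Assumed baseline of accounts expected to run those tools.
ADMIN_BASELINE = {"it-admin", "svc-backup"}

# Assumed log formats: one key=value line per firewall event or process start.
FW_LINE = re.compile(r"^(?P<ts>\S+) fw src=(?P<src>\S+) dst=(?P<dst>\S+) action=(?P<action>\w+)$")
PROC_LINE = re.compile(
    r'^(?P<ts>\S+) proc host=(?P<host>\S+) user=(?P<user>\S+) '
    r'image=(?P<image>\S+) cmd="(?P<cmd>[^"]*)"$'
)

SAMPLE_FW = [  # constructed firewall lines
    "2024-05-01T10:00:01Z fw src=10.0.5.12 dst=192.0.2.44 action=allow",
    "2024-05-01T10:00:02Z fw src=10.0.5.12 dst=198.51.100.200 action=allow",
    "2024-05-01T10:05:00Z fw src=203.0.113.9 dst=10.0.0.5 action=deny",
    "2024-05-01T10:06:00Z vpn user=j.smith src=203.0.113.200 result=success",
]
SAMPLE_PROC = [  # constructed process-creation lines
    '2024-05-01T11:00:00Z proc host=DC01 user=it-admin image=C:\\Windows\\System32\\ntdsutil.exe cmd="ntdsutil snapshot"',
    '2024-05-01T11:02:00Z proc host=WKS07 user=j.smith image=C:\\Windows\\System32\\netsh.exe cmd="netsh interface show interface"',
    '2024-05-01T11:03:00Z proc host=WKS07 user=j.smith image=C:\\Windows\\System32\\wmic.exe cmd="wmic process list brief"',
    '2024-05-01T11:04:00Z proc host=WKS07 user=j.smith image=C:\\Windows\\System32\\reg.exe cmd="reg query HKLM\\Software"',
    '2024-05-01T11:05:00Z proc host=WKS07 user=j.smith image=C:\\Vendor\\agent.exe cmd="agent --sync"',
]


def ip_is_ioc(ip_str):
    """True if the address is a listed IoC or falls inside a listed IoC range."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    return ip_str in IOC_IPS or any(ip in net for net in IOC_NETS)


def match_iocs(lines):
    """Return (timestamp, field, address, action) for every firewall line whose
    source or destination is an IoC. Lines in other formats are skipped."""
    hits = []
    for line in lines:
        m = FW_LINE.match(line)
        if not m:
            continue
        for field in ("src", "dst"):
            if ip_is_ioc(m[field]):
                hits.append((m["ts"], field, m[field], m["action"]))
    return hits


def lotl_anomalies(lines, max_per_user=2):
    """Flag watch-listed tools run by accounts outside the admin baseline, and
    any (host, account) pair running more than max_per_user such tools."""
    findings = []
    counts = Counter()
    for line in lines:
        m = PROC_LINE.match(line)
        if not m:
            continue
        image = m["image"].rsplit("\\", 1)[-1].lower()
        if image not in LOTL_TOOLS:
            continue
        counts[(m["host"], m["user"])] += 1
        if m["user"] not in ADMIN_BASELINE:
            findings.append({"reason": "non-baseline-account", "host": m["host"],
                             "user": m["user"], "tool": image, "cmd": m["cmd"]})
    for (host, user), n in counts.items():
        if n > max_per_user:
            findings.append({"reason": "volume", "host": host, "user": user, "count": n})
    return findings


if __name__ == "__main__":
    for hit in match_iocs(SAMPLE_FW):
        print("IOC", *hit)
    for finding in lotl_anomalies(SAMPLE_PROC):
        print("LOTL", finding)
```

Two design points follow from the briefing itself. First, because the actors relay through ordinary compromised consumer routers, address-based indicators age quickly; the IoC match is a one-off sweep, while the tool-usage baseline is the part worth keeping as a standing detection. Second, a non-baseline account running an administration tool is a triage lead, not proof of compromise, so the threshold and the baseline must be tuned against a quiet period of your own telemetry before the alert is trusted.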