Full Report
Members of the U.S. House Committee on Homeland Security reached out to Kristi Noem, Department of Homeland Security... The post US lawmakers demand DHS threat assessment on China’s intelligence operations in Cuba appeared first on Industrial Cyber.
Analysis Summary
# Threat Actor: People’s Republic of China (PRC) State-Sponsored Actors
## Attribution & Identity
Attribution is explicitly placed on the People’s Republic of China (PRC). Associated threat actors mentioned utilizing cyber means include **Volt Typhoon** and **Salt Typhoon**. The activity involves PRC intelligence and security collaboration with the Republic of Cuba (Cuba).
## Activity Summary
The primary focus of the activity described is the expansion of the PRC's signals intelligence (SIGINT) and security collaboration in Cuba, establishing at least four facilities close to sensitive U.S. installations (e.g., Naval Station Guantánamo Bay, Kennedy Space Center). This activity is designed to systematically erode U.S. strategic advantages by fusing telemetry interception, geospatial intelligence collection, and electromagnetic surveillance. U.S. Cyber Command has uncovered PRC malware implanted within Latin American networks through hunt-forward operations. Specific espionage activity mentioned includes intrusions attributed to 'Volt Typhoon' and 'Salt Typhoon.'
## Tactics, Techniques & Procedures
- Fusion of telemetry interception, geospatial intelligence collection, and electromagnetic surveillance to prepare the electromagnetic environment for future exploitation.
- Signals Intelligence (SIGINT) operations, evidenced by the construction and upgrade of facilities.
- Installation of advanced hardware, such as **Circularly Disposed Antenna Arrays (CDAA)** for long-range surveillance.
- Malware implanted within Latin American networks (malware type unspecified, but linked to PRC objectives).
- Cyber espionage operations linked to established APT groups **Volt Typhoon** and **Salt Typhoon**.
- **No specific MITRE ATT&CK IDs** were provided in the context.
## Targeting
- Sectors: Critical infrastructure (implied by proximity to naval stations and Space Force installations) across the air, space, and maritime domains.
- Geography: Cuba (for staging/operations), U.S. territory (targets monitored from Cuba), and the broader Western Hemisphere (Latin America).
- Victims: U.S. sensitive installations (Naval Station Guantánamo Bay, Kennedy Space Center, Naval Submarine Base Kings Bay, Cape Canaveral Space Force Station), and networks within U.S. Southern Command's area of responsibility.
## Tools & Infrastructure
- **Malware Families Used:** Malware implanted by PRC actors (specific names not listed, but Volt Typhoon and Salt Typhoon intrusion activity is noted).
- **Infrastructure:** Four known or suspected PRC SIGINT facilities in Cuba:
  - **Bejucal:** Undergoing significant upgrades, including installation of a CDAA.
  - **Wajay:** Operational near Havana.
  - **Calabazar:** Operational near Havana, supporting the broader SIGINT network.
  - **El Salao:** Activity appears halted; the site is overgrown (as of April 2025).
- **Commercial Infrastructure/Supply Chain Risks:** Use of **Huawei** and **ZTE** technologies in Cuban national telecom networks raises concerns about regional communications exposure.
- **C2/IPs:** None specified in the context.
## Implications
The PRC's physical and cyber presence in Cuba represents a significant asymmetric escalation, enabling persistent surveillance, mapping of U.S. electronic profiles, and preparedness for potential future electromagnetic exploitation close to U.S. strategic assets. The established SIGINT facilities challenge U.S. strategic advantage without kinetic measures. The cyber operations (Volt Typhoon/Salt Typhoon) demonstrate ongoing preparatory access within regional networks.
## Mitigations
- Sustained scrutiny of PRC intelligence and security activities in Cuba by DHS and the Intelligence Community (IC).
- Enhanced interagency coordination (DoD, IC, State) for monitoring, analyzing, and countering PRC activities in the Caribbean/Western Hemisphere.
- Raising awareness among industry and government entities regarding risks posed by PRC surveillance platforms operating via Cuba.
- Assessing and mitigating risks to homeland components arising from potential SIGINT interception stemming from these facilities.