
Chinese State-Sponsored Hackers Target Critical US Infrastructure with a Focus on Gathering Intelligence, Warns Microsoft and Five Eyes

Chinese state-sponsored hackers have compromised critical U.S. cyber infrastructure across numerous industries with a focus on gathering intelligence, according to a warning issued by Microsoft and the Five Eyes intelligence alliance. The group, known as Volt Typhoon, has been active since mid-2021 and targeted critical infrastructure organizations in the US territory of Guam and in other parts of the US.[0] Microsoft warned that the group was “pursuing development of capabilities that could disrupt critical communications infrastructure between the US and Asia region during future crises.” Guam is home to three American military bases and would play an important strategic role should the US need to respond to any potential Chinese military attack on or blockade of Taiwan.[1]

According to a recent report by Microsoft, critical infrastructure organizations in the US, particularly in Guam, have been targeted by Chinese hackers since mid-2021. These hackers have been engaged in a covert operation to spy and gather information in various parts of the country. The hackers have targeted a range of sectors, including maritime, transportation, communications, utility, and government organizations.[2] The group has attempted to access organizations in “communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education sectors.” To remain stealthy, the hackers use tools already installed on or built into the infected devices, operating them by hand rather than through automated malware, a technique known as “living off the land.”[3]

Guam's air bases and ports serve as a vital US military outpost and would be critical to any Western response to a conflict in Asia. In the western Pacific, Guam is a significant staging point for the US military. If China attempted to invade Taiwan, the island would be crucial to strengthening Taiwan's defense.[4] The US territory houses Andersen Air Base and a naval station that are essential for the US military to react to any Chinese aggression towards the autonomous island. Because America is treaty-bound to help Taiwan protect itself, there are concerns that such a conflict could escalate into World War III.[5]

The US and its allies have issued a joint Cybersecurity Advisory (CSA) to highlight a recently discovered cluster of activity of interest associated with a People’s Republic of China (PRC) state-sponsored cyber actor, also known as Volt Typhoon.[6] Private sector collaborators have recognized that this operation impacts networks throughout various vital infrastructure sectors in the United States, and the agencies responsible for authoring the report anticipate that the perpetrator may use similar methods to target these and other sectors on a global scale.[6] The Australian Cyber Security Centre of the Australian Signals Directorate reported that Volt Typhoon employed a technique called “living off the land” by utilizing network administration tools already present in the system to achieve their goals. This allowed the group to go undetected by disguising their activities as normal Windows system and network processes.[0]

To achieve initial access, Volt Typhoon compromises Internet-facing Fortinet FortiGuard devices, a popular target for cyberattackers of all stripes.[1] After gaining access to the device, the APT uses its privileges to extract credentials from an Active Directory account and authenticate to other devices on the network.[7] The group was observed blending into normal network activity by routing traffic through compromised small office and home office (SOHO) network equipment, including routers, firewalls, and VPN hardware.
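One way a defender can act on the “living off the land” behaviour described above (an added example, not code from the page, Microsoft or CISA): compare process-creation events against a baseline of which parents normally launch built-in Windows administration tools, so those tools are flagged only when started from an unfamiliar parent. The event field names follow Windows Security event 4688; the watchlist of binaries, the helper names and all telemetry are constructed assumptions.

```python
from collections import Counter

# Built-in Windows administration binaries that LOTL intrusions reuse instead of
# dropping malware (constructed watchlist, an analyst choice, not from the page).
LOTL_BINARIES = {"cmd.exe", "powershell.exe", "netsh.exe", "wmic.exe", "ntdsutil.exe"}

def basename(path):
    """Strip the directory so C:\\Windows\\System32\\cmd.exe compares as cmd.exe."""
    return path.rsplit("\\", 1)[-1].lower()

def build_baseline(events):
    """Count (parent, child) launch pairs observed during a trusted learning window."""
    return Counter((basename(e["ParentProcessName"]), basename(e["NewProcessName"]))
                   for e in events)

def flag_lotl(events, baseline, min_seen=2):
    """Alert on a watchlisted binary whose parent did not launch it routinely in the
    baseline; routine administrative use of the same tools is suppressed."""
    alerts = []
    for e in events:
        parent, child = basename(e["ParentProcessName"]), basename(e["NewProcessName"])
        if child in LOTL_BINARIES and baseline[(parent, child)] < min_seen:
            alerts.append({"time": e["TimeCreated"], "user": e["SubjectUserName"],
                           "parent": parent, "child": child, "cmd": e["CommandLine"]})
    return alerts

def ev(t, user, parent, child, cmd):
    """Build one constructed event using the field names of Security event 4688."""
    return {"TimeCreated": t, "SubjectUserName": user, "ParentProcessName": parent,
            "NewProcessName": child, "CommandLine": cmd}

EXPL, SYS32 = r"C:\Windows\explorer.exe", r"C:\Windows\System32"
# Constructed telemetry: a trusted learning window of ordinary helpdesk activity...
BASELINE_EVENTS = [
    ev("2023-05-15T09:00", "helpdesk", EXPL, SYS32 + r"\cmd.exe", "cmd.exe"),
    ev("2023-05-16T09:10", "helpdesk", EXPL, SYS32 + r"\cmd.exe", "cmd.exe"),
    ev("2023-05-17T10:30", "helpdesk", EXPL, SYS32 + r"\powershell.exe", "powershell.exe"),
    ev("2023-05-18T11:00", "helpdesk", EXPL, SYS32 + r"\powershell.exe", "powershell.exe"),
]
# ...and a later day on which the same built-in tools appear under unusual parents.
INSPECT_EVENTS = [
    ev("2023-05-23T09:05", "helpdesk", EXPL, SYS32 + r"\cmd.exe", "cmd.exe"),
    ev("2023-05-23T02:14", "svc_web", SYS32 + r"\inetsrv\w3wp.exe", SYS32 + r"\cmd.exe", "cmd.exe"),
    ev("2023-05-23T02:20", "svc_web", SYS32 + r"\cmd.exe", SYS32 + r"\ntdsutil.exe", "ntdsutil.exe"),
    ev("2023-05-23T03:00", "SYSTEM", SYS32 + r"\services.exe", SYS32 + r"\svchost.exe", "svchost.exe -k netsvcs"),
]

def demo():
    """Run the detector over the constructed day; returns the two suspicious launches."""
    return flag_lotl(INSPECT_EVENTS, build_baseline(BASELINE_EVENTS))

if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

The baseline suppresses the helpdesk's routine cmd.exe use while surfacing the same binary launched by a web worker process and the directory-service tool it spawned; in practice the learning window should cover weeks of telemetry, not four events.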

The warning said Volt Typhoon was developing capabilities “that could disrupt critical communications infrastructure between the United States and Asia region during future crises” – a nod to escalating tensions between China and the United States over Taiwan and other issues.[8] China denied the claims and denounced the joint warning as a “collective disinformation campaign.” Beijing has repeatedly countered criticisms of its alleged aggressive cyber-espionage operations by accusing the US of conducting similar activities.[9]

0. “Chinese hackers hit critical U.S. infrastructure, intelligence agencies warn,” Axios, 25 May 2023, https://www.axios.com/2023/05/25/chinese-hackers-critical-infrastructure-us-guam

1. “Microsoft warns that China hackers attacked U.S. infrastructure,” CNBC, 24 May 2023, https://www.cnbc.com/2023/05/24/microsoft-warns-that-china-hackers-attacked-us-infrastructure.html

2. “Chinese hackers seeking to disrupt communications between US and Asia in event of crisis, Microsoft says,” CNN, 25 May 2023, https://www.cnn.com/2023/05/24/politics/china-hackers-guam-microsoft-taiwan/index.html

3. “Chinese state-backed hacking group compromised US critical infrastructure orgs,” The Record by Recorded Future, 24 May 2023, https://therecord.media/china-state-backed-hacking-group-compromises-us

4. “Chinese spy hit on US military base sparks fears of communications blackout,” The Telegraph, 25 May 2023, https://www.telegraph.co.uk/business/2023/05/25/china-cyber-spies-us-military-communication-taiwan/

5. “GCHQ warns of fresh threat from Chinese state-sponsored hackers,” The Guardian, 25 May 2023, https://www.theguardian.com/technology/2023/may/25/experts-warn-against-china-sponsored-cyber-attacks-on-uk-networks

6. “People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection,” CISA, 24 May 2023, https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a

7. “‘Volt Typhoon’ China-Backed APT Infiltrates US Critical Infrastructure Orgs,” Dark Reading, 24 May 2023, https://www.darkreading.com/endpoint/-volt-typhoon-china-backed-apt-infiltrates-us-critical-infrastructure

8. “China state-sponsored actor carries out ‘attack’ on US critical infrastructure, Microsoft says,” Fox Business, 24 May 2023, https://www.foxbusiness.com/technology/china-state-sponsored-actor-carries-attack-us-critical-infrastructure-microsoft-says

9. “Chinese hackers behind Guam breach have been spying on US military for years,” The Record by Recorded Future, 25 May 2023, https://therecord.media/chinese-hackers-behind-guam-hack-targeting-us-for-years
