A Chinese cyber espionage group has been targeting a wide range of networks across U.S. critical infrastructure sectors, from telecommunications to transportation hubs, since at least mid-2021, according to Microsoft and various cybersecurity agencies under the Five Eyes alliance.
The American multinational technology giant added that Volt Typhoon appears to intend “to perform espionage and maintain access without being detected for as long as possible.”
The China-based hacking group is believed to be pursuing capabilities to “disrupt critical communications infrastructure between the United States and Asia region during future crises,” according to Microsoft.
Affected U.S. critical sectors include “the communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education sectors.”
Military Risk
This includes various networks in Guam in the western Pacific where the United States has a major military presence, Microsoft noted. These U.S. military facilities play a major role in responding to conflicts in the Asia-Pacific region. Guam also serves as a major communications center linking Asia and Australia to the United States, via submarine cables.
Bart Hoggeveen, a senior analyst at the Australian Strategic Policy Institute, said the submarine cables made Guam “a logical target” for China’s ruling communist party to seek intelligence.
Warning From Five Eyes Agencies
U.S. and other intelligence partners noted in a joint cybersecurity advisory that they believe that China’s Volt Typhoon campaign could target other critical infrastructures abroad. The agencies include the U.S. National Security Agency, the FBI, the Cybersecurity and Infrastructure Security Agency (CISA), and their counterparts from Australia, New Zealand, Canada, and the UK.
In the same warning, Bryan Vorndran, FBI cyber division assistant director, referred to the hacking as having used “unacceptable tactics.”
‘Living Off the Land’
According to Microsoft, one of the main tactics Volt Typhoon is using is “living off the land,” which involves using various built-in Windows network administration tools against targets. This allows the cyber espionage group to evade detection: because the tools blend in with normal Windows system and network activity, their use does not trigger security alerts.
Such techniques are harder to detect as they use “capabilities already built into critical infrastructure environments,” NSA cybersecurity director Rob Joyce said in the advisory warning.
After it infects a target’s existing systems, the hacking group conducts espionage and starts extracting data, Microsoft stated.
Some of the built-in tools being used are WMIC, Ntdsutil, netsh, and PowerShell.
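Because living-off-the-land activity uses tools that are legitimately present on every Windows host, defenders cannot simply block the binaries; they have to look at how the tools are invoked and by whom. The script below is an added illustration, not code from Microsoft or from the advisory: it runs a few constructed detection rules over constructed, pipe-delimited process-creation records (a simplified stand-in for Windows Security event 4688 or Sysmon event 1) for the four tools named above, and also tallies per-host, per-user usage of those tools so that unusual frequency can be compared against a baseline. The hostnames, user names, command lines and the rule patterns are all assumptions made for the example.

```python
"""Detection sketch for "living off the land" use of built-in Windows tools.

Assumed (not from the article): each record is a simplified, pipe-delimited
form of Windows Security event 4688 / Sysmon event 1:
    timestamp|host|user|parent_image|new_process_image|command_line
All sample records below are constructed for this example.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Built-in tools named in the reporting; matched on the image basename.
LOLBINS = {"wmic.exe", "ntdsutil.exe", "netsh.exe", "powershell.exe"}

# (image basename, case-insensitive regex over the command line, finding text).
# These patterns are assumed detection heuristics chosen for the example.
RULES = [
    ("wmic.exe", r"process\s+call\s+create", "WMIC used to spawn a process"),
    ("ntdsutil.exe", r"\bifm\b", "ntdsutil IFM export of the AD database (credential access)"),
    ("netsh.exe", r"\bportproxy\b", "netsh port-proxy rule change (traffic relaying)"),
    ("powershell.exe", r"-(e|ec|enc|encodedcommand)\b|downloadstring|\biex\b",
     "PowerShell encoded or download-cradle command line"),
]
COMPILED = [(img, re.compile(pat, re.IGNORECASE), msg) for img, pat, msg in RULES]

# Constructed sample telemetry: three suspicious launches, two routine ones,
# and one unrelated service-host line that no rule should touch.
SAMPLE_LOG = r"""
2023-05-24T02:11:05Z|HOST-DC01|SYSTEM|C:\Windows\System32\services.exe|C:\Windows\System32\svchost.exe|svchost.exe -k netsvcs
2023-05-24T02:13:40Z|HOST-DC01|CORP\jdoe|C:\Windows\System32\cmd.exe|C:\Windows\System32\wbem\WMIC.exe|wmic process call create "notepad.exe"
2023-05-24T02:15:12Z|HOST-DC01|CORP\jdoe|C:\Windows\System32\cmd.exe|C:\Windows\System32\ntdsutil.exe|ntdsutil "ac i ntds" ifm "create full C:\temp\out" q q
2023-05-24T02:16:01Z|HOST-FW01|CORP\jdoe|C:\Windows\System32\cmd.exe|C:\Windows\System32\netsh.exe|netsh interface portproxy add v4tov4 ...
2023-05-24T02:20:30Z|HOST-WS07|CORP\asmith|C:\Windows\explorer.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -NoProfile -Command Get-Service
2023-05-24T02:21:00Z|HOST-WS07|CORP\asmith|C:\Windows\System32\cmd.exe|C:\Windows\System32\netsh.exe|netsh interface show interface
"""


@dataclass(frozen=True)
class ProcEvent:
    ts: str
    host: str
    user: str
    parent: str
    image: str
    cmdline: str

    @property
    def image_name(self) -> str:
        """Basename of the launched image, lower-cased for matching."""
        return self.image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_event(line: str) -> Optional[ProcEvent]:
    """Parse one record; the command line may itself contain '|', so split at most 5 times."""
    parts = line.rstrip("\n").split("|", 5)
    if len(parts) != 6:
        return None  # blank or malformed record: skip rather than crash the scan
    return ProcEvent(*parts)


def evaluate(ev: ProcEvent) -> List[str]:
    """Return the finding text of every rule this event matches."""
    return [msg for img, rx, msg in COMPILED
            if ev.image_name == img and rx.search(ev.cmdline)]


def scan(text: str) -> List[Tuple[ProcEvent, str]]:
    """Run all rules over a block of records and collect (event, finding) pairs."""
    findings = []
    for line in text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        for msg in evaluate(ev):
            findings.append((ev, msg))
    return findings


def lolbin_usage(text: str) -> Counter:
    """Count (host, user, tool) launches of the named tools, flagged or not.

    LotL activity often only stands out against a baseline, so the frequency
    per host and account is the number a defender compares with normal usage.
    """
    counts: Counter = Counter()
    for line in text.splitlines():
        ev = parse_event(line)
        if ev is not None and ev.image_name in LOLBINS:
            counts[(ev.host, ev.user, ev.image_name)] += 1
    return counts


if __name__ == "__main__":
    for ev, msg in scan(SAMPLE_LOG):
        print(f"{ev.ts} {ev.host} {ev.user}: {msg}\n    {ev.cmdline}")
    for key, n in lolbin_usage(SAMPLE_LOG).most_common():
        print(key, n)
```

The rules are deliberately narrow: a netsh `show` or a PowerShell `Get-Service` from an interactive session is routine and is counted but not flagged, while the usage counter gives the context (which account, on which host, how often) that turns a single ambiguous launch into something worth investigating.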
Microsoft Customers Alerted
Microsoft said it proactively contacted all targeted or compromised customers and provided them with information to secure their networks. Over at least the past decade, human rights groups have been warning U.S. companies such as Microsoft of potential national security risks associated with negotiating with the Chinese Communist Party to gain access to the Chinese market.
Meanwhile, Microsoft’s Bing has become China’s leading desktop search engine, surpassing Baidu, according to recent statistical data from StatCounter.
John Hultquist, chief analyst at Google’s Mandiant cybersecurity intelligence operation, called Microsoft’s May 24 announcement “potentially a really important finding.”
“We don’t see a lot of this sort of probing from China. It’s rare,” Hultquist said. “We know a lot about Russian and North Korean and Iranian cyber-capabilities because they have regularly done this.”
He added that China has generally withheld use of the kinds of tools that could be used to seed not just intelligence-gathering capabilities, but also malware for disruptive attacks in an armed conflict.