The UK has joined the Five Eyes intelligence alliance to issue a cybersecurity warning after China targeted U.S. critical infrastructure sectors.
The cluster of attacks, first uncovered by Microsoft, was found targeting Guam, home of a number of U.S. military bases, and elsewhere in the United States. Hackers also used compromised local home office devices such as routers to cover their tracks.
NCSC Director of Operations Paul Chichester said in a statement that it’s “vital” for operators of critical national infrastructure to take actions to prevent such attacks.
“We strongly encourage providers of UK essential services to follow our guidance to help detect this malicious activity and prevent persistent compromise,” he said in a statement.
The attacks were associated with a Chinese state-sponsored cyber actor, named as Volt Typhoon by Microsoft.
The hackers collected data, including credentials, from target networks, and used these credentials to keep accessing the systems.
The also tried disguise their location by routing traffic through network equipment in small offices or home offices that are in the same region with the victims.
Because the attacks rely on valid accounts and local, non-malicious codes, “detecting and mitigating this attack could be challenging,” Microsoft said. “Compromised accounts must be closed or changed.”
Microsoft said the group appears to be aiming at spying “for as long as possible,” but it also said “with moderate confidence” that the campaign is “pursuing development of capabilities that could disrupt critical communications infrastructure between the United States and Asia region during future crises.”
“It means they are preparing for that possibility,” said John Hultquist, who heads threat analysis at Google’s Mandiant Intelligence.
The Chinese activity is unique and worrying also because analysts don’t yet have enough visibility on what this group might be capable of, he added.
“There is greater interest in this actor because of the geopolitical situation.”
Cybersecurity agencies of the Five Eyes states—an Anglo-sphere intelligence sharing alliance made up of the UK, the United States, Canada, Australia, and New Zealand, said they believe “the actor could apply the same techniques against these and other sectors worldwide.”
Guam, an island near the Philippines, is the westernmost point of U.S. territories. It’s home to U.S. military facilities that would be key to responding to any conflict in the Asia-Pacific region, such as an invasion or blockade of Taiwan. It is also a major communications hub connecting Asia and Australia to the United States by multiple submarine cables.
Bart Hoggeveen, a senior analyst at the Australian Strategic Policy Institute who specializes in state-sponsored cyber attacks in the region, said the submarine cables made Guam “a logical target for the Chinese government” to seek intelligence.
“There is high vulnerability when cables land on shore,” he said.
Chinese foreign ministry spokesperson Mao Ning claim on Thursday that the hacking allegations were a “collective disinformation campaign” from the Five Eyes countries.
Mao said the campaign was launched by the United States for geopolitical reasons and that the report from Microsoft analysts showed that the U.S. government was expanding its channels of disinformation beyond government agencies.
“But no matter what varied methods are used, none of this can change the fact that the United States is the empire of hacking,” she told a regular press briefing in Beijing.