Chinese state-sponsored hackers have been burrowing into U.S. critical infrastructure facilities, ranging from telecommunications to transportation networks in a widespread espionage campaign, Microsoft and Western intelligence allies reported this week.
Microsoft said in a blog post that it is moderately confident that the so-called Volt Typhoon operatives, tagged as responsible for the campaign, are seeking to develop capabilities to disrupt critical communications and other vital infrastructure connections between the U.S. and Asia should a cyber crisis break out in the future.
Who is Volt Typhoon?
The low-profile group has been active since 2021, but little is yet known about its capabilities. Volt Typhoon has reportedly hit the communications, manufacturing, utility, transportation, construction, maritime, government, information technology and education sectors in this operation. It’s not clear how long the threat activity has been ongoing.
It’s difficult to argue that the moves by China aren’t geopolitical in nature. The hacking comes as U.S. security forces have steadily moved to shore up critical infrastructure defenses and the geopolitical climate has heated up with words between Washington and Beijing over the sanctity of Taiwan.
Indeed, the targets include sites in Guam, where the U.S. has a major military presence, Microsoft said in a blog post. The vendor’s security arm believes that the attacks, which appear to be preparatory espionage rather than all-out disruption, are focused mainly on reconnaissance.
In the blog post, Microsoft said that because Volt’s activity relies on valid accounts and living-off-the-land tactics, “detecting and mitigating this attack could be challenging.” The company has already posted the code that would make it possible for corporate users, manufacturers and others to detect and remove it, the New York Times reported. According to Microsoft, Volt puts strong emphasis on stealth to maintain its persistence in the network:
“They issue commands via the command line to (1) collect data, including credentials from local and network systems, (2) put the data into an archive file to stage it for exfiltration, and then (3) use the stolen valid credentials to maintain persistence.”
Sophos Security Expert Explains Cybercrime Operation
Security providers are weighing in on the security events. John Shier, Sophos field chief technology officer, explained how state-backed adversaries operate in much the same manner as other cyber criminals:
“Much like cybercriminals, nation-state adversaries also use living-off-the-land binaries to achieve their goals. CISA's latest Cybersecurity Advisory on Volt Typhoon identified the same tools being used as we reported on in our latest Active Adversary report on cybercriminal tools and behaviors. Since many threat actor activities rely on valid credentials and LOLBins, detection and mitigation can be challenging.
“Such is the challenge that organizations today require proactive protection, constant monitoring and a rapid response to suspicious signals. Organizations that invest in the technologies and people required to defend against attacks by nation-state adversaries will also be well positioned to defend against even the most experienced cybercriminals.”
Additionally, and of significant concern, Volt tries to blend into normal network activity by routing traffic through compromised small office and home office (SOHO) network equipment, including routers, firewalls and VPN hardware, and by using custom versions of open-source tools to establish a command and control (C2) channel over a proxy to stay further under the radar, Microsoft said.
CISA, NSA Issue Warning
Such is the concern over Volt that the National Security Agency, CISA and similar organizations from Australia, Canada, the U.K. and New Zealand issued a bulletin warning organizations of the activity.
As the bulletin stated:
“The United States and international cybersecurity authorities are issuing this joint Cybersecurity Advisory (CSA) to highlight a recently discovered cluster of activity of interest associated with a People’s Republic of China (PRC) state-sponsored cyber actor, also known as Volt Typhoon. Private sector partners have identified that this activity affects networks across U.S. critical infrastructure sectors, and the authoring agencies believe the actor could apply the same techniques against these and other sectors worldwide.
“The advisory provides examples of the actor’s commands along with detection signatures to aid network defenders in hunting for this activity. Many of the behavioral indicators included can also be legitimate system administration commands that appear in benign activity. Care should be taken not to assume that findings are malicious without further investigation or other indications of compromise.”
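The two quoted passages above describe the same problem from both sides: Microsoft's three-step chain (collect credentials, archive them for staging, keep using valid accounts) is built from commands that administrators also run, and the advisory warns that a single behavioral match is not proof of compromise. The following is an added example, written for this page and not code from Microsoft, CISA or the Volt Typhoon advisory. It correlates process-creation events per host so that a credential-collection command followed by an archiving command within a short window produces an "investigate" finding, while either step on its own does not. The log format (timestamp|host|user|command), the keyword rules and the 30-minute window are all assumptions chosen for illustration; the sample log lines are constructed.

```python
"""Correlate living-off-the-land process events into 'investigate' findings.

Added example: flags a host only when a credential-collection command is
followed by an archive/staging command within WINDOW, mirroring the advisory's
point that each command alone can be benign administration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Illustrative keyword rules (assumption, not the advisory's signatures):
# each behaviour is mapped to command-line patterns commonly seen in that step.
RULES = {
    "credential_collection": [
        r"\bntdsutil\b",
        r"\breg(\.exe)?\s+save\b.*\b(sam|security|system)\b",
    ],
    "archive_staging": [
        r"\bmakecab\b",
        r"\b7z(a)?(\.exe)?\s+a\b",
        r"\btar\b.*\s-c",
        r"compress-archive",
    ],
}
COMPILED = {tag: [re.compile(p, re.I) for p in pats] for tag, pats in RULES.items()}
WINDOW = timedelta(minutes=30)  # assumed correlation window

# Constructed sample events in the assumed 'timestamp|host|user|command' format.
SAMPLE_LOG = [
    # lone archiving by a backup account: no credential step, so not flagged
    "2023-05-24T09:00:00|ws-12|svc_backup|makecab.exe /F backup.ddf",
    # credential collection followed six minutes later by archiving: flagged
    '2023-05-24T10:15:00|dc-01|jdoe|ntdsutil.exe "ac i ntds" ifm "create full C:\\Temp\\x" q q',
    "2023-05-24T10:21:00|dc-01|jdoe|7z.exe a C:\\Temp\\x.7z C:\\Temp\\x",
    # same two steps three hours apart: outside WINDOW, so not flagged
    '2023-05-24T12:00:00|dc-02|admin|ntdsutil.exe "ac i ntds" ifm "create full C:\\Temp\\y" q q',
    "2023-05-24T15:00:00|dc-02|admin|7z.exe a C:\\Temp\\y.7z C:\\Temp\\y",
]


def parse_line(line):
    """Split one constructed log line into its four fields."""
    ts, host, user, cmd = line.split("|", 3)
    return {"ts": datetime.fromisoformat(ts), "host": host, "user": user, "cmd": cmd}


def classify(cmd):
    """Return every behaviour tag whose patterns match the command line."""
    return [tag for tag, pats in COMPILED.items() if any(p.search(cmd) for p in pats)]


def correlate(lines):
    """Return findings for hosts where credential collection is followed by
    archive staging within WINDOW. The verdict is deliberately 'investigate':
    the chain is a hunting lead, not a confirmation of compromise."""
    events = sorted((parse_line(l) for l in lines), key=lambda e: e["ts"])
    per_host = defaultdict(list)
    for e in events:
        for tag in classify(e["cmd"]):
            per_host[e["host"]].append((e["ts"], tag, e["user"], e["cmd"]))

    findings = []
    for host, hits in per_host.items():
        creds = [h for h in hits if h[1] == "credential_collection"]
        archives = [h for h in hits if h[1] == "archive_staging"]
        for c in creds:
            followed_by = [a for a in archives if c[0] <= a[0] <= c[0] + WINDOW]
            if followed_by:
                findings.append({
                    "host": host,
                    "user": c[2],
                    "verdict": "investigate",
                    "chain": [c[3]] + [a[3] for a in followed_by],
                })
    return findings


if __name__ == "__main__":
    for finding in correlate(SAMPLE_LOG):
        print(finding)
```

Run against the constructed sample, only dc-01 is reported: ws-12 shows an archive with no credential step, and dc-02 shows both steps but too far apart. Tuning WINDOW and adding rules for the other behaviours the page mentions (valid-account logons from unexpected sources, traffic to SOHO-class addresses) is where a real deployment would go next; the principle stays the same, sequence and context decide, not a single command match.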
China's Official Response
Chinese foreign ministry spokesperson Mao Ning called the hacking charges a “collective disinformation campaign” from the U.S., Canada, New Zealand, Australia and the U.K., the Five Eyes group that shares cyber intelligence, the Associated Press reported.
“But no matter what varied methods are used, none of this can change the fact that the United States is the empire of hacking,” Ning told a regular news briefing in Beijing.