The United States, its Western allies and Microsoft said Wednesday, May 24, that a state-sponsored Chinese cyber actor had infiltrated critical US infrastructure networks, and warned similar activities could be occurring globally.
“The United States and international cybersecurity authorities are issuing this joint Cybersecurity Advisory (CSA) to highlight a recently discovered cluster of activity of interest associated with a People’s Republic of China (PRC) state-sponsored cyber actor, also known as Volt Typhoon,” said a statement released by US, Australian, Canadian, New Zealand and UK authorities.
In a separate statement, Microsoft said Volt Typhoon had been active since mid-2021 and had targeted critical infrastructure in Guam, a crucial US military outpost in the Pacific Ocean. “Microsoft assesses with moderate confidence that this Volt Typhoon campaign is pursuing development of capabilities that could disrupt critical communications infrastructure between the United States and Asia region during future crises,” the statement said.
“In this campaign, the affected organizations span the communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education sectors. Observed behavior suggests that the threat actor intends to perform espionage and maintain access without being detected for as long as possible.”
The US and Western security agencies warned in their advisory that the activities involved “living off the land” tactics, which take advantage of tools already built into the operating system to blend in with normal Windows system activity. The advisory warned that the intrusions can also make use of legitimate system administration commands that appear “benign”.
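Because “living off the land” relies on tools that are legitimate on every Windows host, a defender cannot simply alert on their existence; the useful signal is a built-in utility being launched by a host/user pair that never used it before. The following Python sketch is an added illustration of that baseline-and-deviation approach. It is not part of the advisory or of any Microsoft tooling: the event format, the sample log lines, the host and account names, and the watchlist of utilities are all constructed assumptions for the example.

```python
"""Defender-side illustration of spotting 'living off the land' activity.

The process-creation records below are constructed for this example in a
simplified key=value form; they are not real telemetry and not the format
of any particular product. The idea: built-in admin utilities are
legitimate, so the signal is not *that* they ran but *who* ran them, from
*where*, and whether that is new for the host.
"""
import re
from collections import defaultdict

# Assumed watchlist of built-in Windows utilities that leave no dropped
# binary behind. Illustrative only; tune it to your own environment.
LOTL_WATCHLIST = {
    "netsh.exe", "wmic.exe", "ntdsutil.exe", "reg.exe",
    "powershell.exe", "cmd.exe",
}

# Constructed baseline: normal activity observed during a learning window.
BASELINE_EVENTS = [
    "host=ws01 user=alice parent=explorer.exe image=notepad.exe",
    "host=ws01 user=alice parent=explorer.exe image=cmd.exe",
    "host=srv02 user=svc_backup parent=services.exe image=wbadmin.exe",
    "host=srv02 user=admin parent=cmd.exe image=netsh.exe",
]

# Constructed events from the period under investigation.
NEW_EVENTS = [
    "host=ws01 user=alice parent=explorer.exe image=cmd.exe",           # known-normal
    "host=ws01 user=alice parent=cmd.exe image=wmic.exe",               # new tool for this user
    "host=srv02 user=admin parent=cmd.exe image=netsh.exe",             # seen in baseline
    "host=srv02 user=svc_backup parent=cmd.exe image=ntdsutil.exe",     # service account, new tool
    "host=srv02 user=svc_backup parent=services.exe image=wbadmin.exe", # normal, not watchlisted
]

EVENT_RE = re.compile(r"host=(\S+) user=(\S+) parent=(\S+) image=(\S+)")


def parse_event(line):
    """Parse one constructed key=value record into a dict (image lower-cased)."""
    m = EVENT_RE.match(line)
    if not m:
        raise ValueError(f"unparseable event: {line!r}")
    host, user, parent, image = m.groups()
    return {"host": host, "user": user, "parent": parent, "image": image.lower()}


def build_baseline(lines):
    """Map (host, user) -> set of images that principal normally runs."""
    seen = defaultdict(set)
    for ev in map(parse_event, lines):
        seen[(ev["host"], ev["user"])].add(ev["image"])
    return seen


def find_lotl_anomalies(lines, baseline, watchlist=LOTL_WATCHLIST):
    """Return watchlisted launches not seen for that host/user in the baseline.

    A hit is a triage lead, not a verdict: an administrator starting new work
    triggers it too. The value is in surfacing *new* use of legitimate tools
    rather than trying to flag the tools themselves.
    """
    hits = []
    for ev in map(parse_event, lines):
        if ev["image"] not in watchlist:
            continue
        if ev["image"] in baseline.get((ev["host"], ev["user"]), set()):
            continue
        hits.append((ev["host"], ev["user"], ev["parent"], ev["image"]))
    return hits


if __name__ == "__main__":
    base = build_baseline(BASELINE_EVENTS)
    for hit in find_lotl_anomalies(NEW_EVENTS, base):
        print("review:", hit)
```

Run as-is, the script flags two records for review: `wmic.exe` launched by `alice` on `ws01`, and `ntdsutil.exe` launched by the `svc_backup` service account on `srv02`; the other three launches are either already in the baseline or not on the watchlist. In practice the baseline would be built from weeks of process-creation telemetry rather than four lines, and the parent process (here `cmd.exe` rather than `services.exe`) is usually the next pivot when triaging a hit.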
No response from China
Microsoft said Volt Typhoon tried to blend into normal network activity by routing traffic through compromised small office and home office network equipment, including routers, firewalls and VPN hardware. “They have also been observed using custom versions of open-source tools,” Microsoft said.
The director of the US Cybersecurity and Infrastructure Security Agency, Jen Easterly, also released a warning related to Volt Typhoon. “For years, China has conducted operations worldwide to steal intellectual property and sensitive data from critical infrastructure organizations around the globe,” Easterly said.
“Today’s advisory, put out in conjunction with our US and international partners, reflects how China is using highly sophisticated means to target our nation’s critical infrastructure. This joint advisory will give network defenders more insights into how to detect and mitigate this malicious activity.”
China offered no immediate response to the allegations. But it routinely denies carrying out state-sponsored cyber attacks. China in turn regularly accuses the United States of cyber espionage.