State-sponsored Chinese hacking group known as ‘Volt Typhoon’ has been spying on critical infrastructure in the US
The ‘Five Eyes’ intelligence agencies, as well as tech giant Microsoft, have warned that critical infrastructure in the US is being spied upon by state sponsored Chinese hackers.
The allegations that the Chinese hacking group, codenamed “Volt Typhoon,” has operated since mid-2021, was made in a blog posting by Microsoft, as well as a security advisory from the US National Security Agency, alongside other Western intelligence agencies in the UK, Canada, Australia and New Zealand (the Five Eyes intelligence sharing group).
China has responded and said the allegations were a “collective disinformation campaign” from the Five Eyes countries.
“The United States and international cybersecurity authorities are issuing this joint Cybersecurity Advisory (CSA) to highlight a recently discovered cluster of activity of interest associated with a People’s Republic of China (PRC) state-sponsored cyber actor, also known as Volt Typhoon,” said the NSA.
“Private sector partners have identified that this activity affects networks across US critical infrastructure sectors, and the authoring agencies believe the actor could apply the same techniques against these and other sectors worldwide,” the US intelligence agency added.
The advisory stems from the US National Security Agency (NSA), the US Cybersecurity and Infrastructure Security Agency (CISA), the US Federal Bureau of Investigation (FBI), the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC), the Communications Security Establishment’s Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NCSC-NZ), and the United Kingdom National Cyber Security Centre (NCSC).
According to the advisory, one of the actor’s primary tactics, techniques, and procedures (TTPs) is living off the land, which uses built-in network administration tools to perform their objectives.
This TTP allows the actor to evade detection by blending in with normal Windows system and network activities, avoid endpoint detection and response (EDR) products that would alert on the introduction of third-party applications to the host, and limit the amount of activity that is captured in default logging configurations.
Meanwhile Microsoft in its separate blog post noted that Volt Typhoon had been active since mid-2021 and had targeted critical infrastructure in Guam, a crucial US military outpost in the Pacific Ocean that would be key to responding to any conflict in the Asia-Pacific region.
“Microsoft assesses with moderate confidence that this Volt Typhoon campaign is pursuing development of capabilities that could disrupt critical communications infrastructure between the United States and Asia region during future crises,” the software giant warned.
Microsoft said that observed behaviour of Volt Typhoon suggests that the threat actor intends to perform espionage and maintain access without being detected for as long as possible.
But Beijing has hit back at the allegations and blamed the accusations on the current geopolitical tensions between the West and China.
Chinese foreign ministry spokesperson Mao Ning was quoted by Reuters as saying on Thursday the hacking allegations were a “collective disinformation campaign” from the Five Eyes countries.
Mao said the campaign was launched by the US for geopolitical reasons and that the report from Microsoft analysts showed that the US government was expanding its channels of disinformation beyond government agencies.
“But no matter what varied methods are used, none of this can change the fact that the United States is the empire of hacking,” she reportedly told a regular press briefing in Beijing.
The US regards critical infrastructure as off limits, ever since US President Joe Biden raised the issue with Vladimir Putin in a June 2021 face-to-face meeting, before the Ukraine invasion in February 2022.
Biden and Putin spent much of that face-to-face meeting talking about cybersecurity issues, with Biden warning Putin of ‘retaliation’ and an ‘aggressive response’ if Russia attacks a list of 16 ‘critical’ industries in America.
Then in July 2021 President Biden underscored the issue of cyberattacks, when he admitted they could cause a ‘real shooting war’ with a ‘major power’.
Ever since 2011 the United States said it reserved the right to retaliate with military force against a cyberattack from a hostile state.
The rare warning of an active Chinese spying operation has prompted a reaction from a number of cyber security specialists.
Sylvain Cortes, VP strategy at cybersecurity services specialist Hackuity for example noted that threat actors such as Volt Typhoon thrive on exploiting zero-day vulnerabilities due to the lack of knowledge around them.
“Persistent threat actors such as ‘Volt Typhoon’, which have been acting against critical national infrastructure since 2021 according to Microsoft, thrive on the exploitation of zero-day vulnerabilities and the lack of knowledge around them,” said Cortes.
“There are a variety of reasons for nation-state driven attacks such as ‘Volt Typhoon’, but mainly their attacks are designed to cause minimum noise and maximum disruption, until it’s too late and an attack is fully underway,” said Cortes.
“To maximise preventative measures, organisations must develop a routine of vulnerability scanning to stay one step ahead of attackers,” Cortes advised. “What’s more, running standard audits of your internal system to locate critical access points in a timely manner will increase your chances of spotting unusual activity amongst your users.”
Meanwhile Simon Chassar, CRO at Claroty, a cybersecurity company that protects industrial control networks from cyberattacks, has warned that protecting critical industries poses a unique challenge.
“Microsoft’s recent announcement about Chinese hacking group Volt Typhoon, underscores the growing concern over cyber threats to critical infrastructure,” said Chassar. “This issue demands immediate action from organisations and governments to safeguard our society.”
“Protecting these environments poses a unique challenge, requiring in-depth expertise in the protocols and networks specific to these systems, which traditional IT cyber tools and threat monitoring lack,” said Chassar. “These tools rely on signature-based threat alerts like Yara and Snort, providing limited information on assets and anomaly detection.”
“To address this, specialised OT and ICS cyber technology vendors are crucial, possessing the ability to identify assets, understand known exploits, and monitor anomaly behaviours through issuing actionable alerts during intrusions,” said Chassar.
“Implementing network policy segmentation is vital in preventing wider impacts and aiding containment through proactive defence strategies,” Chassar concluded. “This allows critical infrastructure organisations to continue operations whilst quickly addressing malicious activities through specialised OT Cyber toolsets and playbooks. By adopting these measures, organisations and governments can ensure the safety and uninterrupted operations of vital systems.”