China Hacks US Critical Networks in Guam, Raising Cyberwar Fears
While state-sponsored hackers working on behalf of Russia, Iran, and North Korea have for years wreaked havoc with disruptive cyberattacks across the globe, China’s military and intelligence hackers have largely maintained a reputation for restricting their intrusions to espionage. But when those cyberspies breach critical infrastructure in the United States, and specifically a U.S. territory on China’s doorstep, spying, conflict contingency planning, and cyberwar escalation all start to look dangerously similar.
On Wednesday, Microsoft revealed in a blog post that it has been tracking a group it believes to be Chinese state-sponsored hackers who, since 2021, have been carrying out a broad hacking campaign against critical infrastructure systems in the United States and Guam, including communications, manufacturing, utilities, construction, and transportation.
The intentions of the group, which Microsoft has dubbed Volt Typhoon, may simply be espionage, since it does not appear to be using its access to those critical networks to carry out data destruction or other offensive attacks. But Microsoft warned that the nature of the group’s targeting, including a Pacific territory that could play a key role in a military or diplomatic conflict with China, could still enable that kind of disruption.
“Observed behavior suggests that the threat actor intends to perform espionage and maintain access without being detected for as long as possible,” the company’s blog post reads. But it paired that statement with an assessment, made with “moderate confidence,” that the hackers were “pursuing development of capabilities that could disrupt critical communications infrastructure between the United States and Asia during future crises.”
Google-owned cybersecurity firm Mandiant said it has also tracked a series of intrusions by the group and issued a similar warning about its focus on critical infrastructure. “That made us question whether they were there because the targets are critical,” said John Hultquist, head of threat intelligence at Mandiant. “Our concern is that the focus on critical infrastructure is preparation for a potentially disruptive or destructive attack.”
Microsoft’s blog post provides technical details on the hackers’ intrusions that can help network defenders spot and evict them. For example, the group uses compromised routers, firewalls, and other network “edge” devices as proxies to launch its attacks, including devices sold by hardware makers ASUS, Cisco, D-Link, Netgear, and Zyxel. The group also frequently operates through the access granted by legitimate users’ compromised accounts rather than deploying its own malware, so that its activity is harder to detect because it looks like normal account use.
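As an added illustration, not code from Microsoft’s post or from the original article, here is one way a defender could turn those two observations into a check over authentication logs: flag successful logins that arrive from address blocks attributed to edge-device proxies, from a network the account has never used before, or from a single source that several accounts share (one relay serving many stolen credentials). The log format, the proxy address blocks (RFC 5737 documentation ranges), and the account names are all constructed for the example; a real deployment would populate the block list from threat intelligence and the baseline from a trusted history window.

```python
"""Flag logins made with valid credentials that arrive through untrusted edge-device
proxies or from a network the account has never used (constructed sample data)."""
import ipaddress
import re
from collections import defaultdict

# Hypothetical: blocks a defender has attributed to SOHO routers/firewalls being used
# as relays. RFC 5737 documentation ranges are used so nothing real is implicated.
EDGE_PROXY_NETS = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.0/24")]

# Constructed log format: one authentication event per line.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>ok|fail)$"
)


def parse(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["src"] = ipaddress.ip_address(ev["src"])
    return ev


def source_net(ip):
    """Aggregate to /24 so DHCP churn inside one office network is not an anomaly."""
    return ipaddress.ip_network(f"{ip}/24", strict=False)


def in_edge_proxy_range(ip):
    return any(ip in net for net in EDGE_PROXY_NETS)


def build_baseline(lines):
    """Networks each account logged in from successfully during a trusted period."""
    seen = defaultdict(set)
    for ev in filter(None, map(parse, lines)):
        if ev["result"] == "ok":
            seen[ev["user"]].add(source_net(ev["src"]))
    return seen


def find_suspicious(lines, baseline):
    """Return (ts, user, src, reasons) for successful logins that look like
    valid-credential abuse through a proxy. Failed logins are ignored: the
    technique being detected relies on credentials that actually work."""
    events = [ev for ev in map(parse, lines) if ev and ev["result"] == "ok"]
    # One relay carrying several accounts is the fan-out pattern to watch for.
    users_per_src = defaultdict(set)
    for ev in events:
        users_per_src[ev["src"]].add(ev["user"])
    alerts = []
    for ev in events:
        reasons = []
        if in_edge_proxy_range(ev["src"]):
            reasons.append("source in edge-device proxy range")
        if source_net(ev["src"]) not in baseline.get(ev["user"], set()):
            reasons.append("new source network for this account")
        shared = len(users_per_src[ev["src"]])
        if shared > 1:
            reasons.append(f"source shared by {shared} accounts")
        if reasons:
            alerts.append((ev["ts"], ev["user"], str(ev["src"]), reasons))
    return alerts


# Constructed sample data: a trusted baseline window, then a review window.
BASELINE_LOGS = [
    "2023-05-01T08:00:00Z user=alice src=10.20.0.15 result=ok",
    "2023-05-01T08:05:00Z user=bob src=10.20.1.40 result=ok",
    "2023-05-02T09:00:00Z user=alice src=10.20.0.22 result=ok",
]
REVIEW_LOGS = [
    "2023-05-20T02:10:00Z user=alice src=10.20.0.15 result=ok",     # normal
    "2023-05-20T02:14:00Z user=alice src=198.51.100.7 result=ok",   # proxy range, new net
    "2023-05-20T02:15:00Z user=bob src=198.51.100.7 result=ok",     # same relay, second account
    "2023-05-20T02:40:00Z user=bob src=192.0.2.9 result=ok",        # new net only
    "2023-05-20T02:41:00Z user=carol src=203.0.113.3 result=fail",  # ignored: no valid creds
]

if __name__ == "__main__":
    for alert in find_suspicious(REVIEW_LOGS, build_baseline(BASELINE_LOGS)):
        print(*alert)
```

The /24 aggregation and the "ignore failures" rule are deliberate trade-offs: the first keeps ordinary address churn out of the alert stream, the second keeps the check focused on the case the page describes, where the credentials are real and only the path they arrive over is wrong. The three reasons are reported together so an analyst can rank a login that trips all of them above one that only changed networks.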
Blending into a target’s normal network traffic to avoid detection is a hallmark of Volt Typhoon, and of the approach other Chinese actors have taken in recent years, said Marc Burnard, senior consultant for information security research at Secureworks. Like Microsoft and Mandiant, Secureworks has monitored the group and observed its campaigns. He added that the group has shown a “relentless focus on adaptation” in pursuing its espionage.