A state-sponsored Chinese hacking group called Volt Typhoon penetrated critical U.S. computer networks throughout the continental U.S. and Guam. The group was reportedly able to steal sensitive electronic credentials and data while remaining largely undetectable.
Microsoft announced in a blog post on Wednesday that Volt Typhoon has been active since at least 2021. Espionage and information gathering are among its primary missions.
The company noted that it believed the hackers are developing “capabilities that could disrupt critical communications infrastructure between the United States and the Asia region during future crises.”
The hackers reportedly stayed near-undetectable by using compromised internet gateway devices, including routers manufactured by ASUS, Cisco, D-Link, NETGEAR, and Zyxel.
“Owners of network edge devices should ensure that management interfaces are not exposed to the public internet in order to reduce their attack surface. By proxying through these devices, Volt Typhoon enhances the stealth of their operations and lowers overhead costs for acquiring infrastructure,” Microsoft stated.
Volt Typhoon exploited internet-facing Fortinet FortiGuard devices to break into the targeted networks, obtaining credentials to a network’s Active Directory.
Wired reported that the Google-owned cybersecurity firm Mandiant had also tracked intrusions by Volt Typhoon that targeted critical infrastructure.
“There’s not a clear connection to intellectual property or policy information that we expect from an espionage operation,” John Hultquist, who heads threat intelligence at Mandiant, told Wired. “That leads us to question whether they’re there because the targets are critical. Our concern is that the focus on critical infrastructure is preparation for potential disruptive or destructive attack.”
U.S., Allied Intelligence Agencies Publish Alert
U.S. and allied nations in the Five Eyes intelligence-sharing alliance published an advisory about Chinese hacking activities in a joint press release on Wednesday. The involved agencies included:
- US Cybersecurity and Infrastructure Security Agency (CISA)
- US Federal Bureau of Investigation (FBI)
- Australian Cyber Security Centre (ACSC)
- Canadian Centre for Cyber Security (CCCS)
- New Zealand National Cyber Security Centre (NCSC-NZ)
- United Kingdom National Cyber Security Centre (NCSC-UK)
CISA Director Jen Easterly noted that Chinese hackers have used highly sophisticated means to target U.S. critical infrastructure.
“[W]e must recognize the agility and capability of PRC cyber actors, and continue to focus on strong cybersecurity practices like network segmentation and ongoing investments in promoting the resilience of critical functions under all conditions,” Easterly stated. “As our nation’s cyber defense agency, CISA stands ready to aid any organization affected and we encourage all organizations to visit our webpage for guidance and resources to make their networks more resilient.”
The Canadian Centre for Cyber Security noted that the hackers exploit tools already built into their target systems to evade detection. They are thus able to blend into normal Windows systems and network activities.
“Many of the behavioral indicators included can also be legitimate system administration commands that appear in benign activity. Care should be taken not to assume that findings are malicious without further investigation or other indications of compromise,” the agencies stated in their joint advisory.
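The caveat in the advisory is the hard part of detecting living-off-the-land activity: the built-in tools are the same ones administrators use, so a match on the tool alone cannot be a verdict. The script below is an added illustration, not code from the article or from any of the agencies; it triages constructed process-creation records (fields loosely modelled on Windows event 4688) and only raises a finding to "investigate" when a watched built-in tool appears together with corroborating context, here an unexpected account or an unexpected parent process. The tool list, the allowlisted accounts and the expected parent processes are all assumptions made for the example and would be replaced by an organisation's own baseline.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class ProcEvent:
    """One process-creation record (fields loosely modelled on Windows event 4688)."""
    host: str
    user: str
    parent: str
    cmdline: str


# Built-in Windows tools that administrators run every day. A hit here is a
# behavioural indicator, never a verdict on its own. (Illustrative list chosen
# for this example, not a list from the article or the advisory.)
LOL_TOOL = re.compile(r"\b(wmic|netsh|powershell)(\.exe)?\b", re.I)

# Site-specific baseline: accounts and parent processes that are expected to
# launch these tools. Both sets are constructed for this example.
EXPECTED_ADMIN_ACCOUNTS = {"corp\\helpdesk", "corp\\svc-config"}
EXPECTED_PARENTS = {"mmc.exe", "explorer.exe", "services.exe"}


def triage(ev: ProcEvent) -> Optional[dict]:
    """Return a finding for a watched tool, or None if the event is not of interest.

    The verdict is "expected-admin" when the tool runs from a baselined account
    and parent, and "investigate" only when at least one piece of corroborating
    context is present. Either way the analyst sees why.
    """
    m = LOL_TOOL.search(ev.cmdline)
    if not m:
        return None  # not a watched built-in tool; nothing to record
    corroboration = []
    if ev.user.lower() not in EXPECTED_ADMIN_ACCOUNTS:
        corroboration.append("account is not an expected admin account")
    if ev.parent.lower() not in EXPECTED_PARENTS:
        corroboration.append(f"unexpected parent process {ev.parent}")
    return {
        "host": ev.host,
        "tool": m.group(1).lower(),
        "verdict": "investigate" if corroboration else "expected-admin",
        "corroboration": corroboration,
    }


def triage_all(events) -> list:
    """Triage a batch of events, keeping only the ones that involve a watched tool."""
    return [f for f in (triage(e) for e in events) if f is not None]


# Constructed sample events: a helpdesk query from the management console (benign),
# a firewall query spawned by a web-server worker under a user account (worth a
# look), and an unrelated process that should produce no finding at all.
SAMPLE_EVENTS = [
    ProcEvent("ws-0142", "CORP\\helpdesk", "mmc.exe",
              "wmic computersystem get domain"),
    ProcEvent("web-03", "CORP\\jdoe", "w3wp.exe",
              "netsh.exe advfirewall show allprofiles"),
    ProcEvent("ws-0142", "CORP\\helpdesk", "explorer.exe",
              "notepad.exe C:\\notes.txt"),
]

if __name__ == "__main__":
    for finding in triage_all(SAMPLE_EVENTS):
        print(finding)
```

The point of returning the corroboration list rather than a bare boolean is that it keeps the decision reviewable: the same `netsh` command line is filed as expected administration on one host and as something to investigate on another, and the analyst can see which baseline assumption made the difference.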
China’s Foreign Ministry denied that any intrusions were made. It instead deflected by focusing on hacking by the U.S. against China.
“We have taken note of the report. I would like to say that it is a report that has been patched together with a lack of evidence,” a spokeswoman for the Chinese Foreign Ministry said.
The Chinese government reported similar hacking activities conducted by the CIA against its computer systems earlier this month.
Chinese hacking has been a pervasive problem for the U.S. for many years, and Chinese hackers have stolen sensitive technology from the U.S. on countless occasions. This included stealing the technology used in the F-35 to produce the Chinese knockoff Shenyang F-31 fighter jet.
John Rossomando was a senior analyst for Defense Policy and served as Senior Analyst for Counterterrorism at The Investigative Project on Terrorism for eight years. His work has been featured in numerous publications such as The American Thinker, The National Interest, National Review Online, Daily Wire, Red Alert Politics, CNSNews.com, The Daily Caller, Human Events, Newsmax, The American Spectator, TownHall.com, and Crisis Magazine. He also served as senior managing editor of The Bulletin, a 100,000-circulation daily newspaper in Philadelphia, and received the Pennsylvania Associated Press Managing Editors first-place award for his reporting.