The Limited Times

US accuses China of being behind a major cyberattack

2023-05-25T05:50:09.597Z

Highlights: The Volt Typhoon group is said to discreetly penetrate the network architectures of critical sectors such as transport or public services. According to Western security agencies, these attacks use the so-called "Living off the Land" (LotL) tactic. The campaign risks "disrupting critical communications infrastructure between the United States and the Asian region in future crises," Microsoft warned. Beijing regularly denies carrying out or sponsoring cyberattacks, and in return accuses the U.S. of cyberespionage.


The Volt Typhoon group is said to discreetly penetrate the network architectures of critical sectors such as transport or public services


The United States and four of its Western allies on Wednesday accused a Chinese-sponsored "cyber actor" of quietly infiltrating American "critical infrastructure." They also warned that similar campaigns could take place around the world.

In a joint notice, cybersecurity authorities in the United States, Canada, the United Kingdom, Australia and New Zealand warned of a malicious "cluster of activities" associated with "a state-sponsored cyber actor of the People's Republic of China, also known as Volt Typhoon." "This activity affects the networks of critical infrastructure sectors in the United States" and the entity carrying out the attack "could apply the same techniques (...) all over the world," add the administrations of these countries, whose intelligence services are bound by an agreement that earned them the nickname Five Eyes.

In a separate statement, Microsoft said Volt Typhoon has been active since mid-2021 and has targeted, among other things, critical infrastructure on the island of Guam, which hosts a major US military base in the Pacific Ocean. The campaign risks "disrupting critical communications infrastructure between the United States and the Asian region in future crises," Microsoft warned.

"Living off the land", a stealth hacking technique

The campaign targets "the communications, industrial, utilities, transportation, construction, marine, government, information technology and education sectors," the U.S. technology group said. According to the company, "the observed behavior suggests that the threat actor intends to engage in espionage and maintain access (to infrastructure) without being detected for as long as possible."

According to Western security agencies, these attacks use the so-called "Living off the Land" (LotL) tactic, whereby the attacker uses the features and tools of the targeted system itself to get inside without leaving a trace. In particular, the attacker can use legitimate administrative tools to enter the system and insert malicious scripts or code. This type of intrusion is much more effective than those that rely on malware, which is more easily detected.

According to Microsoft, Volt Typhoon tries to blend into normal network activity by routing traffic through infected network equipment belonging to small businesses and remote workers, including routers, firewalls, and virtual private networks (VPNs). "They have also been observed using custom versions of open-source tools," Microsoft said.

Make the attack public to better prepare for it

The director of the US Cybersecurity and Infrastructure Security Agency, Jen Easterly, also issued a warning against Volt Typhoon. "For years, China has been conducting operations around the world to steal intellectual property and sensitive data from critical infrastructure organizations," she said. "The advisory issued today, in collaboration with our U.S. and international partners, shows that China is using very sophisticated means to target our country's critical infrastructure," she said. According to her, this notice "will allow network defenders to better understand how to detect and mitigate this malicious activity."

China did not immediately respond to the allegations. Beijing regularly denies carrying out or sponsoring cyberattacks, and in return accuses the United States of cyberespionage against it.

China and Russia have long targeted critical infrastructure, but Volt Typhoon has shed light on the modus operandi of Chinese hacking, said John Hultquist, an analyst at U.S. cybersecurity firm Mandiant. "China's cyber threat actors are unique among their peers in that they do not regularly resort to destructive and disruptive cyberattacks," he said. According to him, the disclosure by Western countries of the actions of Volt Typhoon "is a rare opportunity to investigate and prepare for this threat".

Source: leparis
