State-sponsored Chinese hackers have infiltrated critical US infrastructure networks, the United States, its Western allies and Microsoft said on Wednesday, warning that similar spying attacks could be taking place globally.
Microsoft singled out Guam, a US territory in the Pacific Ocean with a vital military outpost, as one of the targets, but said “malicious” activity was also detected in other parts of the United States.
He said the hacking, dubbed “Volt Typhoon”, began in mid-2021 and was likely aimed at harming the United States if there was conflict in the region.
“Microsoft assesses with moderate confidence that this Volt Typhoon campaign is pursuing the development of capabilities that could disrupt critical communications infrastructure between the United States and the Asia region during future crises,” the statement said.
“In this campaign, affected organizations span the communications, manufacturing, utilities, transportation, construction, maritime, government, information technology and education sectors.
“The observed behavior suggests that the threat actor intends to perform espionage and maintain access undetected for as long as possible.”
Microsoft’s statement coincided with a statement released by authorities in the US, Australia, Canada, New Zealand and the UK.
They said a “state-sponsored cyber actor” from China was behind Volt Typhoon and that the hacking was likely taking place globally.
“This activity affects networks in critical US infrastructure sectors, and the authoring agencies believe that the actor can apply the same techniques against these and other sectors around the world,” the statement said.
The United States and its allies said the activities involved “live off the land” tactics that take advantage of built-in networking tools to blend in with normal Windows systems.
He warned that the hack could embed legitimate system administration commands that appear “benign”.
-‘Highly sophisticated’- Microsoft said Volt Typhoon attempted to blend in with normal network activity, routing traffic through compromised small office and home office networking equipment, including routers, firewalls and VPN hardware.
“They have also been observed using custom versions of open source tools,” Microsoft said.
Microsoft and security agencies have released guidelines for organizations trying to detect and combat hacking.
The director of the US Agency for Cybersecurity and Infrastructure Jen Easterly also released a warning related to Volt Typhoon.
“For years, China has carried out operations around the world to steal intellectual property and sensitive data from critical infrastructure organizations around the world,” said Easterly.
“Today’s announcement, released jointly with our US and international partners, reflects how China is using highly sophisticated means to target our country’s critical infrastructure.
“This joint advisory will give network defenders more information on how to detect and mitigate this malicious activity.”
China did not immediately respond to the allegations. But he routinely denies carrying out state-sponsored cyber attacks.
China, for its part, regularly accuses the United States of cyber espionage.
While China and Russia have long targeted critical infrastructure, Volt Typhoon offered new insights into Chinese hacking, according to John Hultquist, chief analyst at US cybersecurity firm Mandiant.
“Chinese cyber threat actors are unique among their peers in that they don’t regularly resort to destructive and disruptive cyberattacks,” he said.
“As a result, its capability is quite opaque. This disclosure is a rare opportunity to investigate and prepare for this threat.”