While state-sponsored hackers working on behalf of Russia, Iran, and North Korea have for years wreaked havoc with disruptive cyberattacks around the world, China’s military and intelligence hackers have largely maintained a reputation for limiting their intrusions to espionage. But when those cyberspies breach critical infrastructure in the United States, and specifically a US territory on China’s doorstep, espionage, conflict contingency planning, and escalating cyberwarfare begin to look dangerously alike.
On Wednesday, Microsoft revealed in a blog post that it has tracked a group of what it believes to be Chinese state-sponsored hackers who since 2021 have carried out a broad hacking campaign targeting critical infrastructure systems in US states and Guam, including communications, manufacturing, utilities, construction, and transportation.
The intentions of the group, which Microsoft has dubbed Volt Typhoon, may simply be espionage, since it does not appear to have used its access to those critical networks to carry out data destruction or other offensive attacks. But Microsoft cautions that the nature of the group’s targets, not least in a Pacific territory that could play a key role in a military or diplomatic conflict with China, may still leave room for that kind of disruption.
“The observed behavior suggests that the threat actor intends to perform espionage and maintain access undetected for as long as possible,” the company’s blog post reads. But it pairs that statement with a “moderately confident” assessment that the hackers are “seeking to develop capabilities that could disrupt critical communications infrastructure between the United States and the Asia region during future crises.”
Google-owned cybersecurity firm Mandiant says it has also tracked a swath of the group’s intrusions and offers a similar warning about the group’s focus on critical infrastructure. “There is no clear connection to intellectual property or information on policies we expect from a spy operation,” says John Hultquist, who leads threat intelligence at Mandiant. “That leads us to question whether they are there because the goals are critical. Our concern is that the focus on critical infrastructure is preparation for a potential disruptive or destructive attack.”
Microsoft’s blog post offered technical details of the hackers’ intrusions that can help network defenders detect and evict them. The group, for example, routes its attacks through hacked routers, firewalls, and other network “edge” devices used as proxies, targeting devices including those sold by hardware makers ASUS, Cisco, D-Link, Netgear, and Zyxel. The group also often relies on the access provided by compromised legitimate user accounts rather than its own malware, so that its activity appears benign and is harder to detect.
Blending in with a target’s regular network traffic in an attempt to evade detection is a hallmark of the approach taken by Volt Typhoon and other Chinese groups in recent years, says Marc Burnard, senior information security research consultant at Secureworks. Like Microsoft and Mandiant, Secureworks has been tracking the group and its campaigns. Burnard added that the group has shown a “relentless focus on adaptation” in pursuing its espionage.
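The detection angle in the two paragraphs above, proxied logons through compromised edge devices and the use of valid accounts instead of malware, comes down to spotting legitimate credentials used from places they have never been used from. The following Python script is an added example, not code from Microsoft, Mandiant, Secureworks, or the article: it builds a per-account baseline of source /24 networks from a training window over constructed authentication records, then flags later successful logons from networks new to that account, and strengthens the alert when the same new source is shared by several accounts (the footprint a single compromised router used as a proxy would leave) or when the logon falls outside an assumed 06:00 to 20:00 UTC working window. The log format, the cutoff date, the working hours, and all IP addresses are assumptions; the addresses are drawn from documentation ranges.

```python
"""Baseline-and-deviation check for valid-account logons.

Added example (assumptions throughout): flags successful logons for a
known account that arrive from a /24 the account has never used in the
training window, and notes when one new source serves several accounts
or appears outside an assumed working-hours window.
"""
from collections import defaultdict
from datetime import datetime, timezone
import ipaddress

# Constructed sample records, not real logs: "<timestamp> <user> <src ip> <result>".
# Addresses are from RFC 5737 documentation ranges.
SAMPLE_EVENTS = """\
2023-04-01T08:02:11Z jdoe 203.0.113.10 success
2023-04-01T08:05:40Z jdoe 203.0.113.12 success
2023-04-02T09:11:02Z jdoe 203.0.113.15 success
2023-04-03T07:58:19Z asmith 198.51.100.20 success
2023-04-04T08:10:00Z asmith 198.51.100.21 success
2023-04-20T03:14:07Z jdoe 192.0.2.77 success
2023-04-20T03:20:31Z asmith 192.0.2.77 success
2023-04-21T02:45:12Z asmith 198.51.100.22 success
"""

# Assumed split between the training window and the window under review.
CUTOFF = datetime(2023, 4, 10, tzinfo=timezone.utc)
# Assumed working hours in UTC; anything outside is treated as off-hours.
WORK_HOURS = range(6, 20)


def parse_events(text):
    """Parse the constructed log format into dicts with a /24 source network."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "user": user,
            "ip": ip,
            # strict=False masks the host bits so 192.0.2.77/24 becomes 192.0.2.0/24
            "net": ipaddress.ip_network(f"{ip}/24", strict=False),
            "ok": result == "success",
        })
    return events


def build_baseline(events, cutoff):
    """Map each account to the set of /24 networks it logged on from before the cutoff."""
    baseline = defaultdict(set)
    for e in events:
        if e["ok"] and e["ts"] < cutoff:
            baseline[e["user"]].add(e["net"])
    return dict(baseline)


def find_anomalies(events, baseline, cutoff):
    """Return (user, ip, reasons) for post-cutoff successful logons from a new network."""
    recent = [e for e in events if e["ok"] and e["ts"] >= cutoff]

    # Count how many distinct accounts each previously unseen network is used for;
    # one source reaching several accounts is what a shared proxy device looks like.
    users_per_new_net = defaultdict(set)
    for e in recent:
        if e["net"] not in baseline.get(e["user"], set()):
            users_per_new_net[e["net"]].add(e["user"])

    alerts = []
    for e in recent:
        if e["net"] in baseline.get(e["user"], set()):
            continue  # known network for this account, nothing to flag
        reasons = ["new source network for account"]
        if len(users_per_new_net[e["net"]]) > 1:
            reasons.append("same new source used by multiple accounts")
        if e["ts"].hour not in WORK_HOURS:
            reasons.append("outside assumed working hours")
        alerts.append((e["user"], e["ip"], tuple(reasons)))
    return alerts


if __name__ == "__main__":
    evts = parse_events(SAMPLE_EVENTS)
    base = build_baseline(evts, CUTOFF)
    for user, ip, reasons in find_anomalies(evts, base, CUTOFF):
        print(f"{user} from {ip}: {'; '.join(reasons)}")
```

On the sample data the two logons from 192.0.2.77 are flagged for all three reasons, while asmith's later logon from 198.51.100.22 is not, because that /24 is already in the account's baseline. In a real deployment the baseline would be rebuilt on a rolling window and the shared-source check is the one worth weighting highest, since a new network alone will also fire on travel and VPN changes.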