Trey Paul, FISM News
Officials with Western intelligence agencies and Microsoft revealed on Wednesday that Chinese government-backed hackers have been spying on an extensive number of critical U.S. infrastructure networks and organizations including transportation hubs.
In this recent blog post, Microsoft analysts warned they had “moderate confidence” that the Chinese hackers are working on gaining capabilities that may be utilized to “disrupt critical communications” between North America and the Asia Pacific region when there’s another crisis involving the U.S. and China.
“It means they are preparing for that possibility,” said John Hultquist, who’s in charge of threat analysis at Google’s Mandiant Intelligence. He added that this Chinese group, which Microsoft is calling “Volt Typhoon,” is worrisome because analysts don’t know what the group is capable of right now.
“There is greater interest in this actor because of the geopolitical situation,” Hultquist said.
Microsoft analysts also say the U.S. Island territory of Guam, where important American military bases are located, is being targeted. They added that “mitigating this attack could be challenging.”
The American military bases on Guam would be vital in responding to any conflict in the Asia-Pacific region. Guam is also the home of a major communications hub that connects Asia and Australia to the United States by multiple submarine cables.
Bart Hoggeveen, a senior analyst at the Australian Strategic Policy Institute who specializes in state-sponsored cyber-attacks in the region, said those very submarine cables made Guam “a logical target for the Chinese government” to seek intelligence. “There is high vulnerability when cables land on shore,” he added.
Microsoft maintains that “Volt Typhoon” has been active since mid-2021 and that the affected organizations “span the communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education sectors.”
Analysts say observed behavior suggests that the threat actor intends to “perform espionage and maintain access without being detected for as long as possible.”
“To achieve their objective, the threat actor puts strong emphasis on stealth in this campaign, relying almost exclusively on living-off-the-land techniques and hands-on-keyboard activity,” the Microsoft blog post reads.
They issue commands via the command line to (1) collect data, including credentials from local and network systems, (2) put the data into an archive file to stage it for exfiltration, and then (3) use the stolen valid credentials to maintain persistence. In addition, Volt Typhoon tries to blend into normal network activity by routing traffic through compromised small office and home office (SOHO) network equipment, including routers, firewalls, and VPN hardware. They have also been observed using custom versions of open-source tools to establish a command and control (C2) channel over proxy to further stay under the radar.
CHINA DENIES SPYING
Meanwhile, the Chinese government is rejecting claims that its spies are penetrating Western Infrastructure and are calling the joint warning issued by the United States and its allies a “collective disinformation campaign.”
Chinese foreign ministry spokesperson Mao Ning claimed that Washington is guilty of hacking. “The United States is the empire of hacking,” Mao added. She also claimed the U.S. is “expanding new channels to spread disinformation” and that “this is not the first time, and it will not be the last.”
Back in February, FISM News reported that U.S. officials recovered a Chinese spy balloon that went down off the coast of South Carolina.
Many believe China successfully gathered U.S. military and technological information through the balloon. NBC News reported the balloon was able to gather intelligence from several U.S. military sites and transmit it back to Beijing in real-time, despite the Biden administration’s efforts to prevent it from doing so.