The “Volt Typhoon” campaign is focused on gathering intelligence and espionage, according to Microsoft
A Microsoft report shows that utilities are among the organizations affected by the Chinese hacking campaign
25 MAY 2023 — Yesterday, Microsoft warned that a state-sponsored Chinese hacking group has compromised “critical” infrastructure in the US in order to disrupt communications between the country and Asia in the event of a crisis. Microsoft said it had notified targeted or compromised customers and urged them to close or secure their accounts. The U.S. and international cyber security authorities also issued a joint advisory about Volt Typhoon, warning of Chinese state-sponsored cyber threats.
In a rare announcement about a systems breach, the U.S. technology group said the hackers, codenamed “Volt Typhoon”, have operated since mid-2021. They have been able to infiltrate organisations across industries by exploiting vulnerabilities in a popular cyber security platform called FortiGuard, Microsoft said:
“In this campaign, the affected organisations span the communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education sectors. The hacking group’s actions had focused on gathering intelligence and espionage, rather than causing immediate disruption. Microsoft assesses with moderate confidence that this Volt Typhoon campaign is pursuing development of capabilities that could disrupt critical communications infrastructure between the United States and Asia region during future crises”.
I asked cybersecurity expert Steve King for his thoughts; he is someone I consult on all matters cybersecurity because of his 20+ years in senior leadership roles in cybersecurity and technology development. As always, Steve puts things in perspective, taking a “Big Picture” view. In part of our conversation he said:
“I think you need to understand that the industrial security threat environment suffered a significant transformation after 2020, and attacks with physical consequences are now increasing exponentially. OT security [operational technology security] is a high-priority challenge for organizations of every size, but is essential to be addressed in light of the shifted focus toward physical infrastructure. Which attack would have the most leverage in a Ransomware negotiation? For security solution vendors, the window is closing. It is now time to integrate a complete OT managed service offering that includes a SIEM, SOC and SOAR function, Intel, collecting telemetry at ground zero, leveraging LLMs and all designed around a Zero Trust model of execution, and go to market.
And for end users, it is past time to prepare for that first OT Ransomware attack by adopting the principles of Zero Trust and the leverage found in generative AI, presenting them in a way that makes it easier to detect an incoming attack and far more difficult for the bad guys to pull off a successful breach. If some of us haven’t seen what pre-conflict escalation looks like, we’re putting on quite a show right now”.
NOTE TO READERS: next week I’ll publish a long interview with Steve and we’ll get into the pipes and tubes and wires and concepts of cybersecurity. He’ll help you understand the vernacular of “OT security” and “SIEM” and “SOC” and “SOAR” and “Zero Trust” – terms that might be unfamiliar to many of my readers. Steve is the master of all of this.
To no one’s surprise, this morning the Chinese foreign ministry hit back at the allegations, saying they “lacked evidence” and accused the US of being a “hacker empire”. They added that “the involvement of certain companies” in the warning “shows that the US is expanding channels for disseminating false information”.
Rob Joyce, cyber security director of the US National Security Agency, said:
“A PRC state-sponsored actor is living off the land, using built-in network tools to evade our defences and leaving no trace behind. That makes it imperative for us to work together to find and remove the actor from our critical networks.”
“Living off the land” refers to cyber attacks that use legitimate tools already installed in a person’s devices to carry out a hack, making it far more difficult to detect than traditional malware attacks that typically require a victim to download files. John Hultquist, chief analyst at Mandiant Intelligence – a cyber defence service owned by Google – said the Volt Typhoon hack was “aggressive and potentially dangerous”. In a statement he said:
“Chinese cyberthreat actors are unique among their peers in that they have not regularly resorted to destructive and disruptive cyber attacks. As a result, their capability is quite opaque. This disclosure is a rare opportunity to investigate and prepare for this threat.”
It would be a good idea to read Microsoft’s blog post because it offers technical details of the hackers’ intrusions that may help network defenders spot and evict them: The group, for instance, uses hacked routers, firewalls, and other network “edge” devices as proxies to launch its hacking – targeting devices that include those sold by hardware makers ASUS, Cisco, D-Link, Netgear, and Zyxel. The group also often exploits the access provided from compromised accounts of legitimate users rather than its own malware to make its activity harder to detect by appearing to be benign.
It is a brilliant tactic: blending in with a target’s regular network traffic in an attempt to evade detection is a hallmark of Volt Typhoon and other Chinese actors’ approach in recent years. Secureworks (like Microsoft and Mandiant it has been tracking the group and observing the campaigns) noted in a blog post that this group has demonstrated a “relentless focus on adaption” to pursue its espionage.
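Because living-off-the-land activity uses tools that are already legitimately present, there is no malicious file to signature; what defenders can look for instead is a built-in administration tool being used in a context that is new for that host. The following is an added illustration of that baselining idea, not code from Microsoft, Mandiant or Secureworks; the tool list, the parent-process rule and every log record are constructed for the example.

```python
"""Flagging living-off-the-land activity by deviation from a baseline.

Added illustration only. The tool names below are ordinary Windows
administration binaries chosen for the example, not a published
indicator set, and all events are constructed sample data.
"""
from collections import defaultdict

# Built-in tools an intruder can drive without dropping any malware (assumption).
BUILTIN_ADMIN_TOOLS = {"netsh.exe", "wmic.exe", "powershell.exe", "cmd.exe"}

# Parents that should not normally spawn an admin shell (example heuristic).
UNEXPECTED_PARENTS = {"w3wp.exe", "httpd", "nginx"}

# Constructed process-creation events: (host, user, parent_image, image, cmdline)
BASELINE_EVENTS = [
    ("SRV01", "CORP\\admin.jane", "explorer.exe", "powershell.exe", "Get-Service"),
    ("SRV01", "CORP\\admin.jane", "cmd.exe", "netsh.exe", "netsh interface show interface"),
    ("SRV01", "NT AUTHORITY\\SYSTEM", "services.exe", "cmd.exe", "cmd /c backup.bat"),
]
NEW_EVENTS = [
    ("SRV01", "CORP\\admin.jane", "explorer.exe", "powershell.exe", "Get-Process"),
    ("SRV01", "CORP\\svc.web", "w3wp.exe", "cmd.exe", "cmd /c dir"),
    ("SRV01", "CORP\\helpdesk.bob", "cmd.exe", "wmic.exe", "wmic process list brief"),
    ("SRV01", "CORP\\admin.jane", "cmd.exe", "notepad.exe", "notepad.exe"),
]


def build_baseline(events):
    """Map host -> set of (user, image) pairs seen during a known-good period."""
    seen = defaultdict(set)
    for host, user, _parent, image, _cmd in events:
        seen[host].add((user, image))
    return seen


def find_lotl_anomalies(events, baseline, tools=BUILTIN_ADMIN_TOOLS):
    """Return (host, user, image, reason) for built-in tools run by a user/tool
    pair never seen on that host, or spawned from an unexpected parent."""
    hits = []
    for host, user, parent, image, _cmd in events:
        if image not in tools:
            continue  # not a tool we care about; a signature would stop here too
        reasons = []
        if (user, image) not in baseline.get(host, set()):
            reasons.append("new user/tool pair for host")
        if parent in UNEXPECTED_PARENTS:
            reasons.append(f"spawned by {parent}")
        if reasons:
            hits.append((host, user, image, "; ".join(reasons)))
    return hits


def analyze(baseline_events=BASELINE_EVENTS, new_events=NEW_EVENTS):
    """Run the detection over the constructed sample data."""
    return find_lotl_anomalies(new_events, build_baseline(baseline_events))
```

The benign admin session and the non-tool process produce no alert, while the web-worker-spawned shell and the never-before-seen wmic use by a helpdesk account do; on real telemetry the baseline would be built from weeks of process-creation logs rather than three records.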
And going back to Steve King, he noted:
“Although it appears Chinese state-sponsored hackers have never launched a disruptive cyberattack against the United States — even over decades of data theft from U.S. systems — the country’s hackers have periodically been caught inside US critical infrastructure systems. As early as 2009, US intelligence officials warned that Chinese cyberspies had penetrated the US power grid to “map” the country’s infrastructure in preparation for a potential conflict”.
As I have noted in previous posts, and as was emphasised in the Mandiant report on this attack, drawing the lines between espionage, cyberattack preparation, and imminent cyberattack is a hard exercise with China, given the limited instances of the country pulling the trigger on a digitally disruptive event – even when it does have the access to cause one, as it may well have had in Volt Typhoon’s intrusions. China’s disruptive and destructive capabilities are extremely opaque. But here we have an indication that this is an actor with exactly that mission.