What just happened? Microsoft and authorities from several countries have warned that a state-sponsored hacking group has been quietly infiltrating critical US infrastructure across a range of industries. Microsoft assesses with moderate confidence that the goal is to build the capability to disrupt communications between the United States and Asia in the event of a future crisis.
Microsoft said that the hackers, codenamed Volt Typhoon, have been in operation since mid-2021. The group gains initial access through internet-facing Fortinet FortiGuard devices, leverages whatever privileges the device holds, extracts the credentials of an Active Directory account used by the device, and then uses those credentials to authenticate to other systems on the network and move laterally.
“Volt Typhoon proxies all its network traffic to its targets through compromised SOHO network edge devices (including routers),” Microsoft wrote. “Microsoft has confirmed that many of the devices, which include those manufactured by ASUS, Cisco, D-Link, NETGEAR, and Zyxel, allow the owner to expose HTTP or SSH management interfaces to the Internet.”
Microsoft said the affected organizations include the communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education sectors.
“Observed behaviour suggests that the threat actor intends to perform espionage and maintain access without being detected for as long as possible,” Microsoft continued. The campaign achieves this by relying on living-off-the-land techniques, in which attackers use native, legitimate tools already present on the victim’s systems (command shells, built-in administration utilities) rather than dropping custom malware, so there is little for signature-based tooling to flag; and on hands-on-keyboard activity, where an operator issues commands interactively and adapts to what they find instead of running an automated, pre-scripted attack.
Microsoft added that Volt Typhoon had targeted critical infrastructure in Guam, the location of a crucial US military outpost in the Pacific Ocean, and a key strategic point for the United States in the event of a Chinese invasion of Taiwan.
Microsoft said it has notified targeted or compromised customers and provided guidance on identifying the activity. It urged those affected to close any compromised accounts or change their credentials.
It wasn’t just Microsoft that issued a warning. Authorities in the US, Australia, Canada, New Zealand, and the UK, which make up the Five Eyes intelligence network, released a statement that read: “The United States and international cybersecurity authorities are issuing this joint Cybersecurity Advisory (CSA) to highlight a recently discovered cluster of activity of interest associated with a People’s Republic of China (PRC) state-sponsored cyber actor, also known as Volt Typhoon.”
The Chinese foreign ministry rejected the allegations, saying they “lacked evidence.” It reiterated the accusation it made earlier this month that the US is a “hacker empire” and said the involvement of certain companies in the warning (Microsoft) “shows that the US is expanding channels for disseminating false information.”
While tensions between the two countries have been ramping up in recent times, China and the US have a long history when it comes to hacking. In 2015, then-President Obama and Chinese President Xi Jinping announced that they had come to an agreement that “neither country’s government will conduct or knowingly support cyber-enabled theft of intellectual property.” But attacks on US companies by Chinese government-backed hackers were reported just a few weeks later.
One of the biggest hacks the US has blamed on China in recent times was the mass exploitation of Microsoft Exchange Server flaws in 2021. And in February last year, Federal Bureau of Investigation director Christopher Wray said that China is responsible for more cyberattacks on the US than every other country combined.