Microsoft and U.S. intelligence agencies said on Wednesday that they have discovered a stealthy Chinese-linked hacking group targeting critical infrastructure entities in the United States and Guam, an operation that researchers at Microsoft assess could lay the groundwork for disrupting communications between the United States and Asia in the event of a crisis.
Guam plays host to a number of key military bases that in the event of a conflict between the United States and China — as in the event of a Chinese invasion of Taiwan — would serve as a hub for U.S. forces in the Pacific. Microsoft researchers assess “with moderate confidence” that the hacking campaign “is pursuing development of capabilities that could disrupt critical communications infrastructure between the United States and Asia region during future crises.”
Active since mid-2021 and dubbed “Volt Typhoon” by Microsoft, the state-sponsored hacking group appears to have a wide remit, targeting organizations in the communications, manufacturing, utility, transportation, construction, maritime, government, IT and education industries. The activity was detailed in an advisory by U.S. and allied cybersecurity agencies and a Microsoft blog post published Wednesday.
The disclosure of Chinese hacking activity comes at a time of heightened tension between the United States and China but a moment when policymakers in Beijing and Washington are attempting to restart dialogue. And experts caution that intrusions, which may be carried out in preparation for future operations, should not be conflated with preparation for destructive attacks on critical infrastructure.
“States conduct long-term intrusions into critical infrastructure to prepare for possible conflict, because it may simply be too late to gain access when conflict arises,” said John Hultquist, the chief analyst at Mandiant Intelligence at Google Cloud, noting that “preparation does not mean that attacks are inevitable.”
Volt Typhoon appears to place an emphasis on stealth, relying on multiple techniques to hide its presence on targeted machines. The group relies on a suite of techniques known as “living off the land,” which involves obscuring malicious activity by using tools and commands that are already present on targeted computers. Microsoft’s report notes that the group rarely uses malware following initial access and instead uses ordinary network administration tools to exfiltrate data.
The hackers appear to typically compromise systems by using valid credentials and then searching for additional passwords and credentials to gain further access. To stay undetected, the hackers will often proxy their traffic through compromised networking devices, including home and office routers, according to Microsoft.
By bouncing their traffic via these infected — and ordinary appearing — devices, the hackers are more difficult to detect, and by relying on tools already on infected devices — rather than malicious software — the attackers can more easily avoid modern end-point detection software. The hackers appear to focus mainly on information collection while maintaining access to key sites, Microsoft notes.
“Today’s advisory highlights China’s continued use of sophisticated means to target our nation’s critical infrastructure, and it gives network defenders important insights into how to detect and mitigate this malicious activity,” Jen Easterly, the director of the Cybersecurity and Infrastructure Security Agency, said in a statement.
Wednesday’s advisory is a joint product from CISA, the National Security Agency, the Cybersecurity and Infrastructure Security Agency, the FBI, the Australian Signals Directorate’s Australian Cyber Security Center, the Communications Security Establishment’s Canadian Center for Cyber Security, the New Zealand National Cyber Security Centre, and the United Kingdom’s National Cyber Security Centre.
The warning comes as the Biden administration is pressuring critical infrastructure owners and operators to increase their security investments and is working to write mandatory cybersecurity regulations for sectors that have been operating under voluntary guidelines.
China has long been a key concern among defenders of critical infrastructure. Shortly after the Colonial Pipeline ransomware attack in 2021, for example, CISA and the FBI revised a near-decade old alert on Chinese intrusions targeting gas pipelines from 2011 to 2013 adding technical indicators to make such activity more easy to detect.
Wednesday’s disclosure is the latest example of the U.S. government more aggressively disclosing data about Chinese hacking activity, which, in theory, should make such operations easier to stop in the future.
Marc Burnard, a senior security researcher Secureworks who studies Chinese hacking activity, noted that the hacking group observed in Guam, has a “consistent focus on operational security, including a minimal intrusion footprint, defense evasion techniques, and use of compromised infrastructure.”
Securworks tracks the hacking group as “Bronze Silhouette,” which Burnard describes as unusually focused on remaining undetected. “Think of a spy going undercover, their goal is to blend in and go unnoticed,” Burnard said. “This is exactly what Bronze Silhouette does by mimicking usual network activity.”
Just as Russia has used its formidable capability in cyberspace to target critical infrastructure, so too has China developed a cadre of hackers capable of targeting such systems. But relative to Russia, China has exercised a measure of restraint in cyberspace.
“Chinese cyberthreat actors are unique among their peers in that they have not regularly resorted to destructive and disruptive cyberattacks. As a result, their capability is quite opaque,” Hultquist said. “This disclosure is a rare opportunity to investigate and prepare for this threat.”
Microsoft investigators first discovered the hacking activity described Wednesday after responding to an incident at a U.S. port. That investigation eventually discovered a much broader campaign and activity targeting networks in Guam, Tom Burt, Microsoft’s corporate vice-president for customer security and trust, told the New York Times, which first reported news of the campaign.
Officials in Congress are increasingly concerned about the cybersecurity posture of U.S. ports, and last month Reps. Carlos Gimenez, R-Fl., and John Garamendi, D-Calif., introduced a bill that would require U.S. ports to limit the use of cranes made in China.