CyberSecurity SEE

China-Backed APT ‘Volt Typhoon’ Penetrates US Critical Infrastructure Organizations

China-sponsored hackers have successfully established persistent access within the United States’ telecom networks and other critical infrastructure targets, with the aim of espionage and potentially disrupting communications during future military conflicts in the South China Sea region and the broader Pacific. A recent investigation by Microsoft into the group, which it tracks as “Volt Typhoon,” details the activities of an advanced persistent threat (APT) group that has previously carried out cyber espionage, as identified by researchers at Microsoft, Mandiant, and other companies.

While the immediate goal of Volt Typhoon seems to be espionage, Microsoft’s analysis warns that the group could also develop capabilities to disrupt critical communications infrastructure during future crises. This finding has particularly alarmed security professionals, as the United States’ relations with China have been frosty since a Chinese spy balloon made headlines in US airspace earlier this year, and China has been making moves in the South China Sea regarding Taiwan.

The first signs of compromise emerged in telecom networks in Guam, but Microsoft eventually uncovered a wide range of compromises across multiple sectors, including air, communications, maritime, and land transportation targets. In the event of an emerging military crisis, an attack on the United States’ critical infrastructure could disrupt communications and hinder the country’s ability to respond and come to Taiwan’s aid, according to John Hultquist, chief analyst at Mandiant Intelligence – Google Cloud.

However, Hultquist also added that while such operations are aggressive and dangerous, they do not necessarily mean attacks are looming. Given that this capability may be used by states looking for alternatives to armed conflict, Hultquist noted that China is not the lone state conducting contingency intrusions. Russia has targeted a variety of critical infrastructure sectors in the last decade in operations that were not designed for immediate effect. In comparison, China’s cyber threat actors are far more focused on cyber espionage than destruction.

To achieve initial access, Volt Typhoon compromises Internet-facing Fortinet FortiGuard devices, which are a popular target for cyberattackers. Once inside, the APT uses the device’s privileges to extract credentials from Active Directory and authenticate to other devices on the network. The state-sponsored actor uses living-off-the-land binaries and the command line to find information on the system, discover additional devices on the network, and exfiltrate data. To cover its tracks, Volt Typhoon proxies its network traffic through compromised small office/home office (SOHO) routers and other edge devices from various brands such as ASUS, Cisco, D-Link, NETGEAR, and Zyxel.
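As an added illustration of how a defender might hunt for the two behaviours described above (an edge appliance authenticating broadly across the network with harvested credentials, and a burst of living-off-the-land discovery commands on one host), here is example code that is not part of the original article or of any vendor advisory; the host names, IP addresses, accounts and log events are constructed, and the list of discovery binaries is an assumption about commonly abused built-in Windows tools.

```python
"""Hunt over constructed Windows logs for two behaviours: (1) an edge device
authenticating to many internal hosts, (2) a discovery-tool burst on a host."""
from collections import defaultdict

# Built-in Windows binaries commonly used for discovery (assumed list, not
# taken from the article); a chain of several on one host is worth a look.
DISCOVERY_LOLBINS = {"net.exe", "nltest.exe", "ipconfig.exe", "netstat.exe",
                     "whoami.exe", "systeminfo.exe", "wmic.exe", "tasklist.exe"}

# Constructed sample data. 10.0.0.5 plays the Internet-facing appliance;
# SRV-FILE01 shows a discovery burst. jdoe is ordinary user activity.
LOGONS = [  # (src_ip, dst_host, account)
    ("10.0.0.5", "DC01", "svc_backup"), ("10.0.0.5", "SRV-FILE01", "svc_backup"),
    ("10.0.0.5", "SRV-SQL02", "svc_backup"), ("10.0.0.5", "WS-0231", "svc_backup"),
    ("10.0.2.17", "SRV-FILE01", "jdoe"), ("10.0.2.17", "DC01", "jdoe"),
]
PROCS = [  # (host, image, command_line)
    ("SRV-FILE01", "cmd.exe", "cmd.exe /c whoami"),
    ("SRV-FILE01", "whoami.exe", "whoami"),
    ("SRV-FILE01", "net.exe", 'net group "domain admins" /domain'),
    ("SRV-FILE01", "nltest.exe", "nltest /dclist:corp"),
    ("SRV-FILE01", "netstat.exe", "netstat -ano"),
    ("SRV-FILE01", "ipconfig.exe", "ipconfig /all"),
    ("WS-0231", "ipconfig.exe", "ipconfig /all"),
]

def broad_auth_from_edge(logons, edge_ips, min_hosts=3):
    """Return {(src_ip, account): sorted hosts} for edge-device sources that
    authenticated to at least min_hosts distinct internal hosts."""
    seen = defaultdict(set)
    for src, dst, acct in logons:
        if src in edge_ips:
            seen[(src, acct)].add(dst)
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_hosts}

def discovery_bursts(procs, min_tools=4):
    """Return {host: sorted tools} for hosts where at least min_tools distinct
    discovery binaries ran; a single ipconfig on a workstation is not flagged."""
    tools = defaultdict(set)
    for host, image, _cmdline in procs:
        if image.lower() in DISCOVERY_LOLBINS:
            tools[host].add(image.lower())
    return {h: sorted(t) for h, t in tools.items() if len(t) >= min_tools}

if __name__ == "__main__":
    print(broad_auth_from_edge(LOGONS, {"10.0.0.5"}))
    print(discovery_bursts(PROCS))
```

In practice the same logic runs over Windows Security 4624 logon events and process-creation telemetry, with the edge-device address list taken from your own inventory.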

This ongoing activity of China-sponsored hacks and cyber espionage, coupled with its agenda of disrupting communication infrastructure in the event of a conflict, has raised alarms. Security experts believe that it is high time for the United States to develop a comprehensive strategy to counter China’s cyber espionage efforts, not only to safeguard critical infrastructure but also in the interests of national security. Microsoft’s analysis and findings have led the NSA to release an advisory on Volt Typhoon that explains how to hunt for the threat and provides mitigation advice and indicators of compromise.
