Recent reports indicate that a likely China-backed threat actor has been targeting critical infrastructure organizations in Guam, raising concerns about the possibility of America’s geopolitical adversaries launching disruptive cyberattacks against key communications and operational technologies in a future crisis. According to Microsoft, the attacks are part of a broader campaign dubbed “Volt Typhoon,” which is targeting organizations in communications, government, utility, manufacturing, maritime, and other critical sectors. While most state-backed Chinese cyber campaigns over the past several years have focused on cyber espionage, evidence examined by Microsoft suggests that this recent targeting of Guam is laying the groundwork for attacks that could disrupt US-Asia communications in a kinetic conflict.
Dick O’Brien, principal intelligence analyst at Symantec Threat Hunter Team, notes that there was a period of a few years where relatively little Chinese activity was directed against US targets, but that has changed over the past year due to the geopolitical tensions around the Taiwan issue. “We think the one named US location (Guam) is significant as Chinese actors are very heavily focused on Taiwan right now, and Guam may be part of that focus,” he says. The apparent preparation for disruptive attacks that Microsoft observed marks a significant departure from most cyberattacks by Chinese groups over the past nearly two decades, which have mainly focused on stealing trade secrets and intellectual property from the US and other countries to support China’s strategic goals around self-reliance.
A survey conducted by the Center for Strategic and International Studies (CSIS) using publicly available information found 224 reported instances of Chinese espionage targeting US organizations. Almost half (46%) of these involved cyber-enabled espionage. Notable early examples in the list include an April 2005 campaign where Chinese actors stole information about the Space Shuttle Discovery program from a NASA network, a 2005 operation called Titan Rain to steal US military and defense secrets from defense contractors and military entities, and a 2010 campaign dubbed Aurora that hit Google and some 30 other major technology companies. More recently, Chinese hackers stole 614 GB of data on a US supersonic anti-ship missile from a US Navy contractor in 2018, a 2019 attack resulted in the theft of data pertaining to General Electric jet engine turbines, and in May 2020, an attack was aimed at stealing US research related to the coronavirus vaccine.
According to John Hultquist, Chief Analyst at Mandiant Intelligence – Google Cloud, “China has not demonstrated the ability to disrupt critical infrastructure, but it’s something we believe they are capable of and other states are capable of.” Hultquist notes that critical infrastructure can be disrupted with capabilities such as ransomware, though some countries, like China, are likely to have access to the ability to attack operational technology (OT) systems. China-backed threat actors are currently the most active among nation-state groups, especially those focused on conducting cyber espionage.
Security researchers have little doubt that the skills that Chinese groups have used in executing these attacks can be used in carrying out destructive ones if needed. “When comparing the technical aspects of the cyber threat from China to other adversary nations, there are differences in tactics, techniques, and procedures (TTPs). Russian groups have often leveraged social engineering and sophisticated malware,” says Cliff Steinhauer, Director of Information Security and Engagement at the National Cybersecurity Alliance. North Korean groups tend to lean toward destructive attacks and cyber-enabled financial heists, while Iranian groups have frequently employed DDoS attacks and defacements. Chinese groups, meanwhile, have tended to use a mix of spear-phishing, waterhole attacks, and exploit chains.
In recent years, Chinese APT groups have gotten significantly better at discovering and exploiting zero-days than any other groups. They have also typically been among the fastest to exploit newly disclosed flaws. Data from Mandiant shows that in 2022, Chinese cyber espionage groups exploited seven zero-day flaws in various campaigns, a notch lower than the eight zero-days they exploited in 2021, but still the highest by threat actors from any one country. Examples of zero-day vulnerabilities that Chinese threat actors have recently exploited to highly disruptive effect include CVE-2022-30190 (aka Follina), CVE-2022-42475 against FortiOS systems, and the so-called ProxyLogon set of flaws in Microsoft Exchange in 2021.
While Chinese groups have not shown they can wreak widespread havoc on US critical infrastructure so far, researchers have no doubt that they – and other nation-state backed groups, especially Russian APTs – can if they choose to do so. According to Craig Jones, VP of security operations at Ontinue, “One of their favorite mediums is launching and staging attacks from network edge devices. These groups demonstrate proficiency in infiltrating targeted networks and maintaining persistent access [and] operating covertly within compromised systems for extended periods.”
Overall, the threat of Chinese cyberattacks remains a troubling inflection point for US security experts, particularly with the possibility of kinetic conflict on the horizon. Time will tell if these recent developments signify a turning point in the capabilities of Chinese cyber-espionage groups or whether it is merely another predictable wrinkle in the ongoing saga of nation-state espionage in the age of global interconnectedness.