According to reports from Western intelligence agencies and Microsoft, a state-sponsored Chinese hacking group has been engaged in a wide-ranging cyber-espionage operation against various critical infrastructure organizations in the United States. The targeted sectors include telecommunications and transportation hubs, as well as the strategically important US territory of Guam, which houses American military bases. Microsoft's report emphasizes the challenging nature of mitigating this attack.
While it is common for China and the United States to engage in mutual espionage, experts argue that this represents one of the largest cyber-espionage campaigns conducted by China against American critical infrastructure. In response to the hacking allegations, Chinese foreign ministry spokesperson Mao Ning dismissed them as a "collective disinformation campaign" orchestrated by the Five Eyes countries, referring to the intelligence-sharing alliance comprising the US, Canada, New Zealand, Australia, and the UK. Mao further alleged that the US was expanding its disinformation efforts beyond government agencies for geopolitical reasons.
The full extent of the breach is currently unknown, but the US National Security Agency (NSA) has stated that it is collaborating with partners, including Canada, New Zealand, Australia, and the UK, as well as the US Federal Bureau of Investigation, to investigate the breaches. In addition, Canada, the UK, Australia, and New Zealand have been alerted to the possibility of being targeted by the hackers.
Microsoft's analysts, while naming the Chinese group "Volt Typhoon," have expressed "moderate confidence" that this group is developing capabilities that could disrupt critical communications infrastructure between the US and the Asia region during future crises. Security experts are particularly concerned because there is limited visibility into the group's potential capabilities, which makes the situation even more troubling given the current geopolitical climate.
As tensions rise between China and Taiwan, with China increasing military and diplomatic pressure, US President Joe Biden has stated his willingness to use force to defend Taiwan. Should such a conflict materialize, security analysts expect that Chinese hackers may target US military networks and other critical infrastructure.
The NSA and other Western cyber agencies are urging operators of critical infrastructure to proactively identify malicious activity using the technical guidance they have provided. Paul Chichester, director at the UK's National Cyber Security Centre, stressed the importance of taking action to prevent attackers from remaining undetected on systems.
Microsoft has revealed that the Chinese hacking group has been active since at least 2021 and has targeted various industries, including communications, manufacturing, utilities, transportation, construction, maritime, government, information technology, and education.
According to Rob Joyce, the cybersecurity director at the NSA, the Chinese campaign employs built-in network tools to evade defenses, leaving behind no trace. These techniques are challenging to detect as they exploit capabilities already present in critical infrastructure environments.
Unlike traditional hacking methods that rely on tricking victims into downloading malicious files, Microsoft has noted that this group infects victims' existing systems to gather information and extract data.
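As an added illustration, not taken from the article or from the guidance Microsoft and the NSA published, of why "living off the land" is hard to catch and what a defender can still key on: the check below runs over constructed Windows process-creation log lines and flags a host where several distinct built-in network utilities run within a short window. Any one of those tools is routine administration; the burst of several in quick succession, plus the parent that launched them, is what an analyst can act on. The tool list, log line format and host names are assumptions for this example.

```python
import re
from collections import defaultdict

# Built-in Windows networking/discovery utilities that require no dropped
# malware. This set is an assumption for the example, not a list from the article.
BUILTIN_NET_TOOLS = {"netsh.exe", "ipconfig.exe", "netstat.exe", "nltest.exe",
                     "net.exe", "arp.exe", "route.exe", "ping.exe"}

# Assumed log line shape: "ts=<unix seconds> host=<name> parent=<exe> image=<exe>"
LINE_RE = re.compile(r"ts=(\d+) host=(\S+) parent=(\S+) image=(\S+)")


def parse_event(line):
    """Parse one process-creation line into a dict, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ts, host, parent, image = m.groups()
    return {"ts": int(ts), "host": host, "parent": parent.lower(), "image": image.lower()}


def find_discovery_bursts(lines, window=300, min_distinct=3):
    """Return {host: {"tools": [...], "parents": [...]}} for hosts where at least
    min_distinct different built-in network tools ran within `window` seconds."""
    per_host = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev and ev["image"] in BUILTIN_NET_TOOLS:
            per_host[ev["host"]].append((ev["ts"], ev["image"], ev["parent"]))
    alerts = {}
    for host, events in per_host.items():
        events.sort()
        for i, (start, _, _) in enumerate(events):
            in_window = [e for e in events[i:] if e[0] - start <= window]
            tools = {img for _, img, _ in in_window}
            if len(tools) >= min_distinct:
                alerts[host] = {"tools": sorted(tools),
                                "parents": sorted({p for _, _, p in in_window})}
                break  # one alert per host is enough for triage
    return alerts


# Constructed sample: one host shows a discovery burst, the other only routine use.
SAMPLE_LOG = [
    "ts=1000 host=ot-hmi-01 parent=cmd.exe image=ipconfig.exe",
    "ts=1030 host=ot-hmi-01 parent=cmd.exe image=netstat.exe",
    "ts=1100 host=ot-hmi-01 parent=cmd.exe image=netsh.exe",
    "ts=1200 host=ot-hmi-01 parent=wmiprvse.exe image=nltest.exe",
    "ts=5000 host=eng-ws-07 parent=explorer.exe image=ping.exe",
    "ts=9000 host=eng-ws-07 parent=cmd.exe image=ipconfig.exe",
]

if __name__ == "__main__":
    for host, detail in find_discovery_bursts(SAMPLE_LOG).items():
        print(host, detail)
```

Real deployments would replace SAMPLE_LOG with events from an EDR or Sysmon feed and tune `window` and `min_distinct` against a baseline of each site's normal administrative activity.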
Xage CEO Duncan Greatwood commented on the need to secure credentials and control access privileges. "To protect America’s critical infrastructure – against a backdrop of rising geopolitical tensions – the government must focus on securing credentials and controlling access privileges to the most granular degree possible.
They can achieve this by implementing cyber mesh and identity, credential, and access management solutions with multi-factor authentication. They also must implement automated credential rotation, and move to store credentials in a mesh-protected vault for user and machine identities that does not give up its secrets even in the event that some systems are compromised.
In other words, they must embrace genuine defense-in-depth methods to block attacks against critical infrastructure. Layered protection of credentials with strong encryption, combined with granular access control governing what those credentials can do, is a vital step toward protecting our nation’s future.”