Chinese malware targeting critical infrastructure, Microsoft and U.S. government warn

Microsoft security researchers have unearthed a Chinese state-sponsored hacking campaign targeting critical infrastructure in Guam and other unspecified locations within the United States, the tech giant warned on Wednesday. The hacking operation, code-named "Volt Typhoon," has been active since mid-2021 and "could disrupt critical communications infrastructure between the United States and Asia region during future crises."

Microsoft has not detected any disruptive or destructive attacks, but noted that Chinese intelligence and military hackers routinely prioritize espionage and the gathering of information over destruction.

U.S. federal law enforcement and intelligence agencies including the FBI, NSA and the Cybersecurity and Infrastructure Security Agency (CISA) released a bulletin Wednesday outlining Volt Typhoon's ongoing operational playbook, along with technical indicators that enable potential victims to detect the intruder.

According to the bulletin, authorities "recently discovered" the cluster of activity. "Private sector partners have identified that this activity affects networks across U.S. critical infrastructure sectors, and the authoring agencies believe the actor could apply the same techniques against these and other sectors worldwide," the brief continued.

China denied the latest hacking allegation on Thursday, calling it a disinformation campaign by the "Five Eyes" nations that share intelligence, according to the Reuters news agency. Those nations are the U.S., Canada, New Zealand, Australia and the UK. "Relevant reports from western agencies have no proof," Reuters quotes Chinese Foreign Ministry spokesperson Mao Ning as saying at a regular press briefing.

U.S. intelligence agencies first uncovered the intrusions in February, roughly the same time that the U.S. downed a Chinese spy balloon, the New York Times first reported. Activity by the Chinese-sponsored hacking group reportedly alarmed U.S. officials, given the targeted infrastructure's proximity to Andersen Air Force Base. The naval port in Guam would play a critically important role in launching any U.S. military response in the event of an invasion of Taiwan.

"Attacks against our critical infrastructure in the event of a Chinese invasion of Taiwan is unfortunately not farfetched," CISA Director Jen Easterly warned in February.

At the time, Easterly called the threat of cyber intrusions "far more dangerous" than the Chinese surveillance balloon.

"Our country is subject to cyber intrusions every day from the Chinese government, but these intrusions rarely make it into national news," Easterly said. "These intrusions can do real damage to our nation — leading to theft of our intellectual property and personal information; and even more nefariously, establishing a foothold for disrupting or destroying the cyber and physical infrastructure that Americans rely upon every hour of every day—for our power, our water, our transportation, our communication, our healthcare, and so much more."

Once Volt Typhoon gains access to a network, it steals user credentials and uses them to reach other systems, according to Microsoft. "Observed behavior suggests that the threat actor intends to perform espionage and maintain access without being detected for as long as possible," Microsoft security researchers noted in Wednesday's blog.

Microsoft cautioned that affected organizations spanned nearly every critical infrastructure sector, including "communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education sectors."

Microsoft urged those customers impacted to "close or change credentials for all compromised accounts."

As it did Thursday, China has consistently denied hacking into American networks, even after U.S. investigators accused the People's Republic of China of stealing the personal information of millions of current and former federal workers during the Obama administration.

The Biden White House has hurriedly established cybersecurity standards for critical infrastructure after elevating ransomware attacks, such as the 2021 Russia-linked offensive on Colonial Pipeline, to an issue of national security.
