A Chinese state-sponsored hacking group has been successfully infiltrating critical infrastructure systems in the US, and in some cases, maintaining access for more than five years, according to federal investigators.
The group, tracked as “Volt Typhoon,” has been targeting the communications, energy, transportation, and water and wastewater sectors, positioning itself so that it could disrupt those services if China were ever to confront the US during a major crisis or conflict.
“The US authoring agencies have confirmed that Volt Typhoon has compromised the IT environments of multiple critical infrastructure organizations,” federal agencies said today.
To warn the public about the threat, the FBI, NSA, and Cybersecurity and Infrastructure Security Agency (CISA) issued a 45-page report outlining the group’s tactics. The agencies hope it will help US organizations find and root out Volt Typhoon in their critical infrastructure systems.
“We are at a critical juncture for our national security,” says CISA Director Jen Easterly. “We strongly encourage all critical infrastructure organizations to review and implement the actions in these advisories and report any suspected Volt Typhoon or living off the land activity to CISA or FBI.”
Volt Typhoon grabbed headlines last week after the FBI said it had dismantled a botnet the Chinese hacking group was using to mask its activities in the US. Wednesday’s report adds that “some victims are smaller organizations with limited cybersecurity capabilities that provide critical services to larger organizations or key geographic locations.”
The group has been able to hide for so long inside US networks by relying less on malware and more on “living off the land” tactics: using legitimate administrative tools already present on the victim’s systems, or hijacking valid accounts inside the organization, so that its activity blends in with normal operations. The group also times its activity carefully to avoid tripping security monitoring.
“For example, in some instances, Volt Typhoon actors may have abstained from using compromised credentials outside of normal working hours to avoid triggering security alerts on abnormal account activities,” the report noted.
Oftentimes, Volt Typhoon’s primary goal is to gain access to powerful admin accounts inside a network. Once access is achieved, the hackers will exhibit little activity. “This assessment is supported by observed patterns where Volt Typhoon methodically re-targets the same organizations over extended periods, often spanning several years, to continuously validate and potentially enhance their unauthorized accesses,” the report said.
As an example, investigators spotted Volt Typhoon repeatedly stealing domain credentials from one victim network over a four-year span, likely to ensure it could maintain access. “In one confirmed compromise, an industry partner observed Volt Typhoon actors dumping credentials at regular intervals,” the report added.
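The two behaviours described above, staying inside normal working hours and dumping credentials on a regular cadence, point at two different detection rules, and the first defeats a common one. The following is an added example, not code from the advisory or from any of the agencies, showing over constructed sample events why a naive off-hours alert never fires on such an actor, and how a periodicity check on credential-dump indicators can still surface the pattern. The event schema, the 08:00–18:00 weekday window, and the account and host names are assumptions made for illustration; in practice the `cred_dump` indicator would be whatever telemetry a SOC already has for credential theft (EDR alerts, directory-database access events, and so on).

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, pstdev


@dataclass(frozen=True)
class Event:
    ts: datetime
    account: str
    host: str
    kind: str  # "cred_dump" marks a credential-dump indicator; anything else is noise


def _ev(stamp, account, host, kind):
    return Event(datetime.strptime(stamp, "%Y-%m-%d %H:%M"), account, host, kind)


# Constructed sample telemetry (assumption, not data from the report):
# one service account dumps credentials every Tuesday morning for four weeks,
# always inside business hours; one unrelated one-off dump; one weekend logon.
SAMPLE_EVENTS = [
    _ev("2024-01-09 10:15", "svc_backup", "DC01", "cred_dump"),
    _ev("2024-01-10 11:00", "svc_backup", "DC01", "logon"),
    _ev("2024-01-12 14:02", "jdoe", "WS07", "cred_dump"),
    _ev("2024-01-13 02:40", "jdoe", "WS07", "logon"),
    _ev("2024-01-16 10:14", "svc_backup", "DC01", "cred_dump"),
    _ev("2024-01-23 10:16", "svc_backup", "DC01", "cred_dump"),
    _ev("2024-01-30 10:15", "svc_backup", "DC01", "cred_dump"),
]


def is_off_hours(ts, start_hour=8, end_hour=18):
    """Weekend, or outside the assumed 08:00-18:00 local working window."""
    return ts.weekday() >= 5 or not (start_hour <= ts.hour < end_hour)


def off_hours_alerts(events):
    """The naive rule: anything outside working hours is suspicious."""
    return [e for e in events if is_off_hours(e.ts)]


def periodic_dump_sources(events, min_events=3, max_cv=0.1):
    """Flag (account, host) pairs whose credential dumps recur on a steady cadence.

    Inter-arrival gaps are summarised by their coefficient of variation
    (standard deviation / mean); a low value means the dumps are evenly spaced,
    which is what a scheduled re-validation of access looks like.
    """
    by_key = {}
    for e in events:
        if e.kind == "cred_dump":
            by_key.setdefault((e.account, e.host), []).append(e.ts)

    flagged = {}
    for key, stamps in by_key.items():
        if len(stamps) < min_events:
            continue  # too few points to say anything about cadence
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        m = mean(gaps)
        cv = pstdev(gaps) / m if m > 0 else float("inf")
        if cv <= max_cv:
            flagged[key] = {
                "count": len(stamps),
                "mean_gap_hours": m / 3600,
                "cv": cv,
            }
    return flagged


if __name__ == "__main__":
    print("off-hours alerts:")
    for e in off_hours_alerts(SAMPLE_EVENTS):
        print("  ", e.ts, e.account, e.host, e.kind)  # only the weekend logon
    print("periodic credential dumps:")
    for key, info in periodic_dump_sources(SAMPLE_EVENTS).items():
        print("  ", key, info)  # svc_backup@DC01, ~168h cadence
```

The off-hours rule catches the one weekend logon and nothing else: every credential dump in the sample sits comfortably inside the working window, exactly as the report describes. The periodicity check flags `svc_backup` on `DC01` with a mean gap of 168 hours and a near-zero coefficient of variation, while the single dump from `jdoe` is ignored for lack of data. Thresholds like `min_events` and `max_cv` are starting points to tune against an environment’s own backup and vulnerability-scanning schedules, which also run on a cadence and need to be allow-listed rather than alerted on.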