Critical Infrastructure Security
Cyberwarfare / Nation-State Attacks
Fraud Management & Cybercrime
Officials Say Hackers Are Evading Detection on Critical Infrastructure Networks
U.S. security agencies are warning critical infrastructure operators to immediately apply patches for critical vulnerabilities known to be frequently exploited by Chinese government hackers.
A Chinese hacking group known as Volt Typhoon has maintained access and footholds in some victim information technology environments “for at least five years,” the Cybersecurity and Infrastructure Security Agency said Wednesday in a joint cybersecurity advisory. The report, which details how Volt Typhoon has managed to gain persistent access to IT networks while avoiding detection, was published in collaboration with the FBI, the National Security Agency and multiple international partners, including cybersecurity agencies from the United Kingdom, Canada, Australia and New Zealand – the countries that form the Five Eyes intelligence-sharing alliance.
Eric Goldstein, CISA’s executive assistant director, said during a Wednesday phone call with reporters that evidence “strongly suggests” the Chinese hacking group is positioning itself on U.S. critical infrastructure networks to launch destructive cyberattacks that would be harmful to national security, economic security and public health.
The report says that Chinese hackers have exfiltrated diagrams and documentation related to operational technology, including SCADA systems, relays and switchgear – data “crucial for understanding and potentially impacting critical infrastructure systems,” CISA said. Volt Typhoon actors in some cases had the capability to access camera surveillance systems at critical infrastructure facilities, it also said.
The U.S. government and the Five Eyes intelligence-sharing alliance first publicly disclosed the existence of Volt Typhoon in May after cyber defenders had detected activity in Guam and the United States. The Pacific island is just hours away from Taiwan via airplane and is the site of two major American military bases (see: Chinese State Hacker ‘Volt Typhoon’ Targets Guam and US).
Microsoft, which also divulged the existence of Volt Typhoon in May, said the group has been active since mid-2021. CISA’s report says “strong operational security” has allowed the threat actor to penetrate networks that have remained undetected for years.
Western pushback against Chinese hacking, although constant for more than a decade now, has taken on extra urgency as concerns grow about Chinese territorial ambitions for Taiwan and the South China Sea. Chinese President Xi Jinping has ordered the military to be capable of invading Taiwan by 2027.
Cybersecurity experts have observed growing sophistication in Chinese state hackers – a possible effect of a Beijing law that requires mandatory disclosure to the government of vulnerability reports (see: It’s Raining Zero-Days in Cyberspace).
Appliances located on network edges, such as VPNs, have been a particular target of Chinese hackers, and the Dutch government warned yesterday that Chinese threat actors perform wide and opportunistic scanning campaigns for vulnerable devices and use zero-days and recently patched vulnerabilities to gain surreptitious access.
“The information that we are releasing with this advisory is reflecting a strategic shift in PRC malicious cyber activity,” Goldstein said. CISA has observed Chinese hacking groups moving away from espionage campaigns toward “prepositioning for future disruptive or destructive attacks,” he added.
Volt Typhoon typically attacks victim environments through known or zero-day vulnerabilities in public-facing networks, the report says. It then conducts extensive reconnaissance operations to learn about the organization’s staff, security practices and overall network structure. Its goal is often to gain admin credentials and eventually achieve full domain compromise. The hackers can then carry out “meticulous post-exploitation intelligence collection” operations and further disrupt the victim networks, according to the advisory.
The advisory comes less than a week after FBI Director Christopher Wray testified that Chinese hackers were preparing “to wreak havoc and cause real-world harm to American citizens and communities” if Beijing launches an invasion against Taiwan. The FBI director told the House Select Committee on the Chinese Communist Party that U.S. officials had recently dismantled Volt Typhoon’s malware from “hundreds” of victims’ personal routers in homes and small businesses across the country (see: Here’s How the FBI Stopped a Major Chinese Hacking Campaign).
“They’re not focused just on political and military targets,” Wray said. “We can see from where they position themselves across civilian infrastructure that low blows aren’t just a possibility in the event of conflict: Low blows against civilians are part of China’s plan.”
The Chinese hackers have exploited vulnerabilities in a wide array of popular commercial networking appliances from organizations such as Fortinet, Citrix and Cisco, among others, the report says. The group likely obtained access to one victim network through an unpatched network security firewall. After gaining unauthorized access into networks, CISA said, the group typically uses “living off the land” techniques to move laterally and carry out its campaigns while evading detection.
China’s targeting of critical infrastructure sectors in the U.S. reflects similar actions that foreign adversaries have taken against Ukraine throughout Russia’s deadly invasion, according to John Hultquist, chief analyst for Mandiant Intelligence.
The report says Volt Typhoon is specifically targeting and collecting information on operational technology systems – “the highly sensitive systems that run the physical processes at the heart of critical infrastructure,” Hultquist said in a statement sent to Information Security Media Group.
“Evidence of forays into OT systems justifies our concerns that the actor is a serious threat,” he added. “If there was any skepticism as to why this actor was carrying out these intrusions, this revelation should put it to rest.”