Chinese state-sponsored hacking group, Volt Typhoon, accused of carrying out cyber-espionage on US targets.
Published On 26 May 2023
The US State Department has warned that China is capable of launching cyberattacks against critical United States infrastructure, including oil and gas pipelines as well as rail systems, after researchers discovered a Chinese hacking group had been spying on such networks.
A multination alert earlier this week revealed a Chinese cyberespionage campaign had been aimed at military and government targets in the US.
“The US intelligence community assesses that China almost certainly is capable of launching cyberattacks that could disrupt critical infrastructure services within the United States, including against oil and gas pipelines and rail systems,” State Department spokesperson Matthew Miller said in a press briefing on Thursday.
“It’s vital for government and network defenders in the public to stay vigilant,” he said.
The espionage group – dubbed “Volt Typhoon” by Microsoft – was the subject of an alert issued by cybersecurity and intelligence agencies in the US, Australia, Canada, New Zealand and the United Kingdom – known as the “Five Eyes” – on Wednesday.
Microsoft researchers said Volt Typhoon was developing capabilities “that could disrupt critical communications infrastructure between the United States and Asia region during future crises” – a nod to the escalating tensions between China and the US over Taiwan and other issues.
Microsoft said the Volt Typhoon campaign relies on “living off the land” attacks, which are fileless malware that uses existing programmes to carry out attacks rather than installing files itself. The tech giant said Volt Typhoon blends in with normal network activity by routing data through office and home networking equipment like routers, firewalls and VPNs, making it extremely difficult to detect.
The hacking group has targeted critical infrastructure organisations in the US Pacific territory of Guam, Microsoft said, adding that the security firm Fortinet’s FortiGuard devices were being abused by Volt Typhoon to break into its targets.
The US Cybersecurity and Infrastructure Security Agency (CISA) separately said it was working to understand “the breadth of potential intrusions and associated impacts”.
That would help the agency “provide assistance where needed, and more effectively understand the tactics undertaken by this adversary,” CISA’s executive assistant director, Eric Goldstein, told the Reuters news agency.
“Many traditional methods of detection, such as antivirus, will not find these intrusions.”
Researcher Marc Burnard, whose organisation Secureworks has dealt with several intrusions tied to Volt Typhoon, said Secureworks had seen no evidence of destructive activity by Volt Typhoon but that its hackers were focused on stealing information that would “shed light on US military activities”.
The Chinese government called the joint warning issued this week by the US and its allies a “collective disinformation campaign”.
China’s foreign ministry spokesperson Mao Ning told reporters that the Five Eyes alerts were intended to promote their intelligence alliance and that it was Washington that was guilty of hacking.
“This is an extremely unprofessional report with a missing chain of evidence. This is just scissors-and-paste work,” Mao said.
“The United States is the empire of hacking,” she said.