While state-sponsored hackers working on behalf of Russia, Iran and North Korea have wreaked havoc for years with disruptive cyberattacks around the world, Chinese military and intelligence hackers have largely retained a reputation for limiting their intrusions to espionage. But when these cyber spies penetrate critical infrastructure in the United States, and specifically in US territory on the doorstep of China, espionage, conflict contingency planning, and escalating cyber warfare begin to look dangerously alike.

Microsoft revealed in a blog post on Wednesday that it has been tracking a group of what it believes to be Chinese state-sponsored hackers who have been carrying out a massive hacking campaign since 2021 targeting critical infrastructure systems in the United States and Guam, including communications, manufacturing, utilities, construction and transportation.

The intentions of the group, which Microsoft has named Volt Typhoon, may simply be espionage, given that it does not appear to have used its access to these critical networks to carry out data destruction or other offensive attacks. But Microsoft warns that the nature of the group’s targeting, including in a Pacific territory that could play a key role in a military or diplomatic dispute with China, could still allow for this kind of disruption.

“The observed behavior suggests that the threat actor intends to eavesdrop and maintain access undetected for as long as possible,” the company’s blog post read. But it pairs that statement with a “moderate confidence” assessment that the hackers are pursuing the development of capabilities that could disrupt critical communications infrastructure between the United States and the Asian region in future crises.

Google-owned cybersecurity firm Mandiant says it has also tracked some of the group’s intrusions and offers a similar warning about the group’s focus on critical infrastructure. “There’s no clear link to the intellectual property or political information we expect from a spy operation,” says John Hultquist, who leads threat intelligence at Mandiant. “This makes us wonder if they are there because targets are essential. Our concern is that the focus on critical infrastructure is preparation for potential disruptive or destructive attacks.”

Microsoft’s blog post offered technical details about the hackers’ intrusions that could help network defenders spot and expel them: the group, for example, uses hacked routers, firewalls and other network devices as proxies from which to launch its hacking, including devices sold by hardware manufacturers ASUS, Cisco, D-Link, Netgear and Zyxel. The group also often leverages access gained through compromised accounts of legitimate users rather than its own malware, making its activity harder to detect because it appears benign.

Blending into a target’s regular network traffic in an attempt to evade detection is a hallmark of the approach of Volt Typhoon and other Chinese actors in recent years, says Marc Burnard, senior information security research consultant at Secureworks. Like Microsoft and Mandiant, Secureworks has followed the group and observed its campaigns. He added that the group has demonstrated a relentless focus on adaptation to continue its espionage.
