China-Backed Hackers Targeting Critical US Infrastructure, Microsoft and Five Eyes Warn

A man walks past a Microsoft sign outside a Microsoft office building in Beijing on July 31, 2014. (Greg Baker/AFP via Getty Images)
Mimi Nguyen Ly

A Chinese cyber espionage group has been targeting a wide range of networks across U.S. critical infrastructure sectors, from telecommunications to transportation hubs, since at least mid-2021, according to Microsoft and various cybersecurity agencies under the Five Eyes alliance.

Microsoft announced on May 24 that the “stealthy and targeted malicious activity” is carried out by Volt Typhoon, a state-sponsored actor based in China that typically focuses on espionage and information gathering against its targets.

The American multinational technology giant added that Volt Typhoon appears to intend “to perform espionage and maintain access without being detected for as long as possible.”

The China-based hacking group is believed to be pursuing capabilities to “disrupt critical communications infrastructure between the United States and Asia region during future crises,” according to Microsoft.

Affected U.S. critical sectors include “the communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education sectors.”

It wasn’t immediately clear how many networks have been affected.

Military Risk

The affected networks include various networks in Guam in the western Pacific, where the United States has a major military presence, Microsoft noted.

These U.S. military facilities play a major role in responding to conflicts in the Asia-Pacific region. Guam also serves as a major communications center linking Asia and Australia to the United States, via submarine cables.

Bart Hoggeveen, a senior analyst at the Australian Strategic Policy Institute, said the submarine cables made Guam “a logical target” for China’s ruling communist party to seek intelligence.

“There is high vulnerability when cables land on shore,” he said.

Warning From Five Eyes Agencies

U.S. and allied intelligence agencies noted in a joint cybersecurity advisory that they believe China’s Volt Typhoon campaign could target critical infrastructure in other countries as well.

The agencies include the U.S. National Security Agency, the FBI, the Cybersecurity and Infrastructure Security Agency (CISA), and their counterparts from Australia, New Zealand, Canada, and the UK.

“For years, China has conducted aggressive cyber operations to steal intellectual property and sensitive data from organizations around the globe,” CISA Director Jen Easterly said in an advisory warning.

In the same warning, Bryan Vorndran, FBI cyber division assistant director, referred to the hacking as having used “unacceptable tactics.”

“It is vital that operators of critical national infrastructure take action to prevent attackers hiding on their systems,” Paul Chichester, director of the UK’s National Cyber Security Centre, said in the warning.

‘Living Off the Land’

According to Microsoft, one of the main tactics Volt Typhoon is using is “living off the land,” which involves using various built-in Windows network administration tools against targets.

This allows the cyber espionage group to evade detection: because the tools are legitimate system utilities, their use blends in with normal Windows system and network activity and does not trigger security alerts.

Such techniques are harder to detect as they use “capabilities already built into critical infrastructure environments,” NSA cybersecurity director Rob Joyce said in the advisory warning.

After it infects a target’s existing systems, the hacking group conducts espionage and starts extracting data, Microsoft stated.

Some of the built-in tools being used are WMIC, Ntdsutil, netsh, and PowerShell.
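One defender-side way to surface use of the tools named above, as an added example that is not from Microsoft, the advisory or any vendor product: a small Python scorer over constructed Windows process-creation (event 4688) records that flags the built-in binaries when they run outside an assumed baseline of administrative accounts or are spawned by a server process. The key=value field layout, the account names and both allow-lists are assumptions for illustration.

```python
import re

# Built-in Windows tools named in the article, lower-cased for matching.
WATCHED = {"wmic.exe", "ntdsutil.exe", "netsh.exe", "powershell.exe"}
# Hypothetical baseline: accounts that legitimately run these tools.
EXPECTED_ADMIN_ACCOUNTS = {r"CORP\svc-backup", r"CORP\itadmin"}
# Parent processes that rarely spawn admin tools legitimately (assumption).
SUSPICIOUS_PARENTS = {"w3wp.exe", "httpd.exe", "sqlservr.exe"}

# Constructed sample records in a simplified key=value rendering of event 4688.
SAMPLE_LOG = r"""
EventID=4688 Host=DC01 Account=CORP\itadmin NewProcess=C:\Windows\System32\ntdsutil.exe Parent=C:\Windows\System32\cmd.exe
EventID=4688 Host=WEB02 Account="IIS APPPOOL\DefaultAppPool" NewProcess=C:\Windows\System32\netsh.exe Parent=C:\Windows\System32\inetsrv\w3wp.exe
EventID=4688 Host=WS17 Account=CORP\jdoe NewProcess=C:\Windows\System32\wbem\WMIC.exe Parent=C:\Windows\explorer.exe
EventID=4688 Host=WS17 Account=CORP\jdoe NewProcess=C:\Windows\notepad.exe Parent=C:\Windows\explorer.exe
EventID=4624 Host=WS17 Account=CORP\jdoe LogonType=3
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_event(line):
    """Split one record into fields; quoted values may contain spaces."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def score_event(ev):
    """Return (score, reasons); 0 means the record is not a watched tool."""
    if ev.get("EventID") != "4688" or basename(ev.get("NewProcess", "")) not in WATCHED:
        return 0, []
    exe = basename(ev["NewProcess"])
    score, reasons = 1, [f"built-in admin tool {exe} executed"]
    if ev.get("Account") not in EXPECTED_ADMIN_ACCOUNTS:
        score, reasons = score + 1, reasons + ["account outside admin baseline"]
    if basename(ev.get("Parent", "")) in SUSPICIOUS_PARENTS:
        score, reasons = score + 2, reasons + ["spawned by a server process"]
    return score, reasons

def detect(log_text, threshold=2):
    """Return (host, account, exe, score, reasons) for records at/above threshold."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        score, reasons = score_event(ev)
        if score >= threshold:
            alerts.append((ev["Host"], ev["Account"], basename(ev["NewProcess"]), score, reasons))
    return alerts
```

With the default threshold, `detect(SAMPLE_LOG)` flags the netsh launch from the web server worker and the WMIC run by a non-admin user, while the domain controller's ntdsutil run by a baselined admin account stays below the threshold, which is the point: the tool alone is not the signal, the context is.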

The hackers gained initial access through internet-facing FortiGuard devices, which are engineered to use machine learning to detect malware, Microsoft said.

Microsoft Customers Alerted

Microsoft said it proactively contacted all targeted or compromised customers and provided them with information to secure their networks.

Over at least the past decade, human rights groups have been warning U.S. companies such as Microsoft of potential national security risks associated with negotiating with the Chinese Communist Party to gain access to the Chinese market.

A report by the group Victims of Communism in February 2022 warned that Google, GE, Intel, and Microsoft had “potentially problematic linkages that may directly or indirectly support China’s state surveillance, military modernization, and human rights violations.”

Meanwhile, Microsoft’s Bing has become China’s leading desktop search engine, surpassing Baidu, according to recent statistical data from StatCounter.

John Hultquist, chief analyst at Google’s Mandiant cybersecurity intelligence operation, called Microsoft’s May 24 announcement “potentially a really important finding.”

“We don’t see a lot of this sort of probing from China. It’s rare,” Hultquist said. “We know a lot about Russian and North Korean and Iranian cyber-capabilities because they have regularly done this.”

He added that China has generally withheld use of the kinds of tools that could be used to seed not just intelligence-gathering capabilities, but also malware for disruptive attacks in an armed conflict.

The Associated Press contributed to this report.