Microsoft notes hits on strategic Pacific island of Guam
May 25, 2023
A Chinese cyber espionage group has been
targeting a wide range of networks across U.S. critical infrastructure
sectors, from telecommunications to transportation hubs, since at least
mid-2021, according to Microsoft and various cybersecurity agencies under the
Five Eyes alliance.
Microsoft announced on
Wednesday that the “stealthy and targeted malicious activity” is carried out by
Volt Typhoon, a state-sponsored actor based in China that typically spies and
gathers information on targets.
The American multinational technology
giant added that Volt Typhoon appears to intend “to perform espionage and
maintain access without being detected for as long as possible.”
The China-based hacking group is believed to
be pursuing capabilities to “disrupt critical communications infrastructure
between the United States and Asia region during future crises,” according to
Microsoft.
Affected U.S. critical sectors include “the
communications, manufacturing, utility, transportation, construction, maritime,
government, information technology, and education sectors.”
It wasn’t immediately clear how many networks
have been affected.
Military Risk
This includes various networks in Guam in
the western Pacific where the United States has a major military presence,
Microsoft noted.
These U.S. military facilities play a major
role in responding to conflicts in the Asia-Pacific region. Guam also
serves as a major communications center linking Asia and Australia to the
United States, via submarine cables.
Bart Hoggeveen, a senior analyst at the
Australian Strategic Policy Institute, said the submarine cables made Guam “a
logical target” for China’s ruling communist party to seek intelligence.
“There is high vulnerability when cables land
on shore,” he said.
Warning From Five Eyes Agencies
U.S. and other intelligence partners noted in
a joint cybersecurity advisory that they
believe China's Volt Typhoon campaign could target critical
infrastructure in other countries as well.
The agencies include the U.S. National
Security Agency, the FBI, the Cybersecurity and Infrastructure Security Agency
(CISA), and their counterparts from Australia, New Zealand, Canada, and
Britain.
“For years, China has conducted aggressive
cyber operations to steal intellectual property and sensitive data from
organizations around the globe,” CISA Director Jen Easterly said in an advisory warning.
In the same warning, Bryan Vorndran, the FBI
cyber division assistant director, referred to the hacking as having used
“unacceptable tactics.”
“It is vital that operators of critical
national infrastructure take action to prevent attackers hiding on their
systems,” Paul Chichester, director at the UK’s National Cyber Security Centre
said in the warning.
‘Living Off The Land’
According to Microsoft, one of the main
tactics Volt Typhoon is using is “living off the land,” which involves
using various built-in Windows network administration tools against
targets.
This allows the cyber espionage group to evade
detection: because the tools are legitimate Windows binaries, their use blends in
with normal system and network administration and does not trigger the
security alerts that custom malware would.
Such techniques are harder to detect as they
use “capabilities already built into critical infrastructure environments,”
said NSA cybersecurity director Rob Joyce in the advisory warning.
After it infects a target’s existing systems,
the hacking group conducts espionage and starts extracting data, Microsoft
said.
Some of the built-in tools being used
are wmic, ntdsutil, netsh, and PowerShell.
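As an added illustration of why the tools above cannot simply be blocked (this is not code from the article, Microsoft or the Five Eyes agencies), the Python below scores process-creation records for the four binaries by command line and parent process rather than by binary name. The sample records, the parent-process baseline and the indicator patterns are constructed assumptions for this example, not observations the article reports.

```python
"""Flag suspicious use of Windows built-in administration tools.

Added example, not code from the article or any vendor/agency.  The
process-creation records are constructed, not real telemetry.  The
heuristics are general living-off-the-land indicators (MITRE ATT&CK
T1003.003, T1090, T1047, T1059.001), not any specific intrusion's commands.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Binaries named in the article.  All are legitimate admin tools, so the
# binary name alone never raises an alert; command line and context decide.
LOLBINS = {"wmic.exe", "ntdsutil.exe", "netsh.exe", "powershell.exe"}

# Assumed baseline: web-server workers should not spawn admin tooling; a
# LOLBIN child here usually means a web shell.  Tune per environment.
SUSPICIOUS_PARENTS = {"w3wp.exe", "httpd.exe"}

# (rule name, binary, regex over the lower-cased command line, severity)
RULES = [
    # ntdsutil "ifm" writes an Install-From-Media snapshot containing
    # NTDS.dit, i.e. every domain account's password hash (T1003.003).
    ("ntdsutil_ifm_snapshot", "ntdsutil.exe",
     r"\bifm\b|\bac\s+i\s+ntds\b|\bcreate\s+full\b", "high"),
    # netsh portproxy turns the host into a TCP relay for other traffic (T1090).
    ("netsh_portproxy", "netsh.exe", r"\bportproxy\b.*\badd\b", "high"),
    # wmic against a remote node or spawning processes (T1047).
    ("wmic_remote_exec", "wmic.exe", r"/node:|\bprocess\s+call\s+create\b", "medium"),
    # Encoded, hidden-window or download-cradle PowerShell (T1059.001).
    ("powershell_obfuscated", "powershell.exe",
     r"-e(nc(odedcommand)?)?\s|-w(indowstyle)?\s+hidden|downloadstring|\biex\b|invoke-expression",
     "medium"),
]


@dataclass
class ProcessEvent:
    """Minimal process-creation record (cf. Windows Security event 4688)."""
    host: str
    user: str
    parent_image: str
    image: str
    command_line: str


@dataclass
class Alert:
    rule: str
    severity: str
    host: str
    user: str
    evidence: str


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def detect(events: List[ProcessEvent]) -> List[Alert]:
    """Return one alert per matching rule per event, in event order."""
    alerts: List[Alert] = []
    for ev in events:
        image = _basename(ev.image)
        if image not in LOLBINS:
            continue
        cmd = ev.command_line.lower()
        for name, binary, pattern, severity in RULES:
            if image == binary and re.search(pattern, cmd):
                alerts.append(Alert(name, severity, ev.host, ev.user, ev.command_line))
        if _basename(ev.parent_image) in SUSPICIOUS_PARENTS:
            alerts.append(Alert("lolbin_from_suspicious_parent", "high", ev.host,
                                ev.user, f"{ev.parent_image} -> {ev.command_line}"))
    return alerts


def count_by_severity(alerts: List[Alert]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for a in alerts:
        counts[a.severity] = counts.get(a.severity, 0) + 1
    return counts


# Constructed sample telemetry: two benign admin actions, four that should fire.
SAMPLE_EVENTS = [
    ProcessEvent("FS01", "CORP\\helpdesk", r"C:\Windows\System32\cmd.exe",
                 r"C:\Windows\System32\netsh.exe", "netsh advfirewall show allprofiles"),
    ProcessEvent("WS07", "CORP\\jdoe", r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"),
    ProcessEvent("DC01", "CORP\\svc-backup", r"C:\Windows\System32\cmd.exe",
                 r"C:\Windows\System32\ntdsutil.exe",
                 r'ntdsutil.exe "ac i ntds" "ifm" "create full C:\Windows\Temp\pro" q q'),
    ProcessEvent("EDGE02", "NT AUTHORITY\\SYSTEM", r"C:\Windows\System32\cmd.exe",
                 r"C:\Windows\System32\netsh.exe",
                 "netsh interface portproxy add v4tov4 listenport=9999 "
                 "listenaddress=0.0.0.0 connectport=443 connectaddress=10.20.30.40"),
    ProcessEvent("WEB01", "IIS APPPOOL\\DefaultAppPool", r"C:\Windows\System32\inetsrv\w3wp.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"),
    ProcessEvent("WS12", "CORP\\jdoe", r"C:\Windows\System32\cmd.exe",
                 r"C:\Windows\System32\wbem\wmic.exe",
                 'wmic /node:10.0.0.15 process call create "cmd /c whoami"'),
]


def run_sample() -> List[Alert]:
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for a in run_sample():
        print(f"[{a.severity:>6}] {a.host} {a.user} {a.rule}: {a.evidence}")
```

The two benign records (a firewall status query and a scripted backup) produce nothing even though they run netsh and PowerShell, while the four abusive ones raise five alerts: the IIS worker spawning encoded PowerShell scores on both its command line and its parent. In production the same logic would read event 4688 or Sysmon event 1 rather than an inline list.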
The hackers gained initial access through
internet-facing Fortinet FortiGuard devices, which are engineered to use
machine learning to detect malware, Microsoft said.
Microsoft Customers Alerted
Microsoft said it proactively reached out to
all its customers that were either targeted or compromised, and provided them
information to secure their networks.
Over at least the past decade, human rights
groups have been warning American companies like Microsoft of potential
national security risks associated with negotiating with the Chinese Communist
Party to gain access to the Chinese market.
A report by the group Victims of Communism in
February 2022 warned that Google,
GE, Intel, and Microsoft had “potentially problematic linkages that may
directly or indirectly support China’s state surveillance, military
modernization, and human rights violations.”
Meanwhile, Microsoft’s Bing has become China’s
leading desktop search engine, surpassing Baidu, according to recent
statistical data from StatCounter.
John Hultquist, chief analyst at Google’s
Mandiant cybersecurity intelligence operation, called Microsoft’s Wednesday
announcement “potentially a really important finding.”
“We don’t see a lot of this sort of probing from
China. It’s rare,” Hultquist said. “We know a lot about Russian and North
Korean and Iranian cyber-capabilities because they have regularly done this.”
He added that China has generally withheld use
of the kinds of tools that could be used to seed, not just
intelligence-gathering capabilities, but also malware for disruptive attacks in
an armed conflict.
The Associated Press contributed to this report.