A Chinese state-sponsored cyber threat actor conducts discreet espionage operations within critical US infrastructure and may target other nations, Western Cyber security agencies and Microsoft warned Wednesday.
These operations could be aimed at developing ways to disrupt critical communications between the US and Asia “during future crises”, Microsoft said – a warning that could refer to a potential attack on Taiwan by China, which has indicated it may use military force to bring the democratically ruled island under its direct control.
The threat from the Chinese group, known as Volt Typhoon, prompted a rare joint advisory Wednesday from the Five Eyes cyber security agencies, including the Communications Security Establishment (CSE)’s Canadian Centre for Cyber Security.
The agencies and Microsoft said the group has avoided detection by blending into normal Windows operations through a series of techniques known as “living off the land.” The process allows the actor to move through systems by taking advantage of built-in network administration tools, making its actions look like normal activity.
CSE says Volt Typhoon has only been spotted in the United States so far, and no Canadian victims were reported Wednesday.
“However, Western economies are deeply interconnected,” the agency warned. “Much of our infrastructure is closely integrated and an attack on one can affect the other.”
The agencies further warned that they believe the group “could apply the same techniques against these and other sectors worldwide.”
In a threat intelligence advisory, Microsoft said Volt Typhoon has been active since mid-2021 and has targeted critical infrastructure in Guam and elsewhere in the United States, including the government, communications, information technology, maritime and education sectors, among others.
“Observed behavior indicates that the threat actor intends to perform espionage and maintain access undetected for as long as possible,” the assessment reads.
“Microsoft assesses with moderate confidence that this Volt Typhoon campaign seeks to develop capabilities capable of disrupting critical communications infrastructure between the US and Asia during future crises.”
Guam is home to major US military installations, including Andersen Air Force Base, which would be key to responding to any conflict in the Asia-Pacific region.
That would include a Chinese military attack on Taiwan, which the island’s democratic government has said it is actively preparing for. Taiwan’s foreign minister told Global News last month it was a matter of when, not if, Beijing would launch such a campaign.
China claims Taiwan as its own territory and top members of the Chinese Communist Party, including President Xi Jinping, have not been shy about their goals to take back control of the island. Xi and his top officials have not ruled out using military force to do so.
CSE and Microsoft would not say whether “future crises” were a reference to a potential Taiwan attack.
Microsoft said Volt Typhoon actors will hide within normal network activity and continue to collect data from their targets, including local network data that is then used to “maintain persistence.” Data will also be stored for exfiltration to external servers.
The company said it had notified targeted or compromised customers and provided them with information on how to “hunt” for the tactics and techniques used by Volt Typhoon and mitigate any effects.
But Microsoft also warned that “mitigating this attack can be challenging” due to the “live off the land” techniques used.
It warned that compromised accounts “must be closed or modified” to avoid future attacks.
Five Eyes cyber security agencies also issued detailed instructions on how to detect Volt Typhoon activity and “living off the land” techniques more generally.
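The two points the advisory makes above, that “living off the land” activity hides behind built-in administration tools, and that it is still detectable from context, are easiest to see in code. The following is an added example, not code from the article, from Microsoft or from the Five Eyes agencies. It assumes Windows process-creation records (Security event 4688 or Sysmon event 1) have been flattened to one line each in the form `time|host|user|parent_image|image|command_line`; every log line in it is constructed for the example, and the tool list is a generic set of built-in Windows administration utilities chosen here, not indicators from the page.

```python
"""Toy 'living off the land' detector over Windows process-creation logs.

Added example; it is not code from the article, Microsoft or the Five
Eyes agencies. Records are assumed to be flattened to one line each as
time|host|user|parent_image|image|command_line. All log lines below are
constructed for this example, and the tool list is a generic set of
built-in Windows administration utilities, not indicators from the page.
"""
from collections import Counter
from dataclasses import dataclass

# Legitimate built-in tools that blend into normal administration; their
# use is only interesting in context (assumption: a generic list).
ADMIN_TOOLS = {"netsh.exe", "wmic.exe", "ntdsutil.exe", "net.exe",
               "powershell.exe", "cmd.exe"}
# Parents that rarely have a reason to spawn admin tools (web server
# worker, Office applications); assumption for this example.
UNUSUAL_PARENTS = {"w3wp.exe", "winword.exe", "excel.exe", "outlook.exe"}
# Command-line fragments worth review on any host: port-proxy changes
# and anything touching the directory database.
SUSPICIOUS_ARGS = ("portproxy", "ntds")


@dataclass(frozen=True)
class ProcEvent:
    time: str
    host: str
    user: str
    parent: str
    image: str
    cmdline: str


def parse_line(line: str) -> ProcEvent:
    """Split one flattened record; raise on anything malformed."""
    fields = line.split("|", 5)  # command line may itself contain '|'
    if len(fields) != 6:
        raise ValueError(f"malformed record: {line!r}")
    time, host, user, parent, image, cmdline = fields
    return ProcEvent(time, host.upper(), user, parent.lower(),
                     image.lower(), cmdline)


def build_baseline(lines):
    """Count how often each (host, image) pair appeared during a known-good window."""
    base = Counter()
    for line in lines:
        ev = parse_line(line)
        base[(ev.host, ev.image)] += 1
    return base


def score(ev: ProcEvent, base: Counter) -> list:
    """Return the reasons an event deserves review; empty means it looks routine."""
    reasons = []
    if ev.image in ADMIN_TOOLS:
        if ev.parent in UNUSUAL_PARENTS:
            reasons.append(f"{ev.image} spawned by unusual parent {ev.parent}")
        if base[(ev.host, ev.image)] == 0:
            reasons.append(f"first sighting of {ev.image} on {ev.host}")
    lowered = ev.cmdline.lower()
    for frag in SUSPICIOUS_ARGS:
        if frag in lowered:
            reasons.append(f"sensitive command-line fragment '{frag}'")
    return reasons


def detect(lines, base):
    """Return ([(event, reasons), ...], skipped_count) for the given records."""
    alerts, skipped = [], 0
    for line in lines:
        try:
            ev = parse_line(line)
        except ValueError:
            skipped += 1  # never let one bad record abort the sweep
            continue
        reasons = score(ev, base)
        if reasons:
            alerts.append((ev, reasons))
    return alerts, skipped


# Constructed known-good activity: an administrator using the same tools.
BASELINE_LINES = [
    "2023-05-01T09:00:00|SRV01|CORP\\admin1|cmd.exe|netsh.exe|netsh advfirewall show allprofiles",
    "2023-05-02T09:05:00|SRV01|CORP\\admin1|cmd.exe|netsh.exe|netsh interface show interface",
    "2023-05-02T10:00:00|SRV01|CORP\\admin1|cmd.exe|wmic.exe|wmic os get version",
    "2023-05-03T11:00:00|DC01|CORP\\admin2|cmd.exe|net.exe|net user",
]

# Constructed records for the day under review, including one malformed line.
TODAY_LINES = [
    "2023-05-23T03:12:44|SRV01|CORP\\admin1|cmd.exe|wmic.exe|wmic os get version",
    "2023-05-23T03:14:02|SRV01|NT AUTHORITY\\SYSTEM|w3wp.exe|netsh.exe|netsh interface portproxy add v4tov4 listenport=9999 connectaddress=10.0.0.5 connectport=443",
    "2023-05-23T03:20:17|DC01|CORP\\admin2|cmd.exe|ntdsutil.exe|ntdsutil ifm create full C:\\temp\\out",
    "2023-05-23|truncated record",
]


def run():
    """Build the baseline and sweep today's records; used by main() and tests."""
    return detect(TODAY_LINES, build_baseline(BASELINE_LINES))


if __name__ == "__main__":
    alerts, skipped = run()
    for ev, reasons in alerts:
        print(f"{ev.time} {ev.host} {ev.user} {ev.image}: {'; '.join(reasons)}")
    print(f"{skipped} malformed line(s) skipped")
```

The first record (the same `wmic` query the administrator runs every day, from the usual parent) produces no alert even though it uses an administration tool, which is exactly why signature-only matching on tool names fails against this tradecraft. The other two are flagged on context: a web-server worker process launching `netsh` with a port-proxy change, and a tool never before seen on that domain controller. A real deployment would feed the baseline from weeks of logs and tune the parent and fragment lists per environment.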
Wednesday’s warning came a day after former Governor General David Johnston issued an interim report on his inquiry into how Canada detects and combats threats of foreign interference.
The report noted that Chinese meddling, unlike Russia’s, is designed to permeate democratic institutions and critical infrastructure, making it much more difficult to combat.
CSE’s annual National Cyber Threat Assessment noted that China, Russia, Iran and North Korea pose the greatest strategic cyber threat to Canada and all will continue to target key sectors over the next two years.
“That said, the threat posed by China is very likely the most significant in volume, capability and perceived intent,” the report said.
“China-sponsored cyber threat actors will very likely continue to target industries and technologies in Canada that contribute to the nation’s strategic priorities.”
—With files from Reuters
© 2023 Global News, a division of Corus Entertainment Inc.