The US State Department is warning the private sector, the public sector and Washington to “remain vigilant” amid news of Chinese state-sponsored cyber espionage in the country.
The group, called “Volt Typhoon” by the Five Eyes’ cyber security agencies and Microsoft on Wednesday, is conducting discreet espionage operations within critical US infrastructure and may target other nations, they warn.
These operations could be aimed at developing ways to disrupt critical communications between the US and Asia “during future crises”, Microsoft said – a warning that could refer to a potential attack on Taiwan by China, which has indicated it could use military force to bring the democratically governed island under its direct control.
“U.S. intelligence agencies assess that China is almost certainly capable of launching cyberattacks that could disrupt critical infrastructure services within the United States, including oil and gas pipelines and rail systems,” Matthew Miller, a spokesman for the U.S. State Department, said Thursday.
“It’s important for the government, network defenders and the public to be vigilant. That’s why the U.S. government … has been working with the private sector to prepare defenses, prepare defenses from the private sector, and we will continue to work with our allies and partners to address this critical issue.”

Beijing has rejected claims that its spies are going after Western targets, calling Wednesday’s joint warning a “collective disinformation campaign”.
Microsoft and the agencies, including the Canadian Centre for Cyber Security, which is part of the Communications Security Establishment (CSE), said Volt Typhoon has avoided detection by blending into normal Windows operations through a series of techniques known as “living off the land.”
The process allows the actor to move through systems by taking advantage of built-in network administration tools, making its actions look like normal activity.
CSE says Volt Typhoon has only been spotted in the US so far and no Canadian victims were reported as of Wednesday.

In its threat intelligence advisory, Microsoft said Volt Typhoon has been active since mid-2021 and has targeted critical infrastructure in Guam and elsewhere in the United States, including the government, communications, information technology, maritime and education sectors, among others.
Researchers at Secureworks, which is part of Dell Technologies, told Reuters on Thursday that the hackers have conducted a cyberespionage campaign against military and government targets that would “shed light on US military activities.”
Guam is home to major US military installations, including Andersen Air Force Base, which would be key to responding to any conflict in the Asia-Pacific region.
That would include a Chinese military attack on Taiwan, which the island’s democratic government has said it is actively preparing for. Taiwan’s foreign minister told Global News last month it was a matter of when, not if, Beijing would launch such a campaign.

China claims Taiwan as its own territory and top members of the Chinese Communist Party, including President Xi Jinping, have not been shy about their goals to take back control of the island. Xi and his top officials have not ruled out using military force to do so.
Microsoft did not say whether “future crises” was a reference to a potential future invasion of Taiwan by China. None of the allied intelligence agencies, including the CSE, addressed that comment from Microsoft in the joint statement.
The CSE referred questions about the wording to Microsoft, adding that it “could not say” what the company was referring to. Microsoft did not respond to a request for comment.
“This may be over Taiwan, but it would also affect US deterrence more broadly — in the South China Sea or the East China Sea,” said Jonathan Miller, senior fellow and director of foreign affairs at the Macdonald-Laurier Institute in an email to Global News.
“The goal is not to stop but to slow down and hamper U.S. efforts to support allies and partners in a contingency, and also disrupt intelligence and surveillance operations.”
Microsoft said Volt Typhoon actors will hide within normal network activity and continue to collect data from their targets, including local network data that is then used to “maintain persistence.” Data will also be stored for exfiltration to external servers.

The company said it had notified targeted or compromised customers and provided them with information on how to “hunt” for the tactics and techniques used by Volt Typhoon and mitigate any effects.
But Microsoft also warned that “mitigating this attack can be challenging” due to the “live off the land” techniques used. It warned that compromised accounts “must be closed or modified” to avoid future attacks.
Chinese Foreign Ministry spokesman Mao Ning told reporters that the warnings, issued by the US, Britain, Canada, Australia and New Zealand, were intended to promote their Five Eyes intelligence alliance – and that it was Washington that was responsible for the hacking.
“The United States is the empire of hacking,” Mao said.
— with files from Global News’ Sean Boynton and Reuters
© 2023 Global News, a division of Corus Entertainment Inc.