Chinese hackers have been discovered engaging in cyberespionage activities, raising concerns due to the potential impact on future conflicts between China and Taiwan. Microsoft, which named the campaign “Volt Typhoon,” described it as a stealthy and targeted operation focused on gaining unauthorized access to credentials and identifying network systems.
In a note documenting the Advanced Persistent Threat (APT) discovery, Microsoft stated that it assesses with moderate confidence that the Chinese cyberespionage campaign is pursuing the development of capabilities that could disrupt critical communications infrastructure between the United States and the Asian region during future crises.
Taking immediate action, the United States government’s cybersecurity response agency, CISA, issued an urgent bulletin providing information on the threat actor and offering guidance, Indicators of Compromise (IOCs), and other telemetry to aid defenders in identifying signs of compromise.
Microsoft has determined that this hacking group has been active since mid-2021 and has targeted critical infrastructure organizations not only in Guam but also in various other sectors across the United States. These sectors include communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education.
The primary objective of the threat actor is espionage, with a focus on maintaining undetected access for as long as possible. To achieve this, the hackers exploit internet-facing Fortinet FortiGuard devices and compromise small office/home office (SOHO) routers, thus masking the origin of their activities.
Microsoft has confirmed that several devices, such as those manufactured by ASUS, Cisco, D-Link, NETGEAR, and Zyxel, allow owners to expose their management interfaces to the internet. To reduce the attack surface, owners of network edge devices are advised to ensure that management interfaces are not publicly accessible.
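One way a defender can act on the advice above is to audit edge-device firewall rules for management services that are accepted from the WAN side. The following is an added example, not code from the article or from any vendor; the rule tuple format, the zone names and the management port list are assumptions chosen for illustration, and the rules themselves are constructed.

```python
# Added example (not from the article): audit a constructed set of edge-device
# firewall rules and report management services reachable from the WAN side.
# The rule format, zone names and port-to-service mapping are assumptions.

MGMT_PORTS = {22: "ssh", 23: "telnet", 80: "http", 443: "https", 8443: "https-alt"}
WAN_ZONES = {"wan", "any", "internet"}   # zones that include untrusted sources

# Constructed sample rules: (device, source_zone, dest_port, action)
SAMPLE_RULES = [
    ("router-branch-1", "lan", 443, "accept"),
    ("router-branch-1", "wan", 443, "accept"),   # HTTPS admin UI exposed to the internet
    ("router-branch-1", "wan", 22, "drop"),
    ("fw-hq", "any", 8443, "accept"),            # "any" silently includes the internet
    ("fw-hq", "wan", 80, "reject"),
    ("ap-lobby", "lan", 22, "accept"),           # LAN-only management is fine
]


def find_exposed_mgmt(rules):
    """Return {device: [service/port, ...]} for management ports accepted from a WAN zone."""
    exposed = {}
    for device, zone, port, action in rules:
        if action != "accept" or zone.lower() not in WAN_ZONES:
            continue
        service = MGMT_PORTS.get(port)
        if service:
            exposed.setdefault(device, []).append(f"{service}/{port}")
    return exposed


if __name__ == "__main__":
    for device, services in find_exposed_mgmt(SAMPLE_RULES).items():
        print(f"{device}: management reachable from WAN -> {', '.join(services)}")
```

The check treats a source zone of "any" the same as "wan", because an allow-from-anywhere rule is the most common way an administrative interface ends up reachable from the internet without anyone having written "wan" explicitly.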
By utilizing these compromised devices, the Volt Typhoon group enhances the stealth of their operations while minimizing the cost of acquiring infrastructure.
The group primarily relies on “living-off-the-land” commands to gather system information, discover additional network devices, and exfiltrate data. While the discovery of this cyberespionage campaign is concerning, it does not necessarily indicate imminent attacks.
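Because living-off-the-land activity uses binaries that are already present and individually benign, detection usually relies on correlating several suspicious categories of use on one host rather than alerting on any single command. The following is an added example, not code from the article or from Microsoft's report: it scores constructed Windows process-creation events against a small set of living-off-the-land patterns. The pattern list, the category names, the event format and the alert threshold are all assumptions chosen for illustration.

```python
# Added example (not from the article or Microsoft's report): flag hosts whose
# process-creation events show several categories of living-off-the-land use.
# Patterns, categories, event format and threshold are illustrative assumptions.
import re
from collections import defaultdict

# Each regex maps to the behaviour it suggests. Matched case-insensitively
# against the full command line of a process-creation event.
LOTL_PATTERNS = [
    (r"\bsysteminfo\b",                                   "discovery"),
    (r"\bipconfig(\.exe)?\b",                             "discovery"),
    (r"\bnltest(\.exe)?\b",                               "discovery"),
    (r"\bnet(\.exe)?\s+(group|user|localgroup)\b",        "discovery"),
    (r"\bwmic(\.exe)?\b.*\b(process|ntdomain|useraccount)\b", "discovery"),
    (r"\bntdsutil(\.exe)?\b",                             "credential_access"),
    (r"\breg(\.exe)?\s+save\s+hklm\\(sam|system|security)\b", "credential_access"),
    (r"\bnetsh(\.exe)?\b.*\bportproxy\b",                 "proxy"),
    (r"\bmakecab(\.exe)?\b|\bcompress-archive\b",         "staging"),
]
COMPILED = [(re.compile(p, re.I), cat) for p, cat in LOTL_PATTERNS]

# Constructed sample events, one per line: "timestamp|host|user|command line"
SAMPLE_EVENTS = """\
2023-05-24T10:01:02|WS-042|alice|C:\\Windows\\System32\\cmd.exe /c systeminfo
2023-05-24T10:01:40|WS-042|alice|nltest /domain_trusts
2023-05-24T10:03:11|WS-042|alice|ntdsutil.exe "activate instance ntds" ifm
2023-05-24T10:05:00|WS-042|alice|netsh interface portproxy add v4tov4 listenport=9999 connectaddress=10.0.0.5 connectport=8443
2023-05-24T11:00:00|WS-017|bob|C:\\Program Files\\Editor\\editor.exe --open report.docx
2023-05-24T11:02:00|WS-017|bob|ipconfig /all
"""


def classify(cmdline):
    """Return the set of living-off-the-land categories a command line matches."""
    return {cat for rx, cat in COMPILED if rx.search(cmdline)}


def score_hosts(raw_events, threshold=3):
    """Aggregate matched categories per host.

    Returns (flagged, per_host): flagged holds hosts with at least `threshold`
    distinct categories; per_host holds every host's category set for triage.
    """
    per_host = defaultdict(set)
    for line in raw_events.strip().splitlines():
        _ts, host, _user, cmd = line.split("|", 3)
        per_host[host] |= classify(cmd)
    flagged = {h: cats for h, cats in per_host.items() if len(cats) >= threshold}
    return flagged, dict(per_host)


if __name__ == "__main__":
    flagged, per_host = score_hosts(SAMPLE_EVENTS)
    for host, cats in per_host.items():
        marker = "ALERT" if host in flagged else "ok   "
        print(f"{marker} {host}: {sorted(cats) or '-'}")
```

The threshold keeps a single `ipconfig` from an ordinary user from raising an alert, while a host that moves from discovery to credential access to setting up a port proxy crosses it. In production the same aggregation would be done per host over a time window, and the pattern list tuned against the environment's known administrative tooling.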
John Hultquist, Chief Analyst at Google-owned Mandiant, explains that states conduct long-term intrusions into critical infrastructure in preparation for possible conflicts, since attempting to gain access once a conflict has begun may be too late. Similar contingency intrusions have been conducted by other states, including Russia, which has targeted various critical infrastructure sectors.
Although Beijing’s operations are aggressive, this does not automatically imply an imminent attack. A more reliable indicator of a destructive or disruptive cyberattack is a deteriorating geopolitical situation. States may use such capabilities as alternatives to armed conflict.
Hultquist highlights that Chinese cyberthreat actors have not frequently engaged in destructive and disruptive cyberattacks. Consequently, their capabilities remain somewhat unclear. The disclosure of this campaign provides a rare opportunity to investigate and prepare for this specific threat.