Chinese Hackers Have Operated Undetected on US Critical Infrastructure for Half a Decade


The US government on Wednesday said the Chinese state-sponsored hacking group known as Volt Typhoon has been embedded in some of the country’s critical infrastructure networks for at least five years.

The threat actor’s targets include the communications, energy, transportation, and water and wastewater systems sectors in the US and Guam.

“Volt Typhoon’s selection of targets and pattern of behavior are not consistent with traditional cyber espionage or intelligence gathering operations, and U.S. authoring agencies assess with high confidence that Volt Typhoon actors are pre-positioning themselves on IT networks to enable lateral movement to OT assets to disrupt functions,” the US government said.

The joint advisory, issued by the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI), is also supported by other countries that are part of the Five Eyes (FVEY) intelligence alliance, consisting of Australia, Canada, New Zealand, and the UK.

Volt Typhoon – also called Bronze Silhouette, Insidious Taurus, UNC3236, Vanguard Panda, or Voltzite – is a covert cyber espionage group based in China believed to be active since June 2021.

This first came to light in May 2023, when Microsoft revealed that the hacking crew had been able to establish a persistent foothold in critical infrastructure organizations in the US and Guam for extended periods of time without being detected, primarily by relying on living-off-the-land (LotL) techniques.

“This type of tradecraft, known as ‘living off the land,’ allows attackers to operate discreetly, with malicious activity blending in with legitimate system and network behavior, making it difficult to distinguish – even for organizations with more mature security postures,” the UK National Cyber Security Centre (NCSC) said.

Another notable tactic adopted by Volt Typhoon is the use of multi-hop proxies such as the KV-botnet to route malicious traffic through a network of compromised routers and firewalls in the US to mask its true origin.

Cybersecurity company CrowdStrike, in a report published in June 2023, highlighted the group’s reliance on a wide arsenal of open-source tooling against a narrow set of victims to achieve its strategic objectives.

“Volt Typhoon actors conduct extensive pre-exploitation reconnaissance to learn about the target organization and its environment; adapt their tactics, techniques, and procedures (TTPs) to the victim’s environment; and dedicate continued resources to maintain continuity and understanding of the target environment over time, even after the initial compromise,” the agencies said.


“The group also relies on valid accounts and uses strong operational security, which, combined, allows for long-term, undetected persistence.”

In addition, the nation-state group has been observed attempting to obtain administrator credentials within the network by exploiting privilege escalation flaws, then using that elevated access to facilitate lateral movement, reconnaissance, and full domain compromise.

The ultimate goal of the campaign is to retain access to the compromised environments, “methodically” re-targeting them over the years to validate and expand their unauthorized access. This elaborate approach, per the agencies, can be seen in cases where the actors repeatedly exfiltrate domain credentials to ensure they always hold current and valid accounts.

“In addition to leveraging stolen account credentials, the actors use LOTL techniques and avoid leaving malware artifacts on systems that would cause alerts,” CISA, FBI, and NSA said.

“Their strong focus on stealth and operational security allows them to maintain long-term, undiscovered persistence. Further, Volt Typhoon’s operational security is enhanced by targeted log deletion to conceal their actions within the compromised environment.”

The development comes as Citizen Lab revealed a network of at least 123 websites masquerading as local news outlets across 30 countries in Europe, Asia, and Latin America that push pro-China content as part of a large-scale influence campaign involving a Beijing public relations firm named Shenzhen Haimaiyunxiang Media Co., Ltd.

The Toronto-based digital watchdog, which calls the influence operation PAPERWALL, said it shares similarities with HaiEnergy, despite having different operators and unique TTPs.

“A central feature of PAPERWALL, observed throughout its network of websites, is the ephemeral nature of its most aggressive elements, where articles attacking critics of Beijing are routinely removed from these websites a few hours after being published,” Citizen Lab said.

In a statement shared by Reuters, a spokesperson for the Chinese embassy in Washington said that “it is a typical bias and double standard to allege that pro-China content and reports are ‘disinformation,’ and to call anti-China information ‘real.’”
