Chinese state-sponsored hackers have operated undetected inside U.S. critical infrastructure for years
For at least half a decade, a state-sponsored threat has lurked inside U.S. critical infrastructure, operating undetected and posing a significant risk to national security. On Wednesday, February 7, 2024, the U.S. government disclosed that a Chinese state-sponsored hacking group known as Volt Typhoon had infiltrated vital networks across the country, including the communications, energy, transportation, and water and wastewater systems sectors.
According to a joint advisory released by the Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and the Federal Bureau of Investigation (FBI), Volt Typhoon had maintained access and footholds in some of these critical infrastructure networks for at least five years. The agencies assess that the activity goes beyond traditional cyber espionage: the actors are pre-positioning themselves on IT networks to enable lateral movement to Operational Technology (OT) assets, so that they could disrupt functions in the event of a geopolitical crisis or military conflict.
The revelation sent shockwaves through the cybersecurity community and raised urgent concerns about the vulnerabilities within the nation’s infrastructure. “Volt Typhoon’s choice of targets and pattern of behavior is not consistent with traditional cyber espionage or intelligence gathering operations,” the U.S. government said, underscoring the gravity of the situation.
The threat posed by Volt Typhoon, also tracked as Bronze Silhouette, Insidious Taurus, UNC3236, Vanguard Panda, or Voltzite, is compounded by the group's tradecraft and stealth. Leveraging living-off-the-land (LotL) techniques, that is, using the operating system's own administration tools rather than custom malware, the group managed to evade detection for years, blending malicious activity with legitimate system and network behavior so that it looked like routine administration.
In addition to LotL techniques, Volt Typhoon routed its traffic through multi-hop proxies such as the KV-botnet, a network of compromised end-of-life small office/home office (SOHO) routers and firewalls located in the U.S., so that intrusions appeared to originate from domestic addresses. Cybersecurity firm CrowdStrike highlighted the group's reliance on an extensive arsenal of open-source tooling against a narrow set of victims, underscoring its deliberate, targeted approach.
The ultimate goal of Volt Typhoon’s campaign is to maintain long-term, undiscovered persistence within compromised environments, with a meticulous focus on obtaining and retaining access to domain credentials. Their strong operational security, coupled with targeted log deletion to conceal their actions, has allowed them to evade detection and maintain persistence over the years.
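The two tradecraft points above, living-off-the-land credential theft and targeted log deletion, are what a defender actually has to hunt for. The following is an added example written for this article, not code from the advisory or from any of the firms it cites: a small detection pass over constructed Windows event records. It flags command lines that match a few LotL credential-access and proxy patterns (the `ntdsutil` NTDS.dit export, `vssadmin` shadow copies, `reg save` of the SAM hive, `netsh portproxy`), flags audit-log clearing (Security event 1102, System event 104), and then correlates the two so that a credential grab followed by a log wipe on the same host and account is raised as one incident. The sample events, host names and account names are invented for the example; the rule patterns are common hunting heuristics, not a list taken from the article.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample events (not real telemetry), flattened from Windows
# Security (4688 process creation, 1102 audit log cleared) and System (104
# log cleared) records. Hosts and accounts are invented for the example.
SAMPLE_EVENTS = [
    {"ts": "2024-02-01T03:12:44Z", "host": "dc01", "channel": "Security", "event_id": 4688,
     "user": "CORP\\svc-backup",
     "cmdline": r'ntdsutil.exe "ac i ntds" "ifm" "create full C:\Windows\Temp\pro" q q'},
    {"ts": "2024-02-01T03:15:02Z", "host": "dc01", "channel": "Security", "event_id": 4688,
     "user": "CORP\\svc-backup",
     "cmdline": "netsh.exe interface portproxy add v4tov4 listenport=9999 "
                "connectaddress=10.20.5.7 connectport=3389"},
    # A LOLBin used for a benign query: presence of wmic alone must not alert.
    {"ts": "2024-02-01T08:30:00Z", "host": "ws17", "channel": "Security", "event_id": 4688,
     "user": "CORP\\jdoe", "cmdline": "wmic.exe os get caption"},
    {"ts": "2024-02-01T03:40:10Z", "host": "dc01", "channel": "Security", "event_id": 1102,
     "user": "CORP\\svc-backup", "cmdline": ""},
    # Routine log clear by an admin with no preceding suspicious activity.
    {"ts": "2024-02-01T09:00:00Z", "host": "ws17", "channel": "System", "event_id": 104,
     "user": "CORP\\helpdesk", "cmdline": ""},
]

# Command-line heuristics for living-off-the-land credential access and
# port-proxy pivoting. Each requires the specific arguments, not just the binary.
LOTL_RULES = [
    ("ntds_dump_ntdsutil", re.compile(r"ntdsutil(\.exe)?\b.*\bac\s+i\s+ntds\b.*\bifm\b", re.I)),
    ("shadow_copy_for_creds", re.compile(r"vssadmin(\.exe)?\s+create\s+shadow", re.I)),
    ("sam_hive_export", re.compile(r"\breg(\.exe)?\s+save\s+hklm\\(sam|security|system)\b", re.I)),
    ("portproxy_pivot", re.compile(r"netsh(\.exe)?\s+interface\s+portproxy\s+add\b", re.I)),
]

# Log-clearing events keyed by (channel, event id).
LOG_CLEAR_EVENTS = {
    ("Security", 1102): "security_log_cleared",
    ("System", 104): "system_log_cleared",
}


@dataclass(frozen=True)
class Alert:
    ts: str
    host: str
    user: str
    rule: str


def detect(events):
    """Return one Alert per event matching a LotL rule or a log-clear event."""
    alerts = []
    for e in events:
        key = (e["channel"], e["event_id"])
        if key in LOG_CLEAR_EVENTS:
            alerts.append(Alert(e["ts"], e["host"], e["user"], LOG_CLEAR_EVENTS[key]))
            continue
        if e["event_id"] == 4688:
            for name, pattern in LOTL_RULES:
                if pattern.search(e.get("cmdline", "")):
                    alerts.append(Alert(e["ts"], e["host"], e["user"], name))
    return alerts


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def correlate(alerts, window_seconds=3600):
    """Pair each log clear with LotL alerts from the same host and account
    within the preceding window; a clear with no preceding activity is not
    escalated, which keeps routine admin log rotation out of the incident list."""
    by_actor = {}
    for a in alerts:
        by_actor.setdefault((a.host, a.user), []).append(a)
    incidents = []
    for (host, user), group in by_actor.items():
        group.sort(key=lambda a: _parse(a.ts))
        clears = [a for a in group if a.rule.endswith("_log_cleared")]
        actions = [a for a in group if not a.rule.endswith("_log_cleared")]
        for c in clears:
            preceding = [a.rule for a in actions
                         if 0 <= (_parse(c.ts) - _parse(a.ts)).total_seconds() <= window_seconds]
            if preceding:
                incidents.append({"host": host, "user": user,
                                  "log_clear_ts": c.ts, "preceding": preceding})
    return incidents


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for a in found:
        print(f"{a.ts} {a.host} {a.user} {a.rule}")
    for inc in correlate(found):
        print("INCIDENT:", inc)
```

The correlation step is the part worth keeping: an isolated event 1102 is noisy on its own, and an isolated `ntdsutil` run may be a legitimate backup, but the sequence on one host under one account within an hour is exactly the pattern the advisory describes. In production the same logic would read from a SIEM rather than an inline list, and the rule set would be extended with the environment's own baseline of which accounts are expected to run these tools.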
The disclosure of Volt Typhoon’s activities comes amid growing concerns about Chinese influence operations targeting Western democracies. The Citizen Lab recently uncovered a network of websites impersonating local news outlets in a widespread influence campaign pushing pro-China content. While the connection between Volt Typhoon and these influence operations remains unclear, the revelations underscore the multifaceted nature of China’s cyber and information warfare capabilities.
As the U.S. government and its allies grapple with the threat posed by Volt Typhoon, the incident serves as a stark reminder of the evolving cybersecurity landscape and the urgent need for enhanced measures to safeguard critical infrastructure from malicious actors.
Unveiling the Stealthy Operations of Chinese Hackers in U.S. Critical Infrastructure
The U.S. government disclosed on Wednesday that Chinese state-sponsored hackers had maintained access to critical infrastructure networks in the country for at least five years. The hacking group, known as Volt Typhoon, had embedded itself within key sectors such as communications, energy, transportation, and water and wastewater systems, raising urgent concerns about national security vulnerabilities.
According to a joint advisory released by the Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and the Federal Bureau of Investigation (FBI), Volt Typhoon's activities extend beyond traditional cyber espionage: the agencies assess that the actors are pre-positioning themselves on IT networks to enable lateral movement to Operational Technology (OT) assets and to disrupt functions if a crisis arises.
The revelation underscored the sophisticated tactics employed by Volt Typhoon to evade detection and maintain persistent access within critical infrastructure networks. Leveraging living-off-the-land (LotL) techniques, the group operated discreetly, blending malicious activity with legitimate system and network behavior to evade detection for years.
In addition to LotL techniques, Volt Typhoon utilized multi-hop proxies like KV-botnet to mask their true origins, routing malicious traffic through compromised routers and firewalls in the U.S. The group’s reliance on an extensive arsenal of open-source tooling against a narrow set of victims further highlighted their strategic approach to cyber operations.
CrowdStrike emphasized Volt Typhoon's meticulous pre-exploitation reconnaissance, tailored tactics, techniques, and procedures (TTPs), and ongoing dedication to maintaining persistence within compromised environments. The group's focus on obtaining and retaining access to domain credentials, combined with strong operational security and targeted log deletion, allowed it to evade detection and maintain persistence over the years.
The joint advisory, co-sealed by the other members of the Five Eyes (FVEY) intelligence alliance, underscores the collaborative effort to address the growing threat posed by state-sponsored cyber actors.
In the face of evolving cyber threats, it is imperative for governments, organizations, and cybersecurity professionals to remain vigilant and adopt proactive measures to enhance the resilience of critical infrastructure and mitigate the risks posed by sophisticated threat actors like Volt Typhoon. Only through concerted efforts and collaboration can we effectively defend against emerging cyber threats and safeguard the integrity of essential systems and services.