Microsoft announced it has uncovered evidence that a hacking group operated by the communist Chinese regime, has compromised “critical infrastructure organizations in the United States.”
A May 24 message issued directly on Microsoft’s Security Blog points the finger at a group called Volt Typhoon, described as “a state-sponsored actor based in China that typically focuses on espionage and information gathering.”
MORE ON CHINESE COMMUNIST PARTY HACKING OPERATIONS
- Chinese Communist Hackers Using Zero Day Exploits on Microsoft Exchange Email Servers Since January
- Critical US Power Grid Hardware Wide Open With Backdoors, Warns CISA
- ‘Notorious’ State-Linked Chinese Hacking Group Responsible for Cyber Attacks on Dozens of Global Organizations
The company issued a heavy warning that Volt Typhoon is “pursuing development of capabilities that could disrupt critical communications infrastructure between the United States and Asia region during future crises.”
Microsoft stated that the company has “moderate confidence” in its assessment of the situation.
A report by Reuters on the affair stated that the People’s Republic of China (PRC) Embassy in Washington did not respond to a request for comment following the Microsoft bulletins.
Success
You are now signed up for our newsletter
Success
Check your email to complete sign up
Reuters quoted John Hultquist of Google’s Mandiant Intelligence as explaining the description of Volt Typhoon’s “pursuing development” likely “means they are preparing for that possibility.”
“There is greater interest in this actor because of the geopolitical situation,” Hultquist stated.
Allegations are alarming in that Microsoft says the following industries have been targeted by Volt Typhoon, which it adds has been working on targets in both Guam and the U.S. since 2021:
- Manufacturing
- Communications
- Utility
- Transportation
- Construction
- Maritime
- Government
- Information Technology
- Education Sectors
The alert frames Volt Typhoon as a particularly sophisticated threat actor in that it relies on stealth techniques to acquire user credentials that are used to manually collect data while routing traffic through something of a botnet of compromised small and home office network equipment such as wireless routers made by companies such as D-Link, Asus, and Cisco.
Microsoft’s allegations are backed up by a May 24 Joint Cybersecurity Advisory (JCA) by U.S. federal agencies such as the NSA and CISA and security agencies of other Five Eyes intelligence group agencies in Canada, Australia, New Zealand, and the United Kingdom published on the Pentagon website.
The JCA is a 24-page technical document explaining in depth a litany of methods employed by Volt Typhoon in its campaign, exploiting dozens of loopholes found in commonly used software packages native to most computers in an approach called “Living Off The Land.”
Fortinet FortiGuard
Microsoft explains that Volt Typhoon’s initial attack vector is to gain “access to targeted organizations through internet-facing Fortinet FortiGuard devices.”
The website for the Fortinet company’s Fortiguard platform states it was a “Co-founder of the World Economic Forum’s Center for Cybersecurity created in 2018.”
Fortinet is an official organization listed on the World Economic Forum (WEF) website, which states that, “More than 635,000 customers trust Fortinet to protect their businesses.”
An article published on the WEF’s website this April, authored by Fortinet Vice President, Global Training & Technical Field Enablement, Rob Rashotte, pointed out cybersecurity concerns to the market at large when stating “cybercrime activity shows no signs of slowing, with 65% of organizations expecting the number of cyberattacks to increase over the next 12 months.”
Rashotte added, “86% of business leaders and 93% of security leaders believe that global geopolitical instability will likely lead to a catastrophic cyber event in the next two years.”
Ultimately, Volt Typhoon’s exploits are able to obtain authentic user system credentials, allowing the CCP’s hackers to access systems as if they are a normal user, and is able to dump data processed through web browsers.
A May 24 report on the event by The New York Times decided to focus on the aspect of the hacks that hit Guam, rather than the United States, positing whether Taiwan is the real target on the basis that Guam “would be a centerpiece of any American military response to an invasion or blockade of Taiwan.”
Nonetheless, The Times revealed that both Microsoft and “American intelligence agencies” became aware of Volt Typhoon’s exploits in February, around the same time that the Internet was distracted with the spurious Chinese spy balloon scandal.
The New York Times added interviews with unnamed Biden administration officials who “said they believed the code was part of a vast Chinese intelligence collection effort that spans cyberspace, outer space and, as Americans discovered with the balloon incident, the lower atmosphere.”
The article added that Tom Burt, a Microsoft executive, directly told the Times that Volt Typhoon exploits were uncovered “while investigating intrusion activity impacting a U.S. port.”
When tracing the hacks, Microsoft found other networks hit included “some in the telecommunications sector in Guam,” Burt stated.
Deputy National Security Advisor for the Biden administration Anne Neuberger was quoted as emphasizing “the urgency to use trusted vendors,” which The Times described as companies “whose equipment has met established cybersecurity standards.”
