Volt Typhoon, a hacking group backed by the Chinese government, was once again called out in a Joint Cybersecurity Advisory from the Five Eyes countries, this time for pre-positioning itself to launch disruptive or destructive cyberattacks against critical infrastructure in the United States and allied countries.
The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Federal Bureau of Investigation (FBI) said in a report on February 7 that the People’s Republic of China (PRC)’s state-sponsored cyber actors are seeking to pre-position themselves for cyberattacks in the event of a major crisis or conflict with the US.
The Chinese Foreign Ministry accused the Five Eyes countries of launching a smear campaign against China.
“We firmly oppose the US and other Five Eyes nations smearing and attacking China without any evidence,” Wang Wenbin, a spokesperson of China’s Ministry of Foreign Affairs, said in a press conference.
“The alliance needs to know that falsely accusing China will not hide the fact that Five Eyes is the largest global intelligence agency and the US is the No.1 ‘hacking state’ in the world,” he said.
He urged Five Eyes countries to join China’s Global Initiative on Data Security, which was unveiled four years ago to call on countries to jointly build cyberspace that will feature peace, security, openness, cooperation and a sound order, and not to use information technology to undermine other countries’ critical infrastructure, steal important data or otherwise endanger their national security and public interests.
The report of the Joint Cybersecurity Advisory was published after FBI Director Christopher Wray warned on January 31 that China’s hackers are targeting American infrastructure in preparation to wreak havoc and cause real-world harm to US citizens and communities.
He said China’s hackers are targeting water treatment plants, electrical grids, oil and natural gas pipelines and transportation systems in the US.
Wang said on February 1 that Wray’s criticism is “extremely irresponsible and is a complete distortion of facts.” He said the US itself is the origin and the biggest perpetrator of cyberattacks as the US Cyber Force Command openly declared that the critical infrastructure of other countries is a legitimate target for US cyberattacks.
Five-year infiltration
In its latest report, the CISA, NSA and FBI warned that Volt Typhoon has been targeting critical infrastructure in the US and allied countries. The advisory was co-authored with the following partner agencies:
- US Department of Energy (DOE)
- US Environmental Protection Agency (EPA)
- US Transportation Security Administration (TSA)
- Australian Signals Directorate’s Australian Cyber Security Center (ACSC)
- Canadian Center for Cyber Security (CCCS), a part of the Communications Security Establishment (CSE)
- United Kingdom National Cyber Security Center (NCSC-UK)
- New Zealand National Cyber Security Center (NCSC-NZ)
They said Volt Typhoon actors conduct extensive pre-exploitation reconnaissance to learn about a target organization and its environment; tailor their tactics, techniques, and procedures (TTPs) to the victim’s environment; and dedicate ongoing resources to maintaining persistence and understanding the target environment over time, even after initial compromise.
“The US authoring agencies have recently observed indications of Volt Typhoon actors maintaining access and footholds within some victim IT environments for at least five years,” they added.
They said Volt Typhoon is also known as Vanguard Panda, Bronze Silhouette, Voltzite and Insidious Taurus.
On January 29, Reuters reported that the US government had in recent months launched an operation to crack down on Volt Typhoon. It said the US Justice Department and FBI had sought and received legal authorization to remotely disable aspects of the group’s hacking campaign.
Citing three unnamed sources, it said Volt Typhoon expanded the scope of its operations in late 2023 and changed some of its techniques, resulting in a series of meetings between the White House and private businesses in the technology industry.
Microsoft’s report
On May 24 last year, Microsoft said it had uncovered stealthy and targeted malicious activity focused on post-compromise credential access and network system discovery aimed at critical infrastructure organizations in the US.
It said Volt Typhoon has been active since mid-2021 and has targeted critical infrastructure organizations in Guam and elsewhere in the US.
It said the hacker group collected data, including credentials from local and network systems, put the data into an archive file to stage it for exfiltration and then used some stolen valid credentials to maintain persistence.
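The sequence Microsoft describes, credentials pulled from local and domain stores and then packed into an archive for staging, is one a defender can look for by correlating process-creation events on the same host. The script below is an added example written for this article; it is not code from Microsoft, the advisory or any vendor, and the event fields, the host and user names, and the specific command-line patterns it treats as credential collection and archive staging are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of process-creation events (Sysmon Event ID 1 style, trimmed
# to the fields this example needs). Hosts, users and commands are made up.
SAMPLE_EVENTS = [
    {"ts": "2024-02-01T03:12:09", "host": "dc01", "user": r"CORP\svc_backup",
     "cmdline": r'ntdsutil.exe "ac i ntds" "ifm" "create full C:\Windows\Temp\ifm" q q'},
    {"ts": "2024-02-01T03:15:40", "host": "dc01", "user": r"CORP\svc_backup",
     "cmdline": r"7z.exe a -pS3cret C:\Windows\Temp\out.7z C:\Windows\Temp\ifm"},
    # Benign: a user zipping documents with no preceding credential-store access.
    {"ts": "2024-02-01T08:00:00", "host": "ws17", "user": r"CORP\alice",
     "cmdline": r"7z.exe a C:\Users\alice\Documents\report.zip C:\Users\alice\Documents\q4"},
    # SAM hive saved, then archived almost three hours later (outside a one-hour window).
    {"ts": "2024-02-02T22:05:11", "host": "fs02", "user": r"CORP\jdoe",
     "cmdline": r"reg.exe save hklm\sam C:\ProgramData\sam.hiv"},
    {"ts": "2024-02-03T01:00:00", "host": "fs02", "user": r"CORP\jdoe",
     "cmdline": r"rar.exe a C:\ProgramData\x.rar C:\ProgramData\sam.hiv"},
]

# Assumed indicators of credential-store collection on Windows hosts.
CRED_COLLECTION = [
    re.compile(r"ntdsutil(\.exe)?\b.*\b(ntds|ifm)\b", re.I),          # NTDS.dit via IFM
    re.compile(r"\breg(\.exe)?\s+save\s+hklm\\(sam|security|system)\b", re.I),
    re.compile(r"\besentutl(\.exe)?\b.*ntds\.dit", re.I),
]

# Assumed indicators of archive creation used to stage data for exfiltration.
ARCHIVE_STAGING = [
    re.compile(r"\b(7z|7za|rar|winrar)(\.exe)?\s+a\b", re.I),
    re.compile(r"\bCompress-Archive\b", re.I),
    re.compile(r"\bmakecab(\.exe)?\b", re.I),
]


def _matches(cmdline, patterns):
    return any(p.search(cmdline) for p in patterns)


def find_staging_sequences(events, window=timedelta(hours=1)):
    """Return one hit per (credential collection -> archive) pair on the same host
    where the archive command follows the collection command within `window`."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)

    hits = []
    for host, evs in by_host.items():
        evs = sorted(evs, key=lambda e: datetime.fromisoformat(e["ts"]))
        pending = []  # credential-collection events not yet paired with an archive
        for e in evs:
            t = datetime.fromisoformat(e["ts"])
            cmd = e["cmdline"]
            if _matches(cmd, CRED_COLLECTION):
                pending.append((t, e))
                continue
            if not _matches(cmd, ARCHIVE_STAGING):
                continue
            # Pair with the most recent unpaired collection event inside the window.
            for i in range(len(pending) - 1, -1, -1):
                ct, ce = pending[i]
                gap = t - ct
                if timedelta(0) <= gap <= window:
                    hits.append({
                        "host": host,
                        "user": e["user"],
                        "credential_cmd": ce["cmdline"],
                        "archive_cmd": cmd,
                        "gap_seconds": int(gap.total_seconds()),
                    })
                    del pending[i]
                    break
    return hits


if __name__ == "__main__":
    for h in find_staging_sequences(SAMPLE_EVENTS, window=timedelta(hours=6)):
        print(f"{h['host']} {h['user']} gap={h['gap_seconds']}s")
        print(f"  collect: {h['credential_cmd']}")
        print(f"  archive: {h['archive_cmd']}")
```

With the default one-hour window only dc01 is flagged; widening the window to six hours also catches fs02, where the hive was archived nearly three hours after it was saved. The lone archive on ws17 is never flagged because nothing on that host touched a credential store first, which is the point of correlating rather than alerting on every archive command. Matching on command lines is trivially evaded by a renamed binary, so a production rule should key on the executable's original file name or hash as well, and the long dwell times reported for Volt Typhoon argue for a generous window.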
A Zhejiang-based military writer called Zhiye published an article with the title “Chinese hackers Volt Typhoon have made achievements again, leaving the Central Intelligence Agency (CIA) and Microsoft bewildered.”
In a joint advisory released last May, the cybersecurity agencies of the Five Eyes governments disclosed the living-off-the-land techniques Volt Typhoon uses, relying on built-in network administration tools to blend in with normal activity, to compromise organizations and cover its tracks.
CrowdStrike, a Texas-based cybersecurity firm, said last June that its team successfully identified Vanguard Panda’s webshells, or malicious scripts, as the Chinese hacker group made a misstep when wiping out its traces.
The company said Vanguard Panda had clearly performed extensive preparation, including prior reconnaissance and enumeration, with its knowledge and use of remote hosts within the environment.
Since 1999, China’s hackers have launched many rounds of cyberattacks on government-related websites in the US. In an attack in 2001, the White House’s website was down for more than two hours due to Chinese hackers’ attack.
Follow Jeff Pao on Twitter at @jeffpao3