Chinese government-sponsored hackers have managed to infiltrate critical infrastructure systems across the United States and Guam, conducting covert cyber espionage operations and stealing sensitive data, according to reports by Microsoft and government agencies, including the NSA and FBI.

These foreign hackers, known as the ‘Volt Typhoon’ group, have been operating for at least two years, remaining undetected while targeting crucial information for the People’s Republic of China.

Living off the land hacking

To maintain their stealthy presence, the Volt Typhoon hackers employ a sneaky technique called “living off the land.” Hackers typically install external tools or malware to infiltrate vulnerable devices. However, the Volt Typhoon technique targets existing software and features already present on compromised devices. By doing so, they avoid attracting attention from security systems that typically detect the presence of malicious software.

“To achieve their objective, the threat actor puts strong emphasis on stealth in this campaign, relying almost exclusively on living-off-the-land techniques and hands-on-keyboard activity,” the Microsoft researchers wrote in their advisory report.

The data stolen by the Chinese hackers includes credentials, which are then used to further obscure hacking activity. For instance, this data is used to blend in with normal network traffic by using compromised small office and home office (SOHO) network equipment such as routers, firewalls, and VPN hardware.

This way, when security analysts look at network traffic looking for patterns of suspicious activity, they won’t see any red flags. However, the traffic that is supposedly from Guam or California is spoofed, masking activity coordinated all the way from China.

To first gain access to critical US-based infrastructure, the hackers seem to have found a back door in Internet-facing Fortinet FortiGuard devices, Ars Technica reported. Ironically, these are security appliances designed to protect networks from various threats. However, when these devices are left unpatched or have unaddressed vulnerabilities, they become susceptible to exploitation by hackers.

In the context of the Volt Typhoon campaign, hackers exploit these vulnerabilities in FortiGuard devices to gain unauthorized access to a network. Once they penetrate the device, they extract credentials from the network’s Active Directory. The Active Directory is a database that stores crucial information such as usernames, password hashes, and other sensitive data related to user accounts. With these credentials in hand, the hackers can then proceed to infect other devices within the network, expanding their reach and control.

What’s at stake?

The industries affected by these cyber intrusions span a wide range, including communications, manufacturing, utilities, transportation, construction, maritime, government, information technology, and education.

According to Microsoft researchers, the ultimate aim for the Volt Typhoon campaign likely aims to develop capabilities for disrupting critical communications infrastructure between the United States and the Asia region during potential future crises.

Guam is of particular strategic importance as it hosts important Pacific ports and an air base utilized by the US military. As tensions rise over issues like Taiwan, Guam has become a focal point due to its critical position.

The United States has long followed a policy of “strategic ambiguity” on whether it would intervene militarily to protect Taiwan in the event of a Chinese attack. However, U.S. President Joe Biden has said he would be willing to use force to defend it. In the event of such action, the U.S. would effectively go to war with China, who will most likely activate and disrupt hacked systems from day one.

While the Volt Typhoon hack has now been exposed, there may be many other systems and networks that are currently compromised but the hacking has yet to be detected.

Besides Taiwan, the US and China are engaged in tussling over a range of issues, including trade and technology transfer. In order to hamper Chinese influence, the US has introduced various export controls, most notably on semiconductors, and is even seriously considering banning the popular social media application TikTok, owned by China’s ByteDance.

In its turn, China has introduced its own control measures. For instance, products from the U.S.-based memory chip maker Micro are banned in China, citing natural security.

One of the most significant clashes between the two powers occurred in February when the U.S. Air Force shot down what it says was a Chinese spy balloon over American airspace. China denied the accusation, saying the airship was simply a weather balloon that had run off course.

To help organizations detect and mitigate these attacks, the advisory provides indicators of compromise that administrators can use to identify potential infections. For instance, compromised systems may exhibit successful sign-ins from unfamiliar IP addresses, and unusual command-line activities may be associated with the same user account.