

Chinese state hackers infiltrate US and Guam critical infrastructure, steal sensitive data

Chinese state hackers employed stealthy techniques and leveraged compromised devices for cyber espionage.

Tibi Puiu
May 25, 2023 @ 10:45 pm


Illustration of hacker with abstract background
Credit: Pixabay.

Chinese government-sponsored hackers have managed to infiltrate critical infrastructure systems across the United States and Guam, conducting covert cyber espionage operations and stealing sensitive data, according to reports by Microsoft and government agencies, including the NSA and FBI.

These foreign hackers, known as the ‘Volt Typhoon’ group, have been operating for at least two years, remaining undetected while targeting crucial information for the People’s Republic of China.

Living off the land hacking

To maintain their stealthy presence, the Volt Typhoon hackers employ a technique called “living off the land.” Intruders typically install external tools or malware on the devices they compromise. The Volt Typhoon operators instead rely on software and features already present on those devices. By doing so, they avoid triggering security systems that are built to detect the presence of malicious software.

“To achieve their objective, the threat actor puts strong emphasis on stealth in this campaign, relying almost exclusively on living-off-the-land techniques and hands-on-keyboard activity,” the Microsoft researchers wrote in their advisory report.

The data stolen by the Chinese hackers includes credentials, which are then used to further obscure the intrusion. For instance, the attackers route their traffic through compromised small office and home office (SOHO) network equipment such as routers, firewalls, and VPN hardware so that it blends in with normal network traffic.

This way, when security analysts look at network traffic looking for patterns of suspicious activity, they won’t see any red flags. However, the traffic that is supposedly from Guam or California is spoofed, masking activity coordinated all the way from China.

To first gain access to critical US-based infrastructure, the hackers seem to have found a back door in Internet-facing Fortinet FortiGuard devices, Ars Technica reported. Ironically, these are security appliances designed to protect networks from various threats. However, when these devices are left unpatched or have unaddressed vulnerabilities, they become susceptible to exploitation by hackers.

In the context of the Volt Typhoon campaign, hackers exploit these vulnerabilities in FortiGuard devices to gain unauthorized access to a network. Once they penetrate the device, they extract credentials from the network’s Active Directory. The Active Directory is a database that stores crucial information such as usernames, password hashes, and other sensitive data related to user accounts. With these credentials in hand, the hackers can then proceed to infect other devices within the network, expanding their reach and control.

What’s at stake?

The industries affected by these cyber intrusions span a wide range, including communications, manufacturing, utilities, transportation, construction, maritime, government, information technology, and education.

According to Microsoft researchers, the ultimate aim of the Volt Typhoon campaign is likely to develop capabilities for disrupting critical communications infrastructure between the United States and the Asia region during potential future crises.

Guam is of particular strategic importance as it hosts important Pacific ports and an air base utilized by the US military. As tensions rise over issues like Taiwan, Guam has become a focal point due to its critical position.

The United States has long followed a policy of “strategic ambiguity” on whether it would intervene militarily to protect Taiwan in the event of a Chinese attack. However, U.S. President Joe Biden has said he would be willing to use force to defend it. In the event of such action, the U.S. would effectively go to war with China, which would most likely activate and disrupt the compromised systems from day one.

While the Volt Typhoon hack has now been exposed, there may be many other systems and networks that are currently compromised but the hacking has yet to be detected.

Besides Taiwan, the US and China are engaged in tussling over a range of issues, including trade and technology transfer. In order to hamper Chinese influence, the US has introduced various export controls, most notably on semiconductors, and is even seriously considering banning the popular social media application TikTok, owned by China’s ByteDance.

In turn, China has introduced its own control measures. For instance, products from the U.S.-based memory chip maker Micron are banned in China, citing national security.

One of the most significant clashes between the two powers occurred in February when the U.S. Air Force shot down what it says was a Chinese spy balloon over American airspace. China denied the accusation, saying the airship was simply a weather balloon that had run off course.

To help organizations detect and mitigate these attacks, the advisory provides indicators of compromise that administrators can use to identify potential infections. For instance, compromised systems may exhibit successful sign-ins from unfamiliar IP addresses, and unusual command-line activities may be associated with the same user account.
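The two indicators named above can be correlated automatically. The following is an added example, not code from the advisory or the article: it parses a constructed sign-in and command-line log, treats any successful sign-in from an address outside an assumed set of known networks as unfamiliar, and raises an alert when that same account then runs programs outside its assumed per-account baseline within a time window.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sample log (not taken from the advisory). Two record types:
#   SIGNIN  <iso-ts> user=<name> src=<ip> result=<success|failure>
#   CMDLINE <iso-ts> user=<name> cmd=<program and arguments>
SAMPLE_LOG = """\
SIGNIN  2023-05-20T01:02:10 user=alice src=10.0.0.5 result=success
CMDLINE 2023-05-20T01:03:00 user=alice cmd=outlook.exe
SIGNIN  2023-05-20T02:10:00 user=svc_backup src=198.51.100.23 result=success
CMDLINE 2023-05-20T02:11:30 user=svc_backup cmd=backup_agent.exe --run
CMDLINE 2023-05-20T02:14:05 user=svc_backup cmd=cmd.exe /c netstat -an
SIGNIN  2023-05-20T03:00:00 user=bob src=203.0.113.9 result=failure
SIGNIN  2023-05-20T03:20:00 user=carol src=203.0.113.40 result=success
CMDLINE 2023-05-20T03:21:00 user=carol cmd=winword.exe
"""

# Assumed per-account baseline of programs each account normally launches.
BASELINE = {
    "alice": {"outlook.exe", "winword.exe"},
    "svc_backup": {"backup_agent.exe"},
    "carol": {"winword.exe", "outlook.exe"},
}
# Assumed networks the organisation expects sign-ins to come from.
KNOWN_NETS = [ipaddress.ip_network("10.0.0.0/8"),
              ipaddress.ip_network("203.0.113.0/24")]

LINE_RE = re.compile(r"^(SIGNIN|CMDLINE)\s+(\S+)\s+user=(\S+)\s+(.*)$")

def parse(log):
    """Turn the text log into a list of event dicts with parsed timestamps."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash the detector
        kind, ts, user, rest = m.groups()
        ev = {"kind": kind, "ts": datetime.fromisoformat(ts), "user": user}
        if kind == "SIGNIN":
            ev["src"] = ipaddress.ip_address(rest.split()[0].split("=", 1)[1])
            ev["ok"] = "result=success" in rest
        else:
            ev["cmd"] = rest.split("=", 1)[1]
        events.append(ev)
    return events

def correlate(log, window_minutes=30):
    """Alert on a successful sign-in from an unfamiliar IP followed, within the
    window, by command lines outside that account's baseline."""
    events, alerts, window = parse(log), [], timedelta(minutes=window_minutes)
    for s in events:
        if s["kind"] != "SIGNIN" or not s["ok"]:
            continue
        if any(s["src"] in net for net in KNOWN_NETS):
            continue  # familiar source address, nothing to correlate
        odd = [e["cmd"] for e in events
               if e["kind"] == "CMDLINE" and e["user"] == s["user"]
               and s["ts"] <= e["ts"] <= s["ts"] + window
               and e["cmd"].split()[0] not in BASELINE.get(s["user"], set())]
        if odd:
            alerts.append((s["user"], str(s["src"]), odd))
    return alerts
```

On the sample log only the svc_backup account trips both conditions; alice and carol sign in from known networks and bob's sign-in failed.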
