Chinese Attack Critical Infrastructure
The US intelligence community and Silicon Valley are warning of a major threat.
CNBC (“Microsoft warns that China hackers attacked U.S. infrastructure“):
Microsoft warned on Wednesday that Chinese state-sponsored hackers had compromised “critical” U.S. cyber infrastructure across numerous industries with a focus on gathering intelligence.
The Chinese hacking group, codenamed “Volt Typhoon,” has operated since mid-2021, Microsoft said in an advisory. The organization is apparently working to disrupt “critical communications infrastructure between the United States and Asia,” Microsoft said, to stymie efforts during “future crises.”
The National Security Agency put out a bulletin on Wednesday, detailing how the hack works and how cybersecurity teams should respond.
The attack is apparently ongoing. In an advisory, Microsoft urged impacted customers to “close or change credentials for all compromised accounts.”
U.S. intelligence agencies became aware of the incursion in February, around the same time that a Chinese spy balloon was downed, the New York Times reported.
The infiltration was focused on communications infrastructure in Guam and other parts of the U.S., the Times reported, and was particularly alarming to U.S. intelligence because Guam sits at the heart of an American military response in case of a Taiwanese invasion.
Volt Typhoon is able to infiltrate organizations using a unnamed vulnerability in a popular cybersecurity suite called FortiGuard, Microsoft said. Once the hacking group has gained access to a corporate system, it steals user credentials from the security suite and uses them to try to gain access to other corporate systems.
The state-sponsored hackers aren’t looking to create disruption yet, Microsoft said. Rather, “the threat actor intends to perform espionage and maintain access without being detected for as long as possible.”
Infrastructure in nearly every critical sector has been impacted, Microsoft said, including the communications, transport, and maritime industries. Government organizations were also targeted.
Chinese government-backed hackers have targeted critical and sensitive information from U.S. companies before. Covington and Burling, a prominent law firm, was hacked by suspected Chinese state-sponsored hackers in 2020.
In a joint statement with international and domestic intelligence services, the Cybersecurity and Infrastructure Security Agency warned that Chinese attacks pose a continued risk to American intellectual property.
“For years, China has conducted aggressive cyber operations to steal intellectual property and sensitive data from organizations around the globe,” CISA director Jen Easterly said in a statement.
David Sanger of the NYT (“Chinese Malware Hits Systems on Guam. Is Taiwan the Real Target?“) adds:
The code, which Microsoft said was installed by a Chinese government hacking group, raised alarms because Guam, with its Pacific ports and vast American air base, would be a centerpiece of any American military response to an invasion or blockade of Taiwan. The operation was conducted with great stealth, sometimes flowing through home routers and other common internet-connected consumer devices, to make the intrusion harder to track.
The code is called a “web shell,” in this case a malicious script that enables remote access to a server. Home routers are particularly vulnerable, especially older models that have not had updated software and protections.
Unlike the balloon that fascinated Americans as it performed pirouettes over sensitive nuclear sites, the computer code could not be shot down on live television. So instead, Microsoft on Wednesday published details of the code that would make it possible for corporate users, manufacturers and others to detect and remove it. In a coordinated release, the National Security Agency — along with other domestic agencies and counterparts in Australia, Britain, New Zealand and Canada — published a 24-page advisory that referred to Microsoft’s finding and offered broader warnings about a “recently discovered cluster of activity” from China.
China has never acknowledged hacking into American networks, even in the biggest example of all: the theft of security clearance files of roughly 22 million Americans — including six million sets of fingerprints — from the Office of Personnel Management during the Obama administration. That exfiltration of data took the better part of a year, and resulted in an agreement between President Barack Obama and President Xi Jinping that resulted in a brief decline in malicious Chinese cyberactivity.
On Wednesday, China sent a warning to its companies to be alert to American hacking. And there has been plenty of that, too: In documents released by Edward Snowden, the former N.S.A. contractor, there was evidence of American efforts to hack into the systems of Huawei, the Chinese telecommunications giant, and military and leadership targets.
Telecommunications networks are key targets for hackers, and the system in Guam is particularly important to China because military communications often piggyback on commercial networks.
Tom Burt, the executive who oversees Microsoft’s threat intelligence unit, said in an interview that the company’s analysts — many of them veterans of the National Security Agency and other intelligence agencies — had found the code “while investigating intrusion activity impacting a U.S. port.” As they traced back the intrusion, they found other networks that were hit, “including some in the telecommunications sector in Guam.”
Anne Neuberger, the deputy national security adviser for cyber and emerging technology, said that covert efforts “like the activity exposed today are part of what’s driving our focus on the security of telecom networks and the urgency to use trusted vendors” whose equipment has met established cybersecurity standards.
Ms. Neuberger has been spearheading an effort across the federal government to enforce new cybersecurity standards for critical infrastructure. Officials were taken by surprise by the extent of the vulnerabilities in such infrastructure when a Russian ransomware attack on Colonial Pipeline in 2021 interrupted gasoline, diesel and airplane fuel flow on the East Coast. In the wake of the attack, the Biden administration used little-known powers of the Transportation Security Administration — which regulates pipelines — to force private-sector utilities to follow a series of cybersecurity mandates.
Now Ms. Neuberger is driving what she called a “relentless focus on improving the cybersecurity of our pipelines, rail systems, water systems and other critical services,” including the mandates on cybersecurity practices for these sectors and closer collaboration with companies with “unique visibility” into threats to such infrastructure.
In this case, it was the focus on Guam that particularly seized the attention of officials who are assessing China’s capabilities — and its willingness — to attack or choke off Taiwan. Mr. Xi has ordered the People’s Liberation Army to be capable of taking the island by 2027. But the C.I.A. director, William J. Burns, has noted to Congress that the order “does not mean he has decided to conduct an invasion.”
In the dozens of U.S. tabletop exercises conducted in recent years to map out what such an attack might look like, one of China’s first anticipated moves would be to cut off American communications and slow the United States’ ability to respond. So the exercises envision attacks on satellite and ground communications, especially around American installations where military assets would be mobilized.
None is bigger than Guam, where Andersen Air Force Base would be the launching point for many of the Air Force missions to help defend the island, and a Navy port is crucial for American submarines.
This is Cold War-scale intelligence operations using new-age technology. Countries spy on one another. It’s well documented that the United States even spies on its allies and vice-versa. Decision-makers need the best information possible on the capabilities and intentions of other actors in the system.
This seems to go beyond normal, low-level “competition below armed conflict,” in the current Defense Department vernacular, into something more like preparation of the battlespace. Cyber operations are inherently murky compared to traditional “kinetic” operations, making drawing lines difficult. But we seem to be at a point where China is more than a “strategic competitor” but rather an adversary. Which would seem to portend a considerably different economic relationship.