The infamous “Volt Typhoon” group that Microsoft began warning the US of last month has been hanging around in critical infrastructure for longer than previously documented, with CISA and the FBI warning that some companies have been compromised for at least five years now.
The extent of the campaign reflects the length of time that there have been serious tensions over the fate of Taiwan, roughly corresponding with increased action by the Chinese military in the Taiwan Strait. This has in turn raised questions about Chinese intent to invade the country, and how far the US will go in the absence of a formal military defense agreement with the nation.
China accused of positioning in US critical infrastructure since at least 2019
The new report warns critical infrastructure (and industry-adjacent) companies that the Chinese hackers are targeting a broad range of routers with known vulnerabilities, more than previously listed. And while the threat actors prefer exploiting end-of-life devices that aren’t secured, they have at times been spotted using zero-days to get into networks.
The report does not list specific breaches of critical infrastructure, but does say that water and electrical systems have been compromised to a potentially dangerous level. The Chinese hackers are sophisticated, and they seemingly have no interest in anything but learning about the functions of industrial controls and safety systems, and positioning themselves to cause havoc in some sort of future war scenario.
The expanded amount of information in this new warning raises fresh questions about exactly how far the Chinese hackers are willing to go in the event of a military conflict. Previous information has indicated that they would focus on taking out utilities to military bases, perhaps with some added outages in the US mainland to reduce support for the conflict. This new warning makes it sound as if the threat actors are looking to do even worse damage, such as tainting water supplies, as far north as Canada.
Chinese hackers living off of documented vulnerabilities, weak credentials
While the Chinese hackers are clearly a skilled state-supported group, they are experiencing most of their success on the back of common use of insecure end-of-life devices and failure to properly secure credentials.
That state support allows them to spend very long periods of time in initial reconnaissance, thoroughly mapping out the internal organization and network setups of specific targets. Rather than using “noisy” methods of malware infiltration, they patiently seek out compromised credentials during the initial steps of breaches (going so far as to only log in during normal work hours so as not to raise any suspicion about anomalous activity).
The group’s modus operandi is to initially obtain as many useful credentials as possible from the breached target, both by cracking Active Directory databases and by combing for materials left in plaintext, and to research how best to cause internal damage. Once it has done that it simply lies low and shows minimal to no activity, in some cases maintaining a presence for multiple years without ever doing anything.
The warning offers a robust range of recommended mitigations to potentially impacted critical infrastructure companies, but ultimately the best defense against these particular hackers is to inventory IT assets and replace old end-of-life devices that no longer receive security patches. That, and implementing a strict password hygiene program requiring 15 characters or more and regular changes, with MFA support where possible.
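As an added example (not from the advisory or the article), the following script triages a constructed asset inventory against the two weaknesses the warning singles out: end-of-life devices that no longer receive patches, and accounts without a 15-character minimum or MFA. The inventory format, asset names and end-of-life dates are assumptions made up for the example; replacement priority goes first to internet-facing end-of-life devices.

```python
"""Added example: triage a constructed asset inventory for end-of-life
devices and weak credential policy. Data below is made up, not real."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass
class Asset:
    name: str
    vendor_eol: Optional[date]   # date the vendor stopped shipping security patches
    internet_facing: bool
    min_password_len: int        # configured minimum password length on the device
    mfa_enabled: bool


# Constructed sample inventory (assumed format, not from the advisory).
INVENTORY = [
    Asset("edge-router-1", date(2021, 6, 30), True, 8, False),
    Asset("core-switch-2", None, False, 15, True),
    Asset("vpn-gw-3", date(2023, 1, 31), True, 15, False),
    Asset("hmi-4", None, False, 10, False),
]


def findings(asset: Asset, today: date) -> List[str]:
    """Return the policy gaps for one asset as of `today`."""
    gaps = []
    if asset.vendor_eol is not None and asset.vendor_eol <= today:
        gaps.append("end-of-life: no longer receives security patches")
    if asset.min_password_len < 15:
        gaps.append(f"password minimum {asset.min_password_len} is below 15")
    if not asset.mfa_enabled:
        gaps.append("MFA not enabled")
    return gaps


def triage(inventory: List[Asset], today: date) -> List[Tuple[int, str, List[str]]]:
    """Rank assets with gaps: 1 = internet-facing EOL, 2 = EOL, 3 = credential-only."""
    rows = []
    for asset in inventory:
        gaps = findings(asset, today)
        if not gaps:
            continue
        is_eol = any(g.startswith("end-of-life") for g in gaps)
        prio = 1 if (is_eol and asset.internet_facing) else 2 if is_eol else 3
        rows.append((prio, asset.name, gaps))
    return sorted(rows, key=lambda r: (r[0], r[1]))


if __name__ == "__main__":
    for prio, name, gaps in triage(INVENTORY, date(2024, 2, 8)):
        print(f"P{prio} {name}: {'; '.join(gaps)}")
```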