No Rest for US Cyber Defense as Chinese Hackers Are Caught Targeting ISPs in Another Scheme

Oct 2, 2024

Despite heightened tensions over the past year, the prospect of a military conflict in Taiwan remains unlikely. But Chinese hackers continue to spend substantial time and resources preparing for the possibility. The most recent development in this story is a Wall Street Journal report, citing anonymous government sources, that reveals a state-sponsored team has compromised at least a “handful” of US ISPs in pursuit of this goal.

Series of Chinese “Typhoons” challenges critical infrastructure

The incident is just the latest escapade for a series of groups that Microsoft labels as the “Typhoons.” These groups became a matter of mainstream media attention earlier this year when Microsoft released a detailed report on Volt Typhoon, accusing the Chinese hackers of a long-term campaign of infiltration of US military agencies and the critical infrastructure that supports military bases in the Pacific region; it also suggested the group was targeting private organizations in the mainland in the interest of causing general havoc should a war break out. Much more recently, the FBI issued a warning about the Flax Typhoon group and their massive botnet.

The latest group in the mix is Salt Typhoon, though this is an existing threat actor that penetrated Microsoft in 2021 and has been active for at least several years. Its most recent campaign appears to have been probing US ISPs for known vulnerabilities to exploit. The WSJ sources say that Cisco router vulnerabilities were targeted, but Cisco has responded to media reports by saying that it has no knowledge of any router compromise in connection with ISPs.

Chinese hackers conducting “clear strategy” of preparation for Taiwan conflict

The WSJ report did not name the specific ISPs that were compromised or expand much on what the Chinese hackers had access to, but its sources did say that data was stolen in at least some of the cases. The attackers also appeared to be planting measures for later access, most likely a bid to maintain disruptive capability similar to what Beijing’s other hacking teams have recently been caught doing.

Director of Security Research John Dwyer has also said that the assorted “Typhoon” campaigns, including this most recent one, are all part of a coordinated strategy by the Chinese hackers to identify and exploit whatever weak points can be found in the US. That approach has largely been centered on combing for known unpatched vulnerabilities, but it remains unclear to exactly what extent that approach was used to exploit ISPs.

US officials are concerned about the possibility of Chinese hackers shutting off the electricity, water and internet taps should a war in Taiwan break out. But ISPs are most likely being targeted right now because they provide the ability to track employees and personnel at other organizations of interest to Beijing, potentially including military and government staff. As it always does, China denies any reports of cyber malfeasance coming from the US government and claims that they are all fabricated to damage its international reputation.
