Microsoft’s Threat Intelligence team, a leading source of analysis on the movements of advanced persistent threat (APT) state-backed hackers, finds that US critical infrastructure has much more to worry about than threats out of Russia. The report finds that Chinese hackers have been roaming through the networks of private companies in the space for years now, often keeping their presence a secret for extended periods via the use of “living off the land” techniques.
At the moment, the focus is on establishing a long-term foothold and extracting as much useful information as possible. But the Microsoft researchers believe that the Chinese hackers are also looking to establish “kill switches” of sorts throughout critical infrastructure, ready to be activated in the event of war between the two nations or a convenient global crisis of some sort.
China has ramped up infiltration of critical infrastructure in 2023
The interest in US critical infrastructure appears to be primarily about the fortunes of Taiwan, and the possibility of a direct conflict if China makes a military move in that direction. Chinese hackers have reportedly been more active in the US in this way since the “spy balloon” controversy that unfolded in February.
The US had already been working on serious critical infrastructure defense improvements since the Colonial Pipeline and JBS incidents of 2021, and this appears to have been a wise point of focus. While the Chinese hackers have not been observed using particularly innovative techniques, they are skilled and persistent, and the country has ample resources to devote to funding these activities (often used for developing or buying zero-day attacks). In addition to ordering the nation’s critical infrastructure companies to harden up, the Biden administration has put a renewed focus on open threat intelligence sharing among allied nations as a means of countering this threat.
Chinese hackers having a field day with US infrastructure companies
The lead Chinese APT group in this critical infrastructure campaign appears to be Volt Typhoon, a relatively new team that first surfaced on security researcher radar in 2021 and that seems to focus on the US and territories such as Guam that would be relevant to any military movements near Taiwan.
The group’s success stems from its focus on blending in with regular network traffic and evading detection. It looks to steal legitimate employee credentials and stick to those for access, and to conduct its attacks via scripts rather than more readily detectable malware downloads. The initial breach is usually an attack on a known vulnerability in an internet-facing device, most frequently Fortinet FortiGuard products.
China, as always, denies that any of this is happening and says the US is using Microsoft as a pawn in a disinformation campaign. But additional support for the existence of this current critical infrastructure campaign comes from Cisco, which said it has been called in for multiple situations at critical infrastructure companies that appear to involve this particular group of Chinese hackers.