
State Sponsored Hackers

While hackers working for Russia, Iran and North Korea have wreaked havoc across the globe in destructive cyberattacks for years, China's military and intelligence hackers have largely maintained a reputation for limiting their intrusions to espionage. But when those cyberspies burrow into critical U.S. infrastructure, especially on U.S. territory at China's doorstep, espionage, contingency planning for a conflict, and preparation for cyberwar escalation all start to look dangerously similar.
On Wednesday, Microsoft revealed in a blog post that it had tracked what it believes to be a group of Chinese state-backed hackers who have carried out a wide-ranging campaign since 2021 against critical infrastructure organizations across U.S. states and in Guam, including the communications, manufacturing, utilities, construction and transportation sectors.
The intent of the group, which Microsoft has dubbed Volt Typhoon, may simply be espionage: it does not appear to be using its access to these critical networks for data destruction or other disruptive attacks. But Microsoft warned that the nature of the group's targets, including Pacific territories that could play a key role in a military or diplomatic conflict with China, means that access could later be used for exactly that kind of disruption.
"Observed behavior indicates that the threat actor intends to conduct espionage and maintain access for as long as possible without being detected," the company's blog post reads. But it paired that statement with a "medium confidence" assessment that the hackers are "seeking to develop capabilities that could disrupt critical communications infrastructure between the U.S. and the Asian region during future crises."
Mandiant, a cybersecurity firm owned by Google, said it had also tracked a series of intrusions by the group and issued a similar warning about its focus on critical infrastructure. "The information is not clearly linked with the kind of intellectual property or policy we expect from espionage," said John Hultquist, head of threat intelligence at Mandiant. "It made us wonder if they were there because the targets matter. Our concern is that the focus on critical infrastructure is to prepare for potentially disruptive or destructive attacks."
Microsoft's blog post also provided technical details of the intrusions that could help defenders detect and repel them. For example, the group routes its activity through hacked routers, firewalls and other network "edge" devices, using them as proxies for its intrusions; the affected devices include hardware sold by ASUS, Cisco, D-Link, NETGEAR and Zyxel. The group also tends to operate through the compromised accounts of legitimate users rather than its own malware, which makes its activity hard to distinguish from benign use.
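The combination the article describes, valid accounts used from compromised edge devices, leaves little for signature-based tooling to match, so one practical detection is a behavioral one: baseline the source addresses each account normally authenticates from and alert on successful sign-ins from anywhere else, raising the severity when the new address is on a list of devices the defender has already identified as compromised. The script below is an added example written for this article, not code from Microsoft, Mandiant or Secureworks. The sign-in log, the account names and the indicator list are all constructed (the addresses are RFC 5737 documentation ranges and private space, not real indicators).

```python
"""Added example: flag successful sign-ins from addresses outside each account's baseline."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in log (not real data): "timestamp,user,source_ip,result"
SAMPLE_LOG = """\
2023-05-01T08:02:11Z,alice,10.20.0.15,success
2023-05-01T08:05:40Z,bob,10.20.0.33,success
2023-05-02T09:14:03Z,alice,10.20.0.15,success
2023-05-03T17:48:52Z,bob,10.20.0.33,success
2023-05-09T03:12:07Z,alice,198.51.100.77,success
2023-05-09T03:13:22Z,alice,198.51.100.77,success
2023-05-10T11:30:00Z,bob,10.20.0.33,success
2023-05-11T02:41:19Z,bob,203.0.113.9,failure
2023-05-11T02:43:08Z,bob,203.0.113.9,success
"""

# Hypothetical indicator list standing in for addresses an organisation has
# identified as compromised SOHO/edge devices. The value is a documentation
# range (RFC 5737), not a real indicator.
SUSPECT_PROXY_IPS = {"198.51.100.77"}


def parse_log(text):
    """Parse the comma-separated log into dicts sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, user, ip, result = line.split(",")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "ip": ip,
            "result": result,
        })
    return sorted(events, key=lambda e: e["ts"])


def build_baseline(events, window):
    """Source IPs each account used successfully during the baseline window."""
    start = events[0]["ts"]
    baseline = defaultdict(set)
    for e in events:
        if e["result"] == "success" and e["ts"] - start < window:
            baseline[e["user"]].add(e["ip"])
    return baseline


def flag_signins(events, window=timedelta(days=7), suspect_ips=frozenset()):
    """Return one alert per (user, new IP) seen after the baseline window.

    Failed attempts are ignored: the pattern of interest is a *successful*
    logon with valid credentials from an address the account never used.
    """
    baseline = build_baseline(events, window)
    start = events[0]["ts"]
    seen = set()
    alerts = []
    for e in events:
        if e["result"] != "success" or e["ts"] - start < window:
            continue
        if e["ip"] in baseline[e["user"]] or (e["user"], e["ip"]) in seen:
            continue
        seen.add((e["user"], e["ip"]))
        # A valid account used from a known-compromised edge device is the
        # pattern the article describes, so it gets a higher severity.
        severity = "high" if e["ip"] in suspect_ips else "medium"
        alerts.append({
            "user": e["user"],
            "ip": e["ip"],
            "first_seen": e["ts"].isoformat(),
            "severity": severity,
        })
    return alerts


if __name__ == "__main__":
    for alert in flag_signins(parse_log(SAMPLE_LOG), suspect_ips=SUSPECT_PROXY_IPS):
        print(alert)
```

On the constructed log this produces two alerts: a high-severity one for alice, whose account is used from the listed proxy address after the baseline week, and a medium one for bob, whose account succeeds from a never-before-seen address after a failed attempt. A real deployment would build the baseline from an identity provider's sign-in export over weeks rather than days and would treat the indicator list as one input among several, since the whole point of proxying through residential and small-office devices is that the addresses look unremarkable.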
Blending in with a target's regular network traffic to evade detection has been a hallmark of the methods Volt Typhoon and other Chinese groups have employed in recent years, said Marc Burnard, senior consultant for information security research at Secureworks, which, like Microsoft and Mandiant, has been tracking the group's activity. He added that the group had shown a "relentless focus on adapting" in pursuit of its espionage.