The U.S. State Department is warning the private sector, public and Washington to “stay vigilant” amid news of a Chinese state-sponsored cyber espionage operation in the country.
The group, dubbed “Volt Typhoon” by Five Eyes cybersecurity agencies and Microsoft on Wednesday, is performing discreet espionage operations within critical U.S. infrastructure and may target other nations, they warn.
Those operations may be aimed at developing ways to disrupt critical communications between the U.S. and Asia “during future crises,” Microsoft said — a warning that could refer to a potential attack on Taiwan by China, which has indicated it may use military force to bring the democratically governed island under its direct control.
“The U.S. intelligence community assesses that China almost certainly is capable of launching cyberattacks that could disrupt critical infrastructure services within the United States, including oil and gas pipelines and rail systems,” said U.S. State Department spokesperson Matthew Miller on Thursday.
“It’s vital for government, network defenders and the public to stay vigilant. It’s why the U.S. government … has worked with the private sector to prepare defences, prepare private-sector defences, and we will continue to work with our allies and partners to address this critical issue.”
Beijing has rejected assertions that its spies are going after western targets, calling Wednesday’s joint warning a “collective disinformation campaign.”
Microsoft and the agencies, including the Communications Security Establishment (CSE)’s Canadian Centre for Cyber Security, said Volt Typhoon has avoided detection by blending in with normal Windows operations through a series of techniques known as “living off the land.”
The process allows the actor to move through systems by taking advantage of built-in network administration tools, making its actions look like normal activity.
The CSE says Volt Typhoon has been detected only in the U.S. so far, and that no Canadian victims have been reported as of Wednesday.
In its threat intelligence advisory, Microsoft said Volt Typhoon has been active since mid-2021 and has targeted critical infrastructure in Guam and elsewhere in the U.S., including government, communication, information technology, maritime and education sectors, among others.
Researchers at Secureworks, which is an arm of Dell Technologies, told Reuters on Thursday the hackers have been conducting a cyberespionage campaign against military and government targets that would “shed light on U.S. military activities.”
Guam is home to major U.S. military facilities, including Andersen Air Force Base, which would be key to responding to any conflict in the Asia-Pacific region.
That would include a Chinese military attack on Taiwan, which the island’s democratic government has said it is actively preparing for. Taiwan’s foreign minister told Global News last month it was a matter of when, not if, Beijing would launch such a campaign.
China claims Taiwan as its own territory and top-ranking members of the Chinese Communist Party, including President Xi Jinping, have not been shy about their aims to wrest back control of the island. Xi and his top officials have not ruled out using military force to do so.
Microsoft did not say whether “future crises” was a reference to a potential future invasion by China of Taiwan. None of the allied intelligence agencies, including the CSE, addressed that comment from Microsoft in the joint statement.
The CSE referred questions on the wording to Microsoft, adding it “couldn’t say” what the company was referring to. Microsoft did not respond to a request for comment.
Microsoft said Volt Typhoon actors will cloak themselves within normal network activity and proceed to collect data from their targets, including local network credentials that are then used to “maintain persistence.” The data will also be stored for exfiltration to outside servers.
The company said it had notified targeted or compromised customers and provided them with information on how to “hunt” for the tactics and techniques being used by Volt Typhoon and mitigate any impacts.
But Microsoft also warned that “mitigating this attack could be challenging” because of the “living off the land” techniques being used. It warned that compromised accounts “must be closed or changed” to avoid future attacks.
Chinese foreign ministry spokesperson Mao Ning told reporters the alerts, issued by the United States, Britain, Canada, Australia and New Zealand, were intended to promote their Five Eyes intelligence alliance — and that it was Washington that was guilty of hacking.
“The United States is the empire of hacking,” Mao said.
— with files from Global News’ Sean Boynton and Reuters
© 2023 Global News, a division of Corus Entertainment Inc.