

Chinese state hackers infiltrate US and Guam critical infrastructure, steal sensitive data

Chinese state hackers employed stealthy techniques and leveraged compromised devices for cyber espionage.

Tibi Puiu
May 25, 2023 @ 10:45 pm


Illustration of hacker with abstract background
Credit: Pixabay.

Chinese government-sponsored hackers have managed to infiltrate critical infrastructure systems across the United States and Guam, conducting covert cyber espionage operations and stealing sensitive data, according to reports by Microsoft and government agencies, including the NSA and FBI.

These foreign hackers, known as the ‘Volt Typhoon’ group, have been operating for at least two years, remaining undetected while targeting crucial information for the People’s Republic of China.

Living off the land hacking

To maintain their stealthy presence, the Volt Typhoon hackers employ a sneaky technique called “living off the land.” Hackers typically install external tools or malware to infiltrate vulnerable devices. The Volt Typhoon technique, by contrast, relies on software and features already present on compromised devices. By doing so, they avoid attracting attention from security systems that typically detect the presence of malicious software.

“To achieve their objective, the threat actor puts strong emphasis on stealth in this campaign, relying almost exclusively on living-off-the-land techniques and hands-on-keyboard activity,” the Microsoft researchers wrote in their advisory report.

The data stolen by the Chinese hackers includes credentials, which are then used to further obscure hacking activity. For instance, this data is used to blend in with normal network traffic by using compromised small office and home office (SOHO) network equipment such as routers, firewalls, and VPN hardware.

This way, when security analysts inspect network traffic for patterns of suspicious activity, they won’t see any red flags. However, the traffic that supposedly comes from Guam or California is spoofed, masking activity coordinated all the way from China.

To first gain access to critical US-based infrastructure, the hackers seem to have found a back door in Internet-facing Fortinet FortiGuard devices, Ars Technica reported. Ironically, these are security appliances designed to protect networks from various threats. However, when these devices are left unpatched or have unaddressed vulnerabilities, they become susceptible to exploitation by hackers.

In the context of the Volt Typhoon campaign, hackers exploit these vulnerabilities in FortiGuard devices to gain unauthorized access to a network. Once they penetrate the device, they extract credentials from the network’s Active Directory. The Active Directory is a database that stores crucial information such as usernames, password hashes, and other sensitive data related to user accounts. With these credentials in hand, the hackers can then proceed to infect other devices within the network, expanding their reach and control.

What’s at stake?

The industries affected by these cyber intrusions span a wide range, including communications, manufacturing, utilities, transportation, construction, maritime, government, information technology, and education.

According to Microsoft researchers, the ultimate aim of the Volt Typhoon campaign is likely to develop capabilities for disrupting critical communications infrastructure between the United States and the Asia region during potential future crises.

Guam is of particular strategic importance as it hosts important Pacific ports and an air base utilized by the US military. As tensions rise over issues like Taiwan, Guam has become a focal point due to its critical position.

The United States has long followed a policy of “strategic ambiguity” on whether it would intervene militarily to protect Taiwan in the event of a Chinese attack. However, U.S. President Joe Biden has said he would be willing to use force to defend it. In the event of such action, the U.S. would effectively go to war with China, which would most likely activate and disrupt hacked systems from day one.

While the Volt Typhoon hack has now been exposed, there may be many other systems and networks that are currently compromised but the hacking has yet to be detected.

Besides Taiwan, the US and China are engaged in tussling over a range of issues, including trade and technology transfer. In order to hamper Chinese influence, the US has introduced various export controls, most notably on semiconductors, and is even seriously considering banning the popular social media application TikTok, owned by China’s ByteDance.

In its turn, China has introduced its own control measures. For instance, products from the U.S.-based memory chip maker Micron are banned in China, citing national security.

One of the most significant clashes between the two powers occurred in February when the U.S. Air Force shot down what it says was a Chinese spy balloon over American airspace. China denied the accusation, saying the airship was simply a weather balloon that had run off course.

To help organizations detect and mitigate these attacks, the advisory provides indicators of compromise that administrators can use to identify potential infections. For instance, compromised systems may exhibit successful sign-ins from unfamiliar IP addresses, and unusual command-line activities may be associated with the same user account.
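The two indicators named above, a successful sign-in from an IP address the account does not normally use and unusual command-line activity tied to the same account, are more useful together than apart. The following script is an added example, not code from the article or from the Microsoft or government advisories: it correlates the two over a small constructed event log. The log schema, the per-account network baseline, the "expected commands" allowlist, the account names and the IP addresses are all made up for illustration (203.0.113.0/24 is a documentation range).

```python
"""Correlate successful sign-ins from unfamiliar IP addresses with unusual
command-line activity by the same account, the two indicators the advisory
cites. Added example; baseline, allowlist and sample events are constructed."""
from datetime import datetime, timedelta
import ipaddress

# Constructed baseline: networks each account normally signs in from.
# In practice this would be learned from weeks of sign-in history.
KNOWN_NETWORKS = {
    "jdoe": [ipaddress.ip_network("10.20.0.0/16")],
    "svc-backup": [ipaddress.ip_network("10.20.5.0/24")],
}

# Constructed allowlist: command lines each account is expected to run.
# Anything else from that account counts as "unusual command-line activity".
EXPECTED_COMMANDS = {
    "jdoe": {"outlook.exe", "excel.exe"},
    "svc-backup": {"backup-agent.exe --run"},
}

# Constructed sample events (not real logs). Sign-ins and process starts
# share one list and are told apart by the "type" field.
EVENTS = [
    {"ts": "2023-05-20T01:02:00", "type": "signin", "user": "jdoe",
     "src_ip": "10.20.7.15", "success": True},
    {"ts": "2023-05-20T01:03:10", "type": "process", "user": "jdoe",
     "cmdline": "outlook.exe"},
    # Failed attempt from an unfamiliar address: noted, but the advisory's
    # indicator is a *successful* sign-in, so it is not correlated.
    {"ts": "2023-05-20T02:39:00", "type": "signin", "user": "svc-backup",
     "src_ip": "203.0.113.44", "success": False},
    {"ts": "2023-05-20T02:40:00", "type": "signin", "user": "svc-backup",
     "src_ip": "203.0.113.44", "success": True},
    {"ts": "2023-05-20T02:41:05", "type": "process", "user": "svc-backup",
     "cmdline": "cmd.exe /c whoami"},
    {"ts": "2023-05-20T02:45:00", "type": "process", "user": "svc-backup",
     "cmdline": "backup-agent.exe --run"},
    # Unusual, but 50 minutes after the sign-in: outside the default window.
    {"ts": "2023-05-20T03:30:00", "type": "process", "user": "svc-backup",
     "cmdline": "cmd.exe /c hostname"},
]


def parse_ts(ts):
    return datetime.fromisoformat(ts)


def is_unfamiliar(user, ip):
    """True when ip is outside every network in the account's baseline.
    An account with no baseline at all is treated as unfamiliar everywhere."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in KNOWN_NETWORKS.get(user, []))


def unfamiliar_signins(events):
    """Successful sign-ins whose source address is outside the baseline."""
    return [e for e in events
            if e["type"] == "signin" and e["success"]
            and is_unfamiliar(e["user"], e["src_ip"])]


def unusual_commands(events):
    """Process starts whose command line is not on the account's allowlist."""
    return [e for e in events
            if e["type"] == "process"
            and e["cmdline"] not in EXPECTED_COMMANDS.get(e["user"], set())]


def correlate(events, window=timedelta(minutes=30)):
    """Pair each unfamiliar sign-in with unusual commands run by the same
    account within `window` after it. Each pairing is one finding."""
    findings = []
    cmds = unusual_commands(events)
    for s in unfamiliar_signins(events):
        t0 = parse_ts(s["ts"])
        related = [c["cmdline"] for c in cmds
                   if c["user"] == s["user"]
                   and t0 <= parse_ts(c["ts"]) <= t0 + window]
        if related:
            findings.append({"user": s["user"], "src_ip": s["src_ip"],
                             "signin_ts": s["ts"], "commands": related})
    return findings


if __name__ == "__main__":
    for f in correlate(EVENTS):
        print(f"{f['signin_ts']} {f['user']} from {f['src_ip']}: {f['commands']}")
```

Run on the constructed events, the script reports one finding: the service account signing in from 203.0.113.44 and then running a command line that is not on its allowlist. The ordinary user from a known network and the failed attempt produce nothing, and the late command falls outside the window. Either indicator alone is noisy (travelling users, new admin scripts); requiring both on the same account within a short window is what makes the hit worth an analyst's time.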
