Members of the Chinese People’s Liberation Army (PLA) have been accused by U.S. Government officials of accessing critical US networks in an attempt to preposition themselves to sow chaos in the US if tensions between China and Taiwan escalate in the next few years.

The IT and OT networks of utility companies responsible for water, power, oil & gas, transportation, and communications have all been infiltrated by members of an Advanced Persistent Threat (APT) being tracked as Volt Typhoon.

China and the US have for many years accused each other of attacks against various networks and systems – historically, China’s attacks have been to gather and extract data from the technology, manufacturing and healthcare sectors as well as government communications, but these network intrusions are apparently being conducted to sit patiently and wait in case the US tries to affect China’s policy of reunifying the island of Taiwan under Beijing’s control.

Some of the networks compromised seem to be ones which could have an impact on US naval capability in the Pacific Ocean – specifically the attacks against a water utility network in Hawaii, and a port authority on the US West coast.

Other attacks could be intended to cause disruption in the US so as to divert US decision making and resources internally instead of towards the Pacific and the South China Sea – an area where China is making huge territorial claims.

Attacks on the US mainland would also cause disruption to everyday life for citizens, which would put added pressure on the US authorities – diverting attention from the South China Sea even further.

Who are Volt Typhoon?

The Chinese have a huge number of cyber specialists who target overseas industries – currently, there are 29 different APTs tracked by Mandiant attributed to China – Volt Typhoon (Microsoft), also known as Vanguard Panda (CrowdStrike) and Bronze Silhouette (Secureworks), is tracked as APT27.

Active since 2021, Volt Typhoon primarily targets US government and defence operations for intelligence-gathering, although this activity has now been said to also be a prepositioning exercise for future capability.

The group typically exploits vulnerable internet-facing servers to gain initial access and often deploys a web shell for persistence. The APT has demonstrated careful consideration for operational security, such as the use of living-off-the-land binaries, defense evasion techniques, and compromised infrastructure, to prevent detection and attribution of its intrusion activity and to blend in with legitimate network activity.

A Microsoft paper in May 2023 first highlighted activity attributed to Volt Typhoon, which said the group had: “targeted critical infrastructure organizations in Guam and elsewhere in the United States. In this campaign, the affected organizations span the communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education sectors. Observed behavior suggests that the threat actor intends to perform espionage and maintain access without being detected for as long as possible.”

To avoid detection, Volt Typhoon tries to blend into normal network activity by routing traffic through compromised Small Office and Home Office (SOHO) network equipment, including routers, firewalls, and VPN hardware.

In June, a Joint Cybersecurity Advisory was released by the NSA, CISA, FBI, CCCS, NCSC-NZ, and the NCSC-UK which highlighted the Tactics, Techniques, and Procedures (TTPs) of Volt Typhoon along with Indicators of Compromise (IOCs) and steps to take to reduce any impact the adversary might have on a network.
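The living-off-the-land tradecraft described above, and the TTPs the joint advisory catalogues, are what a defender actually has to hunt for in process-creation telemetry. The following is an added example, not code from this article or from the advisory: it scans constructed process-creation records for two living-off-the-land patterns that the public advisory associates with Volt Typhoon (an ntdsutil "ifm" export of the Active Directory database, and a netsh portproxy rule change used for pivoting). The log lines, host names and user names are constructed; the record format "timestamp|host|user|command" is an assumption.

```python
import re
from typing import NamedTuple

# Constructed process-creation records ("timestamp|host|user|command"); not real telemetry.
SAMPLE_LOG = """\
2023-06-01T08:12:03Z|WS01|corp\\alice|cmd.exe /c dir C:\\Users
2023-06-01T22:41:10Z|DC01|corp\\svc_backup|ntdsutil.exe "ac i ntds" "ifm" "create full C:\\Windows\\Temp\\ifm"
2023-06-01T22:43:27Z|EDGE02|NT AUTHORITY\\SYSTEM|netsh interface portproxy add v4tov4 listenport=9999 listenaddress=0.0.0.0 connectport=3389 connectaddress=10.0.0.5
2023-06-01T22:44:02Z|EDGE02|NT AUTHORITY\\SYSTEM|netsh interface portproxy show all
"""

# Rules: (name, pattern, why it matters). Kept narrow so routine administration
# stays quiet; a hit is a triage lead, not proof of compromise.
RULES = [
    ("ntdsutil_ifm_export",
     re.compile(r"\bntdsutil(\.exe)?\b.*\bifm\b", re.I),
     "offline copy of the AD database, a precursor to domain credential theft"),
    ("netsh_portproxy_change",
     re.compile(r"\bnetsh\b.*\bportproxy\b.*\b(add|set)\b", re.I),
     "built-in port forwarder that lets an intruder pivot without dropping tools"),
]

class Finding(NamedTuple):
    rule: str
    host: str
    user: str
    command: str
    reason: str

def parse_line(line: str):
    """Split one record into (timestamp, host, user, command); None if malformed."""
    parts = line.split("|", 3)
    return tuple(parts) if len(parts) == 4 else None

def scan(log_text: str) -> list:
    """Return a Finding for every record whose command line matches a rule."""
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw.strip())
        if rec is None:
            continue  # skip blank or truncated records rather than crash
        _ts, host, user, cmd = rec
        for name, pattern, reason in RULES:
            if pattern.search(cmd):
                findings.append(Finding(name, host, user, cmd, reason))
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f.rule}] {f.host} {f.user}: {f.command}  ({f.reason})")
```

The read-only `portproxy show` record is deliberately left unflagged: the rule fires only on changes to the forwarding table, which is where the pivoting behaviour lives.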