Volt Typhoon
China backed Volt Typhoon has “pre-positioned” malware to disrupt U.S. critical infrastructure networks “on a scale greater than ever before”
On Sunday, FBI Director Christopher Wray said Beijing’s efforts to covertly plant offensive malware inside U.S. critical infrastructure networks [1.] is now at “a scale greater than we’d seen before,” an issue he has deemed a defining national security threat. He said that China backed Volt Typhoon was pre-positioning malware that could be triggered at any moment to disrupt U.S. critical infrastructure. “It’s the tip of the iceberg…it’s one of many such efforts by the Chinese,” he said on the sidelines of the security conference.
Wray had earlier told conference delegates, that China was increasingly inserting “offensive weapons within our critical infrastructure poised to attack whenever Beijing decides the time is right.” The FBI chief said the U.S. is particularly focused on the threat of pre-positioning, which some European officials have described as the cyber equivalent of pointing a ballistic missile at critical infrastructure. “Those attacks are now being amplified by artificial intelligence tools. The word ‘force multiplier’ is not really enough,” Wray added.
Note 1. The FBI Director declined to elaborate on what other critical infrastructure had been targeted, stressing that the Bureau had “a lot of work under way.”
Image Credits: imaginima / Getty Images
Machine learning translation has helped Chinese security operatives to more plausibly recruit assets, steal secrets and rapidly process more of the information they are collecting, the Wray said. “They already have built economic espionage and theft of personal and corporate data as a kind of a bedrock of their economic strategy and are eagerly pursuing AI advancements to try to accelerate that process,” Wray added.
FBI Director Christopher Wray PHOTO: KEVIN DIETSCH/GETTY IMAGES
……………………………………………………………………………………………………………………………
Western intelligence officials say China’s scale and sophistication of cyberattacks has accelerated over the past decade. Officials have grown particularly alarmed at Beijing’s interest in infiltrating U.S. critical infrastructure networks, planting malware inside U.S. computer systems responsible for everything from safe drinking water to aviation traffic so it could detonate, at a moment’s notice, damaging cyberattacks during a conflict.
In California, Wray met with counterparts from the Five Eyes intelligence community—which encompasses the U.S., Australia, New Zealand, Canada and the U.K.—to share respective strategies for cyber defense. He has also traveled to Malaysia and India to discuss China’s hacking campaign with authorities in both countries.
“I am seeing more from Europe,” he said. “We’re laser focused on this as a real threat and we’re working with a lot of partners to try to identify it, anticipate it and disrupt it.”
The Netherlands’ spy agencies said earlier this month that Chinese hackers had used malware to gain access to a Dutch military network last year. The agency, considered to have one of Europe’s top cyber capabilities, said it made the rare disclosure to show the scale of the threat and reduce the stigma of being targeted so allied governments can better pool knowledge.
A report released this month by agencies including the FBI, the Cybersecurity and Infrastructure Agency and the National Security Agency said Volt Typhoon hackers had maintained access in some U.S. networks for five or more years, and while it targeted only U.S. infrastructure directly, the infiltration was likely to have affected “Five Eyes” allies.
Author’s Note:
……………………………………………………………………………………………………………………………
Volt Typhoon, the China-sponsored hacking group, has been targeting U.S. critical infrastructure, including satellite and emergency management services and electric utilities, according to a new report from the industrial cybersecurity firm Dragos. That report outlines how the notorious hacking group is positioning themselves to have disruptive or destructive impacts on critical infrastructure in the U.S.
Robert M. Lee, founder and CEO of Dragos, warned during a media briefing that Volt Typhoon is not an opportunistic group, but is instead targeting specific sites that assist U.S. adversaries “trying to hurt or cripple U.S. infrastructure. It’s hitting the specific electric and satellite communication providers that would be important for disrupting major portions of the U.S. electric infrastructure,” Lee added.
The report comes shortly after the National Security Agency, FBI, and Cybersecurity and Infrastructure Security Agency, revealed that Volt Typhoon has been in some critical infrastructure networks for at least five years. That alert warned of Volt Typhoon operations that targeted the aviation, railways, mass transit, highway, maritime, pipeline, and water and sewage sectors.
……………………………………………………………………………………………………………………………………………………………………………………………………………………………………
The NSA, CISA and FBI said in a joint advisory report that Volt Typhoon has been burrowing into the networks of aviation, rail, mass transit, highway, maritime, pipeline, water and sewage organizations — none of which were named — in a bid to pre-position themselves for destructive cyberattacks, published on February 7th. The release of the advisory, which was co-signed by cybersecurity agencies in the United Kingdom, Australia, Canada and New Zealand, comes a week after a similar warning from FBI Director Christopher Wray. Speaking during a U.S. House of Representatives committee hearing on cyber threats posed by China, Wray described Volt Typhoon as “the defining threat of our generation” and said the group’s aim is to “disrupt our military’s ability to mobilize” in the early stages of an anticipated conflict over Taiwan, which China claims as its territory.
According to Wednesday’s technical advisory, Volt Typhoon has been exploiting vulnerabilities in routers, firewalls and VPNs to gain initial access to critical infrastructure across the country. The China-backed hackers typically leveraged stolen administrator credentials to maintain access to these systems, according to the advisory, and in some cases, they have maintained access for “at least five years.”
This access enabled the state-backed hackers to carry out potential disruptions such as “manipulating heating, ventilation, and air conditioning (HVAC) systems in server rooms or disrupting critical energy and water controls, leading to significant infrastructure failures,” the advisory warned. In some cases, Volt Typhoon hackers had the capability to access camera surveillance systems at critical infrastructure facilities — though it’s not clear if they did.
Volt Typhoon also used living-off-the-land techniques, whereby attackers use legitimate tools and features already present in the target system, to maintain long-term, undiscovered persistence. The hackers also conducted “extensive pre-compromise reconnaissance” in a bid to avoid detection. “For example, in some instances, Volt Typhoon actors may have abstained from using compromised credentials outside of normal working hours to avoid triggering security alerts on abnormal account activities,” the advisory said.
Earlier this year, the FBI and U.S. Department of Justice announced that they had disrupted the “KV Botnet” run by Volt Typhoon that had compromised hundreds of U.S.-based routers for small businesses and home offices. The FBI said it was able to remove the malware from the hijacked routers and sever their connection to the Chinese state-sponsored hackers.
According to a May 2023 report published by Microsoft, Volt Typhoon has been targeting and breaching U.S. critical infrastructure since at least mid-2021.
……………………………………………………………………………………………………………………………………………………………………………………………………………………………..
References:
Volt Typhoon targeted emergency management services, per report
US disrupts China-backed hacking operation amid warning of threat to American infrastructure
https://www.controlglobal.com/home/blog/11293192/information-technology