Chinese hackers target US critical infrastructure in massive cyber-espionage campaign

Chinese hackers have been spying on a wide range of critical infrastructure organisations in the US, including telecommunications and transportation hubs, according to intelligence agencies and Microsoft. The espionage also targeted the US island territory of Guam, which houses strategically important American military bases. Analysts consider this one of the largest known Chinese cyber-espionage campaigns against American critical infrastructure.

Microsoft’s report states that mitigating this attack could be challenging. While China and the US routinely spy on each other, the scale and targets of this espionage campaign are causing concern. The Chinese embassy in Washington has not yet responded to requests for comment.

The US National Security Agency (NSA) is working with partners, including Canada, New Zealand, Australia, and the UK, as well as the US Federal Bureau of Investigation, to identify breaches. These countries have also been warned that they could be targeted by hackers.

Microsoft analysts have “moderate confidence” that the Chinese group, dubbed “Volt Typhoon,” is developing capabilities that could disrupt critical communications infrastructure between the US and the Asia region during future crises. John Hultquist, head of threat analysis at Google’s Mandiant Intelligence, added that “it means they are preparing for that possibility.”

The Chinese activity is particularly concerning because analysts do not yet have enough visibility on what this group might be capable of. The geopolitical situation further heightens interest in this actor.

As China has increased military and diplomatic pressure in its claim to Taiwan, US President Joe Biden has said he would be willing to use force to defend the island. Security analysts expect Chinese hackers could target US military networks and other critical infrastructure if China invades Taiwan.

The NSA and other Western cyber agencies urged companies that operate critical infrastructure to identify malicious activity using the technical guidance they issued. “It is vital that operators of critical national infrastructure take action to prevent attackers hiding on their systems,” said Paul Chichester, director at the UK’s National Cybersecurity Centre, in a joint statement with the NSA.

Microsoft revealed that the Chinese hacking group has been active since at least 2021 and has targeted several industries, including communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education. NSA cybersecurity director Rob Joyce said the Chinese campaign was using “built-in network tools to evade our defences and leaving no trace behind.” Such techniques are harder to detect as they use “capabilities already built into critical infrastructure environments.”

Instead of using traditional hacking techniques, which often involve tricking a victim into downloading malicious files, Microsoft said this group infects a victim’s existing systems to find information and extract data. Guam is home to US military facilities that would be key to responding to any conflict in the Asia-Pacific region.

New Zealand has stated it will work towards identifying any such activity in its country. Australia’s Minister for Home Affairs and Cybersecurity, Clare O’Neil, said, “It’s important for the national security of our country that we’re transparent and upfront with Australians about the threats that we face.” Canada’s cybersecurity agency has not received reports of Canadian victims of this hacking yet, but noted that “Western economies are deeply interconnected” and that “much of our infrastructure is closely integrated and an attack on one can impact the other.”