U.S. federal agencies warned this week that a state-sponsored Chinese hacking group is positioned in critical infrastructure IT networks, including communications IT systems, and that they believe the hackers have had a presence in some IT networks for as long as five years.
The Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA) and the Federal Bureau of Investigation (FBI) said in a release that People’s Republic of China (PRC) state-sponsored cyber actors are “seeking to pre-position themselves on IT networks for disruptive or destructive cyberattacks against U.S. critical infrastructure in the event of a major crisis or conflict with the United States.”
The warning said that a hacking group known as Volt Typhoon “has compromised the IT environments of multiple critical infrastructure organizations—primarily in Communications, Energy, Transportation Systems, and Water and Wastewater Systems Sectors—in the continental and non-continental United States and its territories, including Guam.”
The group conducts extensive reconnaissance to learn about target organizations and their environments, and tailors its tactics to each target. It relies on stolen credentials and on valid but outdated admin tools, and it dedicates resources to maintaining its foothold in, and understanding of, the target environment over time, the agencies said, which enables it to operate undetected. The agencies said they had seen indications that Volt Typhoon had maintained access and footholds in some IT environments for at least five years.
The warning went on to say that Volt Typhoon’s targets and pattern of behavior are unlike those of cyber espionage or intelligence gathering, leading the agencies to believe that the group wants not only to collect information but eventually to take action using its unauthorized access. The group avoids leaving evidence such as malware, but it has established covert channels for command and control, the warning said.
CISA, the NSA and FBI believe with “high confidence” that Volt Typhoon is pre-positioning itself on IT networks to “enable lateral movement to OT assets to disrupt functions.”
Read the full CISA warning here.