The agencies said Volt Typhoon’s choice of targets and pattern of behaviour are ‘not consistent’ with traditional cyber espionage or intelligence gathering operations.
A coalition of US intelligence agencies has claimed that Volt Typhoon, a group of hackers allegedly backed by the Chinese state, has had access to critical US infrastructure for at least five years.
In an advisory published yesterday (7 February), the Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA) and Federal Bureau of Investigation (FBI) warned organisations in the US following observations from their incident response activities.
“[Chinese] state-sponsored cyberactors are seeking to pre-position themselves on IT networks for disruptive or destructive cyberattacks against US critical infrastructure in the event of a major crisis or conflict with the US,” CISA wrote in a statement.
Volt Typhoon is known by many names: Vanguard Panda, Bronze Silhouette, Dev-0391, UNC3236, Voltzite and Insidious Taurus.
The group was identified in a statement issued by the US Attorney’s Office for the Southern District of Texas last week, claiming the hackers had taken control of hundreds of US-based small office and home office routers.
Authorities claimed the hackers infected these privately owned routers with malware to conceal their hacking activities. The US operation removed the malware from the hacked routers and took steps to prevent any reinfection.
“@CISAgov with our government and international partners released a joint guide to help network defenders mitigate and detect living off the land techniques exploited by the PRC-sponsored #VoltTyphoon group to target U.S. critical infrastructure.” https://t.co/1ytakMzE87
— CISA Cyber (@CISACyber), February 7, 2024
FBI deputy director Paul Abbate said the organisation and its partners stand against “People’s Republic of China cyberactors that threaten our nation’s cybersecurity”.
“We remain committed to thwarting malicious activities of this type and will continue to disrupt and dismantle cyberthreats, safeguarding the fabric of our cyberinfrastructure,” Abbate said.
CISA said that the choice of targets and pattern of behaviour shown by Volt Typhoon are “not consistent” with traditional cyberespionage or intelligence gathering operations.
“[We] assess with high confidence that Volt Typhoon actors are pre-positioning themselves on IT networks to enable lateral movement to operational technology assets to disrupt functions,” the agency wrote.
“The US authoring agencies are concerned about the potential for these actors to use their network access for disruptive effects in the event of potential geopolitical tensions and/or military conflicts.”
US-China cyber tensions rose significantly last year, after it was suggested that China-based hackers managed to gain access to data from multiple US government agencies – including the emails of the US ambassador to China.
The breach was linked with a wave of attacks that Microsoft attributed to China. The tech giant claimed a hacking operation managed to access the emails of 25 organisations with “forged authentication tokens”. Microsoft didn’t investigate the issue until a month after the attack.