A Chinese state-sponsored cyber threat actor is performing discrete espionage operations within critical U.S. infrastructure and may target other nations, Western cybersecurity agencies and Microsoft warned Wednesday.
Those operations may be aimed at developing ways to disrupt critical communications between the U.S. and Asia “during future crises,” Microsoft said — a warning that could refer to a potential attack on Taiwan by China, which has indicated it may use military force to bring the democratically-governed island under its direct control.
The threat posed by the Chinese group, known as Volt Typhoon, prompted a rare joint advisory Wednesday from Five Eyes cybersecurity agencies, including the Communications Security Establishment (CSE)’s Canadian Centre for Cyber Security.
The agencies and Microsoft said the group has avoided detection by blending in with normal Windows operations through a series of techniques known as “living off the land.” The process allows the actor to move through systems by taking advantage of built-in network administration tools, making its actions look like normal activity.
The CSE says Volt Typhoon has only been detected in the U.S. so far, and that no Canadian victims have been reported as of Wednesday.
“However, western economies are deeply interconnected,” the agency warned. “Much of our infrastructure is closely integrated and an attack on one can impact the other.”
The agencies further warned that they believe the group “could apply the same techniques against these and other sectors worldwide.”
In a threat intelligence advisory, Microsoft said Volt Typhoon has been active since mid-2021 and has targeted critical infrastructure in Guam and elsewhere in the U.S., including government, communication, information technology, maritime and education sectors, among others.
“Observed behavior suggests that the threat actor intends to perform espionage and maintain access without being detected for as long as possible,” the assessment reads.
“Microsoft assesses with moderate confidence that this Volt Typhoon campaign is pursuing development of capabilities that could disrupt critical communications infrastructure between the United States and Asia region during future crises.”
Guam is home to major U.S. military facilities, including the Andersen Air Force Base, which would be key to responding to any conflict in the Asia-Pacific region.
That would include a Chinese military attack on Taiwan, which the island’s democratic government has said it is actively preparing for. Taiwan’s foreign minister told Global News last month it was a matter of when, not if, Beijing would launch such a campaign.
China claims Taiwan as its own territory, and top-ranking members of the Chinese Communist Party, including President Xi Jinping, have not been shy about their aim to wrest back control of the island. Xi and his top officials have not ruled out using military force to do so.
Microsoft did not say whether “future crises” was a reference to a potential future invasion by China of Taiwan. None of the allied intelligence agencies, including the CSE, addressed that comment from Microsoft in the joint statement. The CSE referred questions on the wording to Microsoft, adding it “couldn’t say” what the company was referring to.
Microsoft did not immediately respond to a request for comment.
Experts say China’s efforts to undermine America’s ability to respond to a crisis in the Indo-Pacific extend beyond Taiwan, as Beijing seeks greater control in the region.
“This might be over Taiwan, but also would impact U.S. deterrence impact more broadly in the South China Sea or East China Sea,” Jonathan Miller, a senior fellow and foreign affairs director at the Macdonald-Laurier Institute whose research focuses on the Indo-Pacific, told Global News in an email.
“The goal is not to stop but to slow down and hamper US efforts to support allies and partners in a contingency and also disrupt intelligence and surveillance operations.”
Microsoft said Volt Typhoon actors will cloak themselves within normal network activity and proceed to collect data from their targets, including local network credentials that are then used to “maintain persistence.” The data will also be stored for exfiltration to outside servers.
The company said it had notified targeted or compromised customers and provided them with information on how to “hunt” for the tactics and techniques being used by Volt Typhoon and mitigate any impacts.
But Microsoft also warned that “mitigating this attack could be challenging” because of the “living off the land” techniques being used.
It warned compromised accounts “must be closed or changed” to avoid future attacks.
The Five Eyes cybersecurity agencies also issued detailed instructions on how to detect Volt Typhoon’s activity and “living off the land” techniques more broadly.
Wednesday’s warning came a day after former governor general David Johnston issued an interim report on his investigation into how Canada detects and combats foreign interference threats.
The report noted that Chinese interference, unlike Russian interference, is designed to pervade democratic institutions and critical infrastructure, making it much more difficult to combat.
The CSE’s annual National Cyber Threat Assessment noted China, Russia, Iran and North Korea pose the greatest strategic cyber threat to Canada and will all continue to target important sectors over the next two years.
“That said, the threat from China is very likely the most significant by volume, capability, and assessed intent,” the report said.
“China-sponsored cyber threat actors will very likely continue targeting industries and technologies in Canada that contribute to the state’s strategic priorities.”
—With files from Reuters