‘Stay vigilant,’ U.S. warns amid Chinese cyber espionage operation


The U.S. State Department is warning the private sector, public and Washington to “stay vigilant” amid news of a Chinese state-sponsored cyber espionage operation in the country.

The group, dubbed “Volt Typhoon” by Five Eyes cybersecurity agencies and Microsoft on Wednesday, is carrying out discreet espionage operations within critical U.S. infrastructure and may target other nations, they warn.

Those operations may be aimed at developing ways to disrupt critical communications between the U.S. and Asia “during future crises,” Microsoft said — a warning that could refer to a potential attack on Taiwan by China, which has indicated it may use military force to bring the democratically governed island under its direct control.

“The U.S. intelligence community assesses that China almost certainly is capable of launching cyberattacks that could disrupt critical infrastructure services within the United States, including oil and gas pipelines and rail systems,” said U.S. State Department spokesperson Matthew Miller on Thursday.


“It’s vital for government, network defenders and the public to stay vigilant. It’s why the U.S. government … has worked with the private sector to prepare defences, prepare private-sector defences, and we will continue to work with our allies and partners to address this critical issue.”


Beijing has rejected assertions that its spies are going after western targets, calling Wednesday’s joint warning a “collective disinformation campaign.”

Microsoft and the agencies, including the Communications Security Establishment (CSE)’s Canadian Centre for Cyber Security, said Volt Typhoon has avoided detection by blending in with normal Windows operations through a series of techniques known as “living off the land.”

The technique lets the actor move through systems using the network administration tools already built into them, so its actions look like routine administrative activity rather than intrusion tooling.
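Because “living off the land” activity uses legitimate binaries, signature matching on the tools themselves is of little use; hunting instead looks for built-in administration tools run by hosts and accounts that never normally run them. The script below is an added illustration of that baseline-and-deviation idea and is not code from Microsoft, the CSE or the advisory. The log format, host names, account names, timestamps and the list of built-in tools are all constructed assumptions for the example.

```python
"""Baseline-and-deviation check for "living off the land" activity.

Added example, not code from Microsoft, the CSE or the joint advisory. The log
format ("timestamp|host|account|image"), the hosts, accounts and events, and the
list of built-in tools are assumptions made for this illustration.
"""
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# Assumed, illustrative set of built-in Windows administration utilities that
# blend in with normal activity. A real deployment tunes this to its environment.
BUILTIN_ADMIN_TOOLS = {
    "netsh.exe", "wmic.exe", "net.exe", "nltest.exe", "ntdsutil.exe", "powershell.exe",
}

# Constructed process-creation records for a routine baseline window.
BASELINE_LOG = """\
2023-05-15T08:00:01Z|ws-acct-01|alice|outlook.exe
2023-05-15T08:05:12Z|ws-acct-01|alice|excel.exe
2023-05-15T09:00:00Z|srv-dc-01|svc_backup|powershell.exe
2023-05-16T09:00:00Z|srv-dc-01|svc_backup|powershell.exe
2023-05-16T13:22:41Z|srv-dc-01|it_admin|net.exe
2023-05-16T13:23:05Z|srv-dc-01|it_admin|nltest.exe
2023-05-17T09:00:00Z|srv-dc-01|svc_backup|powershell.exe
""".splitlines()

# Constructed records for the window under review: a scheduled script and an
# administrator behave as before, while a finance workstation account starts
# running several administration tools overnight.
REVIEW_LOG = """\
2023-05-24T08:01:10Z|ws-acct-01|alice|outlook.exe
2023-05-24T09:00:00Z|srv-dc-01|svc_backup|powershell.exe
2023-05-24T02:14:09Z|ws-acct-01|alice|netsh.exe
2023-05-24T02:15:31Z|ws-acct-01|alice|wmic.exe
2023-05-24T02:16:02Z|ws-acct-01|alice|ntdsutil.exe
2023-05-24T13:30:00Z|srv-dc-01|it_admin|net.exe
""".splitlines()

Event = Tuple[str, str, str, str]
Baseline = Dict[Tuple[str, str], Counter]


def parse_event(line: str) -> Event:
    """Split one record into (timestamp, host, account, image), normalising case."""
    ts, host, account, image = line.strip().split("|")
    return ts, host, account.lower(), image.lower()


def build_baseline(lines: List[str]) -> Baseline:
    """Count which images each (host, account) pair ran during the baseline window."""
    baseline: Baseline = defaultdict(Counter)
    for line in lines:
        _, host, account, image = parse_event(line)
        baseline[(host, account)][image] += 1
    return baseline


def find_lotl_deviations(review_lines: List[str], baseline: Baseline,
                         burst_threshold: int = 3) -> List[dict]:
    """Flag built-in admin tools run by a (host, account) pair that never ran
    them in the baseline, and pairs that suddenly use several such tools."""
    findings: List[dict] = []
    novel_tools: Dict[Tuple[str, str], set] = defaultdict(set)
    for line in review_lines:
        ts, host, account, image = parse_event(line)
        if image not in BUILTIN_ADMIN_TOOLS:
            continue  # not a tool that "lives off the land"; ignore
        if baseline.get((host, account), Counter())[image] == 0:
            findings.append({"kind": "novel_admin_tool", "time": ts,
                             "host": host, "account": account, "image": image})
            novel_tools[(host, account)].add(image)
    # Several previously unseen admin tools from one pair in one window is a
    # stronger signal than any single new tool.
    for (host, account), tools in novel_tools.items():
        if len(tools) >= burst_threshold:
            findings.append({"kind": "admin_tool_burst", "host": host,
                             "account": account, "images": sorted(tools)})
    return findings


if __name__ == "__main__":
    for finding in find_lotl_deviations(REVIEW_LOG, build_baseline(BASELINE_LOG)):
        print(finding)
```

A novelty check like this is only the first filter: in a real network it needs a long enough baseline to avoid flagging every new administrator, and the hits should be joined with the command-line and account-usage indicators the vendors supplied to notified customers before anyone decides an account “must be closed or changed.”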


The CSE says Volt Typhoon has been detected only in the U.S. so far, and that no Canadian victims have been reported as of Wednesday.


In its threat intelligence advisory, Microsoft said Volt Typhoon has been active since mid-2021 and has targeted critical infrastructure in Guam and elsewhere in the U.S., including government, communication, information technology, maritime and education sectors, among others.

Researchers at Secureworks, which is an arm of Dell Technologies, told Reuters on Thursday the hackers have been conducting a cyberespionage campaign against military and government targets that would “shed light on U.S. military activities.”

Guam is home to major U.S. military facilities, including Andersen Air Force Base, which would be key to responding to any conflict in the Asia-Pacific region.

That would include a Chinese military attack on Taiwan, which the island’s democratic government has said it is actively preparing for. Taiwan’s foreign minister told Global News last month it was a matter of when, not if, Beijing would launch such a campaign.


China claims Taiwan as its own territory, and top-ranking members of the Chinese Communist Party, including President Xi Jinping, have not been shy about their aim to wrest back control of the island. Xi and his top officials have not ruled out using military force to do so.

Microsoft did not say whether “future crises” was a reference to a potential future invasion by China of Taiwan. None of the allied intelligence agencies, including the CSE, addressed that comment from Microsoft in the joint statement.

The CSE referred questions on the wording to Microsoft, adding it “couldn’t say” what the company was referring to. Microsoft did not respond to a request for comment.

“This might be over Taiwan, but also would impact U.S. deterrence impact more broadly – in the South China Sea or East China Sea,” said Jonathan Miller, senior fellow and foreign affairs director at the Macdonald-Laurier Institute in an email to Global News.


“The goal is not to stop but to slow down and hamper U.S. efforts to support allies and partners in a contingency, and also disrupt intelligence and surveillance operations.”

Microsoft said Volt Typhoon actors cloak themselves within normal network activity and then collect data from their targets, including local network credentials that are reused to “maintain persistence.” Collected data is also staged for exfiltration to outside servers.


The company said it had notified targeted or compromised customers and provided them with information on how to “hunt” for the tactics and techniques being used by Volt Typhoon and mitigate any impacts.

But Microsoft also warned that “mitigating this attack could be challenging” because of the “living off the land” techniques being used. It warned that compromised accounts “must be closed or changed” to avoid future attacks.


Chinese foreign ministry spokesperson Mao Ning told reporters the alerts, issued by the United States, Britain, Canada, Australia and New Zealand, were intended to promote their Five Eyes intelligence alliance — and that it was Washington that was guilty of hacking.

“The United States is the empire of hacking,” Mao said.

— with files from Global News’ Sean Boynton and Reuters
