Washington denounces a massive cyberattack sponsored by China

The United States and its Western allies on Wednesday accused a China-sponsored “cyber actor” of quietly infiltrating American “critical infrastructure”, and warned that similar attacks could take place around the world.

In a joint advisory, cybersecurity authorities in the United States, Canada, United Kingdom, Australia and New Zealand warned of a malicious “group of activities” associated with “a state-sponsored cyber actor of the People’s Republic of China, also known as Volt Typhoon”.

“This activity affects the networks of critical infrastructure sectors of the United States” and the entity carrying out the attack “could apply the same techniques […] around the world,” authorities added.

In a separate press release, the American group Microsoft explained that Volt Typhoon has been active since mid-2021 and that it has targeted, among other things, critical infrastructure on the island of Guam, which hosts a major American military base in the Pacific Ocean.

This campaign risks “disrupting critical communications infrastructure between the United States and the Asian region in future crises,” Microsoft warned.

The campaign targets “the communications, industrial, utility, transportation, construction, marine, government, information technology and education sectors,” the American technology group continued.

According to the company, “the observed behavior suggests that the threat actor intends to spy and maintain access [to the infrastructure] undetected for as long as possible.”

Undetectable

According to Western security agencies, these attacks use the so-called “living off the land” (LotL) technique, whereby the attacker uses the features and tools of the system he is targeting to get inside without leaving a trace.

“It’s what I would call low and slow cyber activity,” says Alastair McGibbon, chief strategy officer of Australian firm CyberCX and former director of Australia’s Cybersecurity Centre. “It’s like someone wearing a camouflage jacket and a sniper rifle. We do not see it, it is not there.”

Once inside, intruders can steal information, the expert continues. “But it also gives them the opportunity to carry out destructive actions at a later stage.”

“Someone determined, who takes his time to get into the systems. This can really cause catastrophic damage,” he adds.

In particular, the attacker can use legitimate administrative tools to penetrate the system and insert malicious scripts or code. This type of intrusion is much more effective than those using malware, which are more easily detectable.

According to Microsoft, Volt Typhoon tries to blend in with normal network activity by routing traffic through infected network equipment belonging to small businesses and remote workers, including routers, firewalls and virtual private networks (VPNs).

The Director of the US Cybersecurity and Infrastructure Security Agency, Jen Easterly, also issued a warning against Volt Typhoon.

“For years, China has been conducting operations around the world to steal intellectual property and sensitive data from critical infrastructure organizations,” said Ms. Easterly.

“Sophisticated means”

The Volt Typhoon case “shows that China uses very sophisticated means to target our country’s critical infrastructure”, and its discovery “will allow network defenders to better understand how to detect and mitigate this malicious activity”, adds the director.

For its part, China reacted on Thursday by accusing the United States and its four allies of carrying out a “disinformation campaign” after the publication of the report on Beijing’s sponsorship of the cyberattack against Western interests.

“It is clear that this is a collective disinformation campaign by the countries of the Five Eyes coalition, initiated by the United States for geopolitical purposes,” said Mao Ning, a spokeswoman for the Chinese Ministry of Foreign Affairs.

Beijing regularly denies carrying out or sponsoring cyberattacks, and in turn accuses the United States of cyberespionage against it.

China and Russia have long targeted critical infrastructure, but Volt Typhoon has provided insight into the modus operandi of Chinese hacking, said John Hultquist, an analyst at US cybersecurity firm Mandiant.

“Chinese cyber threat actors are unique among their peers in that they do not routinely resort to destructive and disruptive cyber attacks,” he said. According to him, the disclosure by Western countries of the actions of Volt Typhoon “is a rare opportunity to investigate and prepare for this threat”.
