Chinese Hackers Infiltrate US Critical Infrastructure
By Jana Bounds

Tensions between the United States and China continue to escalate, with tech giant Microsoft revealing recently that Chinese hackers are spying on US critical cyber infrastructure in the government, communications, manufacturing, utility, and transportation sectors in an ongoing attack.

Analysts are claiming this is one of the “largest known Chinese cyber-espionage campaigns against American critical infrastructure,” which is notable since espionage is regarded as routine between the two countries.

Network Defenders Begin the Hunt

A joint Cybersecurity Advisory (CSA) from the Five Eyes Alliance acknowledges the discovery of a “cluster of activity” by Chinese state-sponsored hacking organization Volt Typhoon.

Jamie Norton, a partner at restructuring and advisory firm McGrathNicol, told BBC that there is concern over what this attack might foreshadow and that the hack could be part of a broader campaign to “exfiltrate and farm data over the long term” for future sabotage operations. Microsoft personnel agreed, noting the hacking group isn’t trying to disrupt infrastructure just yet, but rather “intends to perform espionage and maintain access without being detected for as long as possible.”

The CSA provides “hunting guidance” and ways to detect the activity.

One of the bad actor’s primary tactics, techniques, and procedures (TTPs) is “living off the land,” according to the advisory.

This means the actors use built-in network administration tools such as wmic, ntdsutil, netsh, and PowerShell, rather than custom malware, to achieve their objectives.

“This TTP allows the actor to evade detection by blending in with normal Windows system and network activities, avoid endpoint detection and response (EDR) products that would alert on the introduction of third-party applications to the host, and limit the amount of activity that is captured in default logging configurations,” according to the CSA.

Defenders should bear in mind that any hit on these tools requires investigation to determine whether it is malicious or a benign, legitimate system administrator command.
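As an added illustration of that hunt (example code, not from the advisory or this article), the script below scans constructed Sysmon-style process-creation records for the built-in tools named above and groups hits per host with the user, parent process and command line an analyst needs to decide whether each run was routine administration. The JSON-lines export format and field names are assumptions.

```python
# Added example (not the advisory's or the article's code): scan constructed
# Sysmon-style process-creation records for the built-in tools the advisory
# names and build a per-host review worklist. A hit is a lead, not a verdict.
import json
from collections import defaultdict

# Built-in tools the advisory names as abused for "living off the land".
WATCHLIST = {"wmic.exe", "ntdsutil.exe", "netsh.exe", "powershell.exe"}

# Constructed sample events (assumed export format: one JSON object per line).
SAMPLE_EVENTS = r"""
{"host":"srv01","user":"CORP\\svc_backup","image":"C:\\Windows\\System32\\ntdsutil.exe","parent":"C:\\Windows\\System32\\cmd.exe","cmdline":"ntdsutil.exe"}
{"host":"srv01","user":"CORP\\jdoe","image":"C:\\Windows\\System32\\notepad.exe","parent":"C:\\Windows\\explorer.exe","cmdline":"notepad.exe notes.txt"}
{"host":"ws07","user":"CORP\\jdoe","image":"C:\\Windows\\System32\\NETSH.EXE","parent":"C:\\Windows\\System32\\cmd.exe","cmdline":"netsh interface show interface"}
{"host":"ws07","user":"CORP\\jdoe","image":"C:\\Windows\\System32\\wbem\\WMIC.exe","parent":"C:\\Windows\\System32\\cmd.exe","cmdline":"wmic process list brief"}
not valid json -- a damaged record that must not abort the hunt
"""

def basename(path):
    """Executable name only; tolerates Windows separators on any OS."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def parse_events(text):
    """Parse JSON lines, skipping blank or malformed records."""
    events = []
    for line in filter(str.strip, text.splitlines()):
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # keep hunting past a damaged record
    return events

def is_watched(image):
    """Case-insensitive match on file name (System32, SysWOW64, wbem copies alike)."""
    return basename(image) in WATCHLIST

def hunt(text):
    """Return the events that involve a watchlisted tool."""
    return [e for e in parse_events(text) if is_watched(e.get("image", ""))]

def worklist(findings):
    """Group findings per host with the context an analyst needs to decide
    whether each run was routine administration: user, parent, arguments."""
    by_host = defaultdict(list)
    for e in findings:
        by_host[e["host"]].append((e["user"], basename(e["parent"]), e["cmdline"]))
    return dict(by_host)

if __name__ == "__main__":
    for host, items in worklist(hunt(SAMPLE_EVENTS)).items():
        print(host, len(items), "event(s) to review:", items)
```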

Why Now?

Experts believe this could mean that China is gearing up for conflict.

China regards Taiwan, which produces the bulk of the world’s advanced semiconductor chips, as its own and has been threatening to bring the democratic island nation under its control, if necessary. To that end, China has increased military and diplomatic pressure.

“Taiwan will not provoke and will not bow to Chinese pressure,” Taiwan’s President Tsai Ing-wen said in a speech marking the seventh year of her governance, according to Reuters.

While leaders of the Group of Seven (G7) nations have agreed they are seeking a peaceful resolution, Taiwan is in discussions with U.S. President Joe Biden’s administration for $500 million in weapons aid. Tsai noted the aid is meant to rectify deliveries that were delayed from the pandemic.

The United States has long maintained a policy of “strategic ambiguity” regarding military intervention if Taiwan were attacked by China. However, President Biden said he would be willing to use force to defend Taiwan from Chinese aggression.

Asia-Pacific Communications

This brings in another interesting piece of the cyberattack: it also targeted strategic US military communication positions in the Asia-Pacific region.

“The infiltration was focused on communications infrastructure in Guam and other parts of the U.S., the Times reported, and was particularly alarming to U.S. intelligence because Guam sits at the heart of an American military response in case of an invasion of Taiwan,” according to CNBC reporting.

Microsoft analysts report with “moderate confidence” that the hacker group was creating capabilities that can “disrupt critical communications infrastructure between the United States and Asia region during future crises,” according to Reuters, which also noted that Guam is a hub of U.S. military facilities that would be pivotal in responding to any conflict in that region. Guam also connects communications from Asia and Australia to the United States via submarine cables.

Bart Hoggeveen, a senior analyst at the Australian Strategic Policy Institute who specializes in state-sponsored cyber attacks in the region, told Reuters the submarine cables made Guam “a logical target for the Chinese government” to seek intelligence.

“There is high vulnerability when cables land on shore,” he said.

Other Points of Contention

This is just one area where the U.S. and China are diplomatically struggling.

There is also a rift in trade and technology. The US is targeting Chinese companies across the tech sector, with officials saying they want to keep key technologies from reaching China’s military, and it is possibly seeking to ban the TikTok app, owned by Chinese company ByteDance, due to security risks.

China then responded by prohibiting essential infrastructure makers from purchasing products from U.S. memory chip maker Micron.

Additionally, the U.S. has accused China of providing weapons to Russia for the Russia-Ukraine war.

“While China has stood by Russia, resisting Western pressure to isolate it, it denies any direct involvement in Ukraine and says it wants to promote a peaceful resolution,” according to Reuters reporting.
