‘Volt Typhoon’ Breaks Fresh Ground for China-Backed Cyber Campaigns
News this week that a likely China-backed threat actor is targeting critical infrastructure organizations in Guam has once again raised the specter of America’s geopolitical adversaries launching disruptive cyberattacks against key communications and operational technologies in a future crisis.
The attacks are part of a broader campaign dubbed “Volt Typhoon” that Microsoft reported this week as targeting organizations in the communications, government, utility, manufacturing, maritime, and other critical sectors. Like most state-backed Chinese cyber campaigns over the past several years, the primary focus of Volt Typhoon at first appears to be cyber espionage.
A Troubling New Inflection Point for Chinese Cyberattacks?
But the group’s targeting of Guam — a strategic base for defending Taiwan against potential Chinese annexation — along with other evidence that Microsoft has examined, suggest that the actor is also laying the groundwork for attacks that could disrupt US-Asia communications in a kinetic conflict.
“There was a period of a few years where we saw relatively little Chinese activity directed against US targets […] that’s changed over the past 12 months,” notes Dick O’Brien, principal intelligence analyst at Symantec Threat Hunter Team, likely as a result of the geopolitical tensions around the Taiwan issue. “We think the one named US location (Guam) is significant as Chinese actors are very heavily focused on Taiwan right now, and Guam may be part of that focus,” he says.
The apparent preparation for disruptive attacks that Microsoft observed marks a significant departure from most cyberattacks by Chinese groups over the past nearly two decades — the main focus has been on stealing trade secrets and intellectual property from the US and other countries to support China’s strategic goals around self-reliance. A survey that the Center for Strategic and International Studies did using publicly available information found 224 reported instances of Chinese espionage targeting US organizations. Almost half (46%) of these involved cyber-enabled espionage.
China’s Long History of Cyber Espionage
Notable early examples in the list include: an April 2005 campaign where Chinese actors stole information about the Space Shuttle Discovery program from a NASA network; a 2005 operation called Titan Rain to steal US military and defense secrets from defense contractors and military entities; and a 2010 campaign dubbed Aurora that hit Google and some 30 other major technology companies.
More recently, Chinese hackers stole 614 GB of data on a US supersonic anti-ship missile from a US Navy Contractor in 2018; a 2019 attack resulted in the theft of data pertaining to General Electric jet engine turbines; and in May 2020, an attack was aimed at stealing US research related to the coronavirus vaccine.
In nearly half (49%) of instances, the CSIS could identify that the actor and intent involved Chinese government and military operatives; 29% of those incidents involved attempts to steal military technologies, and 54% of them aimed to steal commercial IP and trade secrets.
So far at least, through all these campaigns, Chinese groups have not shown they can wreak widespread havoc on US critical infrastructure — or at least researchers have simply not uncovered any evidence. But no one doubts that they — and other nation state backed groups, especially Russian APTs — can as well.
“China has not demonstrated the ability to disrupt critical infrastructure, but it’s something we believe they are capable of and other states are capable of,” says John Hultquist, chief analyst at Mandiant Intelligence — Google Cloud.
China’s Cyber Potential for Real-World Disruption
“Critical infrastructure can be disrupted with capabilities such as ransomware, though some countries, like China, are likely to have access to the ability to attack operational technology (OT) systems,” he says.
China-backed threat actors are currently the most active among nation-state groups, especially those focused on conducting cyber espionage. CrowdStrike’s threat intelligence team found that last year China-nexus actors targeted 39 industry sectors in cyber espionage campaigns across 20 geographic regions last year.
Security researchers have little doubt that the skills that Chinese groups have used in executing these attacks, can be used in carrying out destructive ones if needed.
“When comparing the technical aspects of the cyber threat from China to other adversary nations, there are differences in tactics, techniques, and procedures (TTPs). Russian groups have often leveraged social engineering and sophisticated malware,” says Cliff Steinhauer, director of information security and engagement at the National Cybersecurity Alliance (NCA).
In fact, Russian groups often leverage social engineering and sophisticated malware, North Korean groups tend to lean toward to destructive attacks and cyber-enabled financial heists, while Iranian groups have frequently employed DDoS attacks and defacements, Steinhauer says. Chinese groups, meanwhile, have tended to use a mix of spear-phishing, waterhole attacks, and exploit chains. “However, their abilities and scale are very concerning because they are persistent but don’t act upon every opportunity to conduct an attack, leaving their true footprint to be unknown,” he notes.
Improving Zero-Day Use & Hacking Capabilities
In recent years, Chinese APT groups have gotten significantly better at discovering and exploiting zero-days than any other groups. And they also have typically been among the fastest to exploit newly disclosed flaws.
Data from Mandiant shows that in 2022 Chinese cyber espionage groups exploited seven zero-day flaws in various campaigns. That was a notch lower than the eight zero-days they exploited in 2021, but it was still the highest by threat actors from any one country. Examples of zero-day vulnerabilities that Chinese threat actors have used recently used with highly disruptive effect included CVE-2022-30190 (aka Follina); CVE-2022-42475 against FortiOS systems; and the so-called ProxyLogon set of flaws in Microsoft Exchange in 2021.
Many of the attacks from China-based groups have targeted network and edge devices from companies such as Fortinet, Pulse, Netgear, Citrix, and Cisco. Volt Typhoon, the campaign that Microsoft disclosed this week, is no exception. Microsoft analysis showed the threat actor proxying all network traffic via compromised routers and small office/home office (SOHO) edge devices from companies like ASUS, Netgear, D-Link, and Cisco. In recent campaigns — including Volt Typhoon, China-backed groups have also shown an affinity to use legitimate and dual use tools to conduct post-compromise reconnaissance, lateral movement, and to maintain persistence.
“One of their favorite mediums is launching and staging attacks from network edge devices,” says Craig Jones, vice president of security operations at Ontinue. “These groups demonstrate proficiency in infiltrating targeted networks and maintaining persistent access [and] operating covertly within compromised systems for extended periods,” he says. Moreover, they excel in orchestrating supply chain attacks, leveraging trusted vendors and software providers in executing attacks, Jones notes.
Ben Read, senior manager of cyber espionage at Mandiant, assesses that China has the sophistication to create malware capable of disrupting critical infrastructure, though so far there has been no evidence of one. “Given the large number, and distributed nature of US critical infrastructure networks, it is likely that if they made the political decision to cause a disruption, they would be able to have some effect,” he says. “However, the US continues to invest in defense so the scale of the potential impact is uncertain.”