Chinese Volt Typhoon Hackers Operated Undetected for 5 Years in Critical US Infrastructure

The U.S. government recently disclosed that a sophisticated Chinese state-sponsored hacking group, identified as Volt Typhoon, managed to infiltrate critical infrastructure networks within the United States and Guam, remaining undetected for a staggering five years. These critical systems targeted by Volt Typhoon span across various sectors including communications, energy, transportation, and water and wastewater management.

What distinguishes Volt Typhoon's activities is their unconventional approach, diverging from typical cyber espionage operations. According to U.S. authorities, the group's tactics suggest a premeditated effort to establish a foothold within IT networks, enabling them to maneuver towards Operational Technology (OT) assets with the intent to disrupt essential functions.

The joint advisory released by the Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and the Federal Bureau of Investigation (FBI), along with support from Five Eyes intelligence alliance nations, highlights the gravity of the situation. This hacking group, alternatively known as Bronze Silhouette, Insidious Taurus, UNC3236, Vanguard Panda, or Voltzite, has been active since at least June 2021.

Volt Typhoon's modus operandi involves the utilization of advanced techniques such as 'living off the land' (LotL), allowing them to operate covertly by blending malicious activities with legitimate network behavior. Moreover, they employ multi-hop proxies like KV-botnet to obfuscate the origins of their attacks, making attribution challenging.

CrowdStrike, a cybersecurity firm, noted Volt Typhoon's reliance on an extensive array of open-source tools tailored to specific victims, demonstrating a high level of sophistication and strategic planning. The group meticulously conducts reconnaissance, tailors their tactics to target environments, and maintains persistence through the use of valid accounts and strong operational security measures.

One of their primary objectives is to obtain administrator credentials within networks, exploiting privilege escalation flaws to facilitate lateral movement and reconnaissance. Their long-term strategy involves maintaining access to compromised environments, continuously refining their techniques to evade detection and expand unauthorized accesses.

In addition to stolen credentials, Volt Typhoon employs LotL techniques to avoid leaving traces of malware, enhancing their stealth and operational security. They go as far as deleting targeted logs to conceal their actions within compromised environments, further complicating efforts to uncover their activities.

This revelation coincides with findings from Citizen Lab regarding a widespread influence campaign, dubbed PAPERWALL, involving over 123 websites impersonating local news outlets across 30 countries. These websites, linked to a Beijing-based PR firm named Shenzhen Haimaiyunxiang Media Co., Ltd., disseminate pro-China content while removing critical articles after publication.

While the Chinese embassy in Washington dismisses allegations of disinformation, these incidents underscore the growing concern over China's cyber capabilities and influence operations on a global scale.