A state-sponsored Chinese hacking group has been spying on a wide range of critical US infrastructure organizations, from telecommunications to transportation hubs, Western intelligence agencies and Microsoft said on Wednesday.

The espionage has also focused on the US island territory of Guam, home to strategically important US military bases, Microsoft said in a report, adding that “mitigating this attack could be challenging.”

While China and the United States routinely spy on each other, analysts say this is one of the largest known Chinese cyber-espionage campaigns against critical US infrastructure.

Chinese Foreign Ministry spokesman Mao Ning said Thursday that the hacking allegations were a “collective disinformation campaign” by the Five Eyes countries, a reference to the intelligence-sharing grouping made up of the United States, Canada, New Zealand, Australia and the UK.

Mao said that the campaign was launched by the US for geopolitical reasons and that the report by Microsoft analysts showed that the US government was expanding its disinformation channels beyond government agencies.

“But no matter what variety of methods are used, none of this can change the fact that the United States is the piracy empire,” he told a regular news conference in Beijing.

It was not immediately clear how many organizations were affected, but the US National Security Agency (NSA) said it was working with partners including Canada, New Zealand, Australia and the United Kingdom, as well as the US Federal Bureau of Investigation, to identify breaches. Canada, the United Kingdom, Australia and New Zealand warned that hackers could target them too.

Microsoft analysts said they were “moderately confident” that this Chinese group, which they dubbed “Volt Typhoon,” was developing capabilities that could disrupt critical communications infrastructure between the United States and the Asian region during future crises.

“It means they’re preparing for that possibility,” said John Hultquist, who leads threat analysis at Google’s Mandiant Intelligence.

The Chinese activity is unique and worrying also because analysts do not yet have enough visibility into what this group might be capable of, he added.

“There is greater interest in this actor due to the geopolitical situation.”

As China has increased military and diplomatic pressure on its claim to a democratically governed Taiwan, US President Joe Biden has said he would be willing to use force to defend Taiwan.

Security analysts expect Chinese hackers could target US military networks and other critical infrastructure if China invades Taiwan.

The NSA and other Western cyber agencies urged companies that operate critical infrastructure to identify malicious activity using the technical guidance they issued.

“It is vital that operators of critical national infrastructure take steps to prevent attackers from hiding in their systems,” said Paul Chichester, director of the UK’s National Center for Cyber Security, in a joint statement with the NSA.

Microsoft said the Chinese hacking group has been active since at least 2021 and has targeted several industries, including communications, manufacturing, utilities, transportation, construction, maritime, government, IT, information and education.

NSA cybersecurity director Rob Joyce said the Chinese campaign was using “embedded network tools to evade our defenses and leave no trace.” Such techniques are more difficult to detect since they use “capabilities already built into critical infrastructure environments,” he added.

Unlike the use of traditional hacking techniques, which often involve tricking the victim into downloading malicious files, Microsoft said this group infects the victim’s existing systems to find information and extract data.

Guam is home to US military installations that would be key in responding to any conflict in the Asia-Pacific region. It is also a major communications hub connecting Asia and Australia to the United States via multiple undersea cables.

Bart Hogeveen, a senior analyst at the Australian Strategic Policy Institute who specializes in state-sponsored cyberattacks in the region, said the undersea cables made Guam “a logical target for the Chinese government” to look for intelligence.

“There is a high vulnerability when the cables land on the coast,” he said.

New Zealand said it would work to identify any such malicious cyber activity in its country.

“It is important to our country’s national security that we are transparent and honest with Australians about the threats we face,” Australia’s Home Affairs and Cyber Security Minister Clare O’Neil said.

Canada’s cybersecurity agency said it did not yet have any reports of Canadian victims of this hack. “However, Western economies are deeply interconnected,” it added. “Much of our infrastructure is tightly integrated, and an attack on one can affect the other.”