
State-sponsored Chinese hackers appear to target US critical infrastructure

Security researchers at Microsoft have uncovered what appears to be a cyber campaign targeting critical infrastructure in Guam and the mainland US, operated by a threat actor sponsored by the People’s Republic of China.

David Hollingworth
Thu, 25 May 2023

The group, which Microsoft has dubbed Volt Typhoon under its new threat-actor naming scheme, is known for espionage and data gathering. In this case, however, Microsoft assesses that the group is laying the groundwork to be able to disrupt communications between the US and Asia at some point in the future.

The activity is serious enough that agencies from the Five Eyes countries have released a joint advisory on hunting for and mitigating it. The Australian Cyber Security Centre co-authored the advisory, which draws on Microsoft's findings, alongside agencies from the US, Canada, New Zealand, and the UK.

Volt Typhoon's operations are built around stealth and are aimed as much at maintaining persistence on compromised networks and systems as at exfiltrating data or credentials. The group uses living-off-the-land techniques to stay beneath the radar of automated defences, and has been seen targeting organisations in the communications, manufacturing, government, information technology, and education sectors.


Living off the land, in this instance, means operating with stolen but valid credentials and the command-line tools already present on Windows hosts rather than dropping custom malware. Volt Typhoon also proxies its command-and-control traffic through compromised small office and home office (SOHO) network edge devices such as routers and VPN appliances. Taken together, the malicious activity is hard to spot: on the host it looks like routine administration, and on the wire it looks like ordinary traffic from residential and small-business networks.

Initial access was gained via "internet-facing Fortinet FortiGuard devices", according to Microsoft, though exactly how Volt Typhoon compromised those devices has not been disclosed.

“The threat actor attempts to leverage any privileges afforded by the Fortinet device, extracts credentials to an Active Directory account used by the device, and then attempts to authenticate to other devices on the network with those credentials,” Microsoft’s researchers said in a blog post.

Once inside a network, much of Volt Typhoon's activity is hands-on-keyboard discovery: running command-line queries for system, network, and user information and using the results to decide the next step. The group also collects local web browser data and stages what it gathers in password-protected archives before exfiltration.
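The two patterns described above (a credential harvested from an edge device being reused against other hosts, and built-in Windows tools driven by hand for discovery, proxying and staging) are what the joint advisory asks defenders to hunt for. The following Python script is an added example written for this article, not tooling from Microsoft or the advisory's authors. It scans a small set of constructed Windows Security events (4624 logons and 4688 process creations). The service account name `svc-fortigate`, the appliance address `10.10.0.5`, the hostnames, and the regex rule set are all assumptions made for the example.

```python
"""
Hunting for Volt Typhoon-style living-off-the-land activity in Windows
security events. Added example for this article, not Microsoft's or the
advisory's own tooling; all events below are constructed sample data.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Built-in Windows tools commonly abused for LOTL discovery, credential access,
# proxying and staging. This rule set is an illustrative assumption for the
# example, not a list quoted from the article or the joint advisory.
LOTL_RULES = [
    ("ntds-dump",   re.compile(r"\bntdsutil(\.exe)?\b.*\bifm\b", re.I)),
    ("portproxy",   re.compile(r"\bnetsh(\.exe)?\b.*\bportproxy\b.*\badd\b", re.I)),
    ("ldap-dump",   re.compile(r"\bldifde(\.exe)?\b", re.I)),
    ("encoded-ps",  re.compile(r"\bpowershell(\.exe)?\b.*\s-(e|enc|ec|encodedcommand)\b", re.I)),
    ("wmic-recon",  re.compile(r"\bwmic(\.exe)?\b", re.I)),
    # Archiving tools invoked with an inline password switch (-p<password>).
    ("pw-archive",  re.compile(r"\b(7z|7za|rar|winrar)(\.exe)?\b.*\s-p\S+", re.I)),
]

# Hypothetical AD service account bound to the edge appliance, and the only
# source address it should ever authenticate from. Assumed values.
APPLIANCE_ACCOUNTS = {"svc-fortigate": {"10.10.0.5"}}


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    user: str
    detail: str


def hunt(events, appliance_accounts=APPLIANCE_ACCOUNTS):
    """Return a Finding for every event that matches a rule.

    events: dicts shaped like Security log records. 4624 (logon) needs
    user/src_ip/host; 4688 (process creation) needs user/host/cmd. The 'cmd'
    field is only populated when the 'Include command line in process creation
    events' audit policy is enabled.
    """
    findings = []
    for ev in events:
        user, host = ev.get("user", ""), ev.get("host", "")
        if ev.get("id") == 4624:
            allowed = appliance_accounts.get(user)
            # A device-bound service account logging on from anywhere other
            # than the appliance is the lateral-movement pattern in the article.
            if allowed is not None and ev.get("src_ip") not in allowed:
                findings.append(Finding("appliance-account-off-box", host, user,
                                        f"logon from {ev.get('src_ip')}"))
        elif ev.get("id") == 4688:
            cmd = ev.get("cmd", "")
            for name, pattern in LOTL_RULES:
                if pattern.search(cmd):
                    findings.append(Finding(name, host, user, cmd))
    return findings


def summarize(findings):
    """Group distinct rule hits by user so weak single signals (one wmic call)
    can be weighed against a user that trips several rules across hosts."""
    by_user = defaultdict(set)
    for f in findings:
        by_user[f.user].add(f.rule)
    return {u: sorted(rules) for u, rules in by_user.items()}


# Constructed sample telemetry: one benign appliance logon, one off-box logon
# with the appliance account, and a handful of process-creation records.
SAMPLE_EVENTS = [
    {"id": 4624, "user": "svc-fortigate", "host": "dc01", "src_ip": "10.10.0.5"},
    {"id": 4624, "user": "svc-fortigate", "host": "fs01", "src_ip": "10.10.7.42"},
    {"id": 4688, "user": "svc-fortigate", "host": "dc01",
     "cmd": r'ntdsutil.exe "ac i ntds" "ifm" "create full C:\Windows\Temp\x"'},
    {"id": 4688, "user": "svc-fortigate", "host": "fs01",
     "cmd": "netsh.exe interface portproxy add v4tov4 listenport=9999 "
            "connectaddress=10.10.0.20 connectport=8443"},
    {"id": 4688, "user": "jdoe", "host": "ws17",
     "cmd": "wmic.exe path win32_logicaldisk get caption,freespace,size"},
    {"id": 4688, "user": "jdoe", "host": "ws17",
     "cmd": r"7z.exe a -pS3cret! C:\Users\Public\out.7z C:\Users\jdoe\AppData\Local\Google\Chrome\User Data"},
    {"id": 4688, "user": "admin", "host": "ws17", "cmd": r"notepad.exe C:\notes.txt"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.user}@{f.host}: {f.detail}")
    print(summarize(hunt(SAMPLE_EVENTS)))
```

Any one of these rules is low fidelity on its own: administrators run `wmic` and `netsh` every day, and a single hit will drown in noise. The value is in the correlation that `summarize` performs, where the appliance's own service account logging on from a file server and then running an `ntdsutil ... ifm` export and a `portproxy` rule is a chain no legitimate workflow produces. Two practical caveats: 4688 records carry no command line unless command-line auditing is enabled, and the proxying through SOHO devices mentioned above will not show up in host logs at all, so the source addresses in 4624 events and firewall logs should be checked against the appliance's known address rather than trusted by subnet.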

What makes the activity particularly alarming is how hard such operations are to detect, combined with the sensitivity of some of Volt Typhoon's targets, which include port facilities used by the US military. Guam in particular is a sensitive target: it would be a key staging area for any US intervention in the South China Sea or in support of Taiwan against a Chinese invasion.

The timing of the intrusions suggests they are part of a wider Chinese data-gathering operation, which included the now infamous Chinese balloon incident.

“The use of ‘living off the land’ techniques, while not new, is something that has not been widely reported previously,” said Jamie Norton, partner on the McGrathNicol Advisory team. “This confirms the use of TTPs by state-sponsored actors that are not traditional malware or malicious payloads, which can increasingly be detected by modern endpoint protection systems. Living off the land involves using techniques that already exist within the tooling on the compromised system, making it harder to distinguish between malicious activity and normal administrative maintenance.”

“This news highlights the patient and professional nature of some Chinese government hacking operations,” said Sam Boarder, also a partner at McGrathNicol. “Past exposures of cyber operations were able to be mapped onto previously documented threat actors. Many of those cyber attacks were led by contract hackers who blended espionage with commercially driven theft.”

“This case involves a previously unknown hacking organisation that until now operated with stealth,” Boarder said.

“Volt Typhoon’s activity suggests it may have been looking to lay the groundwork for sabotage against critical infrastructure, and not just to steal information.”

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
