The group’s “actions suggest this is not an exclusively espionage objective,” the spokesperson wrote in the statement. “Focused effort to maintain access to these types of targeted organizations suggests that the threat actor anticipates additional future operations against those systems.”
Microsoft’s blog post offered technical details of the hackers’ intrusions that may help network defenders spot and evict them: The group, for instance, uses hacked routers, firewalls, and other network “edge” devices as proxies to launch its hacking—targeting devices that include those sold by hardware makers ASUS, Cisco, D-Link, Netgear, and Zyxel. The group also often exploits the access provided from compromised accounts of legitimate users rather than its own malware to make its activity harder to detect by appearing to be benign.
Blending in with a target’s regular network traffic in an attempt to evade detection is a hallmark of Volt Typhoon and other Chinese actors’ approach in recent years, says Marc Burnard, a senior consultant of information security research at Secureworks. Like Microsoft and Mandiant, Secureworks has been tracking the group and observing its campaigns. He added that the group has demonstrated a “relentless focus on adaption” to pursue its espionage.
US government agencies, including the National Security Agency, the Cybersecurity and Infrastructure Security Agency (CISA), and the Justice Department published a joint advisory about Volt Typhoon’s activity today alongside Canadian, UK, and Australian intelligence. “Private sector partners have identified that this activity affects networks across US critical infrastructure sectors, and the authoring agencies believe the actor could apply the same techniques against these and other sectors worldwide,” the agencies wrote.
Although Chinese state-sponsored hackers have never launched a disruptive cyberattack against the United States—even over decades of data theft from US systems—the country’s hackers have periodically been caught inside US critical infrastructure systems. As early as 2009, US intelligence officials warned that Chinese cyberspies had penetrated the US power grid to “map” the country’s infrastructure in preparation for a potential conflict. Two years ago, CISA and the FBI also issued an advisory that China had penetrated US oil and gas pipelines between 2011 and 2013. China’s Ministry of State Security hackers have gone much further in cyberattacks against the country’s Asian neighbors, actually crossing the line of carrying out data-destroying attacks disguised as ransomware, including against Taiwan’s state-owned oil firm CPC.
This latest set of intrusions seen by Microsoft and Mandiant suggests that China’s critical infrastructure hacking continues. But even if the Volt Typhoon hackers did seek to go beyond espionage and lay the groundwork for cyberattacks, the nature of that threat is far from clear. State-sponsored hackers are, after all, often assigned to gain access to an adversary’s critical infrastructure as a preparatory measure in case of a future conflict, since gaining the access necessary for a disruptive attack usually requires months of advanced work.
That ambiguity in state-sponsored hackers’ motivations when they penetrate another country’s networks—and its potential for misinterpretation and escalation—is what Georgetown professor Ben Buchanan has called “the cybersecurity dilemma” in his book by the same name. “Genuinely attacking and building the option to attack later on,” Buchanan told WIRED in a 2019 interview as cyberwar tensions rose between the US and Russia, “are very hard to disentangle.”
Drawing the lines between espionage, cyberattack preparation, and imminent cyberattack is an even harder exercise with China, says Mandiant’s Hultquist, given the limited instances of the country pulling the trigger on a digitally disruptive event—even when it does have the access to cause one, as it may well have had in Volt Typhoon’s intrusions. “China’s disruptive and destructive capabilities are extremely opaque,” he says. “Here we have a possible indication that this might be an actor with that mission.”
Update 1:50 pm ET, May 25, 2023 with additional comment from Microsoft.