Hands on a keyboard in North Vancouver, BC, on December 19, 2012. The Canadian Centre for Cyber Security warns of evidence that Chinese hackers have been targeting critical infrastructure networks in the U.S. THE CANADIAN PRESS/Jonathan Hayward
State-sponsored hackers from China have targeted US critical infrastructure, cybersecurity officials from around the world, including Canada, warned Wednesday in a coordinated effort to root out the perpetrators.
The Canadian Centre for Cyber Security was just one of several international agencies, all part of the Five Eyes intelligence alliance, involved in tightening the US National Security Agency’s alert.
The discovery of what the NSA called “indicators of compromise” was first made by Microsoft and attributed to Volt Typhoon, a Chinese state actor the company says has been active since mid-2021.
Volt Typhoon “typically focuses on espionage and intelligence gathering,” the software giant warned in its own threat analysis.
“Microsoft is moderately confident that this Volt Typhoon campaign seeks to develop capabilities that could disrupt critical communications infrastructure between the United States and the Asian region in future crises.”
Rob Joyce, the NSA’s director of cybersecurity, described the attack style as “living off the land” — using existing network tools and valid credentials to better evade detection.
“A (PRC) state-sponsored actor makes a living from farming, uses built-in networking tools to evade our defenses and leaves no trace,” Joyce said in a statement.
“As such, it is imperative for us to work together to find and remove the actor from our critical networks.”
The Microsoft report describes stealth as one of the intruder’s main goals in maintaining access to the target network, relying on existing management tools and “hands-on-keyboard” activity to evade detection.
“In addition, Volt Typhoon attempts to interfere with normal network activity by routing traffic through compromised small office and home office network equipment, including routers, firewalls, and VPN hardware.”
According to Microsoft, Volt Typhoon has already targeted infrastructure assets across the US, including in Guam, where the US maintains an air force base and a naval port, both of which are central elements of its military presence in the Pacific Ocean.
Pentagon officials also believe Guam and its military installations were among the main targets of the Chinese spy balloon, which was shot down in February after drifting through North American airspace for a week.
Canadian officials say there have been no reports of attacks on systems inside Canada.
“The Canadian Centre for Cyber Security joins its international partners in sharing this newly identified threat and accompanying remediation efforts with critical infrastructure sectors,” the agency’s head, Sami Khoury, said in a statement.
“The interconnectedness of our infrastructures and economies underscores the importance of working with our allies to identify and share real-time threat intelligence.”
Other agencies involved in Wednesday’s announcement included the US Cybersecurity and Infrastructure Security Agency, the FBI, and cybersecurity agencies in Australia, New Zealand and the United Kingdom.
“China has been conducting operations worldwide for years to steal intellectual property and sensitive data from critical infrastructure organizations around the world,” said CISA Director Jen Easterly.
“(Wednesday’s) advisory jointly released with our U.S. and international partners reflects how China is using sophisticated means to target our country’s critical infrastructure.”