A state-sponsored Chinese hacking group has been spying on a wide range of U.S. critical infrastructure organizations, from telecommunications to transportation hubs, Western intelligence agencies and Microsoft (MSFT.O) said on Wednesday. While China and the United States routinely spy on each other, analysts say this is one of the most extensive cyber espionage campaigns against American companies.
The espionage has also targeted the U.S. island territory of Guam, home to strategically important American military bases that would be crucial in responding to a Chinese invasion of Taiwan. The hacks, detected in February around the time the U.S. shot down a Chinese spy balloon flying over its airspace, raised alarms because they targeted the communication systems used by Guam’s military facilities.
“While it is not yet clear the purpose of these activities was military, the activity has heightened concerns about potential Chinese attempts to obtain sensitive information related to U.S. strategic interests,” a report from Microsoft’s Mandiant team said. It cited code found in the telecommunications systems of several businesses and government agencies, including the Guam Department of Defense, that had been inserted by hackers dubbed Volt Typhoon. Microsoft said Volt Typhoon was able to gain entry to the systems by exploiting a vulnerability in a software suite used to protect corporate networks. Once inside the networks, the group could steal user credentials and move laterally through the networks to access critical infrastructure. The intrusions were done with great stealth, and the hackers reportedly used “capabilities already built into critical infrastructure environments,” Microsoft said.
While the attacks are not yet confirmed to be from China, Microsoft experts expressed “moderate confidence” that the attackers were attempting to develop capabilities that could disrupt communications between the United States and Asia during future crises. In addition, the report noted that the attack methods used were more advanced than those of traditional hacking campaigns, which rely on tricking victims into downloading malicious files. Instead, Microsoft said these were “living off the land” attacks that rely on tools and vulnerabilities already present in existing systems to penetrate corporate networks without being detected.
The NSA and the national security services of Canada, Australia, New Zealand, and the U.K. are working with their counterparts in the United States to identify breaches, and they warned that other countries may also be at risk. In addition, the NSA has released technical guidance for companies that operate critical infrastructure to help them spot malicious activity.
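The two preceding paragraphs describe "living off the land" intrusions, in which the attacker runs tools already built into the victim's systems rather than dropping malware, and note that the NSA has published guidance on spotting such activity. Because there is no malicious file to detect, defenders look instead for built-in utilities being used in ways ordinary users and hosts never use them. The script below is an added illustration of that approach and is not code from the article, Microsoft or the NSA: it runs a few heuristic rules over a constructed sample of Windows process-creation events. The log format, the rule patterns and the `ADMIN_HOSTS` allowlist are all assumptions made for this example, not published indicators for any real campaign.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of Windows process-creation events, one per line, fields separated by "|":
# time|host|user|parent process|command line. Invented for this example; not from the article
# or from any real incident.
SAMPLE_EVENTS = """\
2023-02-10T08:01:12|WS-17|CORP\\jdoe|explorer.exe|notepad.exe C:\\Users\\jdoe\\notes.txt
2023-02-10T08:03:40|WS-17|CORP\\jdoe|cmd.exe|netsh interface portproxy add v4tov4 listenport=9999 connectaddress=10.0.0.5 connectport=443
2023-02-10T08:06:30|WS-22|CORP\\admin.ops|cmd.exe|wmic /node:WS-17 process call create "cmd /c whoami"
2023-02-10T08:07:11|ADMIN-JUMP|CORP\\admin.ops|cmd.exe|wmic os get caption
2023-02-10T08:09:55|WS-17|CORP\\jdoe|cmd.exe|ipconfig /all
2023-02-10T08:10:20|WS-22|CORP\\admin.ops|cmd.exe|netsh advfirewall show allprofiles
2023-02-10T08:12:03|ADMIN-JUMP|CORP\\admin.ops|powershell.exe|nltest /dclist:corp.local
"""

# Assumed set of hosts from which interactive use of admin tooling is expected (a real
# deployment would load this from inventory). Every other host is treated as a workstation.
ADMIN_HOSTS = {"ADMIN-JUMP"}

# Heuristics for built-in utilities that legitimate users almost never run by hand, matched on
# the command line. Illustrative assumptions, not a published indicator set.
RARE_TOOL_RULES = [
    ("netsh_portproxy", re.compile(r"\bnetsh\b.*\bportproxy\b.*\badd\b", re.I), "high"),
    ("wmic_remote_exec", re.compile(r"\bwmic\b.*/node:.*\bprocess\b.*\bcall\b", re.I), "high"),
    ("nltest_discovery", re.compile(r"\bnltest\b", re.I), "medium"),
]
# Built-in admin tools that are normal from an admin host but worth a look from a workstation.
ADMIN_TOOL_RE = re.compile(r"^\s*(wmic|nltest|netsh)\b", re.I)


@dataclass(frozen=True)
class Finding:
    line_no: int
    host: str
    user: str
    rule: str
    severity: str
    command: str


def parse_event(line: str) -> Optional[dict]:
    """Split one pipe-delimited event into its fields; return None for malformed lines."""
    parts = line.split("|", 4)
    if len(parts) != 5:
        return None
    time, host, user, parent, cmd = parts
    return {"time": time, "host": host, "user": user, "parent": parent, "cmd": cmd}


def detect(events_text: str) -> List[Finding]:
    """Apply the rare-tool rules, then the host-context rule, to every event line."""
    findings: List[Finding] = []
    for n, line in enumerate(events_text.splitlines(), start=1):
        ev = parse_event(line)
        if ev is None:
            continue
        matched = False
        for name, pattern, severity in RARE_TOOL_RULES:
            if pattern.search(ev["cmd"]):
                findings.append(Finding(n, ev["host"], ev["user"], name, severity, ev["cmd"]))
                matched = True
                break
        # Host context: an admin tool run from a host outside the allowlist is a low-severity lead.
        if not matched and ADMIN_TOOL_RE.match(ev["cmd"]) and ev["host"] not in ADMIN_HOSTS:
            findings.append(Finding(n, ev["host"], ev["user"],
                                    "admin_tool_from_workstation", "low", ev["cmd"]))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"line {f.line_no} [{f.severity}] {f.rule}: {f.user}@{f.host}: {f.command}")
```

On the constructed sample, the port-proxy and remote `wmic` lines are flagged as high-severity, the firewall query from a workstation as a low-severity lead, and the `nltest` call as medium, while the same `wmic` and `ipconfig` invocations that any administrator or user runs produce nothing. The point of the design is the second rule: command-line patterns alone cannot separate an attacker's use of a built-in tool from an administrator's, so context such as which host and which account ran it has to be part of the decision.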
The Pentagon’s presence in Guam is a point of contention among residents, with many objecting to a significant buildup that would require the island to expand its water supply and create other environmental challenges. Some protesters have held demonstrations outside the base, and a few have launched legal action to challenge the military’s use of the island for training and exercises. But most in Guam are hospitable to the troops, and visitors can expect to hear the local greeting, “hafa adai,” or good morning.