Microsoft, CISA, NSA, FBI, and the Five Eyes on the PRC’s Advanced Persistent Threat: Volt Typhoon

In his post earlier this week, OODA Loop Contributor Emilio Iasiello provided the initial coverage of a “cluster of activity” linked to China, targeting networks across U.S. critical infrastructures and Guam:  Chinese Cyber Activities Against Critical Infrastructure Raises the Stakes in U.S.-China Relations.   As is always the case with Emilio’s weekly contribution here at OODA Loop, it is worth a read.  The advisory referenced by Emilio –  entitled People’s Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection – dovetails with our analysis in April of the State Department turning its strategic focus towards cyber-threat vectors in Guam, Albania, and Costa Rica.

This People’s Republic of China (PRC) state-sponsored cyber actor, also known as Volt Typhoon or Bronze Silhouette, requires additional coverage – including the geopolitical “big picture” as reported by David Sanger at the NY Times and surfacing mitigation recommendations from the 24-page advisory provided by CISA, NSA, FBI, and the Five Eyes Agencies.  Microsoft Threat Intelligence, always top-notch, also contributed to this hunt and discovery: “Microsoft and Secureworks researchers have also released details about the Volt Typhoon (aka Bronze Silhouette) campaigns they detected. They have shared indicators of compromise and mitigation and protection guidance.” (1)

The code, which Microsoft said was installed by a Chinese government hacking group, set off alarms because Guam would be a centerpiece of any U.S. military response to a move against Taiwan.

David Sanger’s The Perfect Weapon: War, Sabotage, and Fear in the Cyber Age was included in OODA CEO Matt Devost’s Best Security, Business, and Technology Books of 2018.  Sanger is a White House and national security correspondent, and a senior writer for the New York Times.  In a 38-year reporting career for The New York Times, Sanger has been on three teams that have won Pulitzer Prizes and has written extensively about the role of cyberconflict in national security.

Volt Typhoon is Sanger’s beat.  Following are some of the vital takeaways from his coverage on May 24th:

“Unlike Russian groups, Chinese intelligence and military hackers usually prioritize espionage.”

  • Around the time that the F.B.I. was examining the equipment recovered from the Chinese spy balloon shot down off the South Carolina coast in February, American intelligence agencies and Microsoft detected what they feared was a more worrisome intruder: mysterious computer code appearing in telecommunications systems in Guam and elsewhere in the United States.
  • The code, which Microsoft said was installed by a Chinese government hacking group, raised alarms because Guam, with its Pacific ports and vast American air base, would be a centerpiece of any American military response to an invasion or blockade of Taiwan.
  • The operation was conducted with great stealth, sometimes flowing through home routers and other common internet-connected consumer devices, to make the intrusion harder to track.
  • The code is called a “web shell,” in this case a malicious script that enables remote access to a server. Home routers are particularly vulnerable, especially older models that have not had updated software and protections.
  • Microsoft on Wednesday published details of the code that would make it possible for corporate users, manufacturers, and others to detect and remove it.
  • In a coordinated release, the National Security Agency — along with other domestic agencies and counterparts in Australia, Britain, New Zealand and Canada — published a 24-page advisory that referred to Microsoft’s finding and offered broader warnings about a “recently discovered cluster of activity” from China.
  • Microsoft called the hacking group “Volt Typhoon” and said that it was part of a state-sponsored Chinese effort aimed at not only critical infrastructure such as communications, electric and gas utilities, but also maritime operations and transportation.
  • The intrusions appeared, for now, to be an espionage campaign. But the Chinese could use the code, which is designed to pierce firewalls, to enable destructive attacks, if they choose.
  • So far, Microsoft says, there is no evidence that the Chinese group has used the access for any offensive attacks. Unlike Russian groups, Chinese intelligence and military hackers usually prioritize espionage.

U.S. Official Responses to Chinese Cyber Espionage

In interviews, administration officials said they believed the code was part of a vast Chinese intelligence collection effort that spans cyberspace, outer space and, as Americans discovered with the balloon incident, the lower atmosphere:

The Chinese Spy Balloon 

  • The Biden administration has declined to discuss what the F.B.I. found as it examined the equipment recovered from the balloon. But the craft — better described as a huge aerial vehicle — apparently included specialized radars and communications interception devices that the F.B.I. has been examining since the balloon was shot down.
  • It is unclear whether the government’s silence about its finding from the balloon is motivated by a desire to keep the Chinese government from knowing what the United States has learned or to get past the diplomatic breach that followed the incursion.
  • Speaking at a news conference in Hiroshima, Japan, President Biden referred to how the balloon incident had paralyzed the already frosty exchanges between Washington and Beijing.  “And then this silly balloon that was carrying two freight cars’ worth of spying equipment was flying over the United States,” he told reporters, “and it got shot down, and everything changed in terms of talking to one another.”  He predicted that relations would “begin to thaw very shortly.”

 Office of Personnel Management Breach 

  • China has never acknowledged hacking into American networks, even in the biggest example of all: the theft of security clearance files of roughly 22 million Americans — including six million sets of fingerprints — from the Office of Personnel Management during the Obama administration. That exfiltration of data took the better part of a year and resulted in an agreement between President Barack Obama and President Xi Jinping that resulted in a brief decline in malicious Chinese cyber activity.
  • [in early May]. China sent a warning to its companies to be alert to American hacking. And there has been plenty of that, too: In documents released by Edward Snowden, the former N.S.A. contractor, there was evidence of American efforts to hack into the systems of Huawei, the Chinese telecommunications giant, and military and leadership targets.

The Hunt for and Discovery of the Code – with a Focus on Guam 

  • Telecommunications networks are key targets for hackers, and the system in Guam is particularly important to China because military communications often piggyback on commercial networks.
  • Tom Burt, the executive who oversees Microsoft’s threat intelligence unit, said in an interview that the company’s analysts — many of them veterans of the National Security Agency and other intelligence agencies — had found the code “while investigating intrusion activity impacting a U.S. port.” As they traced back the intrusion, they found other networks that were hit, “including some in the telecommunications sector in Guam.”
  • The [recent joint advisory] is part of a relatively new U.S. government move to publish such data quickly in hopes of burning operations like the one mounted by the Chinese government. In years past, the United States
    usually withheld such information — sometimes classifying it — and shared it with only a select few companies or organizations. But that almost always assured that the hackers could stay well ahead of the government.
  • In this case, it was the focus on Guam that particularly seized the attention of officials who are assessing China’s capabilities — and its willingness — to attack or choke off Taiwan. Mr. Xi has ordered the People’s Liberation Army to be capable of taking the island by 2027. But the C.I.A. director, William J. Burns, has noted to Congress that the order “does not mean he has decided to conduct an invasion.”
  • In the dozens of U.S. tabletop exercises conducted in recent years to map out what such an attack might look like, one of China’s first anticipated moves would be to cut off American communications and slow the United States’ ability to respond. So the exercises envision attacks on satellite and ground communications, especially around American installations where military assets would be mobilized.
  • None is bigger than Guam, where Andersen Air Force Base would be the launching point for many of the Air Force missions to help defend the island, and a Navy port is crucial for American submarines. (2)

READ MORE HERE

Spread the love
                
By Published On: June 2, 2023Categories: UncategorizedComments Off on Microsoft, CISA, NSA, FBI, and the Five Eyes on the PRC’s Advanced Persistent Threat: Volt Typhoon

Share This Story, Choose Your Platform!

About the Author: Patriotman

Patriotman currently ekes out a survivalist lifestyle in a suburban northeastern state as best as he can. He has varied experience in political science, public policy, biological sciences, and higher education. Proudly Catholic and an Eagle Scout, he has no military experience and thus offers a relatable perspective for the average suburban prepper who is preparing for troubled times on the horizon with less than ideal teams and in less than ideal locations. Brushbeater Store Page: http://bit.ly/BrushbeaterStore

GUNS N GEAR

Categories

Archives

Spread the love