China may have conducted digital espionage against the US’ Pacific interests. Microsoft and the National Security Agency (NSA) have revealed that an alleged state-sponsored Chinese hacking group, Volt Typhoon, installed surveillance malware in “critical” systems on the island of Guam and elsewhere in the US. The group has been operating since mid-2021 and reportedly compromised government organizations as well as communications, manufacturing, education and other sectors.
Volt Typhoon prioritizes stealth, according to the investigators. It uses “living off the land” techniques that rely on resources already present in the operating system, as well as direct “hands-on-keyboard” action. They use the command line to scrape credentials and other data, archive the info and use it to stay in targeted systems. They also try to mask their activity by sending data traffic through small and home office network hardware they control, such as routers. Custom tools help them set up a command and control channel through a proxy that keeps their info secret.
The malware hasn’t been used for attacks, but the web shell-based approach could be used to damage infrastructure. Microsoft and the NSA are publishing info that could help potential victims detect and remove Volt Typhoon’s work, but they warn that fending off intrusions could be “challenging” as it requires either closing or changing affected accounts.
US officials speaking to The New York Times believe the Guam infiltration is part of a larger Chinese intelligence collection system that includes the reported spy balloon that floated across American nuclear sites early this year. The focus Guam is concerning as it’s home to Andersen Air Force Base, a major station that would likely be used for any US answer to a Chinese invasion of Taiwan. It’s also a key hub for ships in the Pacific.
The Biden administration has stepped up efforts to protect critical infrastructure, including plans for common security requirements. The US fell prey to multiple attacks on vital systems in recent years, including gas pipelines and meat suppliers. The Volt Typhoon discovery underscores the importance of tougher defenses — malware like this could compromise the US military at a crucial moment.