By Raphael Satter and James Pearson
(Reuters) – Its name is redolent of an exotic electrical storm. But is the freshly christened hacking group “Volt Typhoon” an imminent danger to American infrastructure, or just a new crop of digital spies playing an old game?
Here is what is known about the group and its potential threat:
Nearly every country in the world uses hackers to gather intelligence. Major powers like the United States and Russia have large stables of such groups – many of which have been given colourful nicknames by cybersecurity experts, like “Equation Group” or “Fancy Bear.”
Where experts worry is when such groups turn their attention from intelligence gathering to digital sabotage. So when Microsoft Corp said in a blog post on Wednesday that Volt Typhoon was “pursuing development of capabilities that could disrupt critical communications infrastructure between the United States and Asia region during future crises,” it immediately brought to mind escalating tensions between China and the United States over Taiwan. Any conflict between those two countries would almost certainly involve cyberattacks across the Pacific.
Does this mean a group of destructive hackers is preparing to sabotage U.S. infrastructure in the event of a conflict over Taiwan?
Microsoft qualified its assessment as “moderate confidence,” intelligence jargon that typically means a theory is plausible and credibly sourced but has yet to be fully corroborated. Different researchers have identified various aspects of the group. Not everyone has seen evidence of sabotage preparation.
Volt Typhoon so far appears to be focused on stealing information from “organisations that hold data that relates to the military or government in the United States,” said Marc Burnard of Secureworks – an arm of Dell Technologies. Although Burnard said Volt Typhoon – which Secureworks calls “Bronze Silhouette” – may well be positioning itself for disruption, he said what he had seen of the hackers suggested it was being used “primarily for espionage purposes.”
U.S. tech firm Cisco Systems Inc said it has seen disturbing evidence that Volt Typhoon was readying itself for something dangerous.
Like Microsoft and Secureworks, Cisco’s experts refused to say exactly where they had encountered the group. Cisco’s director of threat intelligence, Matt Olney, said the company was called in to deal directly with one case at a critical infrastructure facility, where sabotage preparation seemed to be the best explanation.
The hackers were hunting for documentation showing how the facility worked, Olney said, and they did not appear to be after money. He would not provide details but said “it’s the kind of critical infrastructure that would definitely be targeted in a conflict.”
“We definitely had alarm bells going off,” he said.
Nearly all cyber spies work to cover their tracks. Microsoft and other researchers said Volt Typhoon was a particularly quiet operator that hid its traffic by routing it through hacked network equipment – like home routers – and carefully expunged evidence of intrusions from victim’s logs.
China routinely denies hacking and has done so again in the case of Volt Typhoon. But documentation of Beijing’s cyberespionage campaigns have been building for more than two decades. The spying has come into sharp focus over the past 10 years as Western researchers tied breaches to specific units within the People’s Liberation Army, and U.S. law enforcement charged a string of Chinese officers with stealing American secrets.
Secureworks said in a blog post that Volt Typhoon’s interest in operational security likely stemmed from embarrassment over the drumbeat of U.S. indictments and “increased pressure from (Chinese) leadership to avoid public scrutiny of its cyberespionage activity.”
(Reporting by James Pearson and Raphael Satter; Editing by Bill Berkrot)