Chinese Hackers Operated Undetected In Critical US Networks

Over 100 websites disguised as local news outlets in Europe, Asia and Latin America are promoting pro-China propaganda in a widespread influence campaign linked to a Chinese public relations firm, according to the University of Toronto's cyber research institute, Citizen Lab.

The propaganda appears across websites in 30 countries, interspersed with news content aggregated from local outlets and Chinese state media, according to a recent research report by Citizen Lab's Alberto Fittarelli.

The US government has also said recently that the Chinese state-sponsored hacking group known as Volt Typhoon has been embedded in some critical US infrastructure networks for at least five years. Targets of these intrusions include the communications, energy, transportation, and water and wastewater sectors in the US, with the goal of causing disruption if China were ever to confront the US during a major crisis or conflict. "Volt Typhoon's choice of targets and pattern of behaviour is not consistent with traditional cyber espionage or intelligence gathering operations, and the US authoring agencies assess with high confidence that Volt Typhoon actors are pre-positioning themselves on IT networks to enable lateral movement to OT assets to disrupt functions," the US government has said.

The objective is to pre-position themselves on IT networks, maintaining persistence and building an understanding of the target environment over time, so that disruptive or destructive cyber attacks can be launched against US critical infrastructure in the event of a major crisis or conflict.

The joint advisory, which was released by the Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and the Federal Bureau of Investigation (FBI), was also backed by the other nations of the Five Eyes (FVEY) intelligence alliance: Australia, Canada, New Zealand and the UK.

Volt Typhoon, which is also called Bronze Silhouette, Insidious Taurus, UNC3236, Vanguard Panda, or Voltzite, is a stealthy China-based cyber espionage group believed to have been active since June 2021.

This situation became clear in May 2023, when FVEY and Microsoft said that the hacking crew had managed to establish a persistent foothold in critical infrastructure organisations in the US and Guam for extended periods of time without being detected, principally by leveraging living-off-the-land techniques. "This kind of tradecraft, known as 'living off the land,' allows attackers to operate discreetly, with malicious activity blending in with legitimate system and network behaviour making it difficult to differentiate, even by organisations with more mature security postures," the UK National Cyber Security Centre (NCSC) said.

The ultimate goal of the campaign is to retain access to the compromised environments, "methodically" re-targeting them over years to validate and expand their unauthorised access. This meticulous approach, per the agencies, is evidenced in cases where the actors have repeatedly exfiltrated domain credentials to ensure access through current and valid accounts. "In addition to leveraging stolen account credentials, the actors use LOTL (Living Off The Land) techniques and avoid leaving malware artifacts on systems that would cause alerts," CISA, FBI, and NSA said.

"Their strong focus on stealth and operational security allows them to maintain long-term, undiscovered persistence. Further, Volt Typhoon's operational security is enhanced by targeted log deletion to conceal their actions within the compromised environment," according to the joint statement.
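A defender-side check for the targeted log deletion the advisory describes, as an added example that is not code from the article or from the agencies: it scans constructed SIEM-style JSON records (the field names are assumptions) for Windows event-log-cleared events and for the built-in wevtutil tool being used to clear a log, then flags hosts where clearing recurs.

```python
"""Added example: flag Windows event-log clearing in exported log records.
Records are constructed sample data; field names (host, event_id, user, command) are assumptions."""
import json
import re

# Windows event IDs that record a log being cleared:
# 1102 = Security log cleared, 104 = System/Application log cleared.
LOG_CLEARED_IDS = {1102, 104}
# Process-creation (4688) command lines invoking the built-in wevtutil tool to clear a log.
WEVTUTIL_CLEAR = re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.IGNORECASE)

# Constructed sample export: one JSON record per line.
SAMPLE_LOG = """\
{"host":"fs01","event_id":4624,"user":"svc_backup","command":""}
{"host":"fs01","event_id":1102,"user":"svc_backup","command":""}
{"host":"dc01","event_id":4688,"user":"admin2","command":"wevtutil.exe cl Security"}
{"host":"ws07","event_id":4688,"user":"jdoe","command":"notepad.exe report.txt"}
{"host":"dc01","event_id":104,"user":"admin2","command":""}
"""


def find_log_clearing(lines):
    """Return (host, user, reason) for every record that indicates a log was cleared."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        eid = int(rec.get("event_id", 0))
        if eid in LOG_CLEARED_IDS:
            alerts.append((rec["host"], rec["user"], f"event {eid}: log cleared"))
        elif eid == 4688 and WEVTUTIL_CLEAR.search(rec.get("command", "")):
            alerts.append((rec["host"], rec["user"], "wevtutil clear-log via process creation"))
    return alerts


def hosts_with_repeat_clearing(alerts, threshold=2):
    """Hosts on which clearing was observed at least `threshold` times (sorted)."""
    counts = {}
    for host, _, _ in alerts:
        counts[host] = counts.get(host, 0) + 1
    return sorted(h for h, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    found = find_log_clearing(SAMPLE_LOG.splitlines())
    for alert in found:
        print(alert)
    print("repeat clearing on:", hosts_with_repeat_clearing(found))
```

Forwarding logs to a collector before they can be cleared on the endpoint is what makes this check useful; a 1102 or 104 with no corresponding change-management record is worth a ticket on its own.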

In response to enquiries, a spokesman at China's embassy in Washington commented: "It is a typical bias and double standard to allege that the pro-China contents and reports are 'disinformation'."


Image: Curtis Polvin
