US shorts China's Volt Typhoon crew targeting America's criticals
Invaders inveigle infrastructure
The US Justice Department and FBI may have scored a win over Chinese state-sponsored snoops trying to break into American critical infrastructure.
Citing "two Western security officials and one person familiar with the matter," Reuters claims the Feds' operation has been ongoing over recent months. Law enforcement obtained a court order granting them permission to "remotely disable aspects of the Chinese hacking campaign."
This criminal crew's campaign first came to light in May 2023, after Microsoft and intelligence agencies from the Five Eyes nations disclosed that Volt Typhoon had accessed networks belonging to US critical infrastructure organizations as far back as 2021.
The crew's usual vector is vulnerable internet-facing devices, such as buggy routers, modems, security cameras and other kit, which it uses to get into corporate networks. Once inside, it uses command line tools to steal credentials and other sensitive data, then uses those credentials to maintain persistence on the system; the PRC-backed group has since upgraded its tactics, it seems.
American government officials are reportedly concerned about the Chinese hackers disrupting US critical networks, including military installations, utilities, and internet service providers. If China invades Taiwan and the US provides some type of military assistance or other support the situation .
"This actor is not doing the quiet intelligence collection and theft of secrets that has been the norm in the US," Mandiant intelligence chief analyst John Hultquist told The Register. "They are probing sensitive critical infrastructure so they can disrupt major services if, and when, the order comes down."
The reported take-down follows a CISA emergency directive issued earlier this month requiring federal agencies to apply mitigations to Ivanti Connect Secure devices, after reports that these buggy VPNs had been hacked by Chinese nation-state attackers.
And while the US government agency did not attribute the exploits to a specific gang, Goldstein said the Feds have a "persistent concern" about China-backed criminals targeting government networks and these types of devices.
"Exploitation of these products would be consistent with what we have seen from PRC actors like Volt Typhoon in the past," CISA Executive Assistant Director Eric Goldstein said at the time. ®