Chinese hackers behind Guam breach have been spying on US military for years
A state-sponsored Chinese hacking group that on Wednesday was reported to have compromised critical infrastructure in Guam has also been collecting military intelligence from U.S. companies for at least two years, researchers told The Record.
Experts from Secureworks said the group it calls Bronze Silhouette — tracked as Volt Typhoon by Microsoft — was behind a number of incidents its specialists had attended to and attributed to the Chinese government since mid-2021.
Marc Burnard, a Secureworks expert on Chinese threat actors who formerly worked for the British government, said the company had responded to incidents perpetrated by the group which “primarily targeted customers in the U.S. defense and government vertical for intelligence gathering purposes.”
The attribution of the group was particularly important as the hackers had gone to great lengths to conceal their connections to China, the researchers say, suggesting that Beijing has become increasingly sensitive about being blamed for cyberattacks.
Microsoft's warning on Wednesday coincided with a joint advisory from the governments of the Five Eyes intelligence alliance about Chinese state-sponsored activity being carried out against critical national infrastructure.
China denied the claims and denounced the joint warning as a “collective disinformation campaign.” Beijing has repeatedly countered criticisms of its alleged aggressive cyber-espionage operations by accusing the U.S. of conducting similar activities.
The New York Times reported that the infrastructure compromised by the Chinese group included the telecommunications network of Guam, a U.S. territory in the Pacific Ocean described by the Department of Defense as “a strategic hub supporting crucial operations and logistics for all U.S. forces operating in the Indo-Pacific region.”
Although the campaign in Guam appeared to be focused on intelligence-gathering, Microsoft warned the hackers were likely “pursuing development of capabilities that could disrupt critical communications infrastructure between the United States and Asia region during future crises,” in a nod towards a conflict over Taiwan.
The company’s report follows a warning earlier this year by the Office of the Director of National Intelligence that “China almost certainly is capable of launching cyberattacks that could disrupt critical infrastructure services within the United States.”
Secureworks did not identify the victims for reasons of client confidentiality but said the targeted data belonging to victim organizations varied from personal information to larger data sets offering insight into military activity.
Unusually for Chinese cyber spies, Secureworks said the hackers appeared to be particularly focused on their operational security, adopting measures that were designed not just to help them execute their espionage mission, but also to prevent defenders from figuring out who was behind the hacking.
Instead of using bespoke tools to manipulate the victim's network, the group has been seen operating by “living off the land” or using tools that have already been built into the host's environment, which can be more difficult for defenders to detect.
Burnard said the hackers were highly competent, in one engagement exploiting a vulnerable internet-facing server and then moving forward to collect Active Directory credentials for the whole domain — effectively the keys to the kingdom — “within about 19 minutes.”
Whenever the group's activities needed to output a file to the disc, they were careful to delete that file afterwards to try and cover their footprints, explained Burnard.
Don Smith, who heads Secureworks’ counter threat unit, said the group’s operational security was “higher than typically you find for Chinese actors,” citing the use of native Windows tools, as well as initially accessing victims’ networks by compromising edge-facing internet appliances such as VPN concentrators.
On top of this, they also seemed to have taken a page out of the book of some of the more sophisticated cybercriminal groups by using compromised machines within the same country as the victim to provide their command-and-control infrastructure, said Smith.
“So all the way through that kill chain — your command and control infrastructure, your initial access point, and then where you’re using your access to achieve your objectives — all three of those stages are being conducted in a way that you would expect an actor to operate if they wanted to be stealthy, not to be discovered, and persist for a long time because the information was valuable,” Smith said.
"What they're trying to avoid is ultimately the activity being attributed back to China," said Burnard, adding: “They're after that strategic long term access to organizations that are working very closely with the military and have extremely valuable data that they may potentially be able to mine for military intelligence value.”
“It is clearer than ever that our adversaries in Beijing will stop at nothing to conduct surveillance and infiltrate our networks in their quest to bring America to its knees, and this malicious activity is one more stark example,” warned a joint statement by the chairmen of two U.S. House committees.
Mark Green (R-TN), the chairman of the U.S. House Committee on Homeland Security, and Andrew Garbarino (R-N.Y.), the chairman of the Subcommittee on Cybersecurity and Infrastructure Protection, said: “Congress must do everything it can to empower and equip CISA [the Cybersecurity and Infrastructure Security Agency] to support critical infrastructure owners and operators to defend their networks. The time for decisive action is now.”
Mike Gallagher (R-WI), the chair of the Armed Services Committee's cyber subpanel, said: “Everyone — from our Armed Services to banks, telecoms, and transportation industries, and CISA, FBI, and NSA — must be vigilant and work together to address these vulnerabilities and counter malign actions taken by our adversaries against what keeps our military and our country running.”
Alexander Martin
is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.