A shadowy figure
Image: Unsplash/Photomosh

CISA, FBI warn of China-linked hackers pre-positioning for ‘destructive cyberattacks against US critical infrastructure’

Hackers allegedly connected to China’s government are conducting attacks with the long-term goal of causing physical destruction, according to a new advisory from several of the world’s leading cyber agencies.

The Cybersecurity and Infrastructure Security Agency (CISA), NSA and FBI published an advisory alongside the cybersecurity directorates in Australia, New Zealand and the U.K. outlining the tactics of Volt Typhoon — a China-based hacking group that has caused alarm at the senior-most levels of government over the last year.

“The U.S. authoring agencies assess Volt Typhoon primarily collects information that would facilitate follow-on actions with physical impacts,” the advisory said.

The agencies “assess that People’s Republic of China (PRC) state-sponsored cyber actors are seeking to pre-position themselves on IT networks for disruptive or destructive cyberattacks against U.S. critical infrastructure in the event of a major crisis or conflict with the United States.”

In one example, Volt Typhoon — which overlaps with BRONZE SILHOETTE and TAG-87 — stole multiple zipped files that “included diagrams and documentation related to OT equipment, including supervisory control and data acquisition (SCADA) systems, relays, and switchgear.”

“This data is crucial for understanding and potentially impacting critical infrastructure systems, indicating a focus on gathering intelligence that could be leveraged in actions targeting physical assets and systems,” the agencies said.

The advisory, first reported by CNN, says that several U.S. agencies have seen that Volt Typhoon hackers have been “maintaining access and footholds within some victim IT environments for at least five years.”

Since last summer, U.S. agencies have been on high alert about Volt Typhoon’s actions — which were first discovered through espionage attacks on critical infrastructure organizations in Guam and other parts of the U.S. around military bases.

The New York Times and Washington Post reported last summer that U.S. officials believed the campaign to be tied to preparatory efforts around a potential invasion of Taiwan, where Chinese officials would allegedly seek to slow down the U.S. deployment of forces. President Xi Jinping has allegedly ordered his military to be prepared to invade Taiwan by 2027.

Since the initial report on the group’s actions in Guam, dozens of reports have been released about Volt Typhoon’s efforts and researchers have since uncovered multiple campaigns with the goal of burrowing into U.S. critical infrastructure enough to enable destructive actions.

Last week, the U.S. Justice Department confirmed that it disrupted the “KV Botnet” malware run by Volt Typhoon. FBI Director Christopher Wray said in a statement that Chinese hackers are “targeting American civilian critical infrastructure, pre-positioning to cause real-world harm to American citizens and communities in the event of conflict.”

Communications, water, energy and transportation

The lengthy advisory published Wednesday highlights Volt Typhoon’s wide-ranging success in pre-positioning themselves on the IT networks of multiple critical infrastructure organizations — most notably those involved in the communications, energy, transportation, and water and wastewater systems sectors.

The attacks included organizations in the continental and non-continental United States and its territories, including Guam. Some of the victims identified are smaller organizations with limited cybersecurity protections.

“Volt Typhoon’s choice of targets and pattern of behavior is not consistent with traditional cyber espionage or intelligence gathering operations, and the U.S. authoring agencies assess with high confidence that Volt Typhoon actors are pre-positioning themselves on IT networks to enable lateral movement to OT assets to disrupt functions,” the advisory explained.

“The U.S. authoring agencies are concerned about the potential for these actors to use their network access for disruptive effects in the event of potential geopolitical tensions and/or military conflicts.”

The advisory notes that Canada’s threat exposure is “likely lower than that to U.S. infrastructure” but said any attack on the U.S. would likely affect Canada “due to cross-border integration.” The officials made a similar assessment of Australia and New Zealand critical infrastructure.

Volt Typhoon typically relies on valid accounts and other tools that allow for long-term, undiscovered persistence. The hackers conduct extensive research into their targets and tailor their techniques for each organization they plan to breach.

They also “dedicate ongoing resources to maintaining persistence and understanding the target environment over time, even after initial compromise.”

The hackers track an organization’s security apparatus, user behavior and the actions of IT staff. The agencies said they have seen situations where hackers refrained from using stolen credentials outside of normal working hours to avoid triggering security alerts.

They typically gain initial access by exploiting known and unknown vulnerabilities in public-facing network appliances like routers, firewalls and virtual private networks. From there, they attempt to obtain administrator credentials to pivot into wider access to the network.

“Volt Typhoon uses elevated credentials for strategic network infiltration and additional discovery, often focusing on gaining capabilities to access OT assets,” the authoring agencies said.

“Volt Typhoon actors have been observed testing access to domain-joint OT assets using default OT vendor credentials, and in certain instances, they have possessed the capability to access OT systems whose credentials were compromised.”

These kinds of attack enable the group to cause a variety of disruptions, including “manipulating heating, ventilation, and air conditioning (HVAC) systems in server rooms or disrupting critical energy and water controls, leading to significant infrastructure failures (in some cases, Volt Typhoon actors had the capability to access camera surveillance systems at critical infrastructure facilities).”

The agencies have seen in at least one confirmed compromise that the hackers had moved laterally into a control system and were positioned to move into a second if they wanted.

At times, Volt Typhoon hackers will compromise legitimate accounts and conduct almost no activity, suggesting their goal is persistence instead of immediate impact. Some organizations are targeted repeatedly, sometimes over the span of several years. They also delete logs in order to hide their actions.

The advisory notes that the group typically used compromised Cisco and NETGEAR end-of-life home routers as part of the KV Botnet to support their operations. The hackers have also been seen exploiting vulnerabilities in networking appliances such as those from Fortinet, Ivanti Connect Secure, NETGEAR, Citrix, and Cisco.

“They often use publicly available exploit code for known vulnerabilities but are also adept at discovering and exploiting zero-day vulnerabilities,” the advisory states.

The hackers rarely deploy malware in their attacks, instead using hands-on-keyboard activity to maintain their access.

In one attack on a water utility, the hackers used a VPN with administrator credentials to spend nine months moving laterally throughout the system, eventually obtaining access to a server with information on OT assets.

The access gave them critical information on water treatment plants, water wells, an electrical substation, OT systems, and network security devices.

The agencies urged critical infrastructure organizations to apply a range of mitigations and urgently reach out to CISA or FBI field offices in the event of an attack.

“It is vital that operators of U.K critical infrastructure heed this warning about cyber attackers using sophisticated techniques to hide on victims’ systems,” said Paul Chichester, director of Operations at the U.K.’s National Cyber Security Centre.

“Threat actors left to carry out their operations undetected present a persistent and potentially very serious threat to the provision of essential services. Organizations should apply the protections set out in the latest guidance to help hunt down and mitigate any malicious activity found on their networks.”

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles
Jonathan Greig

Jonathan Greig

is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.