Cybersecurity researchers from Microsoft say they have uncovered a state-sponsored hacking group from China that has for the past two years been actively targeting critical infrastructure organizations in the United States.
The researchers claim the group, which it calls Volt Typhoon, is focused on espionage and information gathering, with the goal of developing solutions that can disrupt critical communications infrastructure between the United States and Asia during future crises.
The US and China are currently in disagreement over the future of Taiwan, with some media outlets even claiming the Chinese are getting ready for a full-scale invasion on the island. The US president Joe Biden said, on multiple occasions, that the US is ready to defend Taiwan with military force, if need be.
Taiwan is, among other things, one of the world’s biggest manufacturers of semiconductors.
Since mid-2021, the group has been actively targeting organizations in industries such as communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education, in Guam, and elsewhere in the US, Microsoft claims.
Guam is an unincorporated territory of the United States in the Micronesia subregion of the western Pacific Ocean, relatively close to Taiwan.
To achieve their goal of espionage and intelligence gathering, while at the same time remaining undetected for as long as possible, the group deployed specific tactics, Microsoft says, including living-off-the-land techniques and hands-on-keyboard activity.
Among other things, the group stole login credentials from local and network systems, and tried to exfiltrate sensitive data quietly by blending into normal network activity. They did that by routing traffic through compromised small office and home office network equipment such as routers, firewalls, and VPN hardware.
For initial access, the group used a zero-day vulnerability in the internet-facing Fortinet FortiGuard devices.
“As with any observed nation-state actor activity, Microsoft has directly notified targeted or compromised customers, providing them with important information needed to secure their environments,” the company concluded.