Microsoft has warned that "critical" U.S. infrastructure has been compromised by Chinese state-sponsored hackers. The group, tracked as "Volt Typhoon," has been active since mid-2021. Its current focus is espionage, but Microsoft assesses that it is developing capabilities that could disrupt "critical communications infrastructure between the United States and Asia" during a future crisis. The National Security Agency, together with partner agencies, has issued a joint advisory describing how the intrusions work and how security teams should respond. The campaign is ongoing, and affected customers have been urged to "close or change credentials for all compromised accounts."
The group gains initial access through internet-facing Fortinet FortiGuard devices, reportedly by way of an undisclosed vulnerability. Once on the device, it extracts the credentials the device holds and uses them to try to authenticate to other systems on the corporate network. The group's primary goal is espionage, and it works to keep that access undetected for as long as possible.
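The second step described above (a credential that belongs to an edge device turning up in authentication attempts against other hosts) is something defenders can look for in their own logs. The following is an added example, not code from the article or from Microsoft or CISA guidance: it assumes a simplified authentication-event format, a hypothetical service account name (`svc-fw-ldap`) and a known baseline of where that account is expected to authenticate. The sample log is constructed.

```python
"""Flag reuse of an edge-device service credential against other hosts.

Added example, not from the article or from vendor/agency guidance. It
assumes a simple authentication-log format (constructed below) and a
baseline of where a given service account is expected to authenticate.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthEvent:
    ts: int          # seconds since epoch (constructed values)
    account: str
    src: str         # host that presented the credential
    dst: str         # host that evaluated it
    success: bool


# Constructed baseline: the firewall's own service account (hypothetical
# name) is only expected to authenticate from the firewall to the directory
# server. Any other (src, dst) pair is treated as reuse of a stolen credential.
BASELINE = {
    "svc-fw-ldap": {("fw01.corp.example", "dc01.corp.example")},
}

# Constructed sample log: normal traffic, then the same credential appearing
# from a workstation against several servers, with failures before a success.
SAMPLE_LOG = [
    AuthEvent(1000, "svc-fw-ldap", "fw01.corp.example", "dc01.corp.example", True),
    AuthEvent(1060, "svc-fw-ldap", "fw01.corp.example", "dc01.corp.example", True),
    AuthEvent(1120, "alice", "ws17.corp.example", "file01.corp.example", True),
    AuthEvent(1200, "svc-fw-ldap", "ws42.corp.example", "file01.corp.example", False),
    AuthEvent(1203, "svc-fw-ldap", "ws42.corp.example", "app02.corp.example", False),
    AuthEvent(1210, "svc-fw-ldap", "ws42.corp.example", "dc01.corp.example", True),
]


def find_credential_reuse(events, baseline=BASELINE):
    """Return (account, src, dst, outcome) tuples, in time order, for every
    monitored account seen outside its expected (src, dst) pairs."""
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        expected = baseline.get(ev.account)
        if expected is None:
            continue  # not a monitored service account
        if (ev.src, ev.dst) not in expected:
            outcome = "success" if ev.success else "failure"
            alerts.append((ev.account, ev.src, ev.dst, outcome))
    return alerts


def spraying_sources(alerts, min_targets=2):
    """Group alerts by (account, src) and keep sources that pushed one
    monitored credential at several different hosts."""
    targets = defaultdict(set)
    for account, src, dst, _ in alerts:
        targets[(account, src)].add(dst)
    return {k: sorted(v) for k, v in targets.items() if len(v) >= min_targets}


if __name__ == "__main__":
    hits = find_credential_reuse(SAMPLE_LOG)
    for hit in hits:
        print("credential reuse:", hit)
    for (account, src), dsts in spraying_sources(hits).items():
        print(f"{account} from {src} tried {len(dsts)} hosts: {', '.join(dsts)}")
```

On the constructed log this reports three out-of-baseline uses of the firewall's credential from the workstation, two failed and one successful, and groups them into a single source that touched three hosts. In practice the events would come from the directory server's own audit trail (on Windows, logon success and failure events 4624 and 4625) and the baseline from a short observation period; a hit on a monitored account is the trigger for the response the article quotes, rotating or disabling the compromised credential.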
Organizations in nearly every critical sector have been affected, including communications, transport and maritime, as well as government bodies. Chinese state-backed hackers have gone after sensitive information at U.S. companies before: Covington & Burling, a prominent law firm, was breached by suspected Chinese state-sponsored hackers in 2020.
In a joint statement with its partner agencies, the Cybersecurity and Infrastructure Security Agency warned that Chinese cyber operations pose a continued risk to American intellectual property. "For years, China has conducted aggressive cyber operations to steal intellectual property and sensitive data from organizations around the globe," said CISA director Jen Easterly.
The intrusions are particularly alarming to U.S. intelligence because Guam, among the affected locations, sits at the heart of any American military response to a Chinese invasion of Taiwan. The threat actor is not yet attempting disruption; the concern is that the access it has quietly established could be used to disrupt operations during a future crisis in the region.