Relations between the United States and China, particularly over Beijing’s threat to annex Taiwan, have deteriorated sharply in recent years, raising concerns about hostilities and the possibility of full-scale conflict. So the recent revelation that a Chinese hacking network known as Volt Typhoon had been dormant within America’s critical infrastructure for five years caused considerable alarm.
The network exploited weaknesses in U.S. technology and security practices, but U.S. and allied intelligence agencies said its operators were focused on “prepositioning” for future acts of sabotage rather than on stealing secrets.
FBI Director Christopher Wray told a U.S. committee hearing last week that Volt Typhoon was “the defining threat of our generation.”
The Netherlands and the Philippines also recently acknowledged publicly that Chinese-backed hackers were targeting their national networks and infrastructure.
What is Volt Typhoon?
Western intelligence officials believe that Volt Typhoon (also known as Vanguard Panda, Bronze Silhouette, Dev-0391, UNC3236, Voltzite, and Insidious Taurus) is a state-sponsored Chinese cyber operation. They say thousands of internet-connected devices were compromised as part of a larger effort to penetrate critical infrastructure in the West, including military ports, internet service providers, communications services and public utilities.
The new Volt Typhoon advisory comes on the heels of recent announcements by U.S. authorities that they have dismantled a botnet of hundreds of compromised devices attributed to the group.
“CISA [the Cybersecurity and Infrastructure Security Agency] team includes aviation, water, energy, [and] transportation,” CISA Director Jen Easterly said at a U.S. House of Representatives committee hearing earlier this month.
How does it work?
Volt Typhoon works by exploiting vulnerabilities in small or end-of-life routers, firewalls, and virtual private network (VPN) appliances, often using administrator credentials or stolen passwords, or by abusing outdated technology that no longer receives regular security updates. This has been identified as the main weakness in U.S. digital infrastructure. The group uses a “living off the land” technique, in which the intrusion relies only on tools and resources already present in the target operating system rather than introducing new (and more detectable) files.
A report released last week by CISA, the National Security Agency, and the FBI said the Volt Typhoon hackers had maintained this access for the past five years. While they targeted only U.S. infrastructure, the intrusion was also a concern for the “Five Eyes” allies Canada, Australia, New Zealand and the United Kingdom.
What is its purpose?
U.S. officials said Volt Typhoon’s unusual target selection and behavioral patterns were inconsistent with traditional cyber espionage or intelligence-gathering operations.
According to Microsoft research published last year, Volt Typhoon has been active since mid-2021. Microsoft found that the group had targeted U.S. infrastructure in places like Guam and “pursued the development of capabilities that could disrupt critical communications infrastructure between the United States and the Asian region in the event of a future crisis.”
“People’s Republic of China (PRC) state-sponsored cyber adversaries are using their IT networks to prepare for disruptive or devastating cyber attacks on U.S. critical infrastructure in the event of a major crisis or conflict with the United States,” the joint report said.
What does China say?
The Chinese government regularly denies any accusations of cyberattacks or espionage linked to or sponsored by the Chinese state. However, evidence of Chinese government cyber espionage has been accumulating for more than two decades. That espionage has been in the spotlight over the past decade, with Western researchers linking leaks to specific units within the People’s Liberation Army and U.S. law enforcement indicting a series of Chinese officers on charges of stealing U.S. secrets.
Secureworks, a division of Dell Technologies, said in a blog post last year that Volt Typhoon’s interest in operational security most likely stemmed from embarrassment over the U.S. indictments and “increasing pressure from the (Chinese) leadership to avoid public scrutiny of cyber espionage.”
What’s next?
The widespread nature of the hack prompted a series of meetings between the White House and the private technology industry, including several telecommunications and cloud computing companies, during which the U.S. government asked for help tracking the activity.
The institutions and assets targeted by the now-dismantled botnet were ordered by CISA in January to disconnect affected devices and products, beginning an intensive and difficult remediation process.
“Given the extent of targeting and compromise around the world, with three vulnerabilities currently being exploited affecting these devices, this was significant and necessary,” said Eric Goldstein, executive assistant director for cybersecurity at CISA.
“All organizations running these devices need to assume they are targeted and expect a breach.”