Introducing the Chinese 'Typhoon' hackers who are gearing up for conflict.

Of the risks facing U.S. cybersecurity today, few loom larger than the sabotage capabilities that China-backed hackers may possess, which top U.S. officials have described as an "epoch-defining threat."

Recently, U.S. intelligence officials said Chinese government-backed hackers have been burrowing deep into the networks of U.S. critical infrastructure, from water to energy and transportation providers, in hopes of laying the groundwork for potentially destructive cyberattacks in the event of a future conflict between China and the U.S., over, say, a possible Chinese invasion of Taiwan.

"China's hackers are positioning on American infrastructure in preparation to wreak havoc and cause real-world harm to American citizens and communities, if or when China decides the time has come to strike," FBI Director Christopher Wray told lawmakers earlier this year.

The U.S. government and its allies have since taken action against the "Typhoon" family of Chinese hacking groups, and published new details about the threats they pose.

In January, the U.S. disrupted a botnet run by a group of Chinese government hackers dubbed "Volt Typhoon," who are accused of helping set the stage for a series of destructive cyberattacks. Later, in September, the feds hijacked a botnet run by another Chinese hacking group called "Flax Typhoon," which masquerades as a private company in Beijing and whose role was to help conceal the activities of China's government hackers. Since then, a new China-backed hacking group, "Salt Typhoon," has emerged that may have collected intelligence on Americans, and on possible targets of U.S. surveillance, through compromised wiretap systems of U.S. phone and internet providers.

Here is what we know so far about the Chinese hacking groups gearing up for war:

Volt Typhoon
Volt Typhoon is one of the newest entrants in the elite league of China-backed hacking groups. No longer just stealing sensitive U.S. secrets, they are preparing to disrupt the "ability to mobilize" of the U.S. military, the FBI director said.

Microsoft reported in mid-May 2023 that the group it named Volt Typhoon had targeted and succeeded in infiltrating network equipment, such as routers and firewalls, along with virtual private networks since mid-2021, as part of an ongoing effort to burrow even more extensively into U.S. critical infrastructure. In fact, the hackers have probably been operating for much longer, up to five years.

Volt Typhoon compromised thousands of internet devices within months of the release of Microsoft's report by targeting "end-of-life" products, that is, products that no longer receive security patches. It then followed through by compromising the IT environments of several critical infrastructure sectors, including aviation, water, energy, and transportation, in preparation for potential future disruptive cyberattacks.

"This actor is not doing the quiet intelligence collection and theft of secrets that has been the norm in the U.S. They are probing sensitive critical infrastructure so they can disrupt major services if, and when, the order comes down," said John Hultquist, chief analyst at security firm Mandiant.

The United States government said in January it had disrupted a botnet employed by Volt Typhoon, composed of thousands of hijacked small office and home office routers located in the United States. The Chinese hacking group had reportedly used the botnet to hide malicious activity targeting critical infrastructure in the United States. The FBI said it successfully removed the malware from the hijacked routers and cut off the Chinese hacking group's access to the botnet.

Flax Typhoon
Flax Typhoon, first identified in a report from Microsoft in August 2023, is another China-backed hacking group that officials say has operated under the guise of a publicly traded cybersecurity company based in Beijing. The company, Integrity Technology Group, has publicly claimed connections to the government of China, U.S. officials said.

In September, the U.S. government said it had taken over another botnet, this one comprising hundreds of thousands of internet-connected devices infected with a custom version of the infamous Mirai malware, which Flax Typhoon used to conduct its operations.

U.S. officials said at the time that the Flax Typhoon-controlled botnet allowed malicious cyber activity to be masked as ordinary internet traffic from the compromised consumer devices. Prosecutors said the botnet run by Flax Typhoon allowed other China government-backed hackers to "hack into networks in the U.S. and around the world to steal information and hold our infrastructure at risk."

According to Microsoft's profile of the government-backed group, Flax Typhoon has been active since mid-2021 and mainly targeted "government agencies and education, critical manufacturing, and information technology organizations in Taiwan." The Department of Justice said it corroborated Microsoft's findings and that Flax Typhoon also "attacked multiple U.S. and foreign corporations."

Salt Typhoon
The latest, and possibly the most sinister, group within China's government-backed cyber army to be uncovered in recent months is Salt Typhoon.

Salt Typhoon made news headlines this October for a far more complex operation. According to reports from the Wall Street Journal, the Chinese hacking group is suspected of having compromised the wiretap systems of several U.S. telecom and internet service providers, including AT&T, Lumen (formerly CenturyLink) and Verizon.

According to one report, Salt Typhoon may have gained access to these organizations through a number of compromised Cisco routers. The U.S. government is said to be in the preliminary stages of its investigation.

While the extent of the compromises of the internet providers is not clear, the Journal, citing national security sources, said the breach could be "potentially catastrophic." By accessing the systems that law enforcement agencies use for court-authorized collection of customer data, Salt Typhoon potentially gained access to data and systems that hold many of the requests made by the U.S. government, including the possible identities of Chinese targets of U.S. surveillance.

As of now, it does not seem possible to say when the hack occurred, but the Journal reports that the hackers could have been in control of the internet providers' wiretap systems "for months or longer."

Blog | 2024-10-14 17:43:59