Microsoft headquarters in Redmond, Washington, in a file image. Ted S. Warren (AP)
Microsoft sounded alerts on Wednesday, warning of an attack by state-backed Chinese hackers on critical US communications infrastructure. Microsoft detected this intrusion into its systems with the help of US intelligence services. The fact that part of the compromised systems operated in Guam, in the Western Pacific, where the United States has a key base of possible support for Taiwan, has only increased concern.
The company communicated its discovery in a detailed post containing lines of code and abundant information about the attack. Its explanations allow organizations to take precautions against falling victim to the same intrusion. “Microsoft has discovered stealthy and targeted malicious activity focused on credential access post-breach and network system discovery targeting critical infrastructure organizations in the United States,” the post begins. “The attack is being carried out by Volt Typhoon, a China-based state-sponsored actor that normally focuses on espionage and intelligence gathering,” it adds.
Microsoft assesses with “moderate confidence” that this campaign by the group called Volt Typhoon is aimed at developing capabilities that could disrupt critical communications infrastructure between the United States and the Asian region during future crises. For now, the intrusion has served espionage purposes only, and no sabotage or other damage has occurred.
The National Security Agency (NSA) has also released a 24-page report explaining the methods used by the allegedly Chinese government-backed group. The report states that security and intelligence agencies from the United States, Australia, New Zealand and the United Kingdom have been working on the investigation.
Volt Typhoon has been active since mid-2021 and has targeted critical infrastructure organizations in Guam and elsewhere in the United States. In this campaign, the organizations affected span the communications, manufacturing, utilities, transportation, construction, maritime, government, information technology, and education sectors. “The observed behavior suggests that the threat actor intends to perform espionage and maintain access undetected for as long as possible,” Microsoft explains.
To achieve their goal, the Volt Typhoon group placed a heavy emphasis on stealth, relying almost exclusively on techniques that are very hard to detect. According to Microsoft’s summary, group members issue commands via the command line to collect data, including credentials from local and network systems, place the data in an archive file to prepare it for exfiltration, and then use the stolen valid credentials to maintain their access.
In addition, Volt Typhoon attempts to blend in with normal network activity by routing traffic through compromised Small Office and Home Office (SOHO) network equipment, including routers, firewalls, and VPN (virtual private network) hardware. They have also been observed using custom versions of open source tools to establish a command and control channel via proxy and remain more inconspicuous, the post continues.
As with any observed nation-state actor activity, Microsoft has directly notified affected or compromised customers, providing them with the information they need to secure their environments.