A People's Republic of China (PRC) cyberespionage group Microsoft and the U.S. government called Volt Typhoon allegedly "breached the U.S. Navy infrastructure," according to the Secretary of the Navy Carlos Del Toro, as reported by Industrial Cyber. The NSA, CISA, and Microsoft announced the malicious breach of "critical communications, maritime and transportation infrastructure" in the U.S. and Guam on May 24, 2023. Both Microsoft and officials from the U.S. government seem to believe the incursions are "state-sponsored" attacks using, in some cases, home networks to breach security systems. China has denied state-sponsored hacking of U.S. infrastructure.
Microsoft Finds Volt Typhoon Malware in Guam
Microsoft apparently found Volt Typhoon's malicious computer code around the time NSA officials were investigating the Chinese balloon incident. The "mysterious computer code appear[ed] in telecommunications systems in Guam and elsewhere in the United States," according to Microsoft. Guam is of particular interest to China's PRC because of its strategic air base and its ports. With the code, the PRC can enter undetected through homes with "internet-connected consumer devices." According to Microsoft:
"Volt Typhoon proxies all its network traffic to its targets through compromised SOHO (Small Office Home Office) network edge devices (including routers). By proxying through these devices, Volt Typhoon enhances the stealth of its operations and lowers overhead costs for acquiring infrastructure. Once Volt Typhoon gains access to a target environment, they begin conducting hands-on-keyboard activity via the command line. Some of these commands appear to be exploratory or experimental, as the operators adjust and repeat them multiple times. They rely on living-off-the-land commands to find information on the system, discover additional devices on the network and exfiltrate data."
Microsoft believes the malware is being used to prepare for future geopolitical crises between the U.S. and China, such as an invasion of Taiwan, for example. If you know anything about Chinese warfare strategy, this is not a particularly farfetched hypothesis. The Chinese often lay the groundwork for their strategic operations well in advance of a strike.
The malicious code may, according to the N.Y. Times, be "'a ticking time bomb' that could give China the power to interrupt or slow American military deployments or resupply operations by cutting off power, water, and communications to U.S. military bases. But its impact could be far broader because that same infrastructure often supplies the houses and businesses of ordinary Americans, according to U.S. officials."
Volt Typhoon: "Living Off The Land" Malware
Volt Typhoon deployed what is known as "living off the land" malware. The malware has allegedly been active in critical military sectors since "mid-2021," according to Microsoft. Living off the land malware is particularly stealthy because it uses existing functions instead of files in a system to do its dirty work and evade detection. Per a Microsoft blog, hackers use tools that do not write to disk or use files and, therefore, can execute while remaining concealed. Executing a "fileless attack" is the "next progression" in a hacker's toolbox for obvious reasons. Hackers merely use "resources already available in the operating system."
Microsoft/Living off the land/https://www.microsoft.com/en-us/security/blog/2018/09/27/out-of-sight-but-not-invisible-defeating-fileless-malware-with-behavior-monitoring-amsi-and-next-gen-av/
According to Microsoft, "By living off the land, fileless malware can cover its tracks: no files are available to the antivirus for scanning and only legitimate processes are executed." According to the blog, Microsoft has developed at least one program, Windows Defender ATP, to address the challenge of these kinds of attacks. Windows Defender ATP "monitor[s] the system's behavior for anomalies or known patterns of malicious usage of legitimate tools."
U.S. Government Hunts Down Volt Typhoon Code
A detailed report published by the Joint Cybersecurity Advisory from the Department of Defense in June 2023 indicates the government has been working on the issue for some time now. The report aims to "help net defenders hunt for this activity on their systems." The NY Times reported the "U.S. government's effort to hunt down the code, and eradicate it, has been underway for some time."
Questions from the N.Y. Times prompted a July 29 statement from Adam R. Hodge, acting spokesman for the National Security Council. The remarks left out any mention of China or military infrastructure breaches. According to Hodge:
"The Biden administration is working relentlessly to defend the United States from any disruptions to our critical infrastructure, including by coordinating interagency efforts to protect water systems, pipelines, rail and aviation systems, among others."
Government officials fear the threat is much more widespread than the infiltration of the U.S. Navy infrastructure. It could involve other branches of the military and critical infrastructure, including telecommunications, in the U.S. According to the N.Y. Times, it could "allow China to cut off power, water, and communications to military bases, and it could also potentially impact personal homes and businesses across the country."
The Intelligence and National Security Alliance (INSA) held its 10th annual summit in July with many speakers from the Biden administration. Cybersecurity and how to "reduce the risk of a cyber Pearl Harbor" were discussed during the summit. Speakers in a cybersecurity breakout session spoke repeatedly about the importance of "building partnerships to increase trusted information" between private industry, the intelligence community, and all sectors of CISA.