US Navy ‘impacted’ by Volt Typhoon group, as attacks on more critical infrastructure sectors emerge

Chinese government-sponsored hackers have allegedly breached U.S. Navy infrastructure, the Secretary of the Navy confirmed Thursday.

Speaking with CNBC’s Morgan Brennan, U.S. Navy Secretary Carlos Del Toro said that the hack by the Chinese government that Microsoft revealed on Wednesday has affected the Navy. 

Del Toro said the U.S. Navy ‘has been impacted’ by the cyberattacks, adding that it was ‘no surprise that China has been behaving in this manner, not just for the last couple years, but for decades.’ He declined to provide further detail on the incursion but suggested that the Navy had been contending with cyberattacks like this for years.

The disclosure comes as Microsoft revealed that the China-backed Volt Typhoon group has, since mid-2021, targeted U.S. critical infrastructure, including the manufacturing, transportation, and maritime sectors. The group has been identified as using ‘living-off-the-land’ techniques, while also focusing on post-compromise credential access and network system discovery.

The Chinese Foreign Ministry and state-controlled press dismissed the findings from Microsoft and the intelligence community as ‘disinformation.’

Asked how concerned the U.S. is about the Chinese state-sponsored hacking group Volt Typhoon’s recent cyber-attack targeting U.S. infrastructure, and whether the U.S. believes that, despite the group going after communication systems in Guam, Taiwan is the real target, State Department spokesperson Matthew Miller said in his Thursday briefing that he would not speak to the last part. “What I will say is that we are aware of recent activity by a People’s Republic of China-sponsored cyber actor to develop a presence in digital networks across the U.S. critical infrastructure sector.”

“The U.S. Government and close allies have released a joint cyber security advisory to help defenders identify and mitigate any such activity on their networks,” Miller said. “And the U.S. Intelligence Community assesses that China almost certainly is capable of launching cyber-attacks that could disrupt critical infrastructure services within the United States, including against oil and gas pipelines and rail systems.”

Miller added that it is vital for government network defenders and the public to stay vigilant. “It’s why the U.S. Government, in a whole-of-government action, has worked with the private sector to prepare for defenses, and we – prepare private sector defenses. And we will continue to work with our allies and partners to address this critical issue.”

The joint U.S. and international cybersecurity advisory highlighted malicious activity by a People’s Republic of China (PRC) state-sponsored cyber hacker group, Volt Typhoon. The agencies have so far revealed that private sector partners have identified this activity affecting networks across U.S. critical infrastructure sectors, and believe the actor could apply the same techniques against these and other sectors worldwide. They also noted that the group avoids endpoint detection and response (EDR) products that would alert on the introduction of third-party applications to the host, and limits how much of its activity is captured in default logging configurations.

Microsoft detailed that the attacks were carried out, using living-off-the-land techniques and hands-on-keyboard activity, by Volt Typhoon, a state-sponsored hacker group based in China that typically focuses on espionage and information gathering. Active since mid-2021, the group has targeted critical infrastructure sectors, including communications, manufacturing, utility, transportation, maritime, and government.

Amid these revelations, the New York Times reported Wednesday that around the time that the FBI was examining the equipment recovered from the Chinese spy balloon shot down off the South Carolina coast in February, American intelligence agencies and Microsoft detected what they feared was a more worrisome intruder: mysterious computer code appearing in telecommunications systems in Guam and elsewhere in the United States.

“The code, which Microsoft said was installed by a Chinese government hacking group, raised alarms because Guam, with its Pacific ports and vast American air base, would be a centerpiece of any American military response to an invasion or blockade of Taiwan,” the newspaper added. “The operation was conducted with great stealth, sometimes flowing through home routers and other common internet-connected consumer devices, to make the intrusion harder to track.”

To defend against attacks by Volt Typhoon hackers, the agencies call upon organizations to harden domain controllers and monitor event logs, limit port proxy usage within environments, investigate unusual IP addresses and ports, review perimeter firewall configurations for unauthorized changes, look for abnormal account activity, and forward log files to a hardened centralized logging server, preferably on a segmented network. 

Since the Volt Typhoon group takes measures to hide their tracks, such as clearing logs, defenders should forward log files to a hardened centralized logging server, preferably on a segmented network to ensure log integrity and availability, the advisory added.
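Two of the advisory's recommendations above, watching for port proxy usage and for log clearing, can be checked against exported event logs. The script below is an added example, not code from the advisory or from Microsoft; it assumes a constructed pipe-separated export of Windows Security-log records (event ID, host, user, command line) and uses two real event IDs, 4688 (process creation) and 1102 (audit log cleared).

```python
import re
from typing import Optional
# Real Windows Security-log event IDs: 4688 = process creation, 1102 = audit log cleared.
PROCESS_CREATED, LOG_CLEARED = 4688, 1102
# netsh portproxy is Windows' built-in port-forwarding facility; the advisory asks defenders to limit it.
PORTPROXY_RE = re.compile(r"\bnetsh\b.*\bportproxy\b.*\badd\b", re.IGNORECASE)
# Constructed sample export (not from any real incident): event_id|host|user|command_line
SAMPLE_LOG = """\
4688|dc01|svc_backup|netsh interface portproxy add v4tov4 listenport=9999 connectaddress=192.0.2.10 connectport=8443
4688|ws17|alice|notepad.exe C:\\notes.txt
4688|ws17|bob|netsh advfirewall show allprofiles
1102|dc01|svc_backup|
4688|ws22|carol|powershell.exe -File backup.ps1
"""

def parse_line(line: str) -> Optional[dict]:
    """Split one export line into a record; None for malformed lines."""
    parts = line.split("|", 3)
    if len(parts) != 4 or not parts[0].isdigit():
        return None
    return {"id": int(parts[0]), "host": parts[1], "user": parts[2], "cmd": parts[3]}

def classify(event: dict) -> Optional[str]:
    """Label a record with the signal it matches, or None if it looks benign."""
    if event["id"] == LOG_CLEARED:
        return "log-cleared"
    if event["id"] == PROCESS_CREATED and PORTPROXY_RE.search(event["cmd"]):
        return "portproxy-added"
    return None

def scan(log_text: str) -> list:
    """Return (label, host, user) for every suspicious record in the export."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        label = classify(ev) if ev else None
        if label:
            hits.append((label, ev["host"], ev["user"]))
    return hits

def hosts_with_both(hits: list) -> set:
    """Hosts showing both signals: a port proxy added and the audit log cleared."""
    by_host = {}
    for label, host, _ in hits:
        by_host.setdefault(host, set()).add(label)
    return {h for h, seen in by_host.items() if {"portproxy-added", "log-cleared"} <= seen}

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    print(found, sorted(hosts_with_both(found)))
```

Because a cleared log removes the evidence on the host itself, this kind of check only works reliably when run against copies forwarded to the centralized logging server the advisory describes.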
