China group may have been hiding in IT networks for five years, says Five Eyes warning


Following recent American warnings of China’s efforts to secretly plant itself on critical infrastructure for future cyber attacks, Canada and other members of Five Eyes intelligence co-operative today issued a joint advisory so firms in all countries in the group will be on alert — and other nations watching their actions will hear as well.

“People’s Republic of China (PRC) state-sponsored cyber actors are seeking to pre-position themselves on IT networks for disruptive or destructive cyberattacks against critical infrastructure in the event of a major crisis or conflict,” the warning says.

In fact, it notes, the U.S. has evidence Volt Typhoon has been maintaining access and footholds within some victim IT environments for at least five years.

The partners — including Canada, the U.S., Australia, the U.K., and New Zealand — released the advisory to warn critical infrastructure organizations about the assessment by American cyber authorities, based on incident response activities at critical infrastructure organizations.

In particular, the warning urges infosec pros to watch for activity from the PRC state-sponsored cyber group known to researchers as Volt Typhoon (also called Vanguard Panda, Bronze Silhouette, Dev-0391, UNC3236, Voltzite, and Insidious Taurus by different researchers).

“The U.S. authoring agencies have confirmed that Volt Typhoon has compromised the IT environments of multiple critical infrastructure organizations—primarily in communications, energy, transportation systems, and water and wastewater systems sectors—in the continental and non-continental United States and its territories, including Guam,” the warning says.

“Volt Typhoon’s choice of targets and pattern of behavior is not consistent with traditional cyber espionage or intelligence gathering operations, and the U.S. authoring agencies assess with high confidence that Volt Typhoon actors are pre-positioning themselves on IT networks to enable lateral movement to OT assets to disrupt functions. The U.S. authoring agencies are concerned about the potential for these actors to use their network access for disruptive effects in the event of potential geopolitical tensions and/or military conflicts.”

The Canadian Centre for Cyber Security believes that the direct threat to Canada’s critical infrastructure from PRC state-sponsored actors is likely lower than that to U.S. infrastructure, the warning says. But, it adds, should U.S. infrastructure be disrupted, Canada would likely be affected as well, due to cross-border integration of critical infrastructure providers.

Public warnings of Volt Typhoon emerged last May in a report from Microsoft. It said the group has targeted critical infrastructure organizations in Guam and elsewhere in the United States since 2021, probably for espionage. Its tools include the KV botnet for distributing malware.

Then, in December, researchers at Lumen Technologies reported details about the KV botnet. Researchers at SecurityScorecard followed up with a report that Volt Typhoon had compromised two models of vulnerable end-of-life routers from Cisco Systems in December.

Fighting back, last month the U.S. disabled Volt Typhoon’s botnet of hundreds of U.S.-based small office/home office (SOHO) routers that were distributing malware.

Volt Typhoon will compromise a network in various ways, including password cracking, leveraging stolen credentials, and exploiting hardware or software vulnerabilities. In one confirmed compromise, the report says, Volt Typhoon actors likely obtained initial access by exploiting CVE-2022-42475 in a network perimeter FortiGate 300D firewall that was not patched.

After establishing a foothold, a favoured tactic is to use common tools already on a victim’s IT or OT network (also called living-off-the-land) to hide and maintain persistence on the network. “Evidence of their meticulous approach is seen in instances where they repeatedly exfiltrate domain credentials, ensuring access to current and valid accounts,” says the warning.
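Living-off-the-land activity is hard to spot precisely because the tools are legitimate, so defenders usually hunt for the combination of a native tool, a credential store, and repetition over time. The following is an added example written for this article, not code from the advisory or from any of the agencies named above: it scans constructed Windows process-creation events for built-in utilities touching credential stores (the specific command patterns are assumed illustrations of the technique, not indicators taken from the warning) and then flags accounts that did so on several distinct days, which is the "repeatedly exfiltrate domain credentials" pattern the advisory describes.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample process-creation events (not real telemetry). Format:
# "<UTC timestamp> host=<name> user=<account> cmd=<command line>"
SAMPLE_LOG = [
    r'2024-01-08T02:14:07Z host=DC01 user=CORP\svc_backup cmd=ntdsutil.exe "ac i ntds" "ifm" "create full C:\Windows\Temp\pro" q q',
    r'2024-01-08T02:15:30Z host=DC01 user=CORP\svc_backup cmd=cmd.exe /c dir C:\Windows\Temp\pro',
    r'2024-01-09T11:03:12Z host=WS17 user=CORP\jdoe cmd=notepad.exe C:\Users\jdoe\notes.txt',
    r'2024-01-22T03:41:55Z host=DC01 user=CORP\svc_backup cmd=vssadmin.exe create shadow /for=C:',
    r'2024-01-22T03:42:40Z host=DC01 user=CORP\svc_backup cmd=cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\Windows\NTDS\ntds.dit C:\Windows\Temp\n.dit',
    r'2024-02-05T01:10:02Z host=DC01 user=CORP\svc_backup cmd=ntdsutil.exe "ac i ntds" "ifm" "create full C:\Windows\Temp\x" q q',
    r'2024-02-05T09:00:00Z host=FS02 user=CORP\admin cmd=reg.exe save hklm\sam C:\Windows\Temp\sam.hiv',
]

LINE_RE = re.compile(r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) cmd=(?P<cmd>.*)$')

# Built-in Windows tools that can read domain or local credential stores. These
# patterns are illustrative (assumed here, not taken from the advisory) and also
# match legitimate administration, so a hit is a lead to investigate, not a verdict.
TECHNIQUES = [
    ("ntdsutil IFM export of NTDS.dit", re.compile(r'\bntdsutil(\.exe)?\b.*\bifm\b', re.I)),
    ("volume shadow copy created", re.compile(r'\bvssadmin(\.exe)?\b.*\bcreate\s+shadow\b', re.I)),
    ("ntds.dit copied from shadow copy", re.compile(r'HarddiskVolumeShadowCopy\d+.*\bntds\.dit\b', re.I)),
    ("registry hive save (SAM/SECURITY/SYSTEM)", re.compile(r'\breg(\.exe)?\s+save\s+hklm\\(sam|security|system)\b', re.I)),
]


def parse_line(line):
    """Parse one constructed event line into a dict, or return None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def classify(cmd):
    """Return the names of every credential-store access pattern the command line matches."""
    return [name for name, rx in TECHNIQUES if rx.search(cmd)]


def find_credential_access(lines):
    """Scan event lines and return one hit per (event, technique) pair, in log order."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        for name in classify(ev["cmd"]):
            hits.append({"ts": ev["ts"], "host": ev["host"], "user": ev["user"], "technique": name})
    return hits


def find_repeat_harvesting(hits, min_days=2):
    """Group hits by (host, user) and flag pairs that touched credential stores on at
    least `min_days` distinct days: repeated harvesting rather than a one-off admin task."""
    days = defaultdict(set)
    for h in hits:
        days[(h["host"], h["user"])].add(h["ts"].date())
    flagged = [{"host": host, "user": user, "days": sorted(d)}
               for (host, user), d in days.items() if len(d) >= min_days]
    return sorted(flagged, key=lambda f: (f["host"], f["user"]))


if __name__ == "__main__":
    found = find_credential_access(SAMPLE_LOG)
    for h in found:
        print(f'{h["ts"]:%Y-%m-%d %H:%M} {h["host"]} {h["user"]}: {h["technique"]}')
    for f in find_repeat_harvesting(found):
        print(f'REPEATED: {f["user"]} on {f["host"]} across {len(f["days"])} days '
              f'({f["days"][0]} .. {f["days"][-1]})')
```

On the constructed sample the single `reg save` by an admin on a file server is reported as a hit but not as repeated harvesting, while the backup service account on the domain controller is flagged for three separate days of NTDS.dit access. In practice the day threshold and the command patterns would be tuned to the environment's own backup and domain-maintenance schedules, and a hit on a domain controller by an account with no such schedule is the case worth escalating first.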

The warning also links to mitigations that critical infrastructure providers — including utilities, financial institutions, transportation firms, hospitals and others — should act on.

The post China group may have been hiding in IT networks for five years, says Five Eyes warning first appeared on IT World Canada.
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.
