Multiple Chinese APTs establish major beachheads inside sensitive infrastructure

Three major campaigns from three different Chinese groups are keeping defenders busy.

Disrupting US critical infrastructure

The series of attacks reported by the NYT came from Volt Typhoon, a group that hacks critical infrastructure and likely works on behalf of the People's Liberation Army. In May, Microsoft said it had “moderate confidence” that Volt Typhoon was “pursuing development of capabilities that could disrupt critical communications infrastructure between the United States and Asia region during future crises.” The software company said Volt Typhoon had specifically targeted critical infrastructure in Guam, where the US has military bases.

Citing American military, intelligence, and national security officials who mostly spoke on condition of anonymity, the NYT said that the Biden administration believes hackers related to the same group have planted malicious code deep inside networks controlling power grids, communications systems, and water facilities serving military bases in the US and elsewhere. The NYT continued:

The malware, one congressional official said, was essentially “a ticking time bomb” that could give China the power to interrupt or slow American military deployments or resupply operations by cutting off power, water and communications to US military bases. But its impact could be far broader, because that same infrastructure often supplies the houses and businesses of ordinary Americans, according to US officials.

The first public hints of the malware campaign began to emerge in late May, when Microsoft said it had detected mysterious computer code in telecommunications systems in Guam, the Pacific island with a vast American air base, and elsewhere in the United States. But that turned out to be only the narrow slice of the problem that Microsoft could see through its networks.

More than a dozen US officials and industry experts said in interviews over the past two months that the Chinese effort goes far beyond telecommunications systems and predated the May report by at least a year. They said the US government’s effort to hunt down the code, and eradicate it, has been underway for some time. Most spoke on the condition of anonymity to discuss confidential and in some cases classified assessments.

They say the investigations so far show the Chinese effort appears more widespread—in the United States and at American facilities abroad—than they had initially realized. But officials acknowledge that they do not know the full extent of the code’s presence in networks around the world, partly because it is so well hidden.

The discovery of the malware has touched off a series of Situation Room meetings in the White House in recent months, as senior officials from the National Security Council, the Pentagon, the Homeland Security Department and the nation’s spy agencies attempt to understand the scope of the problem and plot a response.

The recent Chinese penetrations have been enormously difficult to detect. The sophistication of the attacks limits how much the implanted software is communicating with Beijing, making it difficult to discover. Many hacks are discovered when experts track information being extracted out of a network, or unauthorized accesses are made. But this malware can lie dormant for long periods of time.

Mystery breach of 25 Microsoft cloud customers

The reports from Kaspersky and the NYT come on the heels of another big win by Chinese government hackers. In mid-July, Microsoft disclosed a mysterious breach involving its Azure and Exchange cloud services by yet another Chinese APT, this one tracked as Storm-0558. Through means Microsoft has yet to explain, Storm-0558 members acquired an inactive signing key used to grant access to Microsoft consumer cloud accounts.

After acquiring the highly sensitive key, the hackers somehow managed to use it to forge tokens for authenticating enterprise accounts on Azure AD. The supposedly fortified cloud service, in effect, stores the keys that thousands of organizations use to manage logins for accounts on both their internal networks and cloud-based ones. For roughly a month, the hack allowed Storm-0558 to track the email accounts of about 25 organizations, including the US Departments of State and Commerce and other sensitive organizations.
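The article does not say how a consumer signing key came to be accepted for enterprise tokens, so the following is an added illustration of the defensive principle rather than Microsoft's or the article's code: a token verifier must trust only the signing keys registered for the issuer it expects, not any key it happens to recognize. The issuer URLs, key IDs and secrets are constructed, and HMAC stands in for the asymmetric keys a real token service would use.

```python
import base64, hashlib, hmac, json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))
# Constructed demo key material: each issuer owns a separate key set. HMAC keeps
# this stdlib-only; real token services use asymmetric signing keys.
KEYS_BY_ISSUER = {
    "https://consumer.login.example": {"consumer-key-1": b"demo-consumer-secret"},
    "https://enterprise.login.example": {"enterprise-key-1": b"demo-enterprise-secret"},
}

def sign(key: bytes, kid: str, claims: dict) -> str:
    # Mint a compact HS256 JWS; whoever holds the key chooses the claims.
    header = b64url(json.dumps({"alg": "HS256", "kid": kid}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def _parse(token: str):
    header_b64, payload_b64, sig_b64 = token.split(".")
    kid = json.loads(b64url_decode(header_b64))["kid"]
    return kid, f"{header_b64}.{payload_b64}".encode(), b64url_decode(sig_b64), \
        json.loads(b64url_decode(payload_b64))

def _valid(key, signed, sig, payload, issuer):
    good = hmac.compare_digest(hmac.new(key, signed, hashlib.sha256).digest(), sig)
    return payload if good and payload.get("iss") == issuer else None

def verify_weak(token: str, expected_issuer: str):
    # Weak: the kid is looked up across every issuer's keys, so a key from the
    # consumer domain validates a token that merely claims the enterprise issuer.
    kid, signed, sig, payload = _parse(token)
    for keys in KEYS_BY_ISSUER.values():
        if kid in keys:
            return _valid(keys[kid], signed, sig, payload, expected_issuer)
    return None

def verify_strict(token: str, expected_issuer: str):
    # Strict: only keys registered for the expected issuer may validate it.
    kid, signed, sig, payload = _parse(token)
    key = KEYS_BY_ISSUER[expected_issuer].get(kid)
    return _valid(key, signed, sig, payload, expected_issuer) if key else None

# Constructed forgery: signed with the consumer key, claiming the enterprise issuer.
FORGED = sign(b"demo-consumer-secret", "consumer-key-1",
              {"iss": "https://enterprise.login.example", "sub": "mailbox-reader"})
```

The weak verifier accepts `FORGED` because the signature is valid under a key it knows; the strict verifier rejects it because that key is not in the enterprise issuer's key set, which is the check that scopes a key compromise to the domain the key belongs to.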

China has called the reports propaganda.

Post updated to correct the countries affected by Zirconium malware. The US wasn't included in the Kaspersky report.
