U.S. agencies and those of America’s closest allies issued a rare joint report advising organizations on how to hunt for signs of intrusion by the same group and how to shore up defenses. The “Five Eyes” intelligence alliance said that facilities in Britain, Canada, Australia and New Zealand could be targeted, as well.
The hacking activity by the group was first detected two years ago, Microsoft and others said. The newest campaign uses compromised devices protected by the cybersecurity firm Fortinet, probably taking advantage of an unpublicized flaw in that software. Microsoft said it has notified those targeted.
“We recognize the actor from a series of intrusions that have targeted air, maritime and land transportation targets, as well as other organizations,” said John Hultquist, chief analyst at Google’s Mandiant Intelligence. “There are a variety of reasons actors target critical infrastructure, but a persistent focus on these sectors may indicate preparation for disruptive or destructive cyberattack.”
Russia and the United States also penetrate networks in other nations and try to establish a persistent, undetected presence. In recent years, the Americans have also moved to disclose more about the intrusions on their shores to make adversaries work harder and use new techniques.
In this case, attributed to a Chinese group dubbed Volt Typhoon, detection is harder because the hackers use legitimate credentials and software commands to move around the networks, a technique known as “living off the land,” according to officials from the National Security Agency, the FBI and the Cybersecurity and Infrastructure Security Agency. The intruders hide their initial access, as well, using small-office routers before reaching the Fortinet gear.
“Today’s advisory highlights China’s continued use of sophisticated means to target our nation’s critical infrastructure, and it gives network defenders important insights into how to detect and mitigate this malicious activity,” CISA director Jen Easterly said in a joint news statement.
A CISA spokesman declined to answer questions about the significance of Guam as a target.
