Chinese-backed hackers maintain access to critical U.S. infrastructure for “at least five years” with a long-term goal of launching “destructive” cyberattacks, a coalition of U.S. intelligence agencies warned on Wednesday. .
Bolt Typhoon, a state-sponsored hacker group based in China, has a network of unnamed airline, rail, public transportation, highway, shipping, pipeline, and water and wastewater organizations. in order to prevent the attack. In a joint advisory released Wednesday, the NSA, CISA and FBI said they are preparing themselves for devastating cyberattacks.
This marks a “strategic shift” in traditional cyber espionage and intelligence-gathering operations by Chinese-backed hackers, instead focusing on disrupting operational techniques in the event of a major conflict or crisis. Government agencies said they were preparing.
The publication of the advisory, co-signed by cybersecurity agencies from the UK, Australia, Canada and New Zealand, comes a week after a similar warning by FBI Director Christopher Wray. During a hearing of the US House of Representatives Committee on Cyber Threats from China, Wray described Bolt Typhoon as “the defining threat of our generation” and said the group's objective was to “prevent military forces” in the early stages of the war. “It disrupts our ability to mobilize,” he said. Clashes are expected over Taiwan, which China claims as territory.
According to Wednesday's technical advisory, Bolt Typhoon is exploiting vulnerabilities in routers, firewalls, and VPNs to gain initial access to critical infrastructure across the country. According to the advisory, Chinese-backed hackers typically leverage stolen administrator credentials to maintain access to these systems, in some cases for “at least five years.” That's what it means.
This access allowed state-sponsored hackers to “manipulate heating, ventilation, and air conditioning (HVAC) systems in server rooms and disrupt critical energy and water controls, leading to major infrastructure failures,” among other things. The advisory warns that it is now possible to carry out potential disruption. In some cases, the Bolt Typhoon hackers had the ability to access camera surveillance systems at critical infrastructure facilities, although it is not clear whether they did so.
Volt Typhoon also used resident techniques, where attackers use legitimate tools and capabilities already present on the target system to remain undetected and maintain long-term persistence. The hackers also conducted “extensive pre-breach reconnaissance” to avoid detection. “For example, in some cases, the Bolt Typhoon attackers may have refrained from using compromised credentials outside of normal business hours to avoid triggering security alerts for anomalous account activity.” says the recommendation.
“Bolt Typhoon is not the only Chinese state-sponsored cyberattacker conducting this type of activity,” senior U.S. intelligence officials warned in a call Wednesday, but there are other groups they are tracking. His name was not disclosed.
Last week, the FBI and the U.S. Department of Justice announced they had disrupted the KV botnet, run by Bolt Typhoon, which compromised hundreds of U.S.-based routers for small businesses and home offices. The FBI announced that it was able to remove malware from a hijacked router and disconnect it from Chinese state-sponsored hackers.
According to a May 2023 report published by Microsoft, Bolt Typhoon has been targeting and infiltrating critical infrastructure in the United States since at least mid-2021.