Few cybersecurity risks facing the United States today loom as large as the potential sabotage by Chinese-backed hackers, which U.S. officials have described as an “epoch-making threat.” are.
In recent months, U.S. intelligence officials say hackers backed by the Chinese government have penetrated deep into the networks of critical U.S. infrastructure, including water, energy and transportation systems. Officials say the goal is to lay the groundwork for a potentially devastating cyberattack in the event of a future conflict between China and the United States, including over a possible Chinese invasion of Taiwan. .
FBI Director Christopher Wray said earlier this year that “If China decides the time is right for an attack, Chinese hackers are prepared to wreak havoc on American infrastructure and cause real-world harm to American citizens and communities.'' “We are doing this,” he told lawmakers.
The US government and its allies have since taken action against the Chinese Typhoon family of hackers and released new details about the threat they pose.
In January, the United States thwarted Bolt Typhoon, a Chinese government hacker group tasked with setting the stage for a devastating cyber attack. In late September, federal authorities took over a botnet run by another Chinese hacker group called Flax Typhoon. The group posed as a private company in Beijing and was responsible for concealing the activities of Chinese government hackers. Since then, a new Chinese-backed hacker group called “Salt Typhoon” has emerged and compromised the eavesdropping systems of U.S. phone and internet providers, thereby exposing Americans and potential targets of U.S. surveillance. It is now possible to collect information about
Here's what we know so far about the Chinese hacker group preparing for war.
bolt typhoon
Bolt Typhoon represents a new breed of Chinese-backed hacker group. According to the FBI director, the goal is no longer just to steal U.S. secrets, but rather to disrupt the “mobilization capabilities” of the U.S. military.
Microsoft first identified Bolt Typhoon in May 2023, and hackers have been hacking routers, firewalls, VPNs, and more since mid-2021 as part of an ongoing and coordinated effort to penetrate deep into America's critical infrastructure. We discovered that the malware had been targeting and compromising network equipment. In reality, the hackers may have been active for much longer. In some cases, it can last as long as 5 years.
Volt Typhoon compromised thousands of internet-connected devices in the months after Microsoft reported a vulnerability in internet-connected devices that caused them to be considered “end of life” and no longer receive security updates. was exploited. As such, the hacker group subsequently succeeded in compromising the IT environments of multiple critical infrastructure sectors, including aviation, water, energy, and transportation, setting the stage for future destructive cyberattacks.
“These attackers did not collect secret information or steal secrets, which is common in the United States. They probed sensitive critical infrastructure so that they could disrupt key services if ordered to do so. ,” said Commissioner John Hultquist. Analyst at security company Mandiant.
In January, the US government announced that it had successfully destroyed the botnet used by Bolt Typhoon. The botnet is made up of thousands of hijacked U.S.-based small office and home network routers used by Chinese hackers to hide malicious activity targeting sensitive U.S. information. was using this botnet. infrastructure. The FBI announced that it was able to remove malware from a hijacked router and disconnect it from a Chinese hacker group and botnet.
flax typhoon
Flax Typhoon, first exposed in Microsoft's August 2023 report, is another Chinese-backed hacker group that officials say operated under the guise of a publicly traded cybersecurity company based in Beijing. I am doing it. The company's Integrity Technology Group has publicly acknowledged its ties to the Chinese government, U.S. officials said.
In September, the US government announced that it had taken control of another botnet used by Flax Typhoon, which leverages a custom variant of the notorious Mirai malware, consisting of hundreds of thousands of internet-connected devices.
U.S. officials said at the time that the Flax Typhoon-controlled botnet was used for “malicious cyber activity disguised as routine internet traffic from infected consumer devices.” Prosecutors said the botnet operated by Flax Typhoon enabled other Chinese government-backed hackers to “infiltrate networks in the United States and around the world to steal information and compromise our nation's infrastructure.” said.
Flax Typhoon has been active since mid-2021 and primarily targets “government agencies and education, critical manufacturing, and information technology organizations in Taiwan,” according to Microsoft's government support group profile. The Justice Department corroborated Microsoft's findings, saying Flax Typhoon also “attacked multiple U.S. and foreign companies.”
salt typhoon
The latest, and perhaps creepiest, group of Chinese government-backed cyber forces discovered in recent months is Salt Typhoon.
Salt Typhoon made headlines in October for a more advanced operation. As first reported by the Wall Street Journal, a China-linked hacker group is believed to have compromised the eavesdropping systems of several U.S. telecommunications and internet providers, including AT&T, Lumen (formerly CenturyLink), and Verizon. There is.
According to one report, Salt Typhoon may have used compromised Cisco routers to access these organizations. The US government is said to be in the early stages of an investigation.
The scale of the breach by internet providers remains unclear, but the magazine cited national security officials as saying the breach could be “potentially catastrophic.” Salt Typhoon fulfilled many of the U.S. government's requests by hacking systems used by law enforcement to collect court-sanctioned customer data, including potential Chinese identities for U.S. surveillance. The data and systems we store could be accessed.
It's not yet clear when the breach occurred, but the Journal reports that the hackers may have had access to the internet provider's eavesdropping systems for “months or more.”