
All Five Eyes members pin hack on China

May 26, 2023

Andrew Tillet and Max Mason
The Australian Financial Review
Friday 26 May 2023

Businesses have been warned to be on high alert after Five Eyes members, including Australia, blamed a Chinese state-backed hacking group for a stealth surveillance campaign responsible for a series of attacks on US critical infrastructure.

In a rare public attribution, the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) issued an advisory saying the group had exploited built-in Windows tools on compromised hosts.

In a separate statement, Microsoft identified the group as Volt Typhoon, “a state-sponsored actor based in China that typically focuses on espionage and information gathering”.

“This is known as ‘living off the land’ and allows the actor to evade detection by blending in with normal Windows systems and networks, and avoid triggering security alerts by installing new tools,” the ACSC statement said.

“The authoring agencies assess there is a significant risk these tactics, techniques and procedures could be employed by the actor against critical infrastructure and other sectors worldwide.”

The ACSC advises Australian companies to review and optimise their logging configurations to protect their systems.
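As an added illustration of why that logging advice matters (example code written for this page, not from the ACSC advisory or the article): because built-in tools are legitimate for administrators, alerting on their mere use is noisy, so this script learns which user/tool/parent combinations are normal per host from historical process-creation records and flags only deviations. The record layout, the tool list and the sample telemetry are constructed assumptions, loosely modelled on Windows Security event 4688 with command-line auditing enabled.

```python
"""Baseline-driven detection of 'living off the land' activity.

Added example, not the advisory's or the article's code. Records are
constructed 'key=value;...' lines mimicking Windows event 4688 fields.
"""
from collections import defaultdict

# Built-in administrative tools worth baselining (illustrative assumption).
BUILTIN_TOOLS = {"wmic.exe", "netsh.exe", "powershell.exe", "cmd.exe", "net.exe", "reg.exe"}

def parse(line: str) -> dict:
    """Parse one constructed record into a dict; reduce image paths to basenames."""
    rec = dict(kv.split("=", 1) for kv in line.strip().split(";"))
    for k in ("parent", "image"):
        rec[k] = rec[k].lower().rsplit("\\", 1)[-1]
    return rec

def build_baseline(history: list[str]) -> dict:
    """Map host -> set of (user, tool, parent) triples seen in the learning window."""
    base = defaultdict(set)
    for line in history:
        r = parse(line)
        if r["image"] in BUILTIN_TOOLS:
            base[r["host"]].add((r["user"], r["image"], r["parent"]))
    return base

def detect(baseline: dict, events: list[str]) -> list[str]:
    """Return one alert per built-in-tool execution never seen in the baseline."""
    alerts = []
    for line in events:
        r = parse(line)
        if r["image"] not in BUILTIN_TOOLS:
            continue
        if (r["user"], r["image"], r["parent"]) not in baseline.get(r["host"], set()):
            alerts.append(f'{r["host"]}: {r["user"]} ran {r["image"]} from {r["parent"]} '
                          f'(cmd: {r["cmdline"]})')
    return alerts

# Constructed sample telemetry: a learning window of normal admin activity, then new events.
HISTORY = [
    "host=FS01;user=CORP\\svc_backup;parent=C:\\Windows\\explorer.exe;image=C:\\Windows\\System32\\cmd.exe;cmdline=cmd /c backup.bat",
    "host=FS01;user=CORP\\admin1;parent=C:\\Windows\\explorer.exe;image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe;cmdline=powershell Get-Service",
    "host=WEB01;user=CORP\\admin1;parent=C:\\Windows\\explorer.exe;image=C:\\Windows\\System32\\netsh.exe;cmdline=netsh advfirewall show allprofiles",
]
NEW_EVENTS = [
    "host=FS01;user=CORP\\admin1;parent=C:\\Windows\\explorer.exe;image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe;cmdline=powershell Get-Service",
    "host=WEB01;user=IIS APPPOOL\\DefaultAppPool;parent=C:\\Windows\\System32\\inetsrv\\w3wp.exe;image=C:\\Windows\\System32\\cmd.exe;cmdline=cmd /c whoami",
    "host=FS01;user=CORP\\svc_backup;parent=C:\\Windows\\System32\\cmd.exe;image=C:\\Windows\\System32\\wbem\\wmic.exe;cmdline=wmic process list brief",
]

if __name__ == "__main__":
    for alert in detect(build_baseline(HISTORY), NEW_EVENTS):
        print("ALERT", alert)
```

The first new event matches the baseline and stays silent; the web-server process spawning a shell and the backup account's first use of wmic.exe both surface, which is the kind of deviation the advisory's logging guidance is meant to make visible.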

The advisory was issued as part of a series of co-ordinated statements released on Thursday morning by fellow Five Eyes members the US, UK, Canada and New Zealand. Although China is regularly suspected of cyberattacks, authorities rarely publicly attribute them.

China’s foreign ministry on Thursday night hit back, saying the accusations were a US disinformation campaign.

“Relevant reports from Western agencies have no proof,” spokeswoman Mao Ning said.

Alastair MacGibbon, former cybersecurity adviser to Australia’s prime minister and now chief strategy officer at local cybersecurity firm CyberCX, said the Five Eyes agencies would not come out together if they did not believe the same thing was happening, or could happen, in their countries.

“The technique is really interesting, and a wake-up call because it is truly sophisticated … it’s ‘living off the land’ and requires a degree of stealthiness and skill which is not in the realms of the vast bulk of cyber-threat actors,” he said.

“Most corporates, most governments, most critical infrastructure spend their time looking for smash and grab, ram-raid-type robbery of ransomware or IP theft – stolen credentials, spear phishing, malware, a pivot through systems, a laying of charges or locking up systems after an exfiltration of data.”

McGrathNicol partner Jamie Norton, former chief information security officer at the Australian Taxation Office, said the advisory would help critical infrastructure providers and government agencies develop ways to defend against the China-sponsored group.

“What this allows us to do from a practical sense as cyber defenders is build ways to detect and defend against this threat, as well as proactively hunt for indicators of existing activity,” he said.

Mr Norton said “living off the land” techniques were harder to pick up as it was more difficult to distinguish between malicious activity and normal administrative maintenance. He said critical infrastructure providers would closely examine the advisory and develop plans to monitor their systems.

Home Affairs and Cyber Security Minister Clare O’Neil would not be drawn on whether Australia’s move to join the public blaming of China would derail the recent improvement in relations with Beijing.

“The Australian government is never going to compromise on our national security and this activity should not be occurring. We have the evidence before us,” Ms O’Neil told the ABC.

Opposition home affairs spokesman James Paterson said there was no doubt in his mind that if US infrastructure was being attacked, it was happening in Australia.

“It’s been disclosed this morning that Chinese actors have been acting to infiltrate US networks of critical infrastructure providers and lying dormant on those networks for a purpose that is unstated,” he said.

“This is a particularly malign behaviour to target civilian infrastructure like this, and it’s not acceptable.”

McGrathNicol partner Sam Boarder, a former intelligence professional, said these types of threats suggested the kinds of activity that might precede attempts at sabotage.

“Chinese mapping, and potentially control, of critical infrastructure networks in countries like the US and Australia could allow it to disrupt that entity at a time of their choosing – effectively switching things off or preventing use of that infrastructure. Microsoft has suggested this could be to ‘disrupt critical communications infrastructure between the United States and Asia region during future crises’,” he said.

Ransomware can be incredibly damaging and have long-term ramifications for businesses and government, such as the 2021 ransomware attack on Colonial Pipeline, which shut down major gas pipelines on the east coast of the US.

However, Mr MacGibbon said this type of attack on critical infrastructure was particularly worrying.

“But the nightmare scenario is a nation-state threat actor sitting inside those systems – a whole range of them: power grids, communications, transport, medical – and they turn them off, when they decide they want to turn them off,” he said.

In 2015, Russia-backed hackers compromised power grids in Ukraine, shutting off power to more than 230,000 residents just two days before Christmas in the dead of winter.

“It’s a reminder that not all cyber actors wear hi-vis and carry a sledgehammer. Some of them will wear a camouflage suit and carry a sniper rifle.”

Mr Boarder said Thursday’s news highlighted the patient and professional nature of some Chinese government hacking operations.

“Past exposures of cyber operations were able to be mapped onto previously documented threat actors. Many of those cyberattacks were led by contract hackers who blended espionage with commercially driven theft. This case involves a previously unknown hacking organisation that until now operated with stealth,” he said, noting the activity suggests the group may have been looking to lay the groundwork for sabotage, not just stealing information.

“Chinese presence in critical supply chains also provides opportunities for subtle selective sabotage or pre-positioning to facilitate sabotage capabilities at future key junctures. This pre-positioned access to critical infrastructure can inform targeted attacks and increase the effectiveness of sabotage or the act of disabling an adversary.”

Last year, Australia passed new laws putting obligations on critical infrastructure providers including energy and telecommunications companies, payment system operators, media, and food and grocery suppliers to protect themselves from cyberattacks.

Microsoft said Volt Typhoon had been active since mid-2021, and as part of its more recent campaign targeted manufacturing, utilities, transport, construction, maritime, government, education and information technology sectors.

“Observed behaviour suggests that the threat actor intends to perform espionage and maintain access without being detected for as long as possible,” Microsoft said.

“To achieve their objective, the threat actor puts strong emphasis on stealth in this campaign, relying almost exclusively on living-off-the-land techniques and hands-on-keyboard activity.

“Volt Typhoon tries to blend into normal network activity by routing traffic through compromised small office and home office (SOHO) network equipment, including routers, firewalls, and VPN hardware. They have also been observed using custom versions of open-source tools to establish a command and control (C2) channel over proxy to further stay under the radar.”
