May 26, 2023
Australia and its fellow Five Eyes security partners have called out China for a major state-sponsored hacking operation targeting critical infrastructure networks in the United States.
Technology giant Microsoft, which uncovered the hack, said the campaign had been active since the middle of 2021 and targeted critical infrastructure assets in Guam, an island in the west Pacific Ocean that is home to some of America’s most important military bases.
Guam would be expected to play an important role in any future conflict between the US and China over the self-governing island of Taiwan.
Home Affairs Minister Clare O’Neil said: “The Australian government has joined with a number of other security agencies from around the world to advise that there have been evidence-based attacks on critical infrastructure associated with the United States and that the origin of those attacks has been the Chinese government”.
O’Neil, the minister responsible for cybersecurity, said she was not concerned naming China would disrupt the government’s efforts to rebuild relations with Beijing and achieve the removal of trade sanctions on Australian goods.
“The Australian government is never going to compromise on our national security and this activity should not be occurring,” she told ABC radio.
“There’s no question about that and we’re not going to be shy when we know who is responsible for that activity.”
Opposition home affairs spokesman James Paterson said: “This is a particularly malign behaviour to target civilian infrastructure like this, and it’s not acceptable ... There’s no doubt in my mind that if this is happening in US critical infrastructure networks, then it’s happening on our networks too.”
Paterson welcomed the government’s decision to publicly attribute the behaviour to China but called on it to go further by using the Magnitsky sanctions regime to penalise people who engage in offensive cyber activity against Australia.
Five Eyes law enforcement leaders recently told The Sydney Morning Herald and The Age that China poses the gravest threat to the security of Australia and its allies as Australian Federal Police commissioner Reece Kershaw refused to be drawn on the Chinese government’s activities.
FBI deputy director Paul Abbate said China “poses a grave danger to each of our countries, our way of life, our democracies and the freedoms that we value so much”, accusing Beijing of involvement in the “sweeping theft of intellectual property, research and development from each of our Five Eye countries” along with industrial-scale cyber hacking and the “transnational repression” of critics abroad.
Microsoft said the “stealthy and targeted malicious activity” had been carried out by Volt Typhoon, a state-sponsored actor based in China that typically focuses on espionage and information gathering.
“Microsoft assesses with moderate confidence that this Volt Typhoon campaign is pursuing development of capabilities that could disrupt critical communications infrastructure between the United States and Asia region during future crises,” the company said.
Microsoft said the hacking campaign had “affected organisations spanning the communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education sectors”.
“Observed behaviour suggests that the threat actor intends to perform espionage and maintain access without being detected for as long as possible,” Microsoft said.
Cybersecurity agencies from the Five Eyes intelligence-sharing nations – Australia, the US, New Zealand, Canada and the United Kingdom – issued a joint advisory note on Thursday morning saying they wanted to “highlight a recently discovered cluster of activity of interest associated with a People’s Republic of China state-sponsored cyber actor, also known as Volt Typhoon”.
“Private sector partners have identified that this activity affects networks across US critical infrastructure sectors, and the authoring agencies believe the actor could apply the same techniques against these and other sectors worldwide,” the agencies, including the Australian Signals Directorate, said.
Rather than malware samples, the agencies published indicators of compromise and examples of the commands the actor ran, so that private companies and government agencies can hunt for the same activity on their own networks.
Alastair MacGibbon, the former head of the Australian Cyber Security Centre, said the revelations were a “wake-up call” for critical infrastructure operators about threats to their networks.
MacGibbon, now chief strategy officer at CyberCX, said the distinctive feature of this attack was that it was a so-called “living off the land” operation, which can allow intruders to dwell undetected in the victim’s network for weeks, months or even years. In a living-off-the-land operation the intruders rely on administrative tools already present on the victim’s systems rather than dropping custom malware, which leaves little for signature-based defences to flag and makes the activity hard to separate from routine administration.
“This is not a smash-and-grab operation to grab code or a ransomware attack; it’s a very stealthy, sophisticated method of staying inside a period for long-term surveillance.
“You do that if you want to eventually degrade or destroy those systems.”
He said the prevailing thesis among experts was that China may have sought to disable US military systems on Guam in the case of a conflict fought over Taiwan.
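The living-off-the-land pattern MacGibbon describes, as an added example that is not part of the article and is not any agency’s published tooling: a small Python detector that scans process-creation log lines for built-in Windows tools invoked the way an intruder uses them, then correlates hits per host, because a single call to a legitimate tool is usually benign while a chain (credential-store dump plus a port-proxy tunnel) is not. The log format, hostnames, user names and log lines are constructed for this example. The command shapes matched by the three high-severity rules (an ntdsutil IFM dump, reg save of the SAM and SYSTEM hives, and netsh portproxy) are among those documented in the public joint advisory; the wmic rule is generic reconnaissance and is deliberately rated low.

```python
"""Flag living-off-the-land (LOTL) activity in process-creation logs.

LOTL intrusions run only built-in Windows tools, so signature-based
antivirus has nothing to match. Detection keys on *how* legitimate
binaries are invoked, and on several such invocations landing on the
same host. All sample data below is constructed for this example.
"""
import re
from dataclasses import dataclass

# (rule name, regex over the full command line, severity)
RULES = [
    ("ntds_dump_via_ntdsutil",
     re.compile(r"ntdsutil(\.exe)?\b.*\bifm\b", re.I), "high"),
    ("credential_hive_export",
     re.compile(r"\breg(\.exe)?\s+save\s+hklm\\(sam|system|security)\b", re.I), "high"),
    ("netsh_portproxy_tunnel",
     re.compile(r"netsh(\.exe)?\s+interface\s+portproxy\s+(add|set)\s+v4tov4", re.I), "high"),
    ("wmic_recon",
     re.compile(r"\bwmic(\.exe)?\s+(path\s+win32_|volume|service|product|baseboard|process\s+get)", re.I), "low"),
]

# Constructed log lines in a hypothetical pipe-delimited export:
# timestamp|host|user|parent process|command line
SAMPLE_LOG = """\
2023-05-24T02:11:03Z|DC01|NT AUTHORITY\\SYSTEM|services.exe|C:\\Windows\\System32\\svchost.exe -k netsvcs
2023-05-24T02:14:51Z|DC01|CORP\\backupsvc|cmd.exe|ntdsutil.exe "ac i ntds" ifm "create full C:\\Windows\\Temp\\pro" q q
2023-05-24T02:15:10Z|DC01|CORP\\backupsvc|cmd.exe|reg save hklm\\sam C:\\Windows\\Temp\\ss.dat
2023-05-24T02:15:12Z|DC01|CORP\\backupsvc|cmd.exe|reg save hklm\\system C:\\Windows\\Temp\\sy.dat
2023-05-24T03:02:44Z|FS02|CORP\\jsmith|explorer.exe|wmic product list brief
2023-05-24T03:40:17Z|EDGE01|CORP\\svc_admin|cmd.exe|netsh interface portproxy add v4tov4 listenaddress=0.0.0.0 listenport=9999 connectaddress=10.0.0.5 connectport=8443
2023-05-24T03:41:00Z|EDGE01|CORP\\svc_admin|cmd.exe|wmic path win32_logicaldisk get caption,filesystem,freespace,size,volumename
2023-05-24T04:00:00Z|WS17|CORP\\mlee|explorer.exe|notepad.exe C:\\Users\\mlee\\notes.txt
"""


@dataclass
class Finding:
    timestamp: str
    host: str
    user: str
    rule: str
    severity: str
    command: str


def parse_line(line):
    """Split one pipe-delimited record; return None for malformed input."""
    parts = line.rstrip("\n").split("|", 4)
    if len(parts) != 5:
        return None
    ts, host, user, parent, cmd = parts
    return {"timestamp": ts, "host": host, "user": user,
            "parent": parent, "command": cmd}


def evaluate(record):
    """Run every rule over one record's command line."""
    return [Finding(record["timestamp"], record["host"], record["user"],
                    name, severity, record["command"])
            for name, pattern, severity in RULES
            if pattern.search(record["command"])]


def scan(lines):
    """Parse and evaluate a sequence of log lines, skipping bad ones."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            findings.extend(evaluate(rec))
    return findings


def summarize(findings):
    """Count findings per host so a single busy host stands out."""
    counts = {}
    for f in findings:
        counts[f.host] = counts.get(f.host, 0) + 1
    return counts


def hosts_with_multiple_rules(findings):
    """Hosts that tripped two or more *distinct* rules: the LOTL chain signal."""
    rules_by_host = {}
    for f in findings:
        rules_by_host.setdefault(f.host, set()).add(f.rule)
    return sorted(h for h, rules in rules_by_host.items() if len(rules) >= 2)


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG.splitlines())
    for f in hits:
        print(f"{f.timestamp} {f.host:<7} {f.severity:<4} {f.rule:<26} {f.command}")
    print("per-host counts:", summarize(hits))
    print("hosts with a multi-tool chain:", hosts_with_multiple_rules(hits))
```

On the constructed sample the detector raises six findings. FS02’s lone wmic hit is the kind of low-severity noise an administrator generates daily and should not page anyone on its own; DC01 (NTDS dump plus hive export) and EDGE01 (port proxy plus disk reconnaissance) each trip two distinct rules and are the hosts worth an analyst’s attention. In production the same logic would run over Windows event 4688 or Sysmon event 1 with the command line field enabled, which is the prerequisite that most environments lacking LOTL visibility have skipped.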