Pierluigi Paganini April 19, 2024

China-linked threat actors are preparing cyber attacks against U.S. critical infrastructure warned FBI Director Christopher Wray.

FBI Director Christopher Wray warned this week that China-linked threat actors are preparing an attack against U.S. critical infrastructure, Reuters reported.

According to the FBI chief, the Chinese hackers are waiting “for just the right moment to deal a devastating blow.”

In February, US CISA, the NSA, the FBI, along with partner Five Eyes agencies, published a joint advisory to warn that China-linked APT Volt Typhoon infiltrated a critical infrastructure network in the US and remained undetected for at least five years.

“the U.S. authoring agencies have recently observed indications of Volt Typhoon actors maintaining access and footholds within some victim IT environments for at least five years,” reads the alert.

The Volt Typhoon group has been active since at least mid-2021 it carried out cyber operations against critical infrastructure. In the most recent campaign, the group targeted organizations in the communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education sectors.

The APT group is using almost exclusively living-off-the-land techniques and hands-on-keyboard activity to evade detection.

In December 2023, Microsoft first noticed that to conceal malicious traffic, the threat actor routes it through compromised small office and home office (SOHO) network devices, including routers, firewalls, and VPN hardware. The group also relies on customized versions of open-source tools for C2 communications and to stay under the radar.

The Chinese cyberespionage group has successfully breached the networks of multiple US critical infrastructure organizations. Most of the impacted organizations are in the Communications, Energy, Transportation Systems, and Water and Wastewater Systems sectors.

“The group also relies on valid accounts and leverage strong operational security, which combined, allows for long-term undiscovered persistence. In fact, the U.S. authoring agencies have recently observed indications of Volt Typhoon actors maintaining access and footholds within some victim IT environments for at least five years.” continues the alert. “Volt Typhoon actors conduct extensive pre-exploitation reconnaissance to learn about the target organization and its environment; tailor their tactics, techniques, and procedures (TTPs) to the victim’s environment; and dedicate ongoing resources to maintaining persistence and understanding the target environment over time, even after initial compromise.”

U.S. agencies fear the possibility that these actors could gain access to the networks of critical infrastructure to cause disruptive effects in the event of potential geopolitical tensions and/or military conflicts.

The Volt Typhoon’s activities suggest that the group primarily aims to establish a foothold within networks to secure access to Operational Technology (OT) assets.

The US agencies also released a technical guide containing recommendations to identify and mitigate living off the land techniques adopted by the APT group.

A Chinese Foreign Ministry spokesperson recently stated that the Volt Typhoon activity is not associated with Beijing, but linked it to a cybercrime operation.

Wray confirmed that Volt Typhoon’s campaign is still ongoing and breached numerous American companies in telecommunications, energy, water and other critical sectors.

The state-sponsored hackers also targeted 23 pipeline operators, Wray revealed during a speech at Vanderbilt Summit on Modern Conflict and Emerging Threats.

The FBI Director remarked that China is developing the “ability to physically wreak havoc on US critical infrastructure at a time of its choosing,” “Its plan is to land low blows against civilian infrastructure to try to induce panic.”

Wray explained that it is difficult to determine the purpose behind the cyber pre-positioning, however, the activity is part of a broader strategy to dissuade the U.S. from defending Taiwan.

Wray added that the China-linked actors employed a series of botnets in their activities.

In December, the Black Lotus Labs team at Lumen Technologies linked a small office/home office (SOHO) router botnet, tracked as KV-Botnet to the operations of China-linked threat actor Volt Typhoon. The botnet is comprised of two complementary activity clusters, the experts believe it has been active since at least February 2022. The threat actors target devices at the edge of networks.

The KV-Botnet is composed of end-of-life products used by SOHO devices. In early July and August of 2022, the researchers noticed several Cisco RV320s, DrayTek Vigor routers, and NETGEAR ProSAFEs that were part of the botnet. Later, in November 2022, most of the devices composing the botnet were ProSAFE devices, and a smaller number of DrayTek routers. In November 2023, the experts noticed that the botnet started targeting Axis IP cameras, such as the M1045-LW, M1065-LW, and p1367-E. 

The researchers pointed out that the use of the KV-Botnet is limited to China-linked actors. Thus far the victimology aligns primarily with a strategic interest in the Indo-Pacific region, the experts observed a focus on ISPs and government organizations.

About the author: Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, China)